16 Replies Latest reply: Dec 18, 2013 9:00 AM by Hayton

    Unable to log in as a SiteAdvisor reviewer - AGAIN.

    Hayton

      The curse of McAfee's user-hostile interfaces strikes again, this time on the SiteAdvisor user-review comments page (AGAIN).

       

      Entering a correct reviewer name and a correct password fails to register with the website : you just get presented with the name/password boxes again.

       

      The Chrome javascript console shows the following message which may be relevant

       

      [blocked] The page at 'https://user.siteadvisor.com/forums/login.php' was loaded over HTTPS, but ran insecure content from 'http://www.siteadvisor.com/cs.psp?bbsessionhash=e3194b23e6c3235abc2a7a1611c…1416 432388&bbid=394824&bbpassword=547b6606385b9a15c6251f56c84bf7c8543d9e80': this content should also be loaded over HTTPS.

       

       

      There is also a failed call to get mbox.js when (re-)loading the webpage.
      Chrome console mbox-js.PNG

      This is ridiculous. It's been going on forever and has been reported over and over again. I don't care if there's only one person left in the department to do all the program changes, this one is easy enough to fix and should have been done months ago.

       

       

      Not in a good mood anyway, and this doesn't help.

       

      Message was edited by: Hayton on 28/11/13 21:44:17 GMT
        • 1. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
          Ex_Brit

          I agree about not helping to be in a bad mood...I'm not in any mood for nonsense and the reviewer page caused me to attempt log in about 10 or 12 times before it took.

          All I can suggest is try another browser perhaps?

          • 2. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
            spc3rd

            I've experienced the same issue on my end many times.  It typically takes multiple log-in attempts before I may be able to get on.  Perhaps the SA staff no longer values the input/site reviews from what volunteer reviewers are still left?

             

            Message was edited by: spc3rd on 11/28/13 7:19:17 PM EST
            • 3. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
              Hayton

              The login doesn't work in Firefox either. The reason is that the page is HTTPS but is taking active content from a source which is using HTTP.

               

              Now, you could say that reverting to HTTP should cure the problem. And so it might. But that's like advising someone not to bother with password protection if they have trouble remembering their password. HTTPS should be the default level of connection security, and any site which supposedly offers that protection should not be allowing mixed content on the page. What we have here is even worse than that - the login setup is needlessly convoluted, with the apparent login page feeding content through to a separate (secure) login page over an insecure connection. Arcane, or what?

               

              FF SA Console errors.PNG

               

               

              Edit :

              [23:56:25.003] user.siteadvisor.com : server does not support RFC 5746, see CVE-2009-3555

               

              Oh yes, and we STILL have the situation where the SiteAdvisor server doesn't support RFC 5746. If the patches haven't been applied this leaves the whole session open to a MITM attack. It's a theoretical weakness right up to the moment when suddenly it's not.

               

              This weakness was discovered in 2009 and it must be two years since I first drew it to McAfee's attention via a conference call. It looks as if nothing has been done yet. That is glacial progress.

              The CVE-2009-3555 error message in the Tools > Error Console should not prevent you from accessing that website. This may change in the future, but currently it is only to make the administrators of a server aware that they need to fix that security vulnerability in their server and install a patch.

               

               

              https://ietf.org/doc/rfc5746/

              http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-049-an-inside-look-at-cve-2009-3555-the-tls-renegotiation-vulnerability.aspx

              https://wiki.mozilla.org/Security:Renegotiation

               

               

              Background

              In 2009, a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web content via an address prefixed with “https”.

              This flaw could allow a ‘man-in-the-middle’ (MITM), to be able to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an authorised user, or to even collect authentication credentials of authorised users.

              This security flaw has been labelled CVE-2009-3555 and is (being) described in more detail:

              Because the flaw is not limited to any specific software implementation, but is rather a fundamental protocol design flaw, a lot of software using SSL/TLS is vulnerable.

              Scope and Discussion

              The attack is related to an SSL/TLS protocol feature called session renegotiation. The discovered vulnerability could be used to manipulate data received by a client or by a server. For example, a server is vulnerable if it is configured to allow session renegotiation, but is not yet using updated software.

              One way to protect against the attack is to disable session renegotiation on the server. Hopefully, most Internet servers that do not yet support RFC 5746 have followed the recommendation and disabled the renegotiation feature.

              Unfortunately, when a server is using the vulnerable SSL/TLS protocol version, it is impossible for the browser to know whether a site is protected or vulnerable (i.e. whether session renegotiation is enabled or disabled on the server).

              Because of this uncertainty, when using the existing SSL/TLS protocol versions, Firefox does not know whether a server is vulnerable. Firefox, therefore, is unable to determine whether a connection has been attacked.

              An enhanced SSL/TLS protocol version has been finalized and is now published as RFC 5746.

               

              Action

              In order to ascertain that SSL/TLS sessions are protected, Internet deployments using SSL/TLS must be upgraded to support the new protocol enhancement described in RFC 5746.

               

              Message was edited by: Hayton on 29/11/13 00:56:00 GMT

               

              Message was edited by: Hayton on 29/11/13 01:23:21 GMT
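As an added example (not code from this thread, from McAfee or from the Mozilla wiki text quoted above), the following Python parser checks a TLS ServerHello for the RFC 5746 renegotiation_info extension, which is exactly what the Firefox console is reporting as missing for user.siteadvisor.com. The two ServerHello byte strings are constructed for the example, not captured from any real server.

```python
# Added example: does a ServerHello advertise RFC 5746 secure renegotiation?
# Extension type 0xFF01 ("renegotiation_info") is defined in RFC 5746 section 3.2.
import struct

RENEGOTIATION_INFO = 0xFF01


def parse_server_hello(body: bytes) -> dict:
    """Parse a ServerHello handshake body (the bytes after the 4-byte handshake
    header) and return its version, cipher suite and a dict of extensions."""
    version = struct.unpack('>H', body[:2])[0]          # ProtocolVersion
    pos = 34                                            # skip Random (32 bytes)
    sid_len = body[pos]
    pos += 1 + sid_len                                  # session_id<0..32>
    cipher = struct.unpack('>H', body[pos:pos + 2])[0]  # chosen cipher suite
    pos += 2
    pos += 1                                            # compression_method
    exts = {}
    if pos < len(body):                                 # extensions block is optional
        ext_total = struct.unpack('>H', body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack('>HH', body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return {'version': version, 'cipher': cipher, 'extensions': exts}


def supports_secure_renegotiation(body: bytes) -> bool:
    """True when renegotiation_info is present. On an initial handshake its
    payload must be exactly one zero length byte (RFC 5746 section 3.4)."""
    info = parse_server_hello(body)['extensions'].get(RENEGOTIATION_INFO)
    return info is not None and info == b'\x00'


# Constructed sample ServerHellos: TLS 1.0, empty session id, cipher 0x002F,
# null compression. SECURE_HELLO carries renegotiation_info; LEGACY_HELLO has
# no extensions at all, i.e. the situation the Firefox console message flags.
_COMMON = b'\x03\x01' + bytes(32) + b'\x00' + b'\x00\x2f' + b'\x00'
SECURE_HELLO = _COMMON + b'\x00\x05' + b'\xff\x01\x00\x01\x00'
LEGACY_HELLO = _COMMON

if __name__ == '__main__':
    for name, hello in (('secure', SECURE_HELLO), ('legacy', LEGACY_HELLO)):
        print(name, 'RFC 5746 secure renegotiation:', supports_secure_renegotiation(hello))
```

A legacy server is not necessarily exploitable (it may have renegotiation disabled), but without the extension the client cannot tell, which is the point the quoted Mozilla text makes.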
              • 4. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
                Ex_Brit

                I wish I had a suggestion.  It worked for me, after a lot of tries.

                • 5. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
                  Hayton

                  Oh, hoo-ray. I finally got it to work in IE. But look at the hoops I had to jump through to get it to work.

                   

                  SA login from IE - Security Warning 1.PNG

                  SA login from IE - Security Warning 2.PNG

                  SA login from IE - Security Warning 3.PNG

                  • 6. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
                    Ex_Brit

                    It looks to me like you aren't using default settings....is that correct?   In which case I would have thought abnormal behaviour is to be expected.   I could be wrong of course and probably am.

                    • 7. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
                      Hayton

                      Correct, my IE settings are not the default. That's because I've tried to strengthen security wherever possible. Privacy settings are set to High, which does cause occasional problems with cookies.

                       

                      SiteAdvisor is in the Trusted Sites zone, which is very lax indeed by default. I tightened that up a bit by making two important changes, which creates the hoops to jump through -

                      Display Mixed Content : Prompt

                      Websites in less privileged web content zone can navigate into this zone : Prompt.

                       

                      Oddly, IE logs me in to SA even though the login cookie is blocked.

                      SA login successful with cookie blocked.PNG

                      • 8. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
                        Ex_Brit

                        'Oddly' is a good word for the way it works,  ;-)

                        • 9. Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.
                          Hayton

                          "Odd" scarcely begins to describe it. I just finished writing a long review of that website (which markets spyware and keyloggers) and hit Submit. I then got presented with ...

                          Kicked out AFTER writing a review.PNG

                           

                          Sometimes I think this is just a waste of time.
