The login doesn't work in Firefox either. The reason is that the page is HTTPS but is taking active content from a source which is using HTTP.
Now, you could say that reverting to HTTP should cure the problem. And so it might. But that's like advising someone not to bother with password protection if they have trouble remembering their password. HTTPS should be the default level of connection security, and any site which supposedly offers that protection should not be allowing mixed content on the page. What we have here is even worse than that - the login setup is needlessly convoluted, with the apparent login page feeding content through to a separate (secure) login page over an insecure connection. Arcane, or what?
[23:56:25.003] user.siteadvisor.com : server does not support RFC 5746, see CVE-2009-3555
Oh yes, and we STILL have the situation where the SiteAdvisor server doesn't support RFC 5746. If the patches haven't been applied this leaves the whole session open to a MITM attack. It's a theoretical weakness right up to the moment when suddenly it's not.
This weakness was discovered in 2009 and it must be two years since I first drew it to Mcafee's attention via a conference call. It looks as if nothing has been done yet. That is glacial progress.
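The mixed-content problem described above (an HTTPS login page pulling active content from an HTTP source) is something a site owner can check for before a browser refuses the page. The following is an added example, not code from the thread or from McAfee/SiteAdvisor: a small scanner that resolves every sub-resource reference in an HTTPS page and reports those that would load over plain HTTP, separating "active" content (scripts, frames, stylesheets, plugins) from "passive" media. The hostnames and HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose target executes or alters the page: browsers
# block these as "active" mixed content when fetched over http on an https page.
ACTIVE_REFS = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# Media fetched over http is "passive" mixed content: it cannot run code, but a
# network attacker can still swap what the user sees.
PASSIVE_REFS = {("img", "src"), ("audio", "src"), ("video", "src")}


class MixedContentScanner(HTMLParser):
    """Collect sub-resources that an https page references over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, absolute url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        for attr in ("src", "data", "href"):
            if attr not in attrs:
                continue
            if (tag, attr) in ACTIVE_REFS:
                kind = "active"
            elif tag == "link" and attr == "href" and \
                    "stylesheet" in attrs.get("rel", "").lower().split():
                kind = "active"  # CSS can rewrite the page, so it counts as active
            elif (tag, attr) in PASSIVE_REFS:
                kind = "passive"
            else:
                continue  # e.g. <a href>: navigation, not a sub-resource load
            # Resolve relative and protocol-relative URLs against the page URL,
            # so "//host/x.js" on an https page correctly resolves to https.
            absolute = urljoin(self.page_url, attrs[attr])
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, absolute, kind))


def find_mixed_content(html, page_url):
    """Return (tag, url, kind) for each http sub-resource of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for a page that is itself https
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def has_active_mixed_content(html, page_url):
    """True if the page loads script/frame/stylesheet/plugin content over http."""
    return any(kind == "active" for _, _, kind in find_mixed_content(html, page_url))


# Constructed sample: an https login page whose login widget script comes from
# an http host, the pattern described in the thread. Hostnames are made up.
SAMPLE_PAGE_URL = "https://login.example.test/signin"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.test/jquery.js"></script>
<script src="http://widgets.example.test/login-widget.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<iframe src="//secure.example.test/login-frame"></iframe>
<a href="http://www.example.test/help">help</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:7s} <{tag}> {url}")
```

Run against the sample, the scanner flags the http login-widget script as active and the http logo as passive; the protocol-relative iframe and the relative stylesheet resolve to https and are not reported. The fix on the server side is to serve every sub-resource over https (or with a protocol-relative or relative URL), not to downgrade the page to http.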
The CVE-2009-3555 error message in the Tools > Error Console should not prevent you from accessing that website. This may change in the future, but currently it is only to make the administrators of a server aware that they need to fix that security vulnerability in their server and install a patch.
In 2009, a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web content via an address prefixed with “https”.
This flaw could allow a ‘man-in-the-middle’ (MITM) attacker to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an authorised user, or even to collect authentication credentials of authorised users.
This security flaw has been labelled CVE-2009-3555 and is (being) described in more detail:
Because the flaw is not limited to any specific software implementation, but is rather a fundamental protocol design flaw, a lot of software using SSL/TLS is vulnerable.
Scope and Discussion
The attack is related to a SSL/TLS protocol feature called session renegotiation. The discovered vulnerability could be used to manipulate data received by a client or by a server. For example, a server is vulnerable if it is configured to allow session renegotiation, but is not yet using updated software.
One way to protect against the attack is to disable session renegotiation on the server. Hopefully, most Internet servers that do not yet support RFC 5746 have followed the recommendation and disabled the renegotiation feature.
Unfortunately, when a server is using the vulnerable SSL/TLS protocol version, it is impossible for the browser to know whether a site is protected or vulnerable (i.e. whether session renegotiation is enabled or disabled on the server).
Because of this uncertainty, when using the existing SSL/TLS protocol versions, Firefox does not know whether a server is vulnerable. Firefox, therefore, is unable to determine whether a connection has been attacked.
In order to ascertain that SSL/TLS sessions are protected, Internet deployments using SSL/TLS must be upgraded to support the new protocol enhancement described in RFC 5746.
Message was edited by: Hayton on 29/11/13 00:56:00 GMT
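The reply above explains why the browser can only trust a server that signals the RFC 5746 extension: a server that silently disabled renegotiation looks identical on the wire to a vulnerable one. The following is an added example, not code from the thread, Mozilla or McAfee: a minimal parser for a TLS ServerHello that extracts its extensions and reports whether the server sent `renegotiation_info` (extension type 0xff01), which is what Firefox's "server does not support RFC 5746" check is looking for. The ServerHello messages are constructed in the block, not captured from any real server.

```python
import struct
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16          # record-layer content type
HS_SERVER_HELLO = 0x02        # handshake message type
EXT_RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type


def build_server_hello(extensions: Optional[bytes]) -> bytes:
    """Construct a TLS 1.0 ServerHello record (constructed sample data, not a capture).

    extensions=None omits the extensions block entirely, as a pre-RFC-5746
    server would; otherwise the given extension bytes are appended.
    """
    body = (b"\x03\x01"            # server_version TLS 1.0
            + bytes(32)            # random (zeros; sample only)
            + b"\x00"              # session_id length 0
            + b"\x00\x2f"          # cipher_suite TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x00")             # compression_method null
    if extensions is not None:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Return {extension_type: extension_data} from a ServerHello record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                       # skip server_version and random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    pos += 2 + 1                       # skip cipher_suite and compression_method
    extensions: Dict[int, bytes] = {}
    if pos == len(body):
        return extensions              # legacy server: no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns extensions block")
        extensions[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return extensions


def supports_secure_renegotiation(record: bytes) -> bool:
    """True only if the ServerHello carries renegotiation_info.

    On the initial handshake RFC 5746 requires renegotiated_connection to be
    empty, so the extension data is the single length byte 0x00. A server that
    omits the extension might have disabled renegotiation, but the client has
    no way to tell, which is why Firefox reports it as not supporting RFC 5746.
    """
    return parse_server_hello_extensions(record).get(EXT_RENEGOTIATION_INFO) == b"\x00"


# Constructed samples (not captured from any real server).
SAMPLE_PATCHED = build_server_hello(struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00")
SAMPLE_UNPATCHED = build_server_hello(None)
SAMPLE_OTHER_EXT_ONLY = build_server_hello(struct.pack("!HH", 0x0017, 0))  # extended_master_secret, empty

if __name__ == "__main__":
    for name, rec in [("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED),
                      ("other-ext-only", SAMPLE_OTHER_EXT_ONLY)]:
        print(f"{name:15s} RFC 5746: {supports_secure_renegotiation(rec)}")
```

The parser deliberately treats "extension absent" and "extension present with non-empty data on a first handshake" alike, as not demonstrating RFC 5746 support; only the exact empty `renegotiation_info` the RFC specifies for an initial handshake is accepted. Pointing a check like this at a real server would mean capturing its ServerHello (for example from a packet trace) and feeding the record bytes to `parse_server_hello_extensions`.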
Correct, my IE settings are not the default. That's because I've tried to strengthen security wherever possible. Privacy settings are set to High, which does cause occasional problems with cookies.
SiteAdvisor is in the Trusted Sites zone, which is very lax indeed by default. I tightened that up a bit by making two important changes, which creates the hoops to jump through -
Display Mixed Content : Prompt
Websites in less privileged web content zone can navigate into this zone : Prompt.
Oddly, IE logs me in to SA even though the login cookie is blocked.