Site won't load - secure connection problem

Posted: 2017-03-21, 10:52
by tenseys
Bank site won't load (loads in other browsers FF, IE and Edge).
OS is Windows 10 and PM version is 27.2.0 32bit.

Site is: https://www.myinvestorsbank.com/

Yields:

Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Thanks.

Re: Site won't load - secure connection problem

Posted: 2017-03-21, 13:02
by tenseys
I put the url through that ssl site and get this:

https://www.ssllabs.com/ssltest/analyze ... Results=on

Re: Site won't load - secure connection problem

Posted: 2017-03-21, 17:53
by Pallid Planetoid
Pale Moon is getting the following website identification for this bank (which is presumably why the website fails to load in PM):
[screenshot: circled part is not the same that other browsers get]
Other browsers (FF, Chrome, IE etc) are getting the following website identification for this website (which is why the website loads successfully in other browsers):
[screenshot: what the bank identification should look like and does in other browsers]
Why this is the case is the next question to ask....

Re: Site won't load - secure connection problem

Posted: 2017-03-21, 18:00
by Pallid Planetoid
tenseys wrote:Bank site won't load (loads in other browsers FF, IE and Edge).
OS is Windows 10 and PM version is 27.2.0 32bit.

Site is: https://www.myinvestorsbank.com/
Did this bank's website load successfully in a previous PM release?

Re: Site won't load - secure connection problem

Posted: 2017-03-21, 19:14
by tenseys
Hi.. thanks.

I don't know if it did... I don't remember. I just reinstalled PM after not having used it for a while.

Is there any trick I can do to make it load for me in PM?

Re: Site won't load - secure connection problem

Posted: 2017-03-21, 22:55
by Moonchild
The problem is the following (misconfigured server):
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
Pale Moon doesn't accept the combination of RSA key exchange with AES+SHA256/384 because straight-up RSA key exchange is deprecated and makes no sense to combine with a very strong HMAC (Firefox also doesn't support this, for example; IE and Safari do).
This means the encryption falls back to 3DES; this has been disabled in Pale Moon because of the SWEET32 vulnerability (IE/Firefox and Chrome still accept this weak cipher... for now).

The bank should enable common cipher suites with forward secrecy and disable 3DES to have SSL security as one would expect from a bank.
e.g. elliptic curve key exchange:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) or
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
or if their server does not (yet) support EC, use standard Diffie-Hellman:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) or
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) or
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) or
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)
If DHE isn't supported they can still use standard RSA key exchange:
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) or
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)

If you must connect to the bank using weak encryption, you have to do two things in about:config:
  1. Enable 3DES: find security.ssl3.rsa_des_ede3_sha and double-click it to set to true
  2. Allow unrestricted fallback to weak ciphers for the site: find security.tls.insecure_fallback_hosts and double-click it, then add www.myinvestorsbank.com to that pref
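
The negotiation Moonchild describes above, written out as a small offline model (an added example; it is not code from the thread or from Pale Moon). The server's suite list is copied from the SSL Labs output quoted in the post; the client policy is a simplified model of the two rules stated there (no static-RSA key exchange with SHA-256/384 suites, 3DES off unless security.ssl3.rsa_des_ede3_sha is enabled), and the "fixed" server list is constructed from the suites the post recommends. Assumptions: the server picks the first suite in its own preference order that the client accepts, and TLS version negotiation is ignored.

```python
"""Offline model of why the bank's TLS handshake fails in Pale Moon 27.

Added example, not part of the forum thread or of Pale Moon's code. The
client policy below is a simplified model of the rules in the post, and
server-preference ordering is assumed (real negotiation also depends on
the ClientHello order and on the TLS version).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cipher suites the bank's server offered, in the order quoted in the thread.
BANK_SERVER_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256",  # 0x3d
    "TLS_RSA_WITH_AES_256_GCM_SHA384",  # 0x9d
    "TLS_RSA_WITH_AES_128_CBC_SHA256",  # 0x3c
    "TLS_RSA_WITH_AES_128_GCM_SHA256",  # 0x9c
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",    # 0x0a
]

# Constructed list following the advice in the post: forward-secret suites
# first, a plain-RSA/SHA suite as the fallback, and no 3DES at all.
FIXED_SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # 0xc02f
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",       # 0x33
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # 0x2f
]

# IANA suite names have the shape TLS_<key exchange>_WITH_<cipher>_<mac/prf>.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA256|SHA384|SHA)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # "RSA", "ECDHE_RSA", "DHE_RSA", "ECDHE_ECDSA", ...
    cipher: str  # "AES_128_GCM", "3DES_EDE_CBC", "CAMELLIA_256_CBC", ...
    mac: str     # "SHA", "SHA256", "SHA384"

    @property
    def forward_secret(self) -> bool:
        # Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not.
        return self.kx.startswith(("ECDHE_", "DHE_"))

    @property
    def uses_3des(self) -> bool:
        return self.cipher.startswith("3DES")


def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return Suite(name, m.group("kx"), m.group("cipher"), m.group("mac"))


def client_accepts(suite: Suite, allow_3des: bool = False) -> Tuple[bool, str]:
    """Simplified Pale Moon 27 policy from the post: (accepted, reason)."""
    if suite.kx == "RSA" and suite.mac in ("SHA256", "SHA384"):
        return False, "static RSA key exchange with a SHA-256/384 suite is not offered"
    if suite.uses_3des and not allow_3des:
        return False, "3DES disabled because of SWEET32"
    return True, "acceptable"


def negotiate(server_suites: List[str], allow_3des: bool = False) -> Optional[Suite]:
    """First server-preferred suite the client accepts, or None if none match.

    None is the 'Secure Connection Failed' case: the two lists do not intersect.
    """
    for name in server_suites:
        suite = parse_suite(name)
        accepted, _ = client_accepts(suite, allow_3des)
        if accepted:
            return suite
    return None


def explain(server_suites: List[str], allow_3des: bool = False) -> List[str]:
    """One line per server suite saying why the client does or does not take it."""
    lines = []
    for name in server_suites:
        accepted, reason = client_accepts(parse_suite(name), allow_3des)
        lines.append(f"{'ok  ' if accepted else 'skip'} {name}: {reason}")
    return lines


if __name__ == "__main__":
    for label, suites, allow in [
        ("bank as scanned, Pale Moon defaults", BANK_SERVER_SUITES, False),
        ("bank as scanned, 3DES re-enabled in about:config", BANK_SERVER_SUITES, True),
        ("bank after the recommended fix, Pale Moon defaults", FIXED_SERVER_SUITES, False),
    ]:
        chosen = negotiate(suites, allow)
        print(f"== {label}")
        print("\n".join(explain(suites, allow)))
        if chosen is None:
            print("-> no common cipher suite: handshake fails\n")
        else:
            print(f"-> {chosen.name} (forward secrecy: {chosen.forward_secret})\n")
```

Running the script walks through the three situations in the thread: with defaults nothing intersects and the handshake fails; with 3DES re-enabled the connection goes through on TLS_RSA_WITH_3DES_EDE_CBC_SHA, which has neither forward secrecy nor a 128-bit block size; with the server fixed as recommended, the ECDHE suite is chosen without any client-side weakening. The model is deliberately minimal: it does not check certificate type (ECDSA suites need an ECDSA certificate), DH parameter size, or the TLS version, all of which a real scan such as the SSL Labs report also covers.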

Re: Site won't load - secure connection problem

Posted: 2017-03-21, 23:02
by tenseys
Okay, I'll take a look at that. Thanks Moonchild.

Re: Site won't load - secure connection problem

Posted: 2017-03-21, 23:08
by Moonchild
I've made sure to update the FAQ about this as well with the security.tls.insecure_fallback_hosts step which is now needed as an extra measure.
(you should contact the bank about this though, they really need to fix it)