paypal trouble

[mikele1959]

@moonchild if there is something strange its not me ... and its TRUE email from my outlook account from TRUE paypal sender... I will try some tweak like firefox /geckoo /native to see what happens now

[mikele1959]

I can not login anymore now, an other step seem to be done by paypal...and I dont know why he speak to me in french I'm in Frankfurt...it seem that my browser is not up to date this is what thats say

[coffeebreak]

I can not login anymore now,

Try this:

• Navigate to about:config
  (Type about:config in the address bar, hit enter.)
• Right-click anywhere in the page, and from the context menu select New > String
• In the box that pops up, enter this string. After pasting it in, hit enter.

  Code: Select all

  general.useragent.override.paypal.com

• In the next pop-up box, enter this string (it's a user agent for Firefox 60). Hit enter.

  Code: Select all

  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0

• Clear your cache and any Paypal cookies.
  Open Paypal's login page. If it was already open, refresh the page.

See if you can log in.

[mikele1959]

Yes thats work !!! Thanks. I will see june 30 whats happens

[parpfish II]

Hypothetically speaking, if PayPal is only going to support the big 4 or 5 browsers (Chrome, Firefox, Edge, Safari, Opera), it seems you could change the user agent of Pale Moon and let PayPal think you're using one of their "supported" browsers. In this case, change Pale Moon's user agent to Firefox. After all, Pale Moon already meets PayPal's security concerns.

Yes, I initially had tried this (changed UA and cleared cache etc) and it still failed. Subsequently tried again and it worked. My impression is there are a lot of changes going on at PayPal right now and so it's something of a moving target. I tested with Opera and originally got the update your browser notice. I tried again today and it passed.

P.

[Moonchild]

@parpfish
PayPal has never "officially supported" Pale Moon. Nothing has changed there.
PCI DSS requirements are clear, and Pale Moon has no problems connecting to PCI DSS compliant servers -- that is all this is about. PayPal, being a processor of financial transactions, has to be compliant. That in turn restricts which browsers will be able to connect after June 30th, irrespective if they are "officially supported" or not, because their servers will shut off TLS 1.0 and 1.1 and non- PCI DSS ciphers.

That is all there is to it.

But if you're convinced I'm "missing the point" and this is somehow something else, then I'll just stop here, because you're clearly choosing to believe fiction in that case.

@everyone:
If your user agent compatibility mode is set to "Firefox compatibility" then there shouldn't be an issue (there isn't for me, anyway?). No override is required in my case; but if that solves it for you, then huzzah!

[mikele1959]

@Moonchild just to say I have firefox compatibility enabled but I got the issue from paypal and the tweak from coffeebreak had helped me to connect without issue for now
Anyway thanks for your help you all

[DrKnow]

Am I missing something?

People are still trying to massage Palemoon to work for financial sites? PLEASE GET SENSIBLE!

For any financial transactions use a browser that is more likely to be tested to be secure and supported directly. Especially use one that has a team dedicated and actively searching for issues.

PS feel free to use Palemoon, but when the 'security' testing is code reviews and hoping being open source will result in user reports is foolish beyond belief for financial matters.

I know I'll be in the minority, but posting for these less tech aware to be very careful. Any fuzz test results available to share?

[DrKnow]

I should add, using a non-supported browser WILL void any liability the bank has for any fraud. Use at your own risk!

[hitokage]

Especially use one that has a team dedicated and actively searching for issues.

If Google, Microsoft, Mozilla, Apple, etc had these teams there wouldn't be as many security fixes and other general bug fixes after their software is released. They do usually have general quality assurance (QA) teams, but they don't find everything. Some of them do public alpha and/or beta releases that volunteers use to see what is coming up, help test and find bugs, but they don't find everything either. Some of these companies have released software with obvious problems that should hold back the release until resolved.

Besides all that - there are several people here that test various alpha and beta builds before a general release. How big a team do you want?

I should add, using a non-supported browser WILL void any liability the bank has for any fraud. Use at your own risk!

This depends on a few things - the country you're in, the type(s) of fraud, the amount(s) involved, and the bank(s) in question. It would also require logs that include user agents/browser ID (which can be falsified) to try to make a case. Besides supported actually means in this instance if you have an issue they will help you to resolve it - not that you can't use another program.

Edited because I changed my mind and decided to comment on something else stated. Moonchild

[Moonchild]

feel free to use Palemoon, but when the 'security' testing is code reviews and hoping being open source will result in user reports is foolish beyond belief for financial matters.

You, sir, clearly have no idea how software security works in practice.

I should add, using a non-supported browser WILL void any liability the bank has for any fraud. Use at your own risk!

Actually, no, it won't. A bank's liability for on-line transactions is not tied to which browsers they officially support. It is the bank's responsibility to ensure secure communications, and in general it is the end-user's responsibility to make sure their systems aren't compromised (but that responsibility does not void liability by default). The bank's liability only comes into play when there is clear negligence on the user's part, and even then it's usually only a limitation of liability, nothing more. This negligence does NOT include any as-of-yet unknown or undiscovered vulnerabilities in the browser in use. The bank may refuse access to their on-line banking from clearly insecure clients (e.g. those not supporting TLS 1.2) or any other reason they see as a sign of insecure communications, as part of their responsibility to make sure their internet banking is performed in a secure manner -- that is always the bank's responsibility to ensure, not the customer's.

[DrKnow]

You, sir, clearly have no idea how software security works in practice.

You, sir, clearly have no idea how banking software security works in practice.
Paypal or many banks are actively telling you Palemoon is NOT supported. Any issues arising from its use can void any right to recompense for any abuse while using it.
For years I was a high-level architect for banking software at one of the world's largest banks. I know banking. I know security.

I should add, using a non-supported browser WILL void any liability the bank has for any fraud. Use at your own risk!

Actually, no, it won't. A bank's liability for on-line transactions is not tied to which browsers they officially support. It is the bank's responsibility to ensure secure communications, and in general it is the end-user's responsibility to make sure their systems aren't compromised (but that responsibility does not void liability by default). The bank's liability only comes into play when there is clear negligence on the user's part, and even then it's usually only a limitation of liability, nothing more. This negligence does NOT include any as-of-yet unknown or undiscovered vulnerabilities in the browser in use. The bank may refuse access to their on-line banking from clearly insecure clients (e.g. those not supporting TLS 1.2) or any other reason they see as a sign of insecure communications, as part of their responsibility to make sure their internet banking is performed in a secure manner -- that is always the bank's responsibility to ensure, not the customer's.

^^ This is pure conjecture by someone who clearly doesn't understand banking.
The negligence on the user's part is using software the bank told you not to use and actively blocked! How do you not grasp that?

We understand Palemoon is most likely secure and safe

HOWEVER:

PAYPAL IS TELLING YOU DIRECTLY NOT TO USE PALEMOON.
How clear can it be?

Any financial site that gives you this warning means you may not be covered for any issue arising from the use of Palemoon.
If a bank says don't do something and you do it anyway, it's your fault.

------------------------

If Google, Microsoft, Mozilla, Apple, etc had these teams there wouldn't be as many security fixes and other general bug fixes after their software is released. They do usually have general quality assurance (QA) teams, but they don't find everything.

Of course they don't find every issue, however, Palemoon doesn't have any team looking at security issues. Palemoon is released with a goodwill gesture hoping everything is OK.
No doubt Moonchild could release the security test results from the last release to disprove, but don't hold you breath for them as he seems to release software and then hopes someone spots an exploit.

[Moonchild]

I guess whatever I say is going to be dismissed as conjecture from an ivory tower perspective. So be it. I'm done here, save leaving you with a few facts.

Fact: if you use Pale Moon and run into trouble using their website, you are on your own. (=no support)
Fact: if you use their website it is their responsibility to make sure the transactions can only be performed in a secure manner (=financial institution is liable)
Fact: PayPal is not forbidding the use of Pale Moon. Pale Moon in its default setup can and will connect without issue to PayPal's site. The "blocked" page is only thrown up if PayPal believes you are using a very old version of one of the browsers they do actively support.
Fact: Pale Moon's development is proactive when it comes to security and vulnerabilities, including Defense-in-Depth measures (see release notes)

[Pallid Planetoid]

.... there is many many many website like bank or paypal account ebay amazon etc where I can not logon now and this is annoying

With User Agent Mode set to "Native" using Pale Moon 28.0.0a4 (cannot say whether the alpha version makes a difference unfortunately but I can say that I'm not aware of any issues for the any of the sites referenced below previously using PM 27.9.2 either) on Win7 (64-bit), FWIW I am able to successfully login and/or use each of the sites you have referenced in the post above:
1) Paypal - CHECK - not using a site specific UA Override for this site (which is interesting since it is reported that a UA Override is required).
2) Ebay - CHECK - not using a site specific UA Override for this site.
3) Amazon - CHECK - using the DEFAULT site specific UA Override for this site.

I am also able to successfully use numerous other merchant websites i.e. Best Buy, CVS, RiteAid, Home Depot, JC Penney, Kmart, Kohls, Macys, Office Depot, Ross Stores, Sears, Staples, Target, Walgreen, Walmart (just to mention the more popular sites).

Now to banks -Currently I am successfully logging into all of these Banks:
1) Citibank - using DEFAULT site specific UA Override and also using general.useragent.override.city-data.com set to Mozilla/5.0 (Windows NT 6.1; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 (not sure if this is necessary) for this site.
2) Bank of America - using general.useragent.override.bankofamerica.com set to Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0.
3) Chase Bank (JPMorgan Chase) - using DEFAULT site specific UA Override for this site.
4) US Bank - general.useragent.override.usbank.com set to Mozilla/5.0 (Windows NT 6.1; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 (Pale Moon).
5) Union Bank - not using a site specific UA Override for this site.
6) Capital One Bank - not using a site specific UA Override for this site.
7) Fidelity Bank - not using a site specific UA Override for this site.
8) Umbqua Bank - not using a site specific UA Override for this site.

Note: I have had virtually zero problems with all of these sites referenced above with the exception of Citibank which due to their frequent suspicious redirects I occasionally need to adjust ABE security rule-sets in the NS extension -- but this is entirely a website issue and is not in any way browser related and has not been a problem once the rule-set has been changed/added to satisfy NS's security screening.

I would add-- in regards to financial sites in general I have not had any issues of any kind using Pale Moon to access multiple brokerages sites as well -- hence in my case as far as Pale Moon working with financial sites in general I have not had any issues transferring funds and/or paying all types of monthly bills via banks referenced above and/or using merchant credit card sites (other than supporting a software forum in the capacity of a global moderator the majority of my time on the Internet is for financial reasons and in that regard I can say Pale Moon does an excellent job). Note: these specific comments directly above are more in respect to this comment as opposed to the OP:

... People are still trying to massage Palemoon to work for financial sites? PLEASE GET SENSIBLE!

For any financial transactions use a browser that is more likely to be tested to be secure and supported directly. Especially use one that has a team dedicated and actively searching for issues...

So specifically in response to the OP, I don't seem to have any problems with any of the sites referenced here which includes 8 banks that I use on a regular basis as well as many other merchant websites.

[doofy]

For years I was a high-level architect for banking software at one of the world's largest banks. I know banking. I know security.
...
The negligence on the user's part is using software the bank told you not to use and actively blocked! How do you not grasp that?

Well, call me naive - and you of course are the expert - but I'd like to think that banking security was based on something a bit higher level than U/A sniffing.

A browser - any browser - is simply a GUI for initiating communication.

Browser goes to bank says: "can I come in?" Bank investigates security credentials of browser and, if they are acceptable, says: "OK".

I suggest to you that any breach of security after the bank says: "OK" is entirely the fault of the bank.

[therube]

I'd like to think that banking security was based on something a bit higher level than U/A sniffing

Security is.

But... that does not stop them from sniffing, which they do, & when they find something they don't "support", then they present you with that dumb message, "Unsupported Browser", which at that point is immaterial to security, & only applicable to "support" & sniffing.

[Night Wing]

I own 4 computers (2 desktop towers, 2 laptops). I have not changed the user agent for PayPal in Pale Moon in both linux and windows Pale Moon. My wife can get to her PayPal page on any of our computers whether she is using linux or windows Pale Moon at:

https://www.paypal.com/sg/home

And on the page above in the above link, my wife can access her PayPal account with her user name and password. My wife has never gotten any emails from PayPal stating the Pale Moon browser is not supported and/or not secure. If you click on the link below, it will take you a page and if you scroll on down the page, look for the heading; "Check your desktop browser to see if it’s up-to-date". Just below the heading, click on the "Click Here" prompt and if Pale Moon is up to date and also secure, you will get a connection which states: "PayPal_Connection_OK".

If Pale Moon 27.9.3 is out of date and not secure, you'll get a different prompt which says: “ERROR! Connection is using TLS version lesser than 1.2. Please use TLS1.2”

With the above said, the link is below.

https://www.paypal.com/sg/smarthelp/art ... al-faq3893

BTW, on all of my hard drives running both linux and windows Pale Moon 27.9.3, I get the "PayPal_Connection_OK" prompt.

[DrKnow]

Let's be clear:

• If you are using the most up to date version of any browser and any financial institution says it isn't supported it means they haven't tested against it.
  The bank can not guarantee the browser will work correctly.
  ALL the risk is with you if things go wrong. That's why they block and give you a message. If you can proceed, the risk is on you.
  
  If your up to date browser is masquerading as another browser to gain access eg specific UA overrides etc
  ALL the risk is with you if things go wrong.

Moonchild has previously admitted that NO security audits other than basic code reviews are done prior to release of a Palemoon latest version.
No major browser does this. I don't care how careful coders are or any 'defence in depth' coding. Mistake happen.

Let's ask Moonchild why he refused an offer from an ex-Mozilla security dev to show how easy Palemoon would be to exploit. He thinks I'm in an Ivory tower so maybe he can climb the ivy up to the top and explain why such an offer would be refused in return for a small donation to a charity of his choice?

Use Palemoon for financial sites at your own risk.

[doofy]

Use Palemoon for financial sites at your own risk.

LOL.

One does have to ask oneself why you persist with this facile scaremongering.

My perception is that for a few days within the time frame of the 2 threads on this issue, that PP was playing up a bit. I assume they were changing something or other and the system had to adjust.

FYI - I've never received an email from PP about my browser, and I can log in quite happily with this U/A:

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:3.4) Goanna/20180610 PaleMoon/27.9.3.

So, in your world, am I risk free yet other PM punters are not?

[Pelican]

scaremongering...

The recent TLS upgrade requirements are because old SSL processes have proven to be insecure, Ie: the transmission of data between server > browser > server can be exploited by intercepting packets and decrypting the data to obtain account details and passwords. It is that pipleline between endpoints that has been found to be insecure. Endpoints like a web browser on the user's computer are not the concern here. If any browser does not support TLS 1.2 then there will be no transaction to worry about because the merchant gateways (like banks, Paypal, etc) will not allow it.