Citi Bank revisited: Citi.com login broken

kelendral

Re: Pale Moon 28.8.2.1 breaks Citi.com login

Unread post by kelendral » 2020-02-10, 14:16

therube wrote:
2020-02-07, 14:06
URL of your login link?
UA override you have for citi.com?
Compatibility mode you have set in PM?

Using any extensions which may be affecting things?
Can you still log in after restarting PM in Safe Mode?
(Very possible that even something like uBlock is allowing things to work, where without it may not.
[See, Bahco.com - Unable to view product's technical details.])
https://online.citi.com
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 (Pale Moon)
Firefox

Many (about 90 installed extensions).
Opened another profile with no addons and no settings changes and was unable to log on. Did not try safe mode.
Tested disabling uBlock Origin; could still log on. Will test some more (it could also be a setting).

pshipwrite
Apollo supporter
Posts: 39
Joined: 2018-04-18, 21:34

Re: Citi Bank revisited: Citi.com login broken

Unread post by pshipwrite » 2020-02-18, 15:50

One small footnote regarding this discussion concerning the Citibank website. This problem/issue was recently discussed in the "Pale Moon for Linux" forum at Christmas time, https://forum.palemoon.org/viewtopic.php?f=37&t=23493. Even though I run Pale Moon on Windows 7, I searched all the Pale Moon forums for Citi and found the posts in the Linux forum. I suggest users search all the PM forums for a potential issue, not just the "General support" forum.

Pallid Planetoid
Knows the dark side
Posts: 4279
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: Citi Bank revisited: Citi.com login broken

Unread post by Pallid Planetoid » 2020-02-25, 18:26

ertooso wrote:
2020-02-23, 22:47
is it broken on 28.8.2 point nothing? Is it broken on 28.8.0? Is it broken on 28.7.whateverthatwas? Did you check?
It appears that it last worked on PM v27.9.4 (thanks to input by Tony0945): viewtopic.php?f=3&t=23774&start=20#p183721 (read this post and mine subsequent to this post). That said, my recollection is that it worked in much more current PM builds than this (using Win10). What and when Citi has done may very well be a factor as well beyond PM version releases.
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising

rereser
Apollo supporter
Posts: 38
Joined: 2019-08-02, 12:49

Re: Citi Bank revisited: Citi.com login broken

Unread post by rereser » 2020-03-02, 17:37

solution posted by roytam1 on the msfn board.
about:config --- network.http.upgrade-insecure-requests = true (default = false)
don't know if this poses a security risk.

Moonchild
Pale Moon guru
Posts: 35597
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Citi Bank revisited: Citi.com login broken

Unread post by Moonchild » 2020-03-02, 17:42

And you don't even have to dive into the realm of dragons for that.

I made settings like these available in preferences for a reason.

It does mean that citi has a problem with their website setup though, that something is set to make requests over http when it should be https. Faulty website security causing breakage.
"don't know if this poses a security risk."
The setting itself doesn't. It tells the server that you prefer that it uses the upgrade insecure requests CSP directive:
"The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten."
Since this is a transparent "upgrade" mechanism, the result is that website owners (like here) probably won't be alerted to mixed-content links still present. It's only meant to be used during a transitional period between http and https for large and complex sites (which a bank most certainly should not be in!)
Attachments
oe.png
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

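Added example, not part of Moonchild's post and not Pale Moon or Citi code: a Python audit a site owner could run over their own pages to list the http:// references that the directive quoted above would silently rewrite. The sample page, the hostnames and the tag list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tag -> attribute treated as a subresource load (assumption, not exhaustive).
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "audio": "src", "video": "src", "link": "href"}

# Constructed sample: an HTTPS login page that still references http:// URLs.
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<script src="http://bank.example:80/js/login.js"></script>
<img src="/img/logo.png">
<link rel="stylesheet" href="http://cdn.example:8080/site.css">
"""


class InsecureRefFinder(HTMLParser):
    """Collect the http:// subresource URLs one HTML document references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(SUBRESOURCE_ATTRS.get(tag, ""))
        if value and urlsplit(urljoin(self.page_url, value.strip())).scheme == "http":
            self.found.append((tag, urljoin(self.page_url, value.strip())))


def upgraded(url):
    """The URL requested instead: scheme becomes https, port 80 becomes the default."""
    p = urlsplit(url)
    netloc = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def audit(page_url, html, csp=""):
    """List (tag, url, outcome) for every insecure reference under policy `csp`."""
    names = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    upgrade = "upgrade-insecure-requests" in names
    return [(t, u, upgraded(u) if upgrade else "mixed content") for t, u in finder.found]


if __name__ == "__main__":
    for row in audit(SAMPLE_URL, SAMPLE_HTML, "upgrade-insecure-requests"):
        print(row)
```

Every row the audit returns is a link that still needs fixing at the source; a site can also have browsers report them by sending `Content-Security-Policy-Report-Only: default-src https:` with a report endpoint alongside the upgrade directive.
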
Pallid Planetoid
Knows the dark side
Posts: 4279
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: Citi Bank revisited: Citi.com login broken

Unread post by Pallid Planetoid » 2020-03-02, 18:01

Moonchild wrote:
2020-03-02, 17:42
.... giving you illogical secure site errors when you're supposedly not on a secure site.
Would these "errors" in some cases at some level potentially break the proper functioning of any other non-citi impacted sites? And if so would you have any idea as far as a rough estimate of the prevalence of impacted sites in terms of percentage?

Moonchild
Pale Moon guru
Posts: 35597
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Citi Bank revisited: Citi.com login broken

Unread post by Moonchild » 2020-03-02, 21:24

[statistics and big data question]
You're asking the wrong person. That's not my job.

pshipwrite
Apollo supporter
Posts: 39
Joined: 2018-04-18, 21:34

Re: Citi Bank revisited: Citi.com login broken

Unread post by pshipwrite » 2020-03-03, 20:01

Just another quick footnote. Pale Moon's development team added Opportunistic Encryption, including the option to "Enable Upgrade Insecure Requests", back in version 28.2, released on November 13, 2018. Therefore, this latest Citi.com login issue is solely due to Citi changing its website, which I believe occurred sometime in December, 2019.

New Tobin Paradigm

Re: Citi Bank revisited: Citi.com login broken

Unread post by New Tobin Paradigm » 2020-03-03, 20:07

Well.. I can only suggest using a different browser or a different bank or try flipping that off or on.

pshipwrite
Apollo supporter
Posts: 39
Joined: 2018-04-18, 21:34

Re: Citi Bank revisited: Citi.com login broken

Unread post by pshipwrite » 2020-03-03, 20:34

New Tobin Paradigm, I am going to turn on "Enable Upgrade Insecure Requests" when I need to login to Citi's website and when done, turn it back off. I just wanted to point out this option was added way back at the end of 2018. This issue with Citi's website is due solely to their website changes and NOT to any Pale Moon browser changes.

Tony0945

Re: Citi Bank revisited: Citi.com login broken

Unread post by Tony0945 » 2020-03-04, 04:08

Citibank working in bootleg "New Moon" build of 28.3.1 Windows (forbidden two character name)
network.http.upgrade-insecure-requests does not appear at all.
Not working in PM for Linux 28.8.4 bone stock.
Toggling network.http.upgrade-insecure-requests from false to true allowed login
SOLVED! Thank God!

New Tobin Paradigm

Re: Citi Bank revisited: Citi.com login broken

Unread post by New Tobin Paradigm » 2020-03-04, 18:50

Tony0945 wrote:
2020-03-04, 04:08
Citibank working in bootleg "New Moon" build of 28.3.1 Windows (forbidden two character name)
And this helps us how? Why are you even here?

Tony0945

Re: Citi Bank revisited: Citi.com login broken

Unread post by Tony0945 » 2020-03-04, 22:52

It's data. It shows that citibank works in a compiled version when it doesn't try to upgrade to https.

Why am I here? Because I like to use Palemoon and I've banked at citi for 30 years and I am confirming the previous poster's post to help others that want to use PM at citi.

Which is what YOU should be doing instead of insulting posters to show what a bad ass you are.
I still use Thunderbird because YOU are the developer of interlinks.
I forbear a lot because, unlike you, I was taught to be civil. Were you raised by cannibals?

New Tobin Paradigm

Re: Citi Bank revisited: Citi.com login broken

Unread post by New Tobin Paradigm » 2020-03-04, 23:05

Too bad you don't use Pale Moon, btw that is the browser's name. If it isn't an official build it isn't a valid datapoint. So your verification is worthless.

Also, good. I don't want you to use Interlink, also that is the correct name of the email client.

So you regard cannibals as badasses. Is it because they eat people? Is this something you secretly wish you could do but cannot bring yourself to because it would be considered uncivilized? Do you live only for appearances then? Perhaps you just consider yourself weak and use civility as a reasonable excuse.

I have so many questions but these are already getting far off-topic.

Tony0945

Re: Citi Bank revisited: Citi.com login broken

Unread post by Tony0945 » 2020-03-05, 02:47

Folks, one more thing. Don't use a VPN. That also causes this problem.

KlarkKentThe3rd
Astronaut
Posts: 556
Joined: 2018-04-20, 20:31

Re: Citi Bank revisited: Citi.com login broken

Unread post by KlarkKentThe3rd » 2020-05-02, 01:13

network.http.upgrade-insecure-requests being true SOLVES IT.

Freaking thanks!

Pallid Planetoid
Knows the dark side
Posts: 4279
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: Citi Bank revisited: Citi.com login broken

Unread post by Pallid Planetoid » 2020-05-02, 01:36

^ This isn't the topic where you were posing your questions about Citibank -- it was in this topic at this location in the topic: viewtopic.php?f=46&t=19119&start=260#p188641 where you first brought up Citibank (first asking about Noscript presumably thinking originally that this was the cause of the Citibank problem in a post above this - which it isn't. It is Citibank's problem of which thankfully there is a pref setting as you now know provides a "workaround" to the ongoing Citibank login issue).

KlarkKentThe3rd
Astronaut
Posts: 556
Joined: 2018-04-20, 20:31

Re: Citi Bank revisited: Citi.com login broken

Unread post by KlarkKentThe3rd » 2020-05-02, 02:21

Well, my thanks goes into the æther, and hopefully reaches whoever came up with it.

Pallid Planetoid
Knows the dark side
Posts: 4279
Joined: 2015-10-06, 16:59
Location: Los Angeles CA USA

Re: Citi Bank revisited: Citi.com login broken

Unread post by Pallid Planetoid » 2020-05-02, 03:05

KlarkKentThe3rd wrote:
2020-05-02, 02:21
Well, my thanks goes into the æther, and hopefully reaches whoever came up with it.
It was actually HERE (where it was discussed further) in this one and another topic than the one you were in previously where rereser came up with the pref setting that was originally mentioned on an msfn board. :clap:
Last edited by Pallid Planetoid on 2020-05-02, 04:12, edited 1 time in total.

KlarkKentThe3rd
Astronaut
Posts: 556
Joined: 2018-04-20, 20:31

Re: Citi Bank revisited: Citi.com login broken

Unread post by KlarkKentThe3rd » 2020-05-02, 04:06

Re-sent thanks his way.
