Netteller considers FF45 too old to support; ends my online banking

Dr. T Michaels's Avatar

Dr. T Michaels

16 Oct, 2020 11:43 PM

Netteller is a 3rd party vendor of online banking services to small banks. It is the largest such in the country, as well as big world-wide ops. It was recently taken private by US Vulture Capitalist funds; they are re-structuring the company to improve short-term earnings by cutting staff and limiting their services. Netteller's main competitors have long been acquired by Netteller.

I have had accounts at some small banks for decades. They are too small to support their own IT and contract with Netteller. Suddenly, as of September, I have been cut off by Netteller. The response they gave the bank was that I was using FF45, and that it was "too old."

The bank "IT" personnel have minimal IT experience and understanding, so I did not detail TFF27 for them, just to say that it was an up-to-date browser.

Given that Netteller is on a profit-max drive, top-driven, it's unlikely that they will alter their decision.

QUESTION > is it possible to give TFF a sham identity to avoid this cutoff. The example for this is iCab, the German Mac browser that has the option to present itself as another identity, such as versions of IE and Safari, the appropriate one selected by the user in the Preferences.

Can this be done with TFF ? Obviously, iCab did it very efficiently, as it was necessary for them to get max adoption of their browser which no one knew about.

Pls Advise
   Dr. t

  1. Support Staff 1 Posted by Chris (chtrusch... on 17 Oct, 2020 07:15 AM

    Chris (chtrusch)'s Avatar

    Hello Dr. t, the answer is: yes, it can. Go to Preferences > TenFourFox and choose 'Select user agent string to use' …, then start with Firefox 52; if that works, leave it at that. Otherweise try more recent FF versions.

    However, looking at your screenshot, this problem cannot be cured by choosing a different user agent string. The website thinks TFF FPR 27 doesn't have sufficiently strong encryption available to talk securely to the website, which is not true.

    What's the exact URL you're trying to reach? Maybe https://www.neteller.com? This works fine for me.

  2. 2 Posted by cal yooper on 17 Oct, 2020 08:56 PM

    cal yooper's Avatar

    Hello Chris
    Thanks for your input.

    1. I will do the Preferences change you suggest, and if it works, I will advise.

    2. If the problem is Netteller's faulty analytics, then an approach
    to them directly, through
    the bank, their paying customer, would be the best way.
    For this approach, I would need to give them a direct contact in your
    shop so that TFF27's encryption sufficiency could be explained to
    them.

    (Remember, this 'insufficiency' of TFF is NEW, since Sept. Up until
    then, the current and previous versions of TFF were sufficiently
    sufficient -- unlikely an algorithm made that decision, unless it is a
    new algorithm.)

    3. As expalined, Netteller is a big, old [in internet terms] operation.
    My 'portal' [if I'm using the right term] is the bank's page, as
    Netteller is their contract vendor.

    Netteller deal directly with the public as a quasi-bank, money
    transfer agent, which has nothing to do with me.

    Thanks for the response. If you do not hear from me on the
    Preferences change by Monday, 19th, assume it didn't work. Pls
    provide contact procedure that I can give to the bank's 'IT' person to
    give to their Netteller rep to contact your shop on the encryption
    issue.

    Rgds,
        Dr. t

  3. Support Staff 3 Posted by Cameron Kaiser on 17 Oct, 2020 10:35 PM

    Cameron Kaiser's Avatar

    I can get all the way to the login screen without a problem, and our cryptography library is current to Firefox 78. Like Chris asked, we really do need a specific URL to test with so we can see what you're seeing (obviously no usernames or passwords).

  4. 4 Posted by cal yooper on 18 Oct, 2020 03:47 PM

    cal yooper's Avatar

    Gents
    1. went straight to FF78 (see attach). No joy. (did a re-start before trying)

    2. Here are a couple of portals -- note that all the locally-owned
    banks in the 906 & 715 area code districts are Netteller clients,
    their individual HP designs notwithstanding.

         msbir.com
         fnbimk.com

  5. 5 Posted by cal yooper on 18 Oct, 2020 04:23 PM

    cal yooper's Avatar

    FYI CONFIDENTIAL

     Just to update you on the recency of this problem, I attach a snip
    that shows that I accessed fnbimk.com on 7th October using TFF27.

    Clearly, Netteller didn't have a problem with TFF27 encryption. There
    was a subsequent arbitrary decision on their part.

    rgds,
       Dr. t

  6. Support Staff 6 Posted by Chris (chtrusch... on 18 Oct, 2020 05:35 PM

    Chris (chtrusch)'s Avatar

    I can access both websites just fine with TFF FPR 27.

    However when I try to log in with a bogus ID I actually can see what you're talking about.

    The actual URL is:
    https://www.netteller.com/login2008/Authentication/Views/Login.aspx?returnUrl=%2ffnbim

    It does load in Webkit (latest version), which has *all* weak cyphers since it hasn't been updated in two years, and it loads in FF 78 ESR. It does not load in Waterfox Classic 2020.09 (based on FF 52), which uses the same cyphers as we do.

    On the other hand, Qualys says www.netteller.com wants
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    which we have.

    FF 78 connects using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 over TLS 1.2.

    I don't know what's going on. There must be some other SSL/TLS setting which prevents the login site from loading.

  7. Support Staff 7 Posted by Cameron Kaiser on 18 Oct, 2020 08:10 PM

    Cameron Kaiser's Avatar

    Yes, I can reproduce with that URL on the development machine. Disabling enforced TLS profiles didn't help either.

    Frankly, this should work. Debug version doesn't show anything obviously wrong, however, so it won't be fixed for FPR28.

  8. 8 Posted by cal yooper on 18 Oct, 2020 08:45 PM

    cal yooper's Avatar

    I don't understand the technical aspects of ssl/tls, nor wish to.
    But, what I hear you saying is that there is nothing obvious about why
    it is not working.

    What we have as an answer to that is the Netteller customer rep
    telling the bank liaison that "FF45 is too old" -- not exactly a
    precise answer to the question. But it does tell us that TFF27 is
    seen as FF45 on that end.

    What we DO KNOW is that all WAS copacetic, that FTT27 was working just
    fine with the Netteller sys well into Sept '20, that the existing
    systems had no problems communicating with whatever those protocols
    were. So, it's reasonable to assume that at that point, the wonks
    at Ntlr made some change on their end which cut us off.

    Here is a TFF problem > it is showing up at Ntlr as FF45, not FF78.
    If TFF has the ssl/tttls encryption protocol of FF78, then why is Ntlr
    not seeing it as FF78, esp. when the User Agent has been set to it ?
    What parameter did Ntlr change in Sept that stopped the communication
    that had been going on previously ?

    Tomorrow, Mon, I will ask the MSBIR IT person to tell her Ntlr rep
    that we [you guys] need to talk to someone in the Ntlr shop who knows
    what they did and why. That we need names to get to the root of the
    problem.

    Or, is there a site-designated comms person for you guys to reach out to there ?

    Any other thoughts, directions on how to proceed ?

    Thanks for all the effort.
    Rgds,
       Dr. t

  9. Support Staff 9 Posted by Cameron Kaiser on 18 Oct, 2020 09:12 PM

    Cameron Kaiser's Avatar

    The browser is being seen as Firefox 45 because that is its basis. Certain components have been upgraded, including the security library, but the browser is still Fx45 at its core.

    I am able to correctly view the page in Firefox 78 and 80. Since we have the same cipher set as Firefox 78, then it should work on our end too, and we are probably merely missing some additional piece or setting to make that function. I'll look into this but it won't be for the next version, which is already in testing and scheduled to emerge on Tuesday.

    I'm sorry this is frustrating you, but we do not talk to other companies on users' behalf. That is not a reasonable expectation from a volunteer project. The browser is free, no money changes hands, and no guarantees or promises are made.

  10. 10 Posted by cal yooper on 22 Oct, 2020 02:31 PM

    cal yooper's Avatar

    Cameron
    FYI >
    Have been pushing one of the banks who has an officer with a little
    background with IT vendors. Here's some input that may be of interest.

     I can sometimes guest on a pc system w/T1 line, the system managed by
    outside firm, so updates of apps don't always get made timely. On
    that system, the last upgrade to FF was v.81.0.1. That v. is
    incompatible with Netteller's security.

    The bank advises that 'lots' of users of Ntlr had problems accessing
    w/FF.v.81. The new FF v.82 has solved only 'some' of those users'
    problems.

    Question > are the FF Mac & pc versions different in sequence ? ie.
    is FF78 the latest Mac .v ?

    Rgds,
       Dr. t

  11. Support Staff 11 Posted by Cameron Kaiser on 28 Oct, 2020 04:14 AM

    Cameron Kaiser's Avatar

    When attempting to log in now, Neteller seems to be using a different flow. Reporter, please start from the front page and log in as you do normally. Do you see a difference? This time when I do it, it asks me to do a recaptcha, and then correctly returns an error (since I have no credentials). But the URLs are different, so they may have changed something on their end.

  12. Support Staff 12 Posted by Cameron Kaiser on 28 Oct, 2020 04:14 AM

    Cameron Kaiser's Avatar

    (If it does not work, please be very specific about the URL you are using to log in from.)

  13. 13 Posted by cal yooper on 28 Oct, 2020 01:48 PM

    cal yooper's Avatar

    Thanks Cameron.
    I think I mentioned last week that when guesting on a windows pc [w/T1
    line], that FF82.0.1 could not interface w/Netteller.
     Yesterday I tried agan, _successfully_.
       Didn't have time to give TFF a try last night, but will do so today.

    Will advise results tomorrow.

    Thanks for staying on top of this.
        Dr. t

  14. 14 Posted by cal yooper on 06 Nov, 2020 12:03 AM

    cal yooper's Avatar

    Cameron
    Netteller still not accepting TFF.

    Rgds,
        Dr. t

  15. Support Staff 15 Posted by Cameron Kaiser on 06 Nov, 2020 02:08 AM

    Cameron Kaiser's Avatar

    As I wrote above: please be very specific about the URL you are using to log in from.

  16. 16 Posted by cal yooper on 06 Nov, 2020 02:48 PM

    cal yooper's Avatar

    I really don't understand your advice. I don't have any choice -- I
    have to log in from the banks' page. There's no other access, unless
    they're not telling me something.
       t

  17. Support Staff 17 Posted by Cameron Kaiser on 06 Nov, 2020 04:17 PM

    Cameron Kaiser's Avatar

    I want the exact URL you are typing your login and password into. Before you press submit, copy the URL from the address bar.

  18. 18 Posted by cal yooper on 06 Nov, 2020 05:23 PM

    cal yooper's Avatar

    url is www.msbir.com
       you'll have to get your own password.
           [did you REALLY ask me for my account password ?]

  19. Support Staff 19 Posted by Cameron Kaiser on 06 Nov, 2020 06:30 PM

    Cameron Kaiser's Avatar

    I'm trying to be polite here, but at no point did I ask you for your password, and I said above I don't want your password. I asked you for the URL. Thank you for providing it, from which I can now see the form actually connects to https://www.netteller.com/msbir .

  20. Support Staff 20 Posted by Chris (chtrusch... on 06 Nov, 2020 06:48 PM

    Chris (chtrusch)'s Avatar

    I still see the same problem as in comment 6 (now on FPR 29). I.e., TFF (based on FF 45) and Waterfox Classic (based on FF 52) are unable to connect, but LWK and FF (recent) can. There may be something implemented after FF52 that's needed.

  21. Support Staff 21 Posted by Cameron Kaiser on 06 Nov, 2020 07:39 PM

    Cameron Kaiser's Avatar

    Pale Moon 28 also doesn't work, but SeaMonkey 2.53.4 does, which is based on Gecko 56. So the needed change occurs somewhere in there.

  22. Support Staff 22 Posted by Chris (chtrusch... on 06 Nov, 2020 11:30 PM

    Chris (chtrusch)'s Avatar

    Tried to find a regression windows for Firefox. Found that both FF 52.9.0 ESR and 45.9.0 ESR work. Even 38 ESR works. So that's not it.

  23. Support Staff 23 Posted by Cameron Kaiser on 07 Nov, 2020 12:29 AM

    Cameron Kaiser's Avatar

    Wait, you're not saying TenFourFox 38 works, are you?

    What OS are those on? I tested on macOS 10.14.

  24. Support Staff 24 Posted by Chris (chtrusch... on 07 Nov, 2020 12:59 AM

    Chris (chtrusch)'s Avatar

    No, I was speaking about Firefox ESR, testing on a 10.11 MacBook Pro (2009 Intel Core2 Duo) I use for Zoom and other Intel-only stuff nowadays for obvious reasons.

    TenFourFox 38 on 10.5 has the same 'Secure Connection Failed' error.

  25. Support Staff 25 Posted by Cameron Kaiser on 07 Nov, 2020 01:15 AM

    Cameron Kaiser's Avatar

    Can you try Pale Moon 28 on it and see if it does the same thing?

  26. Support Staff 26 Posted by Chris (chtrusch... on 07 Nov, 2020 10:46 AM

    Chris (chtrusch)'s Avatar

    Where do I download this? I only see Pale Moon for Windows and Linux.

  27. Support Staff 27 Posted by Cameron Kaiser on 07 Nov, 2020 07:43 PM

    Cameron Kaiser's Avatar
  28. Support Staff 28 Posted by Chris (chtrusch... on 07 Nov, 2020 08:35 PM

    Chris (chtrusch)'s Avatar

    Wow, that browser is a blast from the past :-)

    Same error "Secure Connection Failed. The connection to the server was reset while the page was loading."

  29. Support Staff 29 Posted by Cameron Kaiser on 10 Nov, 2020 05:01 AM

    Cameron Kaiser's Avatar

    Something doesn't make sense here. When I analyse the connection on a working debug copy of Firefox, I see multiple POST requests to netteller with different data from a script it downloads. TenFourFox makes just one, and then aborts. That seems to be the same for Pale Moon.

    I would ordinarily conclude this is a script problem but that doesn't make sense why regular Firefox 45 and 38 would work but not TenFourFox 45.9 (which I checked) or 38. So I really don't know why this doesn't work. It's not ciphers, I've completely ruled that out.

  30. Support Staff 30 Posted by Chris (chtrusch... on 10 Nov, 2020 02:18 PM

    Chris (chtrusch)'s Avatar

    And what do TenFourFox, PaleMoon and Waterfox Classic have in common? Correct: They send a useragent string which is not "clean" Firefox. I'm not at home right now and can't confirm this with TFF, but using a standard Firefox useragent string makes the site suddenly work with Waterfox Classic. Maybe the netteller server is so stupid it blocks further requests from nonstandard useragent strings?

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Already uploaded files

  • nettellr.fail.tiff 72.4 KB

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac