After updating to 36.0.1 this morning my online banking website for Intelligent Finance is no longer secure: https://my.if.com/Security/Auth/Logon
Always had the green padlock until this update. When I click on the orange triangle it tells me: “Connection partially encrypted. Parts of the page you are viewing are not encrypted or the encryption is not strong enough before being transmitted over the internet. Information sent over the internet without encryption can be seen by other people while it is in transit.” Yet when I open the same page in Internet Explorer there’s a gold padlock which states “ fully encrypted” when clicked and certificate issued by VeriSign. Can others please confirm that that they also cannot access the fully encrypted page on https://my.if.com/Security/Auth/Logon via Firefox 36.0.1 so that I can be sure the problem solely relates to this latest Firefox version? If so, is there any solution other than to use I.E. and hope the next update fixes the bug?
All Replies (9)
In Firefox 36.0, there is a gray triangle with an exclamation point; I don't have 36.0.1 on this PC yet.
Google Chrome's connection description (attached) probably identifies the problem: the server uses an older RC4 cipher that is no longer considered secure in Firefox 36.0 and higher, so you get the triangle instead of the padlock.
I'm not sure when (?!) Firefox will have better explanations for this issue in the user interface: it's definitely hard to distinguish from other reasons for that icon.
Firefox use this cipher for me: TLS_RSA_WITH_RC4_128_MD5 If I disable security.ssl3.rsa_rc4_128_md5 then I get this error:
An error occurred during a connection to my.if.com. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)
So it looks that the server really needs to update its software and install support for more up to date ciphers.
Thanks to both of the helpful explanations. So it's not Firefox at fault, but the bank's software. That really is disgraceful that a UK bank, ultimately owned by Lloyds banking group, is potentially exposing customers bank accounts by using obsolete insecure cryptography. I supose my only resource is to complain and bring this to the attentiom of Intelligent Finance bank?
To cor-el, How does one disable security.ssl3.rsa_rc4_128_md5?
Type about:config in the Location Bar and hit Enter. accept the warning message
Paste security.ssl3.rsa_rc4_128_md5 in the Search field at the top.
Then double-click that one pref below where it says Preference Name - Status - Type - Value to toggle that pref to false. Then close / restart Firefox.
Thank you, the-edmeister. At least I now know the culprit is my bank's servers and not the Firefox update. How much risk, in reality, do people think I'm taking if I continue to login online to the bank with it's current encryption? I do need to access my accounts on a regular basis. I suppose using I.E. wouldn't be any more secure than using Firefox, just because I.E. hasn't yet identified the obsolete cryptography?
Firefox still uses the HTTPS protocol to connect to the server. Only the cipher suite that is used is no longer considered strong enough and that is why you won't see the padlock. As long as Firefox or you do not disable this cipher suite then you will still be able to connect to servers. All websites that use weak ciphers will have to update their software.
cor-el said
As long as Firefox or you do not disable this cipher suite then you will still be able to connect to servers. All websites that use weak ciphers will have to update their software.
So you think there's very little risk of any traffic between my computer and the Intelligent Finance website being read by anyone in transit, even with the server's weak encryption?
I've tried all of these recommendations and none of them help. I still get a triangle with an exclamation mark instead of a padlock. Here are some screenshots of the error::
http://www.silkblooms.co.uk/images/prototypes/ssl3.jpg http://www.silkblooms.co.uk/images/prototypes/ssl2.jpg http://www.silkblooms.co.uk/images/prototypes/ssl1.jpg
The SSL certificate is modern, up-to-date with the latest technology and I have no proxy settings in the tools>options>advanced>Network>connection>settings area (so it's not that).
Can anyone help me diagnose the issue on my own website in particular?
Thanks in advance for any help or advice you can offer.
@silkblooms, let's continue the discussion in the thread that you have created at https://support.mozilla.org/en-US/questions/1051000