Be able to login to bank

Discussions about the Application Boundaries Enforcer (ABE) module
User avatar
lakrsrool
Senior Member
Posts: 194
Joined: Wed Nov 12, 2014 4:20 pm

Be able to login to bank

Post by lakrsrool » Fri Mar 10, 2017 8:27 am

I get the following now (after a very long time of successful logins) when I try to log-in to Citibank:
Image
I have had this set in ABE for a long time and has worked:
[ screenshot hidden by moderator ]
and I have this in XSS:
Image
This has all worked before until now. To access bank I have to disable ABE for the time being.

What do I do now to get bank to work again in NoScript using ABE again?

The error is the same that used to work with the settings I had before displayed in the second and third images (since PM 27 problems, have no idea if the new PM build is contributing to the ABE problem now or not).

Sorry for the first image on end, can't figure out how to solve this (rotate image, even when it looked okay it posts in this manner). Also the Postimage program wouldn't work (failed to successfully post images using the new Postimage interface for some reason if thought everything appears fine), so I had to return to older program (fortunately that was still available to users). Oh and I would have posted in other related topic, but it has been locked.

I have to say this ABE and XSS stuff is far beyond the average user, hence my opinion is that average users simply have to turn off a lot of security that would otherwise benefit the average user as opposed to the ability to use the functions if they could be applied in a more understandable or shall we say user friendly interface as opposed to needing to know how to format obscure code to get it all to work.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.1.2

User avatar
therube
Ambassador
Posts: 7271
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Be able to login to bank

Post by therube » Fri Mar 10, 2017 11:36 am

What in the world is "start.me"?

Are you using some sort of extension, or is it something you "subscribe to", or?

(To me, sounds like something you want to get rid of.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/.4.46

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: Be able to login to bank

Post by barbaz » Fri Mar 10, 2017 3:09 pm

I hid the screenshot with your unobscured WAN IP. Forum staff see this - viewtopic.php?p=87095

Try changing your ABE rule to

Code: Select all

Site .online.citi.com
Accept from .citi.com
Deny INC
Accept from https://start.me/* .citi.com
Deny
Last edited by barbaz on Fri Mar 10, 2017 9:42 pm, edited 1 time in total.
Reason: fix ABE rule
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
lakrsrool
Senior Member
Posts: 194
Joined: Wed Nov 12, 2014 4:20 pm

Re: Be able to login to bank

Post by lakrsrool » Fri Mar 10, 2017 9:09 pm

Thanks barbaz for the reply, that ABE rule didn't help, still get the same result.

I've been using that start-page (start.me) for years with no problems and been able to use the same log-in page to Citibank as well.

therube, start.me is a start-page portal: https://about.start.me/p/3xxOD3/about-start-me

Btw, thanks barbaz for removing the image, for reference here is the ABE settings screen-shot with the IP redacted: Image
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.1.2

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: Be able to login to bank

Post by barbaz » Fri Mar 10, 2017 9:42 pm

Sorry, I forgot something. I'll fix it above.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
lakrsrool
Senior Member
Posts: 194
Joined: Wed Nov 12, 2014 4:20 pm

Re: Be able to login to bank

Post by lakrsrool » Fri Mar 10, 2017 10:07 pm

Thanks barbaz, that did the trick. :D

These are things that the average user just won't know about as far as logic and syntax of these rules it seems to me. It would be nice to have this available to users in a more understandable way.

Anyway, since I've been using the bank log-in and start-page for a very long time with the previous ABE setting, the issue must be related to the new PMv27 build apparently. The FF browser works fine with the very simple rule below:

Site citi.com
Accept from .citi.com .excite.com
Deny


And that is not only using start.me start-page but excite as well (which it was originally written for), so it seems the qualifier that is necessary for start-me in PM is not necessary in FF.

Thanks again. :D
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.1.2

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: Be able to login to bank

Post by barbaz » Fri Mar 10, 2017 10:16 pm

You're welcome! Image
lakrsrool wrote: The FF browser works fine with the very simple rule below:

Site citi.com
Accept from .citi.com .excite.com
Deny


And that is not only using start.me start-page but excite as well (which it was originally written for), so it seems the qualifier that is necessary for start-me in PM is not necessary in FF.
That's because, unlike your Pale Moon ABE rules, that one protects only "citi.com". None of its subdomains. But the site you're trying to protect is "online.citi.com". So actually, you'd either need to spell it out or add a leading dot. :)
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
lakrsrool
Senior Member
Posts: 194
Joined: Wed Nov 12, 2014 4:20 pm

Re: Be able to login to bank

Post by lakrsrool » Tue Mar 14, 2017 7:18 am

Now I've got NoScript ABE giving me problems with another bank, Union Bank and I need to know my balance and to pay bills at the time when I need to as we all do of course.

This forum for some reason is the only forum I know of that does not provide users with the ability to post images, so this is an additional problem.

And on that last point, when I go to Postimage.org I can't seem to upload images tonight, I noticed this message "Our DNS provider experienced a major outage, effectively shutting us
down for half the globe. They pinky swear this won't repeat. We're sorry, guys :\", so I guess I can't provide a screen-shot of the ABE problem (and I don't have time to look into another method of posting a screen-shot at this time).

So back to my current problem, I got two different errors from ABE (as I tried by trial and error what to do), the last of which was similar to the previous one with Citibank. Below is what applies to this new situation with Union bank (again similar to Citibank previously):

For Union bank I had this previously in ABE:
Site .sso.unionbank.com
Accept from .unionbank.com
Deny

So I tried the same as I had done before with Citibank as posted below:
Site .sso.unionbank.com
Accept from .sso.unionbank.com
Deny INC
Accept from https://start.me/* .sso.unionbank.com
Deny

But I still get the same error, thus cannot use ABE at all since the user can only enable or disable ABE and there is no way to do a SIMPLE WHITELIST of a WEBSITE ADDRESS in ABE but instead this completely obscure, esoteric code has to be used that the AVERAGE user would have no idea what it means.

The Internet is very commonly used to access bank accounts, in fact in my case this is one of the major reasons I use the Internet at all....

MY QUESTION IS WHY IN THE WORLD CAN'T NOSCRIPT take the approach to SIMPLY provide the user with a way to WHITELIST A WEBSITE IN ABE which in this case would of course simply be something like "https://sso.unionbank.com...."

What average user would really ever want to use ABE at all not having any concept in general what to do to access their respective bank accounts when something like this occurs. All security apps generally provide a "whitelist" functionality where a website address is added to the list as an exception that is to be ignored (skipped). This idea of requiring a code that an average user should not have to try and comprehend is something that is clearly an unreasonable requirement that should be changed, imho. Average users understand URL's and I can't see any reason why the way ABE functions could not be more user friendly by applying a more INTUITIVE APPROACH.... When I used to write code it would never work to require non-tech-savvy users (average users) to need to know what to do at this level to get some security app to work.

What average user is going to know to enter the following to get ABE to ignore a website so that it will work in the users browser?
Site .sso.unionbank.com
Accept from .sso.unionbank.com
Deny INC
Accept from https://start.me/* .sso.unionbank.com
Deny

And of course, in this case it still does not work so I'm unable to log-in to do anything with the Union Bank Website without disabling ABE altogether for all sites.

It seems to me a simple straight forward approach would simply to code NoScript in a way that a website address i.e. "unionbank.com" when added to a "whitelist" database ABE would simply ignore the site (any additional security measures, code wise) and thus not block it which could be implemented by providing user prompts i.e. to "Deny Inclusions" (whatever that is) or to "Deny" all other access which would then build the code at a level simple enough to minimally get the job done. For those who understand the code above NoScript (ABE or SSL or whatever) could always have the option provided to the user to manually enter the exceptions for a more detailed or precise application of the exception.

I tend to think a lot of NoScript users would simply end up not using (disable) ABE and possibly SSL as well for these reasons.... I'm totally confident that code could easily be programed to write exceptions (as illustrated above) in background (behind the scenes) simply by the user entering key information (written in English prompts that the user understands) to automate the code to implement the necessary exceptions to allow access to websites which I would point out would in many cases be a website that the user would have been always using for years and would therefore be considered presumably safe in the first place anyway. Security should not be so overbearing to make it in many cases nearly impossible for the average user to apply and I know this could be done by interfacing with the user via appropriate user friendly prompts to apply the exceptions code (and not at all difficult to do), but then that's just me.... :D

But I digress, so I'll get of my soapbox.... ;)

Any ideas on what do to get the Union Bank website to allow me to log-in would be once again appreciated. (in the meantime I'm forced to once again disable ABE unfortunately, I would certainly like to be able to use these security functions in NoScript without all of the problems of course)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.1.2

User avatar
lakrsrool
Senior Member
Posts: 194
Joined: Wed Nov 12, 2014 4:20 pm

Re: Be able to login to bank

Post by lakrsrool » Tue Mar 14, 2017 8:26 am

Solved, I had left the old code:
Site .sso.unionbank.com
Accept from .unionbank.com
Deny

Ahead of the new code:
Site .sso.unionbank.com
Accept from .sso.unionbank.com
Deny INC
Accept from https://start.me/* .sso.unionbank.com
Deny

By placing the new code in the order above the old code the problem is resolved (via the new code) posted here.

I would still like to know however why NoScript doesn't consider the approach of building required "rule sets" like this by issuing user prompts to enter the necessary parameters to create the entire "rule set" via either a combination of URL extraction and more to the point concatenating this information in a manner to create the rule sets illustrated above?

Such as, in a case like this I would prompt the user with the question: "Would you like to override ABE for this website"? "Y or N", in which case a "Y" would then extract the ".sso.union.bank" from the URL and build the necessary ABE "rule set" for this website posted above by concatenating the remaining syntax of the "rule set" posted above. Keeping in mind that the user could be prompted with additional questions if necessary for other elements of the "rule set" posted above in a step-by-step fashion if required to create a functional "rule set". Using this approach the syntax of the "rule set" would be applied behind the scenes hence not requiring the user to know all of the ends-and-outs of an obscure "rule set" syntax generally unknown to the average user.

Makes sense to me and clearly not a difficult task really. If a prompt is necessary to actually know what part of the URL to be used by simply entering a string text this could be prompted from the user to create the "rule set" even if it involved a certain level of "trial and error" on the part of the user. This wouldn't be any different than the level of "trail and error" that already inherently exists for non-experienced users and would be profoundly more user friendly by using this approach as opposed to requiring from the user every abstract element of the "rule set" from top-to-bottom. :idea:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.1.2

User avatar
lakrsrool
Senior Member
Posts: 194
Joined: Wed Nov 12, 2014 4:20 pm

Re: Be able to login to bank

Post by lakrsrool » Tue Mar 14, 2017 9:24 am

Okay, spoke too soon. I was able to get past the User ID, but ABE failed on PWD.

After entering the following:
Site .sso.unionbank.com
Accept from .sso.unionbank.com
Deny INC
Accept from https://bankingsso.unionbank.com/* .sso.unionbank.com
Deny

Site .bankingsso.unionbank.com
Accept from .bankingsso.unionbank.com
Deny INC
Accept from https://sso.unionbank.com/* .bankingsso.unionbank.com
Deny

I was able to get past the PWD, but still no access to the account. (note: two different ABE errors, the second of which was four lines long which required the second rule set).

Okay, now even though I can get past both UID and PWD and I have allowed ALL Noscript requests as well, I am unable to get into my account (never ending process circle spinning is all I get), but if I DISABLE NoScript altogether then I have no problems with the website.

So it appears the NoScript application is causing something to block my access even though I've allowed everything as far as NoScript site requests (nothing blocked).

I'll post this in NoScript board: Union Bank blocked by NoScript, since it appears to be a NoScript issue as opposed to specifically ABE.

In the meantime, anyone have any opinions on my far more user friendly suggestion as to how to interface ABE with the user?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.9) Gecko/20100101 Goanna/3.0 Firefox/45.9 PaleMoon/27.1.2

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: Be able to login to bank

Post by barbaz » Tue Mar 14, 2017 5:44 pm

There are reasons ABE doesn't have a user-friendly way of adding exceptions - viewtopic.php?p=86801#p86801

Thrawn was working on an addon to provide a user-friendly interface to ABE, but that side of Thrawn's addon was mostly dropped in favor of µMatrix. See the discussion starting here viewtopic.php?p=79861#p79861 for the details.
*Always* check the changelogs BEFORE updating that important software!
-

fatboy
Junior Member
Posts: 45
Joined: Fri Jul 25, 2014 6:56 am
Contact:

Re: Be able to login to bank

Post by fatboy » Tue Mar 14, 2017 6:46 pm

@barbaz

If in your rule to replace citi.com -> start.me and try to link from the fourth message, then it will fail.

Code: Select all

Site https://about.start.me/p/3xxOD3/about-start-me
Accept from .start.me
Deny INC
Accept from https://start.me/* .example.com #not forums.informaction.com
Deny
That is, it won't be possible to go to online.citi.com from other page.
Why not use:

Code: Select all

Site ^https://online\.citi\.com/US/login
Accept GET POST from SELF
Deny
#
Site https://online.citi.com/US/JRS/portal/index.do
Accept from .citi.com
Accept GET from ^https://start\.me/\S+/my-start-page
Deny
#
Site .online.citi.com
Accept POST SUB from SELF+
Deny SUB
Accept GET
Deny
I apologize if I misunderstood, and that the specific problem of new versions of NS, or specific problem of PaleMoon.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 SM/2.38 NS/2.9.0.12

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: Be able to login to bank

Post by barbaz » Tue Mar 14, 2017 7:05 pm

Because CSRF can also happen by a redirection or clicking a link.
*Always* check the changelogs BEFORE updating that important software!
-

fatboy
Junior Member
Posts: 45
Joined: Fri Jul 25, 2014 6:56 am
Contact:

Re: Be able to login to bank

Post by fatboy » Tue Mar 14, 2017 7:43 pm

Means the rules specified in https://noscript.net/abe/ make a sense, only if the user isn't logged in in bank.com yet.
And when opening the bank.com page it is necessary to switch rules to others:
Site .bank.com
Accept from .bank.com
Deny
Site ALL
Deny
… and not to open other tabs?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 SM/2.38 NS/2.9.0.12

barbaz
Senior Member
Posts: 8871
Joined: Sat Aug 03, 2013 5:45 pm

Re: Be able to login to bank

Post by barbaz » Tue Mar 14, 2017 8:14 pm

fatboy wrote:Means the rules specified in https://noscript.net/abe/ make a sense, only if the user isn't logged in in bank.com yet.
While those rules might be useful for protecting a bank, they aren't designed for that per se.
fatboy wrote:And when opening the bank.com page it is necessary to switch rules to others:
Site .bank.com
Accept from .bank.com
Deny
Site ALL
Deny
… and not to open other tabs?
That would be overkill. It's fine to have other tabs open because ABE will block any unwanted redirections. And as far as I know, there is no real reason not to allow clicking links to bank.com on specific trusted HTTPS sites (like start.me in lakrsrool's rules).

Plus something that restrictive could interfere with the bank site's normal operations.

lakrsrool's latest ABE rules should be fine, shouldn't they?
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply