SOLVED - Problems using No Script with Bank of America site

Ask for help about NoScript, no registration needed to post
barbaz
Senior Member
Posts: 9268
Joined: Sat Aug 03, 2013 5:45 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by barbaz » Fri Sep 04, 2015 8:42 pm

therube wrote:
SPAM filter

Just what types of things are you trying to post that are causing the SPAM filter to hit?
Am I exempt?
Does it happen if you use [code] tags in your post?

@therube (& everyone else on forum staff, too): viewtopic.php?f=22&t=21227

@lakrsrool: Next time you hit the spam filter, can you please send the entire text of the spam-blocked post to me in PM? Thanks.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Fri Sep 04, 2015 11:39 pm

therube wrote:(I'm jumping in the middle... again...)

https://www.excite.com


https: does not look to be valid.
http: is.

But why in the world would you "trust" Excite?

Further I'm not following why Excite (or Bing) have any bearing at all, much less why anything from either of them would be needed?

Let me say that again:
Further I'm not following why Excite (or Bing) have any bearing at all, much less why anything from either of them would be needed?


And to "trust" Excite, in any shape or form!?


I've heard all this so many times before from a lot of "security conscious" people and have been using the Excite start page for some around 20+ years now without any issues. Fact is there just isn't any start-page that I'm aware of that is as easy to use and that has as much flexibility regarding formatting the page without having to paying for it.

When I'm using Firefox I have the add-ons NoScript, Disconnect, ABP, Avast Internet Security all blocking various levels of security concerns.

When I'm using Chrome I have the add-ons Ublock, Scriptsafe, Disconnect, Addblock add blocker and APB for the same thing.

The way I see it, If I haven't had any problems after 20+ years I'm not going to be that concerned. ;)

As to why either Excite or Bing is involved, you got me, but I'll post a reply to your other question about other search engines and they behave in the same exact manner.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

barbaz
Senior Member
Posts: 9268
Joined: Sat Aug 03, 2013 5:45 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by barbaz » Sat Sep 05, 2015 1:15 am

lakrsrool wrote:When I'm using Firefox I have the add-ons NoScript, Disconnect, ABP, Avast Internet Security all blocking various levels of security concerns.

(emphasis mine)
Er.. ABP since version 2.6 is not a reliable request blocker, as it will not block things while it's loading filters. You'll mostly notice that on browser startup but it could happen any time.
Now ABP is still a great reference and annoyance removal tool.. but its unreliability at blocking requests makes it completely unusable for any security purpose anymore. You really should look to something else for security (I personally recommend Policeman for Firefox, but it requires a little configuration to not be detectable to webpages - see viewtopic.php?f=19&t=20189).
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Sat Sep 05, 2015 1:27 am

therube wrote:Do you need to do the same if you start from a Google search?
(NoScript by default should be neutering all the crap Google adds to its search links.)

https://www.google.com/search?q=https%3A%2F%2Fsso.unionbank.com%2Fobc%2Fforms%2Flogin.fcc&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a

(First link looks to be the wanted one.)


OK this is what I've done, I've clicked on link you have posted here and I get a google search page listing various Union Bank links. The first link just as you suggested is a login page for the bank.

If I then click on that link (first in the Google search page just as you've suggest is the case) I get the same thing I get from Excite or the Bing search, that is ABE blocks the link with a similar banner message.

To be specific this is what I get see below:

ABE shows this clicking on the link you posted: "Request {GET https://sso.unionbank.com/obc/forms/login.fcc <<< [url]https://www.google.com/search?q=https%3A%2F%sFsso.unionbank.com%2Fobc%2forms%2Flogin.fcc&ie=utf-&oe=utf-8&aq>t&rls=org.mozilla:en-us:unofficial&client=seamonky-a-6}[/url] filtered by ABE:<sso.unionbank.com> Deny"

I've also got Firefox setup so that I've got the option in my Search bar to request a "Google Search" and I get the same thing as well doing the search this way. I am getting the google search page using either method as you know. Of course the ABE message will be different depending if I use the link you've provided or if I'm using the link I get in my own Google Search in my Firefox Browser (see below for more details).

ABE show this in the case of using the "Google Search" in my Firefox browser: "Request {GET https://sso.unionbank.com/obc/forms/login.fcc <<< https://sso.unionbank.com/obc/forms/login.fcc,%20https://www.google.com/search?q=union+bbank+login&ie=utf-8-6} filtered by ABE:<sso.unionbank.com> Deny"

The bottom line is that in ANY CASE, I'm using this SAME URL: https://sso.unionbank.com/obc/forms/login.fcc to login to Union Bank no matter which method I do the "Google Search".

Here is a LINK on the web that describes this specific URL as the "UNION BANK SECURE LOGIN PAGE" see THIS LINK. You will see that this "Union Bank Login Instruction Page" refers to the URL: https://sso.unionbank.com/obc/forms/login.fcc as the appropriate login URL to use to login to Union Bank.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Sat Sep 05, 2015 1:42 am

barbaz wrote:
lakrsrool wrote:When I'm using Firefox I have the add-ons NoScript, Disconnect, ABP, Avast Internet Security all blocking various levels of security concerns.

(emphasis mine)
Er.. ABP since version 2.6 is not a reliable request blocker, as it will not block things while it's loading filters. You'll mostly notice that on browser startup but it could happen any time.
Now ABP is still a great reference and annoyance removal tool.. but its unreliability at blocking requests makes it completely unusable for any security purpose anymore. You really should look to something else for security (I personally recommend Policeman for Firefox, but it requires a little configuration to not be detectable to webpages - see viewtopic.php?f=19&t=20189).


I didn't mean to suggest that ABP is providing me with "state of the art" security. I'm aware of what you've said and actually wasn't going to include APB, but did anyway.

I've tried the "Policeman" add-on and from what I could tell I found it to be more or less redundant to NoScript and as such using this add-on along with NoScript ends up doubling up all the hassles that already exist using NoScript as to making websites as safe as possible but still usable. I've still got the add-on actually but after checking it out have had it disabled for some time.

Are you saying that the "Policeman" add-on will provide additional security beyond what NoScript provides?

Hmmm, the "I" has already :? been added.
Last edited by lakrsrool on Sat Sep 05, 2015 3:47 am, edited 2 times in total.
-

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Sat Sep 05, 2015 1:47 am

therube wrote:
they could at least not wipe out the entire post to help the user out in that way

That's actually a separate issue, having to do with https: usage on this board, AFAIK.

PS: At times when I know the possibility exists that I'll be crapped on, I'll make a copy of my work (post) prior to hitting a Submit button. (I believe there may be extensions that do similar, automatically.)


SPAM filter

Just what types of things are you trying to post that are causing the SPAM filter to hit?
Am I exempt?
Does it happen if you use [code] tags in your post?


Yes there is an add-on for this "Form History Control", which works pretty well. It's just that it gets old for this to happen all the time.

I just got another one and I could not see anything in the post that would cause a SPAM filter getting triggered. I've PM'd the post to barbaz as requested.

I will say it will occur on a regular basis if more than a couple of color tags are used. But I will also have this happen without any color tags as well which was the case in the post I just sent to barbaz.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

barbaz
Senior Member
Posts: 9268
Joined: Sat Aug 03, 2013 5:45 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by barbaz » Sat Sep 05, 2015 1:48 am

Policeman provides similar functionality to NoScript's ABE but it's MUCH more usable. Its default configuration is as you have found out quite restrictive but it's easy enough to disable the restrictive part and just implement own rulesets, use it like a domain blacklist.

If Policeman doesn't work out for you for whatever reason, try µMatrix?
(re: µMatrix, you might find my write-up @ viewtopic.php?f=18&t=20815 useful)
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Sat Sep 05, 2015 1:56 am

therube wrote:
the 192.168 address

Should not be [WAN} routable, no?

Is this your A/V (again) playing into the picture?

I somehow managed to misread the end of the ABE error message

(And I didn't read it at all ;-).)


What type of internet connection do you have?
DSL? Cable? Satellite?
Who is your ISP?


Nope it's not my AV.

I'm using an AT&T U-verse Wireless LAN Network connection: attlocal.net, Broadcom 4313 802.11b/g/n
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Sat Sep 05, 2015 1:59 am

barbaz wrote:
therube wrote:
SPAM filter

Just what types of things are you trying to post that are causing the SPAM filter to hit?
Am I exempt?
Does it happen if you use [code] tags in your post?

@therube (& everyone else on forum staff, too): viewtopic.php?f=22&t=21227

@lakrsrool: Next time you hit the spam filter, can you please send the entire text of the spam-blocked post to me in PM? Thanks.


Clicking on your forum link I get "You are not authorised to read this forum." message.

I've sent a PM to you with the most recent post that triggered the SPAM filter for from what I can see no apparent reason.

I will say that all I have to do to have this occur on a regular basis is post more than a couple of color tags, REALLY!!!

barbaz, I do appreciate you're looking into this. Can you tell me what was wrong with the post I PM'd you?

Also could be be so kind as to post what I PM'd you as well, THANKS!!! :D
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Sat Sep 05, 2015 2:28 am

barbaz wrote:Policeman provides similar functionality to NoScript's ABE but it's MUCH more usable. Its default configuration is as you have found out quite restrictive but it's easy enough to disable the restrictive part and just implement own rulesets, use it like a domain blacklist.

If Policeman doesn't work out for you for whatever reason, try µMatrix?
(re: µMatrix, you might find my write-up @ viewtopic.php?f=18&t=20815 useful)


I've been using µMatrix on Chrome for some time (because NoScript is not available on Chrome) and figured it wouldn't be necessary with NoScript in Firefox.

I'll take a look at your write-up, thanks for posting it.

So you feel that NoScript misses some levels of security that µMatrix would cover? (personally I find myself plenty busy enough just adjusting when needed using NoScript actually)

Addendum: I just launched Chrome (I don't use Chrome much at all, typically ONLY use Firefox) and found µMatrix disabled due to an upgrade and enable it again. I'll have to look into the upgrade when I've got the time. (I don't find µMatrix as intuitive as NoScript)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Sat Sep 05, 2015 2:47 am

barbaz, In regards to my reply to your original comment that you had to post for me because of the SPAM filter on this forum; I found a typo (actually missing the one letter "I" in this sentence "I've tried the "Policeman" add-on and from what I could tell I found it to be more or less redundant to NoScript... " and tried to just correct the post by adding the one character.

But I've found that I can't even add that one letter "I" because I get the "Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry." Notice however I WAS able to bold and color tag the letter "I" (above). ;)

Let me know why there is apparently a problem with any reply at all to your post. :?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

barbaz
Senior Member
Posts: 9268
Joined: Sat Aug 03, 2013 5:45 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by barbaz » Sat Sep 05, 2015 3:48 am

lakrsrool wrote:So you feel that NoScript misses some levels of security that µMatrix would cover?

Short answer: in a way, yes. Basically the only way in which they overlap is script blocking, but aside that they cover completely different scopes, thus work well side-by-side. See my other post for more details.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool » Sat Sep 05, 2015 10:14 am

barbaz wrote:
lakrsrool wrote:So you feel that NoScript misses some levels of security that µMatrix would cover?

Short answer: in a way, yes. Basically the only way in which they overlap is script blocking, but aside that they cover completely different scopes, thus work well side-by-side. See my other post for more details.


I didn't even know that µMatrix was even available on Firefox actually (the last I knew it was only available on Chrome). As I said, I have been using it on Chrome (just because NoScript is not available there) and of course I was also using µBlock as well on Chrome (use Chrome rarely, but wanted the security when I do).

I've always preferred µBlock over ABP in Chrome, µBlock just seems to work a lot better in Chrome than ABP does. But again when I had added both of these add-ons to Chrome it seems to me that both µMatrix or µBlock were not available for Firefox at that time.

Now that I've found out that they are available on Firefox I've added both to my Firefox browser (the browser I prefer).

So do you know when these add-ons become available on Firefox?

Just doing a little testing, I'm inclined to consider using both NoScript and µMatrix together for now and maybe permanently. But I have to say I still like how ABP works in Firefox in tandem with the "Element Hiding Helper" for APB (and I also have the APB Popup add-on for good measure) as opposed to how µBlock is working so far which is not blocking in the manner I'd prefer. I'm thinking along with the Disconnect add-on I already use which creates mostly overlap between all of my APB add-ons plus Disconnect compared to µBlock I'm inclined to just stay with the former add-ons as opposed to using µBlock in Firefox. I've notice that µBlock is essentially blocking the same as what Disconnect has already been blocking for me and between the two I like the way Disconnect tracks blocking. (Chome is a different story however, for one thing the Disconnect add-on, which I like, is not available in Chrome and neither is the APB "Element Hiding helper" or the ABP "Popup" add-on, so for Chrome I like using µBlock)

One thing I'm wondering about however is how much NoScript is actually needed with µMatrix installed on Firefox. I know you've mentioned that other than "script blocking" these two add-ons "cover completely different scopes". That said, click HERE :uMatrix & uBlock to Replace NoScript for a commentary on this topic.

It would appear based on the commentary I've linked above that µMatrix provides most if not all that NoScript provides in security or would you say that some aspects of NoScript have been overlooked in that commentary that is not included in µMatrix?

I'm curious how ascendancy works and happens to be specifically handled between NoScript and µMatrix when using them together in regards to an identical script or site, i.e. in the case where NoScript is blocking a specific script or site but µMatrix is not blocking that same script or site and visa versa then what exactly is the outcome. I'm assuming that if a specific script or site is blocked by either of the two add-ons then that specific script or site will be blocked regardless if either NoScript or µMatrix might be allowing that same specific script or site. Is this how you see it? In other words the scenario is that there is an "either" and not "both" outcome regarding "blocking", but on the other hand "both" and not "either" regarding "allowing" so to speak. To put it in Boolean terms "blocking" would be based on an "OR" operator (only one or the other required) and on the other hand "allowing" would be based on an "AND" operator (both required).

Again, am I interpreting this correctly as to how these two two add-ons (NoScript and µMatrix) would be working together?

OFF-TOPIC FYI: I've mentioned how I favor the Firefox browser, well I'm not sure how long that will last if Mozilla sticks with their plans. We're you aware of this:

1) As of Firefox 40, any add-ons that have not been signed by Mozilla generate a warning. You can still continue using the add-ons however.
2) As of Firefox 41 you will not get a warning and any unsigned add-ons will be blocked. There is supposed to be a (hidden) preference to still allow these add-ons, presumably in the "About:config" for Firefox (the setting they currently have now actually).
3) As of Firefox 42, any unsigned add-ons cannot be used in the standard release (and beta) builds of Firefox. Full stop.

I'm thinking I may not want to upgrade beyond either 40 or 41 and certainly not upgrade to 42. And of course if this is the case I'm probably going to have to consider using something else for my primary browser. I'm already getting warnings for two of my add-ons (and neither is going to be getting signed by Mozilla as both are not listed directly in Mozilla as available Firefox add-ons one of which unfortunately I can't replace).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

barbaz
Senior Member
Posts: 9268
Joined: Sat Aug 03, 2013 5:45 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by barbaz » Sat Sep 05, 2015 4:04 pm

lakrsrool wrote:So do you know when these add-ons become available on Firefox?

No, sorry.

lakrsrool wrote:It would appear based on the commentary I've linked above that µMatrix provides most if not all that NoScript provides in security or would you say that some aspects of NoScript have been overlooked in that commentary that is not included in µMatrix?

µMatrix doesn't have an XSS filter, nor easy equivalent of the default ABE ruleset, nor inclusion type checking, nor ClearClick, nor scriptless key sniffer detection, nor...
(Well, as far as I know anyway.)

lakrsrool wrote:I'm assuming that if a specific script or site is blocked by either of the two add-ons then that specific script or site will be blocked regardless if either NoScript or µMatrix might be allowing that same specific script or site.

Correct.

lakrsrool wrote:OFF-TOPIC FYI:

I know all that, it's a small part of the reason why I using SeaMonkey ;)
Oh, and PaleMoon is a nice browser too but I don't currently use it much. My setup for it somehow got really outdated and I haven't had the chance to port over my addons to the newer PaleMoon.. :?
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
therube
Ambassador
Posts: 7461
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: SOLVED - Problems using No Script with Bank of America s

Post by therube » Tue Sep 22, 2015 4:36 pm

> "*no hangs".

So today i notice a slight (second or so) delay, after signing in, after my account page has displayed - before I can interact with the page (which would typically entail opening each account in a new tab).

Now that is new, wasn't there yesterday, or even since their login page change.

No changes on my end to account for that.

So that has persisted for me & generally has been bugging me.

So tried to figure just what domains may or may not be needed & setting these a Untrusted seems to avert the hang:

-streak.bankofamerica.com
-pane.bankofamerica.com

I may have noticed another, "sofa" something or the other, so perhaps -sofa.bankofamerica.com, but haven't caught it after my first notice, so that may end up on my list too.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 SeaMonkey/2.35

Post Reply