SOLVED - Problems using No Script with Bank of America site

[barbaz]

@lakrsrool:
1) I don't understand why you would get ABE warning for that - can you do a reverse DNS lookup of sso.unionbank.com & post the results here? Command Prompt, type

Code: Select all

nslookup sso.unionbank.com

2) You don't need multiple Accept lines - it's more efficient if you put it all on one line, each different entry separated by a single whitespace:

Code: Select all

Accept from .unionbank.com .excite.com

[lakrsrool]

@lakrsrool:
1) I don't understand why you would get ABE warning for that - can you do a reverse DNS lookup of sso.unionbank.com & post the results here? Command Prompt, type

Code: Select all

nslookup sso.unionbank.com

2) You don't need multiple Accept lines - it's more efficient if you put it all on one line, each different entry separated by a single whitespace:

Code: Select all

Accept from .unionbank.com .excite.com

Here's the DNS look up you requested:

Code: Select all

C:\Users\user>nslookup sso.unionbank.com
Server:  homeportal
Address:  192.168.1.254

Non-authoritative answer:
Name:    sso.extn.unionbank.com
Address:  204.138.240.91
Aliases:  sso.unionbank.com

Let me explain:

I don't need this ABE setting if I login using a login link off of say a web-search for the bank login page and just click on the login link from there.

But I DO need this ABE setting if I use that same link incorporated into the "Excite.com" start-page. The Start-page provides the user the opportunity to create links on the Start-page by adding the same login link used on the web to the start-page and giving it an appropriate name-tag so that all commonly used links can be grouped by category according to the users preferences which to a large extent simplifies the navigating all commonly used URL links.

For some reason regardless that the URL link is the same that works WITHOUT the need of the ABE setting if that same URL link is NOT part of the Excite start-page but on the other hand that same URL link started from the Excite start-page DOES need the ABE setting. I know it doesn't really make any sense as "Excite" only serves as the vehicle to allow the user to access the Bank URL link that loads the bank login webpage, but I simply cannot get to the login page because ABE blocks it with the message that I posted on the previous page if I don't include the entry in ABE that I did.

I've formatted the ABE entry as you suggested, all on one line. Thanks for the tip.

ADDENDUM: Read the follow-up two posts down

[lakrsrool]

Apparently ABE works independently so to speak from the NoScript "allowed" settings as I've already got NoScript for ".excite.com" set to "Allow" regarding my start-page.

Yes, they're completely unrelated. Theoretically ABE could be a stand-alone application.

Hopefully doing this does not open up another "security hole".

It should be OK if you trust excite.com. I would probably restrict it, though, to 'Accept from https://www.excite.com', instead of the wildcard.

That certainly seemed like a good idea and I WOULD feel much safer using your suggestion, that is to 'Accept from https://www.excite.com', instead of the wildcard. I was certainly hoping this would work in order to provide more security.....

But it didn't work , I get the same ABE warning that completely blocks the login page the same as if I didn't have the ABE entry at all if I do this which is displayed as it did before in the top banner: "Request {GET https://sso.unionbank.com/obc/forms/login.fcc <<<https://www.excite.com/-6} filtered by ABE: <.sso.unionbank.com> Deny". Pressing "Options" as always takes me to the ABE setting and if I remove the "https://www" then when I click on the Union bank login link it works just fine.

Another oddity if you ask me, why ".excite.com" in ABE works but "https://www.excite.com" doesn't is beyond me. I'm of course open to any ideas!

[lakrsrool]

barbaz, HERE'S A FOLLOWUP:

What I'm finding is that the same link I have in the Excite web page that needs that ABE entry will work just fine just adding the URL to the address bar.

I can right/click on the Excite page link and copy this website address: https://sso.unionbank.com/obc/forms/login.fcc and paste it to the address bar and no problem. But if I click on this SAME link in the Excite start-page then I need the ABE entry.

Also I've found that there are other links that can be found just doing a search for the banks login page that ALSO will not work unless I add something NEW to ABE.

Here's two examples:

1) The one we already know about: https://sso.unionbank.com/obc/forms/login.fcc will get this ABE error used in Excite: Request {GET https://sso.unionbank.com/obc/forms/login.fcc <<<https://www.excite.com/-6} filtered by ABE: <.sso.unionbank.com> Deny

The above needs ".excite.com" in ABE

2) Here is another bank login off a bing web search: https://sso.unionbank.com/obc/forms/log ... ser_type=R that IF I click on the link in the SEARCH results I will get this error in ABE: Request {GET https://sso.unionbank.com/obc/forms/log ... ser_type=R<<<https://www.bing.com/search?q=union+ban ... rmMOZSBR-6} filtered by ABE: <.sso.unionbank.com> Deny

If I add ".bing.com" to ABE for #2 above then I can click on the link off the web search and login without any problem. And if I copy the link instead and paste it to the address bar (the same as the Excite link) then the URL will work without any problem.

3) And here's another bank login off a bing search: https://www.bing.com/search?q=union+ban ... orm=MOZSBR where if I click on the link in the SEARCH results I will get this error in ABE: Request {GET https://sso.unionbank.com/obc/forms/log ... ser_type=R<<<https://www.bing.com/search?q=union+ban ... rmMOZSBR-6} filtered by ABE: <.sso.unionbank.com> Deny

And as is the case in example 2, if I add ".bing.com" to ABE for this example 3 as well then I can click on the link off the web search and login with no problem. And as usual pasting this same address to the browser address directly will work fine.

AND, it's interesting to note as well that I did find one link off the bank login search list that will actually work without any need to add something to ABE.

[Thrawn]

why ".excite.com" in ABE works but "https://www.excite.com" doesn't is beyond me.

What about

Code: Select all

https://www.excite.com/*

?

[lakrsrool]

why ".excite.com" in ABE works but "https://www.excite.com" doesn't is beyond me.

What about

Code: Select all

https://www.excite.com/*

?

Nope, doesn't work either.

Take a look at the post above yours and see if you can make any sense out of the fact that different links off the web will either need all together different ABE entries specific to the URL but ONLY if you click on the link itself (left-click) to load the website. If you actually COPY the link and paste it to address bar the same URL that can't get past ABE if clicked on works just fine launched from the browser address bar after pasting the very same link to the address bar that fails when clicked from the search listing of the website.

And then I did find one link off the search that actually has no problem at all and is not blocked by ABE when clicked on.

I've been posting a number of times on that entry just trying to get past the SPAM filter wiping out my entire entry. That REALLY needs to be addressed!!!! Seriously.

[barbaz]

Re: clicking vs copy-pasting - all as expected. ABE can't distinguish between a click & an automatic redirect, so as far as it's concerned both are coming from the page. When you copy+paste however, the origin becomes chrome://browser/content/browser.xul meaning the browser, so ABE lets it through.

So I'm puzzled about one thing, is the 192.168 address in the DNS lookup your DNS server or an IP address for the domain I requested a lookup for?

EDIT About the spam filter, I have brought up your difficulties in the Mods only forum, since you seem to be having more trouble with it than any other legitimate user here AFAIK.

[lakrsrool]

So I'm puzzled about one thing, is the 192.168 address in the DNS lookup your DNS server or an IP address for the domain I requested a lookup for?

It is not my IP, so it must be the IP address for the domain you requested presumably.

Addendum: As to the SPAM filter, if they want to keep it so restrictive they could at least not wipe out the entire post to help the user out in that way.

[barbaz]

Looks like you've got a misconfigured DNS then, it's resolving that domain to a private IP address *and* a public IP address, and ABE isn't taking chances... the solution is not then to write an ABE exception but to fix the DNS misconfiguration.

[lakrsrool]

Looks like you've got a misconfigured DNS then, it's resolving that domain to a private IP address *and* a public IP address, and ABE isn't taking chances... the solution is not then to write an ABE exception but to fix the DNS misconfiguration.

It seems to me if what you're saying is true then if I removed the ABE entry for this site I would not be able to successfully reach the website at all with any link. But the fact is, if I remove the ABE setting for this bank website I have no problem reaching the website by clicking on any one of the links that on the other hand fail WITH the ABE setting. Would you agree?

Also shouldn't flushing DNS resolve this issue? I ask, because I've done this.

[barbaz]

OMG. Sorry, I somehow managed to misread the end of the ABE error message as saying "<local> Deny" and I thus assumed that the SYSTEM rule was what's giving you problems

Ignore everything I've said about DNS etc. The reason for the ABE rule is that a malicious site (or a site being used) can take advantage of the fact that you're logged in to make fake requests to the bank site to perform transactions with your account and such, or XSS the bank site by altering the link (possibly behind your back). It's really better if you copy&paste the links in a situation like this, then you have a chance to vet them and (barring unicode look-alike domains) you can be reasonably sure it's the link you expect.
So yes if you want to click links to the bank, you should manually add exceptions for sites you trust not only to not exploit your bank, but also trust to be secure enough that they won't themselves get exploited and be a kind of middleman for such an attack on your bank site.

[therube]

(I'm jumping in the middle... again...)

https://www.excite.com

https: does not look to be valid.
http: is.

But why in the world would you "trust" Excite?

Further I'm not following why Excite (or Bing) have any bearing at all, much less why anything from either of them would be needed?

Let me say that again:

Further I'm not following why Excite (or Bing) have any bearing at all, much less why anything from either of them would be needed?

And to "trust" Excite, in any shape or form!?

[therube]

Do you need to do the same if you start from a Google search?
(NoScript by default should be neutering all the crap Google adds to its search links.)

https://www.google.com/search?q=https%3A%2F%2Fsso.unionbank.com%2Fobc%2Fforms%2Flogin.fcc&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a

(First link looks to be the wanted one.)

[therube]

they could at least not wipe out the entire post to help the user out in that way

That's actually a separate issue, having to do with https: usage on this board, AFAIK.

PS: At times when I know the possibility exists that I'll be crapped on, I'll make a copy of my work (post) prior to hitting a Submit button. (I believe there may be extensions that do similar, automatically.)

SPAM filter

Just what types of things are you trying to post that are causing the SPAM filter to hit?
Am I exempt?
Does it happen if you use

Code: Select all

 tags in your post?

[therube]

the 192.168 address

Should not be [WAN} routable, no?

Is this your A/V (again) playing into the picture?

I somehow managed to misread the end of the ABE error message

(And I didn't read it at all .)


What type of internet connection do you have?
DSL? Cable? Satellite?
Who is your ISP?