InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

ssl.G-A.com required by large quasi-bank login page

https://forums.informaction.com/viewtopic.php?t=20228

Page 1 of 1

ssl.G-A.com required by large quasi-bank login page

Posted: Mon Oct 27, 2014 1:38 am
by HologramImage
So http://www.globalcashcard.com has its login page http://cardholder.globalcashcard.com use ssl.google-analytics.com for user login. This Corp isn't a bank so it doesn't have to follow banking laws and can be fast and loose with privacy. Oddly, the NoScript menu shows the blocked ssl.google-analytics.com for just a second, and then it is erased from the user's attention completely. (This 1 second appearance and erasure in the NoScript menu happens on many blocked sub-sites across the interwebs.) Since that erasure occurs from the NoScript menu, it was very difficult for me to find out WTF I couldn't login, and they froze my login account. I called them and got it reset, and then noticed the use of the ssl site by them. I read through your faq, and it appears that if I want google to be my banking privacy protector on the globalcashcard login, I can allow them on that site by this ABE script:

# ssl.google-analytics.com rule
Site https://ssl.google-analytics.com
# the above is shortcut for ssl.google-analytics.com, not *.google-analytics.com
Accept from https://cardholder.globalcashcard.com/
Deny

If I have understood your example in your handy faq. Thank you for that example. It would be nice/great if there was a work-around so as to not use the ssl variant of google analytics. But perhaps goog is creating their ssl sub-site to more forcefully require users to be tracked by goog. Is that possible?

Re: ssl.G-A.com required by large quasi-bank login page

Posted: Mon Oct 27, 2014 1:52 am
by barbaz
IIUC you can't log in if you do not allow ssl.google-analytics, and it works if you do?
If so, this is a bug in the surrogate script. You should not "need" to (Temp-)Allow google-analytics ever.
Are you using either NoScript latest development build or NoScript 2.6.9.3?

If your NS is up-to-date, and if checking this isn't going to get your account locked again, could you please post any JS errors (orange) & log messages (light gray) you see in the Browser Console when it fails and when it loads incorrectly? (Ctrl-Shift-J)
HologramImage wrote:Oddly, the NoScript menu shows the blocked ssl.google-analytics.com for just a second, and then it is erased from the user's attention completely. (This 1 second appearance and erasure in the NoScript menu happens on many blocked sub-sites across the interwebs.)
Do you have a URL that doesn't require login to see this?
Does it happen in a clean profile with only NoScript installed and all default settings?

Re: ssl.G-A.com required by large quasi-bank login page

Posted: Thu Oct 30, 2014 9:05 pm
by HologramImage
I have NoScript version 2.6.9.

I normally don't use development versions of anything as I'm not a proficient programmer.

The anti-spam filter on the forum is erasing even my previews, so I am using a images of the text of the javascript error/log CTRL SHIFT J to see if that helps.

-----------------

This is a screen capture showing the menu from NoScript that has the ssl.g-a.com URL listed:

http://i.imgur.com/WDIGKom.jpg

The ssl.g-a.com link showing there disappears nearly instantly if the menu isn't opened before the page load finishes. Why does the

NoScript add-on remove it (and others on other webpages) from the menu if the webpage has requested the link? It is better to know

what the webpage is trying to do, and see all the links.

-----------------

This image link below is the javascript error/log output from CTRL SHIFT J, of the initially loaded page, before login attempt (page newly loaded before this reply post):

http://i.imgur.com/qj3W6AG.jpg

This is the javascript CTRL SHIFT J, from the tab that I didn't close, when the login failed just before my original top post of this thread:

http://i.imgur.com/yoromW1.jpg
------------------

This is the image link to the text of the URLs for the failed login page and the initial login page. The two URLs are similar.

http://i.imgur.com/yDKe8Fa.jpg

I haven't done the clean profile in FF yet. I do use Bleachbit and CCleaner which wipe a lot of profile info when FF is closed.

Re: ssl.G-A.com required by large quasi-bank login page

Posted: Thu Oct 30, 2014 11:03 pm
by barbaz
Ghostery has a long history of causing weird issues - if clean profile with only NS works, maybe try disabling Ghostery then updating NoScript to 2.6.9.3?

The following messages may be related

Code: Select all

TypeError: node.hasAttribute is not a function clearHTTPStatus.js:94
TypeError: can't access dead object priv.js:129
generatorInstance is undefined common.jsm:84
Are any of those from the site's scripts?

Unlikely to make a difference, but what if you turn off Automatic Secure Cookies management in NoScript?

Best check will be if it still fails in a clean profile with only NS, that will show for sure if the surrogate has a bug of if your issue is something else.
HologramImage wrote:The anti-spam filter on the forum is erasing even my previews,
Yeah, that is an unfortunate side-effect of serving this forum over HTTPS.

Re: ssl.G-A.com required by large quasi-bank login page

Posted: Fri Oct 31, 2014 6:51 am
by Thrawn
barbaz wrote:
HologramImage wrote:The anti-spam filter on the forum is erasing even my previews,
Yeah, that is an unfortunate side-effect of serving this forum over HTTPS.
Does the Lazarus addon help?

Re: ssl.G-A.com required by large quasi-bank login page

Posted: Fri Oct 31, 2014 3:38 pm
by barbaz
Thrawn wrote:Does the Lazarus addon help?
Honestly I haven't had the time to try it yet... :(
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited