cannot log in to website (Error Message); transaction.cityofmerced.org.potentially vulnerable CVE-2009-3555
NEW Login Problem when attempting to pay Utility bill as I've normally done
The WEB site page then displays message: We apologize, the system is temporarily down.
Please report the following to the System Administrator: java.lang.Exception: This website does not currently support your web browser. You can view this site in Internet Explorer or FireFox
My FireFox error console on browser displays = "transactions.cityofmerced.org:potentially.vulnerable.CVE-2009-3555"
Jave search yields the following
Cyber Risk Report March 29–April 4, 2010
Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 43, April 1, 2010 Urgency/Credibility/Severity Rating: 2/5/3 CVE-2009-3555
Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability. http://www.cisco.com/web/about/security/intelligence/CRR_mar29-apr4.html
Will FireFox browser updates address this security problem???
URL of affected sites
http://transactions.cityofmerced.org/Click2GovCX/Index.jsp
User Agent
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefo796804586903 887809903
All Replies (2)
That message is meant for webmasters to make them aware that they need to fix their servers. Firefox 3.6 versions can detect such a misconfiguration and displays a warning in the "Tools > Error Console".
Thanks cor-el, I sent your answer on to the Webmaster.
I.E. still allows the negotiation of the (TLS) session and I mistook it to mean Firefox had fallen behind and was being refused access by the site.
You're saying because the Browser can detect such a misconfiguration that it won't accept the security risk of a misconfiguration at the site?
I appreciate your reply and explanation!! Bill Rogers