|WF consider the password-saving feature of the wand is contrary to their security goals. |
and so they should
|...insecure and this complete lack of communication was the main reason why we after trying to discuss it with them for a couple of years in the end decided to spoof id completely.) |
by issuing a cloaking patch that applies only to WF, they are specifically interfering with transactions between WF and their clients. why wouldn't WF ban the browser? wouldn't you?
furthermore, consider that the display of ads by the free version of Opera while the browser is open on the WF site is an invitation for code injection phishing/pharming exploits. should WF wait until it actually happens?
and i found this:
|As was mentioned previously, individual sites can disable the wand if they do not wish passwords to be saved on their site (truth be told, I think anybody who figures they can tell me how I should protect my data can go, uh, pleasure themselves.) The problem many sites seem to have with Opera is that Opera retains page state when using the back button on secure pages, which is a potential security issue (especially since Opera can reopen closed windows). I believe that will be fixed in Opera 7.60. |
Edit: the problem isn't that Opera retains page state when using the back button on secure pages, but that it didn't follow the must-revalidate directive before 7.54u1. That is now "fixed", actually leading to reduced usability because of all the "webmasters" out there with improperly configured servers.
So WF should be expected to track the version at the .0X level? Especially when Opera is cloaking its version to begin with? Would you write code to accommodate such idiocy?
[edited by: plumsauce at 4:21 am (utc) on Feb. 3, 2005]
I gotta say, you're right, plumsauce.
<edit>What do you think the author meant by "leading to reduced usability"? If it's fixed, doesn't that mean that all the other browsers are in the same position?</edit>
|As was mentioned previously, individual sites can disable the wand if they do not wish passwords to be saved on their site. |
If this is a server-side programmatic solution to a security hole, then (a) WF needs to lighten up and implement it and (b) where can I find this bit of code?</edit2>
From where I sit, this is a "neither here nor there" issue, but I've got to say that I've lost a lot of respect for Opera, since this certainly seems to be Opera's fault.
From the Opera forums ( [my.opera.com...] ):
|[Some fellow posited...] |
I'd be willing to bet that Opera is deliberately doing this so that in the past, Opera could bypass whatever broken browser sniffing Wells Fargo used to do.
[And an Opera developer responded...]
Yes. In order to make the site usable for Opera users we have for some time been using a non-Opera User Agent against Wells Fargo's site.
We are currently evaluating this policy in light of recent events.
So Opera added code to their browser that specifically mucks about with a financial website, and people whine when said financial site bans Opera?!
Think of it this way: the browser is using deceptive tactics to gain access to confidential financial information.
I wonder what other, uh, "easter eggs" Opera hides...
No, think about it this way: the browser is changing its U/A without the knowledge of the user.
Further to this story:
Junior Member Brett_Tabke posted a link to this thread in Opera's Open Web Forum and got this response:
Known problem: [my.opera.com ]
AFAIK v7.54u1 and v7.54u2 should work OK. Earlier versions will not work, and 8.0 beta does not, at present, implement any specific spoofing for this bank.
We have not yet been able to find out exactly why Wells Fargo blocks Opera. Attempts to find out have not been successful. Some indications have been given in answer to other people's queries, but we have been unable to verify those (We also believe what has been indicated as the reason is not a problem with 7.5x).
<edited: added link>
After being on the phone with Wells for about 20mins, I was told:
"We stopped supporting opera because it saves form values such as passwords and login ids."
I hope Opera can redo the agent name for Wells again.
Nice follow-up Brett. Turns out that WF has their customers' best interests in mind.
"We stopped supporting opera because it saves form values such as passwords and login ids."
Best interests maybe, but since when is the bank responsible for the consumer's security choices?
Since they've been entrusted with the client's money...
|We stopped supporting opera because it saves form values such as passwords and login ids. |
Ok, I must be missing something here. Isn't that exactly what most browsers do anyway? I know FireFox offers to save form data all the time when I use it, and Safari has a similar option (turned it off though). I would assume IE can too. Or is this a different kind of saving than what Opera does?
other browsers support a nonstandard tag to stop pw/id caching.
All the major financial sites I use force a fresh login - at most, they will remember your username but require password entry.
This is a reasonable precaution, IMO. While some individuals may employ good security practices at the machine level (user authentication on bootup, inactivity lockout, etc.), most users are lazy; if they left their notebook somewhere, or if their dog-sitter was using their home PC, they'd be vulnerable. And for users who might choose to access their financial accounts from public PCs, some percentage would save their password intentionally or unintentionally.
The solution would seem to be for Opera to support the same tag that IE does. It's amazing that the Opera coders felt the best solution to the initial Wells Fargo problem was to spoof the user agent for that site.
It wouldn't surprise me that once this issue gets publicized other financial sites also ban Opera - probably many IT departments weren't aware of Opera's different approach to password caching. I'm betting Opera makes the change sooner rather than later.
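
As an added illustration (not part of the thread or any poster's code), the two site-side controls discussed above can be audited on a login response: the `must-revalidate` cache directive and the nonstandard form attribute that stops password caching, assumed here to be `autocomplete="off"`, which the thread does not name. The headers, HTML and function names are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample: a login response as a bank-style site might send it.
SAMPLE_HEADERS = {"Cache-Control": "private, max-age=0"}
SAMPLE_HTML = """
<form action="/signon" method="post">
  <input type="text" name="userid">
  <input type="password" name="password">
</form>
"""

class _FormAudit(HTMLParser):
    """Collects password inputs where neither the form nor the field opts out."""
    def __init__(self):
        super().__init__()
        self.form_off = False   # True while inside <form autocomplete="off">
        self.exposed = []       # names of password fields left cacheable

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type") == "password":
            if not (self.form_off or a.get("autocomplete") == "off"):
                self.exposed.append(a.get("name", "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_login_response(headers, html):
    """Return a list of findings; an empty list means both controls are present."""
    findings = []
    cc = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    directives = {d.strip().split("=")[0].lower() for d in cc.split(",") if d.strip()}
    # Assumption of this check: either directive counts as the page opting out
    # of silent reuse of cached state (back button, reopened windows).
    if not directives & {"no-store", "must-revalidate"}:
        findings.append("Cache-Control lacks no-store/must-revalidate")
    parser = _FormAudit()
    parser.feed(html)
    findings += [f"password field '{n}' allows autocomplete" for n in parser.exposed]
    return findings
```

Current browsers generally ignore `autocomplete="off"` on password fields in favour of their password managers, so a clean result here confirms only that the site has expressed the request, not that every client honours it.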