blues

EAM & OA (Domains List)


I posted this question on the OA side of the forum as well but since it applies to both programs, I thought to ask it here as well...

 

Do you recommend, if running OA in tandem with Emsisoft Anti-Malware, to ignore the OA Domains List? EAM already has surf protection built in and I know that certain aspects of the OA Web Shield don't work within Sandboxie (while EAM seems to be fully functional within Sandboxie).

 

I also use Norton DNS if that info is of any assistance in responding to my question. Thanks in advance.


The Online Armor domains list is quite different from EAM's surf protection as well as Norton's Safe DNS. Both the surf protection as well as Norton's Safe DNS are essentially blacklists. That means both services have a list of bad domain names and they won't let you access those domains. The Online Armor domains list technically is able to do the same, but it is usually used as a white list in combination with banking mode. That means: During banking mode you can't connect to any domain unless it is listed in the domains list as being trusted. That being said, if you are not concerned with banking mode, it is safe to simply ignore it.


It's interesting, Fabian, because what prompted this whole thing was my intention to begin using Banking Mode again as I used to do in the past with earlier versions of OA.

(Up until the beginning of this year.)

 

Unfortunately, for some reason, banking mode is not working properly for me either after having imported my prior list of protected and trusted sites or after adding the sites anew via the "learning" process (while in advanced mode).

 

It may be that something in Sandboxie or a Firefox add-on is causing the issue but it's reached the point that I can't seem to narrow it down to the specific issue causing the problem.

 

I can successfully add the sites in learning mode but when I switch back to banking mode and connect I'll get a failure to obtain a secure connection notice.

 

If I switch back to "advanced" mode, it's fine. As I say, it's probably a function of either something in Sandboxie or an add-on in Firefox.

 

Only OA Premium, EAM and Sandboxie are running in real-time on XP Pro SP3.

 

Otherwise, OA is working perfectly as far as I can determine.

 

EAM doesn't use a proxy, does it? I do have it excluded within OA. (But I just tested it without the exclusion with the same result.)


Fabian, perhaps this matter is now better discussed over on the Online Armor side of the forums?

If so, can you move it as I await your thoughts on the matter.

Thank you.


I have moved your topic. OCSP in general is a system to check whether or not a given SSL certificate is valid. Internet Explorer on Windows XP (which is used for the learning mode) doesn't support OCSP. So chances are Online Armor never learned about the OCSP domains and therefore blocks all access to them. When Firefox then tries to validate the SSL certificate via OCSP it fails to do so and produces the error message you received. The easiest way to fix it is to find out the OCSP URL the certificate uses for validation and add it to the domains list manually.

The easiest way to do so is the following:

  1. Surf to your bank's homepage with banking mode disabled. Click on the green lock symbol to the left of your URL bar and click on "More Information...":
  2. Switch to the "Security" tab and click the "View Certificate" button:
  3. Switch to the "Details" tab and in the "Certificate Fields" list find the Extensions sub-tree. You want to take a look at both the "CRL Distribution Points" as well as the "Authority Information Access" fields there. You will find a bunch of URLs there, like here for example:

    Write all those URLs down or copy them into a Notepad window.
  4. Go to the Online Armor domains list and add the domains of all the URLs you just collected to the list. In the example picture above you would need to add "EVSecure-crl.verisign.com" for example.
  5. Enable "Banking Mode" again and see if Firefox is able to verify the certificate now.

It is a bit painful but unfortunately Internet Explorer - no matter which version - won't do these checks automatically on systems prior to Windows Vista. So Online Armor doesn't learn about these URLs automatically. If something is unclear or looks different for you, just let me know. If you can tell me the URL of your bank I will gladly look up the required verification URLs for you as well :).

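The manual steps in the post above, done programmatically, as an added example that is not part of the original post or of Online Armor: a small DER walker that collects every URI host in a certificate's "Authority Information Access" and "CRL Distribution Points" extensions and reports which of them a domains list does not yet cover. The function names, the `tlv` sample builder and the URL paths are constructed for illustration; the hostnames are the ones named in this thread.

```python
from urllib.parse import urlsplit

AIA = bytes.fromhex("2b06010505070101")  # OID 1.3.6.1.5.5.7.1.1 (Authority Information Access)
CRLDP = bytes.fromhex("551d1f")          # OID 2.5.29.31 (CRL Distribution Points)

def elements(buf):
    """Yield (tag, value) for every DER element in buf, descending into constructed ones."""
    pos = 0
    while pos < len(buf):
        tag, n = buf[pos], buf[pos + 1]
        pos += 2
        if n & 0x80:                     # long form: low 7 bits count the length bytes
            k = n & 0x7F
            n = int.from_bytes(buf[pos:pos + k], "big")
            pos += k
        value = buf[pos:pos + n]
        yield tag, value
        if tag & 0x20:                   # constructed (SEQUENCE, [0], [3], ...)
            yield from elements(value)
        pos += n

def validation_hosts(der):
    """Sorted hostnames of all URIs in the AIA and CRL DP extensions found in der."""
    hosts = set()
    for tag, value in elements(der):
        # Extension ::= SEQUENCE { OID, optional BOOLEAN, OCTET STRING wrapping more DER }
        if tag == 0x30 and value[:1] == b"\x06" and value[2:2 + value[1]] in (AIA, CRLDP):
            wrapped = [v for t, v in elements(value) if t == 0x04][-1]
            for t, v in elements(wrapped):
                if t == 0x86:            # GeneralName [6], uniformResourceIdentifier
                    hosts.add(urlsplit(v.decode("ascii")).hostname)
    return sorted(hosts - {None})        # URIs without a host part are dropped

def missing_from(domains_list, der):
    """Hosts the browser will contact for validation that the allowlist does not cover."""
    allowed = {d.lower() for d in domains_list}
    return [h for h in validation_hosts(der) if h not in allowed]

def tlv(tag, *parts):                    # tiny DER encoder, used only to build the sample
    body = b"".join(parts)
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

# Constructed sample (an Extensions SEQUENCE); ...3001 / ...3002 are the OCSP / caIssuers OIDs.
SAMPLE = tlv(0x30,
    tlv(0x30, tlv(0x06, AIA), tlv(0x04, tlv(0x30,
        tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505073001")), tlv(0x86, b"http://EVSecure-ocsp.verisign.com")),
        tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505073002")), tlv(0x86, b"http://EVSecure-aia.verisign.com/constructed.cer"))))),
    tlv(0x30, tlv(0x06, CRLDP), tlv(0x04, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0,
        tlv(0x86, b"http://EVSecure-crl.verisign.com/constructed.crl"))))))))
```

The walker also accepts a whole certificate: pass the DER bytes, for example the result of `ssl.PEM_cert_to_DER_cert()` on a PEM export from the browser's certificate viewer.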

Update:

 

Fabian, I had some time this morning to test the instructions you provided above.

 

To avoid any possible issues with writing down the URLs, I copied and pasted the info directly into the "domains" list via the "add" button.

 

Unfortunately, this workaround failed.

 

I made sure to copy all entries from the two fields you specified but still got the "Secure Connection Failed" alert.

 

Since we have previously discussed my own particular circumstances regarding the need for "banking mode" privately, I am not overly concerned about my own situation but wanted you to know that the workaround was unsuccessful.


If there are any additional fields from the certificate info that you feel might be added to get the sites to function properly in banking mode, please let me know and I'll test them this week.

May I ask which site you can reproduce this particular problem with? Just want to try it as well on one of my test boxes.

 

Fabian,

 

I'll send you a PM as I'm reluctant to discuss any banking or financial sites publicly.  


Just tested it on my system with default installs of Mozilla Firefox 17, the current stable version of Online Armor and the current stable version of Sandboxie and SSL on your bank website works just fine on my system with banking mode being fully functional. Have you customized your Sandboxie settings in any way? If you did: Which changes did you make?


In the default box...only Firefox is allowed to connect to the net and only Firefox and Plug-In Container are allowed to run.

 

(I also have some restrictions as to files that would be off-limits to access but none of them would have anything to do with OA.  They are primarily documents and personal data.)

 

Do you think that any Firefox add-ons such as No-Script, Ad-Block Plus, or HTTPS Everywhere / HTTPS Finder might have caused the issue?

 

The only ones that weren't run in the past when I was successful at using Banking Mode are the two HTTPS extensions. 

 

I should have time to experiment a bit with or without the extensions this afternoon.


Fabian, if you saved the URLs, would you send them to me in a PM and I'll add them to my domains list? (I didn't save them from the other day.)

 

I have a feeling that the extensions may be the problem as I was unsuccessful when trying to connect outside of Sandboxie when I tested as well.

 

This will help us narrow it down.


I didn't actually have to add any URLs except the bank page and learning the page once. That was it. I also installed the same addons (again with complete stock settings) and it works just fine both within and outside of Sandboxie. Can you please post your "Certificate Validation" settings in Firefox? (Options, Advanced, Encryption, Certificate Validation)


So you not only use custom Sandboxie settings but use custom Firefox settings as well. Easy fix is: Return your Firefox settings to default settings (which is "When an OCSP server connection fails, treat the certificate as invalid" turned off). If you insist on keeping that option on, try adding the following 3 domains to your domain list and learn them as if they were banking pages:

EVSecure-crl.verisign.com
EVSecure-ocsp.verisign.com
EVSecure-aia.verisign.com

The learning process will be a bit strange, as those are not actual websites in most cases and you will most likely see some download windows popup which you can simply close. Restart Firefox, enable banking mode again and it should work. At least it does on my test systems.


Fabian, interestingly enough, I had already added those sites via your original instructions.

 

I just tried "learning" them and I'll test it that way first.

 

If that doesn't work, I'll report back after I try the "default" setting you suggested.

 

Back in a few minutes.


Okay...good news, Fabian.

 

By "learning" those three entries, (which I had already had in the domains list but not "learned" separately), I was able to open and access the site I wanted.

 

I'll try my other financial sites in a little while and see if I have to do the same with other sites. (I'm importing my old domains list to see how it goes.)

 

Worst case, I'll try the "default" setting if I can't get things working.

 

Thank you so much, Fabian, for your assistance with this.


Everything appears to be working, Fabian, thanks to you.

I did have to add some new sites to the "domains" list which weren't included on my previously saved sites.
(When I added verification sites I "learned" them as well, per your instructions regarding verisign.)

From a practical point of view, is there any difference between how "protected" and "trusted" sites are treated in "banking mode"?

In other words, does it make a difference how you label them in the domains list?  And if so, should only the main site, such as "ABC-Bank.com" be listed as "protected"?

Thanks again. I will have a toast in your honor this evening.


Protected domains are verified against the Online Armor DNS service to see if the IP your DNS server returned for the domain is the same as the one returned by the Online Armor server. It was an attempt to detect man-in-the-middle attacks through DNS poisoning. The problem is that most bigger sites now use CDNs which naturally cause the IP address of the same domain to be different, depending on where in the world you try to access that domain from. So it is a lot less useful today than it was 5 or 6 years ago when it was first implemented. Expect the protected domains to go away eventually.
