But, when setting Opera to mask as Firefox (or IE) to get in, everything works perfectly. So I suspect that it's not an actual incompatibility but an assumed incompatibility. For example, I know the myUVM content page used to assume Opera couldn't handle inline frames.

Anyway, I've looked at clientsniffer.js and all it does is create an extraordinary number of variables containing true or false for browsers and versions (i.e. is_ie4). There's no code to actually create a message. So that warning must be coming from another script that's using those variables.

On 2/19/2010 11:55 AM, Paul T Webb wrote:
clientsniffer.js is a vendor supplied file.  The test portal is a slightly newer release of Luminis undergoing evaluation and I'll try to find out if there's any real reason why it's not supporting Opera.  It works with the current version running on myUVM and I haven't heard of any issues.  It's possible that there are some incompatibilities with Luminis components we're not using (such as a legacy Sun email and calendaring application, course management, chat, etc).  If anything, the rather rude (and grammatically incorrect) message it presents when using Opera should be toned down.

For the IE 'Insecure Content' issue, there's a FAQ on the help tab that shows a workaround.  This is usually caused by embedding remote images into the channel content.  Anything served by our servers should already be https, but maybe the portal content folks can double check (and look at the WCAX issue as well). 

For reference, our current portal browser usage is:
 Firefox  37.57%
 Safari   36.92%
 IE       20.72%
 Chrome    4.36%
 Opera     0.13%

Paul

On 2/19/2010 11:08 AM, Tyler Whitney wrote:
Meant to be on list for everyone's info.

-------- Original Message --------
Subject: Re: myUVM portal password storage
Date: Fri, 19 Feb 2010 11:08:10 -0500
From: Tyler Whitney <[log in to unmask]>
To: Keith Kennedy <[log in to unmask]>


I noticed that most of the browser detection is done in the JavaScript file here: https://myuvm.uvm.edu/js/clientsniffer.js based on the source code of the login page. Perhaps some JavaScript editing there to flag the browser differently?

I didn't fine-tooth over the code, and I didn't see if it was a luminis made file or a uvm made one. It's been a while since I've looked at the actual backend of portal stuff, but I remember it used to have serious issues with IE7 when it came out. Now it seems to work just fine, I doubt (and no offense to Rudy) that many people use Opera... but it is a larger contender considering other smaller browsers.

My only complaint with the portal is the HTTPS errors that come about in IE8... the new IE messages that warn users about data being served insecurely when on a secure site asks you to click NO if you want to show all data and YES to show only the secure ones... I find many people end up clicking YES without looking and it makes things look funny or not show up. I would edit links to anything using HTTP and make it served up with HTTPS to make things work a little smoother. Happens immediately after logging in.

Oh, and what's with the "<STRONG>More local stories from <FONT color=#ff0000>Vermont&#39;s Own&nbsp;WCAX-TV News.</FONT> </STRONG>" code being displayed under WCAX Local News instead of actually parsing the html?

Tyler

On 2/19/2010 9:35 AM, Keith Kennedy wrote:
Hi Rudy,

Well, it's a purchased package (portal = luminis), and if it has a hard-coded list of what it considers
vulnerable browsers, we may or may not be able to convince it otherwise.
I'm surprised that the app even tries to make that judgment.
As far as the relative security/reliability of browsers...
we are certainly not knowledgeable in that area.

I hope this off-list approach is OK. Reply all is appreciated. Several of us are involved in one way or another
and it's good to share what test/results we are seeing...

Thanks again.

- Keith



On 2/19/2010 9:14 AM, Rudy Raab wrote:
Well, I've found a flaw on your test system. It blocks Opera with the message "The Opera browser you are using has a various serious security defects and is not allowed to be used with this application." That's a little strange since Opera 10.0 and above have a grand total of zero open vulnerabilities (according to Secunia). And if it's talking about DEP and ASLR, Opera's supported those since 9.64. I think your browser detection system needs to be updated.

And after having Opera 10.5 beta and 10.1 stable mask themselves as Firefox to get in, they both still prompt to remember the password. But Chrome and Firefox now do not prompt. Perhaps Opera's strangeness is due to it using not auto-complete, but its own actual password manager with form-filling and such.

Anyway, at least FF and Chrome are fixed.

And this off-list reply is a little strange, but I've hit reply all so everyone gets my message.

On 2/19/2010 8:25 AM, Paul T Webb wrote:
I've tried to exorcise some of the evilness by making a change to the login page of our test Luminis system, https://portaldev.uvm.edu  (added 'autocomplete="off"' to the form).

With this change, neither Firefox nor Chrome will offer to save my password.  Same with IE8, but it already didn't before I made the change.

Could you folks do some testing as well?

To the bigger question -- is this the change we want to make, versus allowing the username to be stored as well?  I think not, given that access to the portal also allows single sign-on to several other systems.  Comments from the Security Team, Don?

Thanks,
Paul


On 2/18/2010 8:17 PM, Rudy Raab wrote:
Don't take my "evil" thing seriously. I call everything evil at least once in my life. I know it's not intentional design, just a mistake. And I'll help with browser testing of any modifications made to the page.

And thank you for taking the time to look at the page.

On 2/18/2010 4:10 PM, Keith Kennedy wrote:
Hey hey hey!
...evil luminis.... really.

Yes, this is "mostly" a browser issue.
But I know there are directives that can be added to html to
help browsers make good decisions about whether or not to helpfully offer to remember what you typed last time.
We will review this page and see if we can make it NOT offer to remember passwords.

- Keith

On 2/18/2010 3:57 PM, Rudy Raab wrote:
That might be why Chrome can't put the password in. It's trying to use the hidden input box. And isn't it bad HTML practice to use the same name on different tags?
But whatever. At least now we know we can blame the evil Luminis Platform for all the problems. :)

On 2/18/2010 1:22 PM, Tyler Whitney wrote:
I think this is simply the nature of the Luminis Platform, the vendor of the MyUVM portal. In my experience at other universities the portal reacted the same way... especially when building in ports to the university's other services, because of single-sign-on authentication. It is pretty tricky. There shouldn't be anything very special about the input fields per se that would make the browsers react differently. However, looking at the code it may be simply because AFTER the login box is displayed there is a hidden field with the SAME name of the user field that is default to "" an empty string. See:

            <form name="userid" onSubmit="xferFocus(this); return false;">
                <dl>
                <dt><label for="user" accesskey="u"><abbr title="University of Vermont">UVM</abbr> Net<abbr title="identification">ID</abbr>:</label></dt>
                <dd><input type="text" id="user" name="user" class="textform" tabindex="1" /></dd>
                </dl>           
            </form>
            <form name="cplogin" action="https://myuvm.uvm.edu/cp/home/login" onSubmit="login(); return false;" method="post">
                <dl>
                <dt><label for="pass" accesskey="p">Password:</label></dt>
                <dd><input type="password" id="pass" tabindex="2" name="pass" class="textform" /></dd>

--------------------------------------

                        <dd> <input type="hidden" name="user" value=""></dd>
--------------------------------------


                </dl>
            </form>

My guess is that has something to do with it... but also there is tons of JavaScript that manages what browser is being used, the cache/cookies... so it could be any number of things.

And I don't really know much about the Luminis portal software anyway.

Tyler
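
Added example, not part of the original thread and not Luminis code: a static check over login-page markup for the three things raised in this thread, namely a password field without autocomplete="off", one field name reused across forms, and http:// subresources on an https page. The names FormAudit and audit, the finding labels and the sample markup (modeled on the snippet quoted above, with placeholder hosts) are assumptions made for illustration.

```python
from html.parser import HTMLParser

class FormAudit(HTMLParser):
    """Records each form's fields and any http:// subresource on the page."""
    def __init__(self):
        super().__init__()
        self.forms, self.insecure, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"name": a.get("name", ""), "fields": [],
                          "ac": a.get("autocomplete", "").lower()}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(((a.get("type") or "text").lower(),
                                         a.get("name", ""),
                                         a.get("autocomplete", "").lower()))
        # src= always loads a subresource; href= only counts on <link>.
        url = a.get("src") or (a.get("href", "") if tag == "link" else "")
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))

    def handle_endtag(self, tag):
        self._form = None if tag == "form" else self._form

def audit(html):
    """Return a sorted list of (finding, detail) tuples for one page."""
    p = FormAudit()
    p.feed(html)
    findings, uses = [], {}
    for form in p.forms:
        for ftype, name, ac in form["fields"]:
            if ftype == "password" and "off" not in (form["ac"], ac):
                findings.append(("password-autocomplete-on", form["name"]))
            if name and ftype not in ("radio", "checkbox"):
                uses.setdefault(name, []).append(form["name"])
    findings += [("duplicate-field-name", f"{n} in {'+'.join(f)}")
                 for n, f in uses.items() if len(f) > 1]
    findings += [("mixed-content", url) for _, url in p.insecure]
    return sorted(findings)

# Constructed sample modeled on the markup quoted above; hosts are placeholders.
SAMPLE = """
<form name="userid"><input type="text" id="user" name="user" /></form>
<form name="cplogin" action="https://portal.example/login" method="post">
  <input type="password" name="pass" />
  <input type="hidden" name="user" value=""></form>
<img src="http://news.example/logo.gif">
"""
```

Current browsers' password managers generally ignore autocomplete="off" on login fields, so the first finding documents the 2010-era control discussed in this thread rather than a guarantee that credentials will not be stored.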



On 2/18/2010 12:21 PM, Rudy Raab wrote:
My initial thoughts would be that it's a quirk of the page. I believe browsers use a sort of code-detection to know that the box in question is a username or password box. Perhaps the NetID box is a little quirky and browsers can't recognize it as username input. Though that doesn't entirely explain Chrome's issue. And it doesn't explain why it used to be the other way around. So I'm not sure.

This is one of the reasons I rarely visit myUVM. And normally Opera's password-remembering is unbeatable-- I can never get Firefox or IE to remember my password on Blackboard, strangely enough, but Opera's always handled it with no problem.

Hopefully someone handling the myUVM page is watching this list...

On 2/18/2010 12:01 PM, Jarlath O'Neil-Dunne wrote:

Thanks Rudy, I should have been more clear, it is Firefox that stores the password.  Just wondering why myUVM allows the password to be stored, not the Net ID.

 

--

Jarlath O'Neil-Dunne

Geospatial Analyst

University of Vermont

Spatial Analysis Laboratory

802.656.3324

http://www.uvm.edu/~joneildu

 

From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of Rudy Raab
Sent: Thursday, February 18, 2010 11:57 AM
To: [log in to unmask]
Subject: Re: myUVM portal password storage

 

I believe that it is the browser storing the password, not the site. I do not see any check box or option to save the password on the site itself-- only my particular browser's option. And myUVM has always been messed up in the password-remembering compatibility department. It used to be the other way around, e.g. it would save the netID but not the password.

And I've also not only confirmed the problem in Firefox 3.6 and Opera 10.5(beta), but also noticed different issues on these browsers:
Google Chrome: prompts to remember the password, but doesn't.
IE8: never prompts at all.

On 2/18/2010 10:35 AM, Jarlath O'Neil-Dunne wrote:

I noticed that myUVM portal will store my password (if I allow it), but not my Net ID.  This seems to be a bit backwards.  Would it not be less risky to have things the other way around?  Tested on Firefox.

 

--

Jarlath O'Neil-Dunne

Geospatial Analyst

University of Vermont

Spatial Analysis Laboratory

802.656.3324

http://www.uvm.edu/~joneildu

 



-- 
---
Rudy Raab
UVM Student


--

Tyler Whitney
IT Support Specialist
Department of Residential Life
The University of Vermont
Robinson Hall, 406 South Prospect Street
Burlington, VT 05405-0364

Phone: (802)656-7937; Fax: (802)656-1142; Cell: (518)335-3196
E-mail: [log in to unmask]

Staff IT Line; (805)656-7934
Submit a Footprint; http://reslife.uvm.edu/staffit
Submit a Website Issue/Problem; http://reslife.uvm.edu/bugs

  

--
Tes
Paul T. Webb
Database Administrator and maintainer of the slightly naughty Luminis Platform
University of Vermont
19 Roosevelt Highway, Suite 200
Colchester, VT 05446
(802)656-0249
[log in to unmask]



--
Tes
Paul T. Webb
Database Administrator
University of Vermont
19 Roosevelt Highway, Suite 200
Colchester, VT 05446
(802)656-0249
[log in to unmask]


