Security by...user agent?



  • Since the internship I'm currently with is ending, I thought I'd share this story.

    Back this summer, I was headed home for a few days for some event (can't remember what) but I was going to be gone a few days. So to counteract this, we set me up with VPN access. For some reason, I needed to use IE to set up the VPN, but in typical "I know what I'm doing" fashion, I disregard this.

    As I'm setting up the VPN on my Mac, I can't for the life of me figure out why I keep getting "Access denied" errors even though my username and password are typed in correctly. Eventually I try my Windows laptop that I also have with Firefox. Shoot. No go either. So I try IE.

    Guess what? It works!...along with a feeling of "WTF?!" overcoming me. So, on a hunch, I tell Firefox on my Mac to say it is IE9 on Windows 7, and try to login. As you probably guessed, it works!...somewhat. I got past the error dialog, but it wouldn't install the VPN software. Still, I wonder who thought "Access denied" was better than "You are using an unsupported browser. Please use Internet Explorer 9 and above."



  • So to keep the site more secure they insist on IE?
    Hmmmm.....



  • @HuskerFan90 said:

    So, on a hunch, I tell Firefox on my Mac to say it is IE9 on Windows 7, and try to login. As you probably guessed, it works!...somewhat. I got past the error dialog, but it wouldn't install the VPN software.

    I'm assuming that you're running Windows on that Mac, and it's not that they a) have VPN software for Mac, yet b) require you to use IE (for Mac) to get it.



  • @Arnavion said:

    @HuskerFan90 said:
    So, on a hunch, I tell Firefox on my Mac to say it is IE9 on Windows 7, and try to login. As you probably guessed, it works!...somewhat. I got past the error dialog, but it wouldn't install the VPN software.

    @HuskerFan90 said:

    So I try IE.

    I'm assuming that you're running Windows on that Mac, and it's not that they a) have VPN software for Mac, yet b) require you to use IE (for Mac) to get it.

    No Windows on that Mac. The client software we use does have a Mac client and even clients for iOS and Android. Did I mention that you can't login on those platforms even though the VPN login screen loads fine because of what happens above?



  • Weird to be sure, but how is this security? Obviously the VPN software only works with Internet Explorer, so they only answer requests from Internet Explorer. As to not telling you why, they told you explicitly how to get the connection running, including needing IE. Why would I occupy a second of my server's time serving up errors to people who obviously aren't reading?



  • @Master Chief said:

    Weird to be sure, but how is this security? Obviously the VPN software only works with Internet Explorer, so they only answer requests from Internet Explorer. As to not telling you why, they told you explicitly how to get the connection running, including needing IE. Why would I occupy a second of my server's time serving up errors to people who obviously aren't reading?

    The installer works only with IE, but there are versions of the client software for multiple OSes. All IE is used for outside the installer is in the login pop up when you try to login. My point? That there is no reason why the VPN server checks the user agent to see if you're using IE. The login page renders just fine on the iOS login page in the iOS version of the client and even the Android version.



  • @HuskerFan90 said:

    The installer works only with IE, but there are versions of the client software for multiple OSes. All IE is used for outside the installer is in the login pop up when you try to login. My point? That there is no reason why the VPN server checks the user agent to see if you're using IE. The login page renders just fine on the iOS login page in the iOS version of the client and even the Android version.

    I'm confused. How do you have an installer required to run on IE work cross platform? I must be misunderstanding you.

    Edit: I get it now, IE installs the client for Windows, and the WTF is that IE is required for a login for a cross-platform service. Don't mind me, 14 hour days take a lot out of a guy...



  • @Master Chief said:

    @HuskerFan90 said:
    The installer works only with IE, but there are versions of the client software for multiple OSes. All IE is used for outside the installer is in the login pop up when you try to login. My point? That there is no reason why the VPN server checks the user agent to see if you're using IE. The login page renders just fine on the iOS login page in the iOS version of the client and even the Android version.

    I'm confused. How do you have an installer required to run on IE work cross platform? I must be misunderstanding you.

    It uses an embedded web browser to display the login screen in the client but a quick Google search for the Juniper VPN client shows that there is a Mac, iOS, and Android version available.

    What I am saying is that the login page checks the user agent, not the installer. However, the installer on the VPN site is configured for Windows only but I can easily get the VPN client on my iPad or Galaxy Tab where it says I'm unauthorized even with correct credentials.



  • Are you sure it's actually a check on the user agent, rather than, say, a call to an ActiveX component / Browser Helper Object / etc.?

    It's easy to make these for IE, and I don't think any other browser supports these.


  • @HuskerFan90 said:

    It uses an embedded web browser to display the login screen in the client but a quick Google search for the Juniper VPN client shows that there is a Mac, iOS, and Android version available.

    What I am saying is that the login page checks the user agent, not the installer. However, the installer on the VPN site is configured for Windows only but I can easily get the VPN client on my iPad or Galaxy Tab where it says I'm unauthorized even with correct credentials.

    The VPN client is actually Java. It sounds like your company made a decision to not support non-Windows. A real PITA if you don't want to run Windows, but not a complete WTF. Just use what they tell you to use and you'll be fine.

    The Juniper client is decent on Windows, but I've always had problems on Linux (where it's gotta run 32-bit Java). Lots of random disconnects. And it really wants resolv.conf to be a file, which causes problems. I haven't used it with OSX, but I think it's flakier than on Windows, too.



  • Sounds a lot like the Cisco shit I had to endure a few years ago. I can't remember the details, fortunately, but they had so many different versions of VPN software with slightly different settings ... shudder.


  • @TGV said:

    Sounds a lot like the Cisco shit I had to endure a few years ago. I can't remember the details, fortunately, but they had so many different versions of VPN software with slightly different settings ... shudder.
    Was that the code that was written in Qt and which was a poster child for how not to do VPN client software? It looked and worked like shit on every platform…



  • @dkf said:

    Was that the code that was written in Qt and which was a poster child for how not to do VPN client software? It looked and worked like shit on every platform…
    I'll take their classic VPN Client anytime over Cisco AnyConnect VPN. I usually use ShrewSoft VPN nowadays though.



  • @boomzilla said:

    @HuskerFan90 said:
    It uses an embedded web browser to display the login screen in the client but a quick Google search for the Juniper VPN client shows that there is a Mac, iOS, and Android version available.

    What I am saying is that the login page checks the user agent, not the installer. However, the installer on the VPN site is configured for Windows only but I can easily get the VPN client on my iPad or Galaxy Tab where it says I'm unauthorized even with correct credentials.

    The VPN client is actually Java. It sounds like your company made a decision to not support non-Windows. A real PITA if you don't want to run Windows, but not a complete WTF. Just use what they tell you to use and you'll be fine.

    The Juniper client is decent on Windows, but I've always had problems on Linux (where it's gotta run 32-bit Java). Lots of random disconnects. And it really wants resolv.conf to be a file, which causes problems. I haven't used it with OSX, but I think it's flakier than on Windows, too.

    I guess I just don't want to have to kick up a virtual machine or use dual-boot each time I want to use RDP to remote into my work computer. Not like it matters much anymore.

     



  • @dkf said:

    @TGV said:
    Sounds a lot like the Cisco shit I had to endure a few years ago. I can't remember the details, fortunately, but they had so many different versions of VPN software with slightly different settings ... shudder.
    Was that the code that was written in Qt and which was a poster child for how not to do VPN client software? It looked and worked like shit on every platform…

    Ah yes, before my current internship I worked at a place that used Cisco AnyConnect. Every time I logged in I felt like I was checking to see if I had bingo. I also have a baby brother who at the time really liked chewing on things, so I got one of those little code generators that if you drop it on the ground it needed to be recalibrated. God forbid if that happened on vacation away from the main office.

    Yes, I do remember how the client worked like shit. I vaguely remember having to reinstall it several times on my Linux install because some weird-ass thing kept getting corrupted. It also was kind of flaky on Windows too.



  • @HuskerFan90 said:

    I guess I just don't want to have to kick up a virtual machine or use dual-boot each time I want to use RDP to remote into my work computer. Not like it matters much anymore.

    Virtual machines and VPN are a good match because most VPN clients will disconnect the local network, which can be an annoyance if you like to watch Netflix or listen to internet radio while working and don't want it to happen on the remote internet connection. I maintain different VMs with different virtual networks for all the clients where I have VPN access; this also allows me to gracefully respect their preferences regarding the browser or operating system.



  • @Ronald said:

    @HuskerFan90 said:

    I guess I just don't want to have to kick up a virtual machine or use dual-boot each time I want to use RDP to remote into my work computer. Not like it matters much anymore.

    Virtual machines and VPN are a good match because most VPN clients will disconnect the local network, which can be an annoyance if you like to watch Netflix or listen to internet radio while working and don't want it to happen on the remote internet connection. I maintain different VMs with different virtual networks for all the clients where I have VPN access; this also allows me to gracefully respect their preferences regarding the browser or operating system.

    I never really used VPN unless my old boss called me while on vacation. One time there were some printers on some kiosks that weren't working while I was roughly 1200 miles away from where the kiosks were. Too bad the guy on site couldn't fix them. Now that I think about it, he couldn't fix a lot of things and when he thought it could be fixed and I said it couldn't, he would do the obvious "I'm right, you're wrong" crap. I still don't know how many times that happened and he didn't fix it.

    Also, conference calls while you're on vacation change your life. Especially when they go nowhere. Those two events caused me to routinely forget my VPN access card at home (read: I'm not working on vacation anymore).

     



  • @Ronald said:

    Virtual machines and VPN are a good match because most VPN clients will disconnect the local network, which can be an annoyance if you like to watch Netflix or listen to internet radio while working
    My VPN client likes to disable WiFi. This is more than annoying, because 99.9% of the time I need to use VPN, I don't have a wired connection available. The VPN client itself needs to connect through the WiFi network, but it disables it anyway. On the bright side, it means I don't have to work when I'm not in the office.

     



  • @HardwareGeek said:

    @Ronald said:

    Virtual machines and VPN are a good match because most VPN clients will disconnect the local network, which can be an annoyance if you like to watch Netflix or listen to internet radio while working
    My VPN client likes to disable WiFi. This is more than annoying, because 99.9% of the time I need to use VPN, I don't have a wired connection available. The VPN client itself needs to connect through the WiFi network, but it disables it anyway. On the bright side, it means I don't have to work when I'm not in the office.

     

    I don't understand why this would be a problem if you install the VPN client in a VM as long as it's a product that supports virtual networks like VMware workstation. The VM network is sandboxed and the VPN client has no way to tell that his internet gateway is actually a simple NAT running on the hypervisor.

    I have yet to find a VPN client that won't work with this setup.



  • @Ronald said:

    I don't understand why this would be a problem if you install the VPN client in a VM as long as it's a product that supports virtual networks like VMware workstation.
    I have no particular reason to think it wouldn't work, either, but it's not a configuration that is supported by our IT. I'd have to buy VMware myself, and hope the expense was approved. Besides, I kinda like being able to ignore work when I'm not in the office.

     



  • And I thought this thread would be about DLink routers:

    http://www.zdnet.com/d-link-routers-found-to-contain-backdoor-7000021943/



  • @Helix said:

    And I thought this thread would be about DLink routers:

    http://www.zdnet.com/d-link-routers-found-to-contain-backdoor-7000021943/

    Or Kodak digital photo frames:

    http://seattlewireless.net/~casey/?p=13


  • @Master Chief said:

    Weird to be sure, but how is this security? Obviously the VPN software only works with Internet Explorer, so they only answer requests from Internet Explorer. As to not telling you why, they told you explicitly how to get the connection running, including needing IE. Why would I occupy a second of my server's time serving up errors to people who obviously aren't reading the vast majority of my user base?

    FTFY

    Seriously, the next constitutional amendment will formalize the right not to read instructions.

