[Bug 965738] New: Chromium: Impossible login on https://e-fibank.bg/
http://bugzilla.suse.com/show_bug.cgi?id=965738 Bug ID: 965738 Summary: Chromium: Impossible login on https://e-fibank.bg/ Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.1 Hardware: x86-64 OS: openSUSE 42.1 Status: NEW Severity: Major Priority: P5 - None Component: X11 Applications Assignee: bnc-team-screening@forge.provo.novell.com Reporter: studio@anchev.net QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.82 Safari/537.36 Steps to reproduce the problem: 1. Open https://e-fibank.bg/ 2. Enter login credentials 3. Click Login The browser simply refreshes the page and does not log in the user. No error messages, no problems in Network section Dev Console (all HTTP 200). NOTE: for testing you can use random credentials. Chromium will not give you an error message (as it should) and will refresh the page again. Please note - Chromium != Chrome. Everything worked fine in an earlier version. Not sure which one but right before Christmas 2015 it worked This works in other browsers (tested in official Google Chrome from Google's repo and Firefox). I know you cannot test without login credentials. Unfortunately the bank's tech support is very bad and they don't understand that in order to test this on your side they should provide some kind of log or at least a test account. But they don't respond when I ask for this. They simply say "We didn't make any changes on the server side" and don't reply any more. I understand that for security reasons they might be right but still I hope you can check what might have changed from previous version of Chromium when everything worked. NOTE2: This has been reported to code.google.com but they replied with a WONTFIX: https://code.google.com/p/chromium/issues/detail?id=585053 In summary: They say Chormium must have been modified/patched by the Linux distro and I should address this bug here, i.e. to openSUSE. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
Andreas Stieger
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c1
Raymond Wooninck
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c2
George Anchev
Maybe other distributions are patching chromium, but on openSUSE I am trying to stay as close as possible to the official tarball. Of course it will never be equal to chrome, but it comes very close to it.
Could you please explain why? When talking about stable versions - isn't it supposed that Chromium and Chrome are the same thing, just the former one being FOSS and not sending tracking info to Google? (at least this is what I read in articles around the web)
Please let me know about the chromium/chrome versions.
In Google Chrome Help -> About I read: Version 48.0.2564.103 (64-bit) In Chromium it is: Version 48.0.2564.82 (64-bit) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c3
--- Comment #3 from George Anchev
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c4
--- Comment #4 from Raymond Wooninck
Maybe other distributions are patching chromium, but on openSUSE I am trying to stay as close as possible to the official tarball. Of course it will never be equal to chrome, but it comes very close to it.
Could you please explain why? When talking about stable versions - isn't it supposed that Chromium and Chrome are the same thing, just the former one being FOSS and not sending tracking info to Google? (at least this is what I read in articles around the web)
Well, I am not sure about the tracking info, etc. However inside the code Google made the split between chromium and chrome branding. Certain features are only active on the chrome branding. If you take a real plain chromium build then you will notice that widevine is not active and only recently the pdf library became also available for Chromium (before it was only available with Chrome). So Chromium is not equal to Chrome and my feeling is that it will never be. Of course from a distribution perspective, we are trying to create add-ons and some small patches to make the two come closer. E.g. since recently we have the widevine capability due to a small patch and an add-on package from Packman OBS.
In Google Chrome Help -> About I read:
Version 48.0.2564.103 (64-bit)
In Chromium it is:
Version 48.0.2564.82 (64-bit)
And this is what I suspected already. Your Chrome version is one stable build ahead of the Chromium package. Due to a delay in delivering the tarballs, I only was able to build the 103 build yesterday and will submit it today to Leap. Hopefully you would get it towards the end of the week. You could test however the new build by getting it from the network:chromium repository, otherwise you have to wait for the update. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c5
--- Comment #5 from George Anchev
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c6
Andreas Stieger
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c7
--- Comment #7 from George Anchev
Actually, let's test this now. :-) George, could you switch the package to the network:chromium repo and see if this fixes your issue? https://software.opensuse.org/ymp/network:chromium/openSUSE_Leap_42.1/ chromium.ymp?base=openSUSE%3ALeap%3A42.1&query=chromium
Ok, I updated to Version 48.0.2564.103 (64-bit) according to your instruction. Unfortunately the issue remains. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
George Anchev
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c8
--- Comment #8 from Raymond Wooninck
Ok, I updated to Version 48.0.2564.103 (64-bit) according to your instruction. Unfortunately the issue remains.
Ok, I am testing something to see if this is affecting something. Will report on this bugreport if I find something -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c9
--- Comment #9 from George Anchev
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c10
--- Comment #10 from Raymond Wooninck
Thanks.
BTW now Chromium asks me for access to KWallet. How can I prevent this?
Chromium is auto-detecting what is installed on your system. This means that you have a KDE desktop installed. If you do not want to use KWallet to securely store your password, but rather have it in an unprotected way, then you need to change the /usr/lib64/chromium/chromium-generic script and change the --password-store=detect on the last line in --password-store=basic -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c11
--- Comment #11 from George Anchev
Chromium is auto-detecting what is installed on your system. This means that you have a KDE desktop installed. If you do not want to use KWallet to securely store your password, but rather have it in an unprotected way, then you need to change the /usr/lib64/chromium/chromium-generic script and change the --password-store=detect on the last line in --password-store=basic
Hm. I actually just found and added to ~/.config/kwalletrc [Auto Deny] mywallet=Chromium,Google Chrome and now I am not getting the message. But what do you mean unprotected? I have "Sync everything" enabled with my Google account. Is that insecure? Also is there a way to explicitly point Chromium to use a particular separate wallet and not the one which other apps use? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c12
--- Comment #12 from Raymond Wooninck
(In reply to Raymond Wooninck from comment #10)
Chromium is auto-detecting what is installed on your system. This means that you have a KDE desktop installed. If you do not want to use KWallet to securely store your password, but rather have it in an unprotected way, then you need to change the /usr/lib64/chromium/chromium-generic script and change the --password-store=detect on the last line in --password-store=basic
Hm. I actually just found and added to ~/.config/kwalletrc
[Auto Deny] mywallet=Chromium,Google Chrome
and now I am not getting the message.
Ok. I guess that the rejection of kwallet would make Chromium fallback on the basic password-store
But what do you mean unprotected? I have "Sync everything" enabled with my Google account. Is that insecure?
These two has nothing to do with each other. Your passwords are still stored on your local computer. This can either happen by using the GNOME keyring, the KDE KWallet or by a local text file. The GNome keyring and KDE KWallet are the ones that are secured and protected by encryption and additional passwords. The local text file however is just an ascii file which can be read by everyone. Regardless of which local password store you choose, if you have the Sync everything active, then it will synchronize also your passwords.
Also is there a way to explicitly point Chromium to use a particular separate wallet and not the one which other apps use?
As indicated the above three choices are available. There are no other options. As that you have a KDE desktop, chromium would go for the kwallet password store which is secure. As indicated you could redirect it to use the basic password store. But why do you not want chromium to store your passwords in kwallet ? What would be against it ? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c13
--- Comment #13 from George Anchev
But why do you not want chromium to store your passwords in kwallet ? What would be against it ?
Actually I do want that, as it is encrypted. But in my wallet there are passwords for LAN SSH/SFTP access and I surely don't want the browser to access them as it accesses the same wallet. That's why I am asking if there is a way to use a separate wallet for chromium. But as far as I understand that is impossible? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c14
--- Comment #14 from Raymond Wooninck
(In reply to Raymond Wooninck from comment #12)
But why do you not want chromium to store your passwords in kwallet ? What would be against it ?
Actually I do want that, as it is encrypted. But in my wallet there are passwords for LAN SSH/SFTP access and I surely don't want the browser to access them as it accesses the same wallet. That's why I am asking if there is a way to use a separate wallet for chromium. But as far as I understand that is impossible?
Well, it will not mix those passwords up :) It will create an new entry in the wallet itself called "Chrome Form Data" and only that entry with the passwords underneath will be synchronized. I hope that you are aware that all KDE based applications have access to the wallet and could theoretically read all passwords. I guess a lot depends on how much do you trust applications. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c15
--- Comment #15 from George Anchev
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c16
Raymond Wooninck
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c17
George Anchev
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c18
--- Comment #18 from Raymond Wooninck
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c19
--- Comment #19 from George Anchev
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c20
--- Comment #20 from Raymond Wooninck
http://bugzilla.suse.com/show_bug.cgi?id=965738
http://bugzilla.suse.com/show_bug.cgi?id=965738#c21
--- Comment #21 from George Anchev
participants (1)
-
bugzilla_noreply@novell.com