I ran into a similar problem with the website of my general practitioner. It worked fine in all cases, except when using Firefox on Linux, which I use.
After lots of testing and trying to contact whoever built the website I found that it blocked only user-agents which contained this literal string:
X11; Ubuntu; Linux
Only when that string was in there verbatim would it fail all requests with a 403 Forbidden.
After I saw the same error with some other websites for businesses in my town I started seeing a pattern. The company that hosts/builds this website apparently copy/pastes their basic server set up, and so every website they host works everywhere, except when using Firefox on Linux. So maybe one in a thousand users gets this.
I posted my search for the cause of this issue on StackOverflow¹, and even got a reply from (presumably) someone who works for the company that hosts these websites, but alas, the websites remain broken to this day. They suspected a hack to prevent some WordPress exploit…
It's frustrating, because a general practitioner's website should not fail like this (it is a point of contact that sits just below emergency services), but the people that work there don't understand the problem, and the company that hosts it can't be arsed to fix the issue.
Seeing this topic on HN reminded me to try to contact the website builder again, and this time they did get their hosting party to fix the problem.
The explanation as passed on to me was:
> There was a bit in the htaccess that was there since 2019, we don't know why.
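For a site operator hunting a forgotten rule like the one described above, the following added example (not code from the post or from the hosting company) lists the Apache conditions in an .htaccess that key on the User-Agent header and shows which test user agents each one matches. The .htaccess text and the user-agent strings are constructed samples, since the real rule was never published, and Python's `re` is assumed to be close enough to Apache's regex engine for simple patterns like these.

```python
import re

# Constructed sample: the real .htaccess from the post was never published.
SAMPLE_HTACCESS = '''\
RewriteEngine On
# legacy rule, purpose unknown
RewriteCond %{HTTP_USER_AGENT} "X11; Ubuntu; Linux"
RewriteRule .* - [F,L]
SetEnvIfNoCase User-Agent "sqlmap|nikto" bad_bot
BrowserMatch "^$" empty_ua
'''

# Constructed User-Agent strings used to probe the rules.
SAMPLE_UAS = {
    "firefox-ubuntu": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) "
                      "Gecko/20100101 Firefox/94.0",
    "firefox-windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) "
                       "Gecko/20100101 Firefox/94.0",
    "chrome-linux": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
}

# A token is either a double-quoted string or a run of non-space characters.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def find_ua_rules(text):
    """Return every directive whose condition is a regex on the User-Agent."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = [quoted or bare for quoted, bare in TOKEN.findall(raw.strip())]
        if not tok or tok[0].startswith("#"):
            continue
        name, pattern, nocase = tok[0].lower(), None, False
        if (name == "rewritecond" and len(tok) >= 3
                and tok[1].upper() == "%{HTTP_USER_AGENT}"):
            pattern = tok[2]
            flags = tok[3].strip("[]").upper().split(",") if len(tok) > 3 else []
            nocase = "NC" in flags or "NOCASE" in flags
        elif (name in ("setenvif", "setenvifnocase") and len(tok) >= 3
                and tok[1].lower() == "user-agent"):
            pattern, nocase = tok[2], name.endswith("nocase")
        elif name in ("browsermatch", "browsermatchnocase") and len(tok) >= 2:
            pattern, nocase = tok[1], name.endswith("nocase")
        if pattern is None:
            continue
        # RewriteCond allows a leading "!" to negate the pattern.
        negated = name == "rewritecond" and pattern.startswith("!")
        try:
            regex = re.compile(pattern[1:] if negated else pattern,
                               re.IGNORECASE if nocase else 0)
        except re.error:
            regex = None  # pattern needs manual review
        rules.append({"line": lineno, "directive": tok[0], "pattern": pattern,
                      "regex": regex, "negated": negated})
    return rules


def audit(text, user_agents):
    """Map each user-agent label to the line numbers of the rules it hits."""
    rules = find_ua_rules(text)
    report = {}
    for label, ua in user_agents.items():
        report[label] = [r["line"] for r in rules if r["regex"] is not None
                         and bool(r["regex"].search(ua)) != r["negated"]]
    return report


if __name__ == "__main__":
    for label, lines in audit(SAMPLE_HTACCESS, SAMPLE_UAS).items():
        print(f"{label}: matched by rules on lines {lines or 'none'}")
```

A hit only means the condition matches; whether the request ends in a 403 depends on the `RewriteRule` or access directive that consumes it, which still has to be read by hand.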
If you're in the US, call your doc and mention that this may be a violation of the 21st Century Cures Act, as it is preventing or interfering with the access, exchange, or use of electronic health information.
It would be a stretch to call this an outright violation (as they could satisfy the requirement by printing the information you want and mailing it to you...), but it's a trendy topic in healthcare right now, so it might be enough of a motivator.
While this is generally true, in my experience anything related to healthcare regulations is a lot less likely to get written off. Generally the failure mode is quite the opposite (people assume all sorts of things about, e.g. HIPAA, that aren't true).
EDIT: I also wouldn't characterize it as an "empty threat", as it is neither empty (I think a good faith argument could be made that this needlessly disrupts patient access to information), nor a threat (it's just making them aware of something).
> After I saw the same error with some other websites for businesses in my town I started seeing a pattern. The company that hosts/builds this website apparently copy/pastes their basic server set up, and so every website they host works everywhere, except when using Firefox on Linux. So maybe one in a thousand users gets this.
Haha! Never attribute malice when a simple incompetence would explain it!
This is not straight incompetence though, as that config is not there by accident. It’s more in line with “screw that 1 per 1000 users”, for whatever reason.
Malice might be too strong of a word, disdain could be closer to what we are seeing.
The response to that is to play dumb and repeatedly report that the website is failing, but don't try to diagnose it for them. Just focus on your problem, and keep annoying them so that it's their problem too (write a script to email occasionally, and share it with your friends). Eventually they and other customers will complain to the website vendor to make it their problem too.
Try Japanese business banking - where you have to pick an OS and stick with it when registering (with a paper form), and must use either the ESR release of Firefox or Internet Explorer. If you don't have a user agent of either of those it won't even let you sign in.
For a while Firefox ESR was the only one still supporting digital certificate request/generation (KEYGEN).
My (not in Japan) and other banks used this as one security mechanism. With new EU rules they've now downgraded their security to a Phone app + some SMS verification.
Maybe now, not really sure if there are now changes (hopefully, since Microsoft is dropping IE), but in a time where browser plugins are abound you can't place an ActiveX plugin inside Firefox (or vice versa).
Try Spanish online digital administration. The digital certificates only worked in IE. And mid-process they require installing a Java-based program that required a different type of digital certificate. That of course makes you restart the browser and lose all the data entered.
Just wow. I couldn't even come up with such a bad process if I wanted.
Oh boy are you wrong. We Spanish people love trash talking our own country, but after 3 years in Japan, I can tell you that the Spanish banks and bureaucracy are light-years ahead of Japan.
At least in Spain we have online administration, even if it's not perfect. Here? Hand written forms, hankos and fax machines. Everything is at least ten times as difficult as it should be.
Not sure if you're referring to something old, I've only been in Spain since 2012 but I'm having zero issues with the digital certificate for various government websites, from hacienda to local city governments websites. Never have I been forced to install Java either. I usually use Firefox on Linux and seems to work fine, at least for me.
That's strange, I've never needed @clave nor AutoFirm (and in fact, I've never even heard of AutoFirma before). I just use the digital certificate (for signing in and for signing documents) received from the government to sign everything directly in the browser, without any Java or anything else really.
Banks do stuff like this all the time - they are always the long tail of security - could be a topic in itself. I contemplated this for a very long time and decided that JP Morgan would rather take the hit for bad security than pay wages and benefits to support people to deal with password resets, lost yubikeys, etc. No other answer makes sense.
My advice to OP is to dump Chase, Citibank, Bank Of America, ASAP. Move your money to one of the millennial focused banks, or an ETrade checking account.
The big banks hate you, they think you're stupid, offering you retail banking services is the bane of their existence. They are going to knock you over with $40 fees because you SHOULD pay them to put up with you — at least that is how they see it.
There are much better options these days, just search for zero fee checking.
From what I've seen CUs are not competitive with the big banks for jumbo loans. I got a significantly worse interest rate on my home loan with the CUs compared to BOFA (who I ended up going with).
Dude, all I know is that I was using Chase for one of my businesses for 3 years, millions of dollars coming in via Intuit payments -- no problems, then I switched from Intuit for ACH to using Seamlesschex.com, and then after the first batch, they locked up my business bank account, and then after a few months talking to a call center in India, with the bank manager sitting there (there is nothing they can do when they automatically lock your account), the people in India saying they will "never" return the hundreds of thousands in the account they locked up, I filed a lawsuit against Chase in civil court the same day, and then a month later, the attorney representing the case mails me a check for the full amount they stole from the account. I understand risk, but this was months later, all ACH payments, and everyone knew they owed this money. My only regret was not charging them with theft/fraud and 3x the money back for damages. Bottom line -- don't use Chase for anything. They suck.
I had someone working at Chase telling my vendor how much money was in my account. I was a private client at JP Morgan and had a business account with them.
The vendor was threatening me and using my bank account level (down to the penny) to make the threats.
Chase identified the culprit, told me who it was, then offered me lifelock identity theft protection as a courtesy for my troubles.
I haven’t had $1k in my private client account since.
And like most things if you're not wealthy enough to afford a good attorney, and they usually can just draw out a case until you run out of money, the only people capable of protecting you are legislators who have failed time and time again to adequately take on big business abusing their positions.
This is what small claims courts are for, if you have an equivalent in your country. No/minimal lawyer involvement, as long as the amount is relatively low. If you have hundreds of thousands or more stuck in an account though, you likely have access to a lawyer. (+ obviously winnable cases will be sometimes taken without cost since the lawyers will negotiate that in the damages)
Blue Cross and Blue Shield of Illinois (I can't vouch for any of the other Blue Cross affiliates) recently redid their website. I was wondering why the hell it was kicking me out after logging in, with a "did you forget your password?" message. Multiple password reset attempts later, I called their tech support and asked what was up. I use Firefox on Linux as my daily driver.
What was up was that on their new site, I had to use Google Chrome and only Google Chrome. Not Firefox, not even Chromium. I wonder if Edge even works.
I'm seriously considering switching providers over it.
I have similar issues. I couldn't get to the billing site for BCBSIL from any browser on my system for the past year.
Unfortunately there are no decent alternatives for a PPO, where I am. If it's browser issues vs an HMO, I'll begrudgingly accept developer incompetence.
If you want to push back against the bureaucracy on this one, find a Firefox-only accessibility addon that can’t be used on their site, and play the ADA angle by sending a polite email mentioning that their negligent browser restrictions prevent “your favorite” visibility tweaker/screen reader/etc. from being used, harming the ability to access the site. You need not disclose the details of exactly what, if any, disabilities you personally suffer from.
I don’t have a FreeBSD machine handy right now but I just switched user agent to FreeBSD amd64 on a Linux machine with Chromium 95 and have no issue with the front page or logging into chase.com. I have rarely encountered issues using this Linux/X11 setup on chase.com for years.
Is it possible they are using an ancient browser and incorrectly assuming it’s the OS part of the user agent?
I use it almost every day. I'm thinking the user is using a weird user agent/browser and misdiagnosed the problem.
It looks like Firefox but there's just so many small browsers these days. Honestly I'd need to see the offending code. If it's user agent testing, those strings should still be readable even in a compressed js unless they run it through an obfuscator
> should be readable even in a compressed js unless they run it through an obfuscator
User-Agent may be determined on a webserver/proxy level and request redirected silently to a page with JS just showing the banner. It does not have to be based on JS checking anything.
The small browsers thing sounds about right. Check the link he posted about the email someone received on Reddit. It's posted like it's a screenshot from Mutt or some other terminal mail editor. Looks more like they are flexing their email terminal usage not just copy/pasting the message (png for text? come on!).
Probably using qutebrowser or something else like that.
Just from the Reddit post as well - doesn't feel overly user-hostile or deserving of the 'JP Morgan Chase Bank admitting to me they hate Linux and BSD desktops and actively block them' title anyway.
If there's active blocking based on OS (from replies in this thread, evidence seems to be slim) then that's not great, but this seems to be pretty one-sided so far.
Well that kind of matches the message he received from the website. It looks like they are just trying to notify you that there is a Chase Mobile App available (which for the average phone user, would be 99.9999% better than using a browser). Personally I wouldn't use a phone for banking but some people don't have laptops/desktops.
The article is 100% correct, I've experienced the exact same thing. For a while I thought it was blocking me due to uBlock or something, took me a while to figure out it was just the user agent.
I can confirm this is 100% false. Been using Linux to login to Chase for years, never had any problems (other than weird ad-blocker issues which are cross-platform). Just tested again just to confirm that I can log in just fine.
Take a look at their evidence that Chase "openly admits to hating linux and freebsd". It's a Reddit post with 3 votes about a CS response saying not supporting Linux doesn't constitute an ADA violation.
Everything in this article and its supporting evidence is a stretch and should be evaluated very carefully.
I’ve certainly been blocked by chase on linux with firefox, but I was only using their auto loans at the time. It was super annoying, because I first tried to get a payoff quote on the iOS app, then the mobile website, then on a linux laptop, before resigning and using my work Macbook. Perhaps other lines of business support linux better?
My employer currently blacklists Firefox from being used to launch a session in their 3rd-party remote desktop portal. I use a UA switcher. It works fine. This behavior, while brain-dead, is at least trivial to circumvent. I'm happy to let them continue to check a box on their audit preparation form saying they have control over this, and to continue to have a URL rule to change my UA for the portal, rather than having to hack my client further or keep a separate browser around to launch my daily session.
Had the same with a very broken Citrix setup. I always hated Citrix itself because of how stupidly it was set up, but the more quirks I was working around, I realized that in the Windows world it's actually a pretty sophisticated product with a lot of tunables for even Linux guests.
Nevertheless, I left banking for good and chose a company where I have real IT engineers as colleagues.
Downloading, installing and running kernel mode software to prevent cheating is already required for a number of online games.
I wonder if/when banks will extend this idea to banking to prevent fraud?
Perhaps it'll be merely an optional thing at first, like 2FA.
Later it could become something that while optional, does get you a better price of some kind, much like the driving trackers that some auto insurance companies offer.
Before long, it could even become mandatory or there could be a penalty or higher price or fee to pay if you don't do it.
Just a random idea or conspiracy theory of what's possible I suppose, but it feels like something that could be possible in the not too distant future.
Already a thing on Android. Google "Safety"Net API is used by many apps to verify that the system is not rooted or modified. These days it's combined with hardware attestation from the phone to verify that the installed OS is properly signed by the manufacturer and unmodified. So there's no workaround to using an alternative Android distribution, or rooting your phone, and still being able to use media / banking / other apps.
Of course using the bank website with the phone's browser still works...
Can confirm it works fine for me under linux firefox. OP, just adjust your user agent string if you're using a weird browser and proceed at your own risk.
(I say this because you're dealing with actual money, so incompatibilities from your browser might cause major problems if you're not careful)
I mean there's an excellent and obvious answer and that's cost benefit when it comes to QA. Anything transactional, banks in particular, want to be 100% sure that end user experiences are doing exactly what they're expected to at all times. No one is being served incorrect information or is improperly served terms or disclaimers that they can use as leverage in a lawsuit. The tech teams likely have an explicit support matrix of browsers to test against and anything not on the list is considered untested and unreliable. They can't legally indemnify themselves against defects.
As a Firefox/FreeBSD user occasionally annoyed by this nonsense (not Chase but other things), but not being knowledgeable about modern web standards evolution, I wonder if https://wicg.github.io/ua-client-hints/ will fix this by killing User-Agent headers.
Things fail in the weirdest ways in unsupported environments though, it’s not like the “make transfer” button doesn’t work, it’s more like it might not even show up in the first place. Having 99% of your website work and the last 1% not work is a dealbreaker in many cases, and these “the site may not work for you based on your OS” banners lead the user into thinking it does work 100% if it works in 99% of the cases.
Not saying this is the way it should be, just saying that “doing your best” to allow unsupported platforms often leads to a terrible and confusing user experience.
That's not true. All it takes is using an unsupported CSS rule for something to simply disappear from the page under certain circumstances. As a recent example, I found out some of our users couldn't find a specific button in an application. It still existed, but we used the zoom property to make it stand out more, which for some reason is only supported in Chrome.
It is to a point, but then it just becomes painful. If you want to keep a good user experience for modern browsers while supporting ancient ones, you'll probably be writing at least all your layouts twice.
> Worse, Chase even openly admits to being hostile to Linux and BSD to someone on Reddit. It’s something even Microsoft, Windows PC/hardware OEMs, or Apple won’t do.
If you click through to the link, you will see that this claim is totally made up.
It's not just banks. Google Maps will refuse to work if you're running OS X Lion, even if you're using a fully up-to-date version of Chromium[1] which is just as capable as any other Chromium-based browser on any other operating system.
Google Maps work perfectly on Lion if you fake the user agent, because of course it does, it's a web app and the underlying OS is irrelevant.
Ugh, I remember when HSBC pushed Rapport. Is it still a thing? I run Linux exclusively and haven't seen them try to push it for a long time so not sure if it's still a thing.
They still prevent you from running their app on a rooted Android, which is nice considering I can do much more dangerous things with my money from the web site.
I have updated my article. It seems Chase is whitelisting OSes, but they seem to allow Linux and not FreeBSD based on comments and using a Linux user agent.
Chase may not block Linux because Chase doesn't exactly want to deal with angry Linux users on the phone, or see Linux die-hards switch to competitors. Even if 1% of customers leave and don't come back, it could anger Chase's investors.
They may not officially support Linux but the web developers allow it anyways since it's too big of a minority.
They still block FreeBSD. Whether Chase's web developers don't know about BSD or they're willing to let BSD users switch to Citi Bank, I don't know.
I mean, they shouldn't whitelist by OS, but I don't know what the reasoning of blacklisting FreeBSD is.
This is interesting to me. I actually left Chase a few years ago over a very similar issue: their statement PDFs would show up blank in all the PDF readers I tested. After contacting support and being told that the only option was for me to install the latest Adobe Acrobat Reader, I told them to close my account.
I never even thought about the accessibility requirements. I am sure that relying on PDF features that only the latest Acrobat supports hurts a lot of people on that front too (unless Acrobat happens to be the most accessible of readers?)
I once got denied for a credit card app with a different company even though they pulled my credit because according to the company, quote, my user agent (Chrome on Linux) was suspicious activity.
My advice is to drop the bank now, after testing a replacement - there are plenty of smaller and "neo banks" looking to have your business with real development teams. I use the big, old and stodgy Bank of America but I have never had a complaint using desktop Linux and Firefox / Chrome there.
Has this sort of thing been argued in court as an ADA issue? I could understand why using Linux might be considered legally a "choice", but if there's better ADA compliant tooling in Linux over windows, then a legal argument might just exist..
Unless one was to claim that Tux is their emotional support animal, I doubt it. Linux on the desktop has usability issues for able bodied people. I strongly doubt it has any edge on MacOS or Windows when it comes to accessibility.
A greater focus on scriptability and customizability might make it a better OS for people with some disabilities. Certainly I've heard that at one point Linux was the only OS you could use in Welsh, for example (not that that's a disability, but it's similar in terms of being a minority need).
A JS app can be perfectly accessible (if written correctly), despite giving a CLI browser nothing but a "please turn on JS" page.
Both Firefox and Google Chrome support powerful screen readers and other accessibility features based on an open standard. A site using these would surely be ADA-compliant
You can't dictate a specific solution. It probably hasn't happened yet but someone who exclusively uses the FOSS software probably has grounds to request flat text. Flat text may be better with current hardware, who knows.
A business is going to have a hard time arguing that providing text is unreasonable.
Unless we have more details about this claim we can’t be sure, but it seems like the ADA claim is probably well-intentioned but also not correct.
Chase does not have to implement a specific solution to a user's problem, they have to make a reasonable adjustment - i.e. you can install a small ramp if someone asked for a lift.
Depending on the issue raised, Chase may feel they have a reasonable way of providing the services - for instance if the user is blind and uses some specific Linux screen reader then telephone banking may also be a reasonable adjustment rather than Linux support.
Chase may see supporting Linux for all users because of one person's disability as an ‘unreasonable’ adjustment (I don’t see the issue, but this is approximately how the claim would work). To be open I’m not exactly sure how ADA works as I’m more familiar with UK legislation.
This gave me the idea to ban all non-free systems:
"You are using a non-free Operating System and thus signing away your fundamental rights as a user. Please use a free Operating System like GNU/Linux to access this website."
But then you run into the issue of half of websites blocking free operating systems and half (haha) of websites blocking non-free operating systems.
At that point we'll need a user-agent switcher that is website aware to know which sites need which user-agents. Like secret hand signals to get into your secret clubs.
I'll just pass and not use any of it at that point.
Interesting. I just tried logging in from PopOS. No issues. Does it only affect FreeBSD?
I mean worst case scenario I can always open dedicated Windows VM, but I will admit that the trend is troubling.. especially with Win11 push towards 'trusted computing'.
Huh? I am able to log in to Chase just fine in my banking virtual machine (Ubuntu 20.04 LTS; Firefox 94.0 64-bit). I’m not using User Agent Switcher, and the User agent string shows that I’m using X11/Ubuntu.
As an aside, one issue Chase did have, 10 years ago, was that their DNS servers would return “query refused” if you sent them an AAAA (i.e. IPv6 IP) query. This actually caused issues with my recursive DNS server; I had to make AAAA (IPv6) queries handle errors differently than A (IPv4) queries. I just checked, and Chase finally fixed their DNS and IPv6 issues.
1: https://stackoverflow.com/questions/66185885/some-websites-r...