problem with Online Banking

[Davey]

I use Online Banking with HSBC on an almost daily basis, using Mozilla
Firebird on Ubuntu.
Since Saturday, I only get an error message when I try to go to the
Sign-up page:

503 ERROR
The request could not be satisfied.
The Lambda function associated with the CloudFront distribution is
invalid or doesn't have the required permissions. We can't connect to
the server for this app or website at this time. There might be too
much traffic or a configuration error. Try again later, or contact the
app or website owner. If you provide content to customers through
CloudFront, you can find steps to troubleshoot and help prevent this
error by reviewing the CloudFront documentation.

I have researched this, and I have no idea what is usually discussed,
it is in a language level above my pay grade, but seems to say that it
is probably a problem with CloudFront, whoever they are.
If I use Chrome, still on Ubuntu, it works fine. That is always
updating whenever I do an update/upgrade.

What, if anything, can I do about this, apart from trying to contact
HSBC's annoying chatbot and explaining it to them? There have been no
recent updates to Mozilla, and there are none ready to download.

Any help gratefully received.

--
Davey.

[Marco Moock]

Am 24.09.2023 um 09:13:06 Uhr schrieb Davey:

> I use Online Banking with HSBC on an almost daily basis, using Mozilla
> Firebird on Ubuntu.

Mozilla Firebird?
Really?
Or Firefox?

> Since Saturday, I only get an error message when I try to go to the
> Sign-up page:
>
> 503 ERROR
> The request could not be satisfied.
> The Lambda function associated with the CloudFront distribution is
> invalid or doesn't have the required permissions. We can't connect to
> the server for this app or website at this time. There might be too
> much traffic or a configuration error. Try again later, or contact the
> app or website owner. If you provide content to customers through
> CloudFront, you can find steps to troubleshoot and help prevent this
> error by reviewing the CloudFront documentation.
>
> I have researched this, and I have no idea what is usually discussed,
> it is in a language level above my pay grade, but seems to say that it
> is probably a problem with CloudFront, whoever they are.
> If I use Chrome, still on Ubuntu, it works fine. That is always
> updating whenever I do an update/upgrade.

Many webmasters only care about Chrome.
Contact them and ask them for supporting all browsers.

> What, if anything, can I do about this, apart from trying to contact
> HSBC's annoying chatbot and explaining it to them? There have been no
> recent updates to Mozilla, and there are none ready to download.

Switching the bank is the last resort.

[Davey]

On Sun, 24 Sep 2023 10:35:18 +0200
Marco Moock <mm+use...@dorfdsl.de> wrote:

> Am 24.09.2023 um 09:13:06 Uhr schrieb Davey:
>
> > I use Online Banking with HSBC on an almost daily basis, using
> > Mozilla Firebird on Ubuntu.
>
> Mozilla Firebird?
> Really?
> Or Firefox?
>

Clearly, Firefox. it st gave been the Spellchucker! Or not.

> > Since Saturday, I only get an error message when I try to go to the
> > Sign-up page:
> >
> > 503 ERROR
> > The request could not be satisfied.
> > The Lambda function associated with the CloudFront distribution is
> > invalid or doesn't have the required permissions. We can't connect
> > to the server for this app or website at this time. There might be
> > too much traffic or a configuration error. Try again later, or
> > contact the app or website owner. If you provide content to
> > customers through CloudFront, you can find steps to troubleshoot
> > and help prevent this error by reviewing the CloudFront
> > documentation.
> >
> > I have researched this, and I have no idea what is usually
> > discussed, it is in a language level above my pay grade, but seems
> > to say that it is probably a problem with CloudFront, whoever they
> > are. If I use Chrome, still on Ubuntu, it works fine. That is always
> > updating whenever I do an update/upgrade.
>
> Many webmasters only care about Chrome.
> Contact them and ask them for supporting all browsers.

Indeed, I will try.

>
> > What, if anything, can I do about this, apart from trying to contact
> > HSBC's annoying chatbot and explaining it to them? There have been
> > no recent updates to Mozilla, and there are none ready to
> > download.
>
> Switching the bank is the last resort.
>

I don't want to do that, and there is no guarantee that the same thing
won't happen at another bank in the future. Our local Barclays branch
has just closed, and Lloyds has some notices in the window that look
ominous.

--
Davey.

[Davey]

On Sun, 24 Sep 2023 10:35:18 +0200
Marco Moock <mm+use...@dorfdsl.de> wrote:

I managed to talk to a human (!), but she could find no reference to
anybody else with similar problems reported. She suggested I do a
Browser Reset.

--
Davey.

[Marco Moock]

Am 24.09.2023 um 11:10:23 Uhr schrieb Davey:

> I managed to talk to a human (!), but she could find no reference to
> anybody else with similar problems reported. She suggested I do a
> Browser Reset.

Did you try it in a fresh firefox profile?
Go to about:profiles to create it.

[Davey]

Ah-ha! That worked. Which proves something, I just don't know how to
fix it. I need to find out what, in my Default Profile, is creating the
error message, and I have no idea how to do that. Starting in
Troubleshooting Mode (ex Safe Mode) made no difference.

But many thanks for putting me onto something that works.

--
Davey.

[Andy Burns]

Davey wrote:

> Marco Moock wrote:
>
>> Did you try it in a fresh firefox profile?
>> Go to about:profiles to create it.
>
> Ah-ha! That worked. Which proves something, I just don't know how to
> fix it.

start by clearing cookies and/or saved credentials for the bank, then
try disabling all add-ons, then just disable advert/javascript blocking
add-ons...

[Davey]

I thought that the troubleshooting mode had disabled the add-ons etc,
but I'll go through the whole process. Later, though, I have other
things to do at the moment.
But thanks for the help.

--
Davey.

[Andy Burns]

Davey wrote:

> I thought that the troubleshooting mode had disabled the add-ons etc,

yes within the fresh profile, but presumably you want to get back to
your original profile?

[Davey]

I ran Troubleshooting Mode while in my only (Default) profile,
according to the Help procedure. It said that this disabled all add-ons
etc, but it did not get rid of the Error message, which it daid meant
that the problem was not caused by any add-ons. I then exited
Troubleshooting Mode, and later, per your suggestion, created a new
'Test' profile, which is 'naked' and has no add-ons, and works with
the banking site.

The Help process also mentioned Resetting Firefox, but that sounded as
though it would eliminate all my personal data, in effect returning it
to the state of the new profile. Kind of The Nuclear Option.

I am confused, but at least I have, for now anyway, two ways of getting
at my banking.

--
Davey.

[Anton Shepelev]

Davey:

> I managed to talk to a human (!), but she could find no
> reference to anybody else with similar problems reported.

It may be the standard manipulation: to tell everyone in
private that they are the only one experiencing the problem.
This is why commerical providers do not use public issue
trackers or support forums (mailing lists, newsgroups), to
keep the clients isolated as it were in one-man
cells -- divide and conquer. That way, the client cannot
unite to exert any serious and concerted pressure on the
provider.

--
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments

[Davey]

On Mon, 25 Sep 2023 10:49:36 +0300
Anton Shepelev <anton.txt@g{oogle}mail.com> wrote:

> Davey:
>
> > I managed to talk to a human (!), but she could find no
> > reference to anybody else with similar problems reported.
>
> It may be the standard manipulation: to tell everyone in
> private that they are the only one experiencing the problem.
> This is why commerical providers do not use public issue
> trackers or support forums (mailing lists, newsgroups), to
> keep the clients isolated as it were in one-man
> cells -- divide and conquer. That way, the client cannot
> unite to exert any serious and concerted pressure on the
> provider.
>

I agree; but the fact that I can get it to work with a new profile
rather negates that IN THIS CASE.

But then, Chrome failed this morning, with the same Error message, using
the same profile as yesterday, so who knows?

Cheers,

--
Davey,

[Davey]

On Mon, 25 Sep 2023 09:11:19 +0100
Davey <da...@example.invalid> wrote:

> > It may be the standard manipulation: to tell everyone in
> > private that they are the only one experiencing the problem.
> > This is why commerical providers do not use public issue
> > trackers or support forums (mailing lists, newsgroups), to
> > keep the clients isolated as it were in one-man
> > cells -- divide and conquer. That way, the client cannot
> > unite to exert any serious and concerted pressure on the
> > provider.

I once had an issue with Tom Tom directing lorries around a very tight
corner in front of my house, risking damaging the house. I eventually
got on to a Tom Tom Forum, which was stuffed full of people complaining
about the lack of Customer Service. Then suddenly, the forum was
closed, due to "Lack of Interest"! Yeah, right.

--
Davey.

[Anton Shepelev]

Davey to Anton Shepelev:

> > It may be the standard manipulation: to tell everyone in
> > private that they are the only one experiencing the
> > problem.
>

> I agree; but the fact that I can get it to work with a new
> profile rather negates that IN THIS CASE.

Yeah, I have to read some way ahead down the thread before
rushing in with a rant, to which your situation is too rare
an exception!

[Andy Burns]

Anton Shepelev wrote:

> It may be the standard manipulation: to tell everyone in
> private that they are the only one experiencing the problem.
> This is why commerical providers do not use public issue
> trackers or support forums (mailing lists, newsgroups), to
> keep the clients isolated as it were in one-man
> cells -- divide and conquer. That way, the client cannot
> unite to exert any serious and concerted pressure on the
> provider.

Except they all seem to use twitter!

[Richard Kettlewell]

Yes, I don’t think there’s any conscious manipulation here. Desktop
Linux is a niche use case and retail support staff just don’t encounter
it very often.

--
https://www.greenend.org.uk/rjk/

[Martin Gregorie]

Have you got Wireshark installed? Using it to look at the traffic between
Chrome and your bank might suggest fixes.




--

Martin | martin at
Gregorie | gregorie dot org

[Andy Burns]

Martin Gregorie wrote:

> Have you got Wireshark installed? Using it to look at the traffic between
> Chrome and your bank might suggest fixes.

You would hope communication to the bank would encrypted, which somewhat
complicates the process of deciphering https sessions with wireshark

<https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB8gCAG>

[Theo]

Andy Burns <use...@andyburns.uk> wrote:
> Martin Gregorie wrote:
>
> > Have you got Wireshark installed? Using it to look at the traffic between
> > Chrome and your bank might suggest fixes.
>
> You would hope communication to the bank would encrypted, which somewhat
> complicates the process of deciphering https sessions with wireshark

You can use your browser's Developer Tools to see the communication between
the browser and the site inside the HTTPS. But good luck hunting for fixes:
'stuff talks to stuff' is as good as you'll get really - there is too many
layers of Javascript in there to easily determine the problem, unless it's
something very obvious like a webserver taking forever to reply. It's a bit
like trying to debug Microsoft Office using a disassembler.

Theo

[Davey]

On 25 Sep 2023 16:28:01 +0100 (BST)

And all that the three of you have suggested sounds to be beyond my
abilities.
But thank you for the ideas!.

--
Davey.

[Martin Gregorie]

On Mon, 25 Sep 2023 14:56:32 +0100, Andy Burns wrote:

> Martin Gregorie wrote:
>
>> Have you got Wireshark installed? Using it to look at the traffic
>> between Chrome and your bank might suggest fixes.
>
> You would hope communication to the bank would encrypted, which somewhat
> complicates the process of deciphering https sessions with wireshark
>

Agreed, though the earlier parts of the login dialogue, which seem to be
where the OP's problems lie, may be plaintext: after you need to have some
sort of link up and running before you can turn encryption on. If this
initial part of starting an encrypted link is where the OP's problem lies
then I'd expect Wireshark could be quite useful.

[Martin Gregorie]

Wireshark is a standard package for most Linux distros, and is pretty
simple to install and use, since all it does is to show the content of
incoming and outgoing messages and label each message to show which stream
it belongs to and whether its incoming or outgoing. It also lets you
capture the message flow as well as watching it stream past on screen.

[Theo]

There's no plaintext, it's all encrypted. All you can see there are the
connections to various servers (and maybe their DNS) - everything inside
those connections is encrypted.

Theo

[Martin Gregorie]

I would expect the content of the session start/stop messages and
(probably) encryption start/stop messages to be plaintext, not least
because this stuff is public information: it has to be because its the
routing and content type details (msg encrypted or plaintext) needed to
establish the mail transport sessions and would seem to what the OP's
system is complaining about.

Using Wireshark is about the simplest way I can think of to display this
information: if its the same regardless connection success or failure then
the problem is internal to the OP's system.

Similarly, if responses to these messages are error responses, munged or
not being returned, then the problem is internal to the OP's system.

If the problem is with the session establishment then I'd expect Wireshark
to confirm or deny this explanation and nothing more. If the session start
request/response pairs are OK when displayed by Wireshark, that the
problem ir internam the the OP's system and its time to look at his mail
processes's debugging and diagnostic capabilities.

Anyway, the above is why I suggested Wireshark as a readily available and
easy to use way or looking at session start/stop messages: in this case I
don't expect it to do more than that.

[Davey]

I once installed Wireshark on an earlier machine, and I could not make
head or tail of what it was telling me. I could try again now and see
if it makes any mire sense.

--
Davey.

[Richard Kettlewell]

Martin Gregorie <mar...@mydomain.invalid> writes:
> On 25 Sep 2023 18:34:13 +0100 (BST), Theo wrote:
>> There's no plaintext, it's all encrypted. All you can see there are
>> the connections to various servers (and maybe their DNS) - everything
>> inside those connections is encrypted.
>

> I would expect the content of the session start/stop messages and
> (probably) encryption start/stop messages to be plaintext, not least
> because this stuff is public information: it has to be because its the
> routing and content type details (msg encrypted or plaintext) needed
> to establish the mail transport sessions and would seem to what the
> OP's system is complaining about.

The only things that are not encrypted are:
* DNS packets (maybe)
* TCP/IP headers
* The initial TLS key exchange messages (i.e. almost certainly just the
first two packets).

The OP’s report is an HTTP status message, so an https session has been
successfully established and something within that isn’t working. The
handful of unencrypted parts are irrelevant. It also references a
well-known CDN and AWS Lambda: the immediate source of the errors is
inside HSBC and/or their suppliers, though presumably it’s triggered by
some detail of the OP’s configuration.

> Using Wireshark is about the simplest way I can think of to display this
> information: if its the same regardless connection success or failure then
> the problem is internal to the OP's system.
>
> Similarly, if responses to these messages are error responses, munged or
> not being returned, then the problem is internal to the OP's system.
>
> If the problem is with the session establishment then I'd expect
> Wireshark to confirm or deny this explanation and nothing more. If the
> session start request/response pairs are OK when displayed by
> Wireshark, that the problem ir internam the the OP's system and its
> time to look at his mail processes's debugging and diagnostic
> capabilities.

Please read the OP’s original report, it is simply not consistent with
these possibilities.

--
https://www.greenend.org.uk/rjk/

[Davey]

Thank you for that clarification. It makes sense to me.

Some more information:

I tried:
a. Pausing Ghostery. No improvement.
b. AdBlock was not blocking anything, so nothing to do there.
c. Checked cookies, none listed for: HSBC, Lambda, or Cloudfront.
d. Luckily, the Test profile still works (fingers crossed).
e. I installed Wireshark, and again was confused by it. I do not know
it, and I cannot get beyond the Welcome screen with anything useful.
I need "Wireshark for Dummies". But hopefully, I don't need it
anyway.
f. Confirmed that Chrome still fails in the same way.

Hmm.

--
Davey.

[Davey]

In addition, I have gone back to my Chrome browser and cleared
everything that I can think of in there, but it still fails, with the
same Error message,

--
Davey.

[Andy Burns]

Davey wrote:

> I have gone back to my Chrome browser and cleared everything that I
> can think of in there, but it still fails, with the same Error
> message

Killed-off service workers?

<chrome://serviceworker-internals>

[Davey]

You really like sending me down paths of which I have no knowledge,
don't you?

--
Davey.

[Theo]

Davey <da...@example.invalid> wrote:
> I use Online Banking with HSBC on an almost daily basis, using Mozilla
> Firebird on Ubuntu.
> Since Saturday, I only get an error message when I try to go to the
> Sign-up page:
>
> 503 ERROR
> The request could not be satisfied.
> The Lambda function associated with the CloudFront distribution is
> invalid or doesn't have the required permissions. We can't connect to
> the server for this app or website at this time. There might be too
> much traffic or a configuration error. Try again later, or contact the
> app or website owner. If you provide content to customers through
> CloudFront, you can find steps to troubleshoot and help prevent this
> error by reviewing the CloudFront documentation.
>
> I have researched this, and I have no idea what is usually discussed,
> it is in a language level above my pay grade, but seems to say that it
> is probably a problem with CloudFront, whoever they are.
> If I use Chrome, still on Ubuntu, it works fine. That is always
> updating whenever I do an update/upgrade.
>
> What, if anything, can I do about this, apart from trying to contact
> HSBC's annoying chatbot and explaining it to them? There have been no
> recent updates to Mozilla, and there are none ready to download.
>
> Any help gratefully received.

I wonder if your IP has become blacklisted in some way? If a server has
blocked it, that would explain the strange behaviour. It is possible only
one server of many is blocking, which would explain why it sometimes works
and sometimes doesn't. It's deep in the guts of HSBC's infrastructure so
there's not much hope of identifying which server.

Can you try from a different IP? For example if you have access to a VPN
try using that. Or use the portable hotspot feature on your phone to tether
to it and use mobile data.

I had a quick look at 'www.hsbc.co.uk -> Login' in Firefox developer tools -
as expected there's a huge amount of Javascript stuff going back and forth.
It also pings a tracking/logging server about once a second - uBlock Origin
blocks that, but it still seems to work ok (I didn't try logging in).

Theo

[Davey]

On 26 Sep 2023 12:52:45 +0100 (BST)

Briefly, as I'm on my way out to a hospital appointment:
No other IP available.
Never tried tethering to my dumb 'phone, so no idea about that.
Although it might be worth learning!

From my recent experience, if it asks you for your ID, then it's
working fine.

Thanks for digging.

--
Davey.

[Theo]

Davey <da...@example.invalid> wrote:
> Briefly, as I'm on my way out to a hospital appointment:
> No other IP available.

Is it a laptop? You could take it somewhere with free wifi and try there.

> Never tried tethering to my dumb 'phone, so no idea about that.
> Although it might be worth learning!

Not sure if your dumbphone can tether, some don't have wifi.

Theo

[Davey]

On 26 Sep 2023 14:35:10 +0100 (BST)

I'll take a look sometime. It has a lot more abilities than I use, but
I only normally use it for making emergency calls if needed. It will
send and receive texts.

--
Davey.

[Davey]

On Tue, 26 Sep 2023 10:35:25 +0100
Andy Burns <use...@andyburns.uk> wrote:

Returning to my current situation, what can I do with what I have, and
am capable of doing, as a way of eliminating various items to try to
determine what is causing the problem? I have tried, repeatedly,
clearing the cache; Firefox's Troubleshooting procedure disables all
Add-ons, but that makes no difference. Can I temporarily disable some
cookies to try to home in on which one(s), if any, might be causing the
bad log-in? What else can I try?

The answer must be somewhere in the Profile configuration, it is a
question of digging out where it is.

--
Davey.

[Java Jive]

On 27/09/2023 12:51, Davey wrote:
>
> Returning to my current situation, what can I do with what I have, and
> am capable of doing, as a way of eliminating various items to try to
> determine what is causing the problem? I have tried, repeatedly,
> clearing the cache; Firefox's Troubleshooting procedure disables all
> Add-ons, but that makes no difference. Can I temporarily disable some
> cookies to try to home in on which one(s), if any, might be causing the
> bad log-in? What else can I try?
>
> The answer must be somewhere in the Profile configuration, it is a
> question of digging out where it is.

It's been a long thread, and I'm not sure that I can remember all of it,
so apologies if this has been suggested before, but have you tried:

Edit
Settings
Privacy & Security
Cookies & Site Data
Manage Data
Search for and delete the cookies and data for your bank.

--

Fake news kills!

I may be contacted via the contact address given on my website:
www.macfh.co.uk

[Andy Burns]

Davey wrote:

> Andy Burns wrote:
>
>> <chrome://serviceworker-internals>
>
> Returning to my current situation, what can I do with what I have

If using chrome, enter the above URL (you can't click it) at least see
if anything shows up on the list, and if so, is it related to the bank's
domain?

If using firefox, the equivalent URL is

<about:serviceworkers>

if workers are disabled it will say so, or it might show a list, again
does you bank appear?

You don't need to know *too* much about service workers, except they can
be quite powerful, acting as a stand-in for your bank's webserver,
complete with SQL data and their own process

[Davey]

On Wed, 27 Sep 2023 14:13:27 +0100
Andy Burns <use...@andyburns.uk> wrote:

> You don't need to know *too* much about service workers, except they
> can be quite powerful, acting as a stand-in for your bank's
> webserver, complete with SQL data and their own process
>

I know NOTHING abut service workers, except that they look after my
hotel room when I am away from home.
I opened up the Chrome one, but I had no idea how to make it do
anything meaningful, and I don't want to learn a whole new System if I
can help it. I'm too old for that!

--
Davey.

[Davey]

On Wed, 27 Sep 2023 13:32:11 +0100
Java Jive <ja...@evij.com.invalid> wrote:

> On 27/09/2023 12:51, Davey wrote:
> >
> > Returning to my current situation, what can I do with what I have,
> > and am capable of doing, as a way of eliminating various items to
> > try to determine what is causing the problem? I have tried,
> > repeatedly, clearing the cache; Firefox's Troubleshooting procedure
> > disables all Add-ons, but that makes no difference. Can I
> > temporarily disable some cookies to try to home in on which one(s),
> > if any, might be causing the bad log-in? What else can I try?
> >
> > The answer must be somewhere in the Profile configuration, it is a
> > question of digging out where it is.
>
> It's been a long thread, and I'm not sure that I can remember all of
> it, so apologies if this has been suggested before, but have you
> tried:
>
> Edit
> Settings
> Privacy & Security
> Cookies & Site Data
> Manage Data
> Search for and delete the cookies and data for your bank.
>

I searched through my cookies for anything related to: HSBC, Lambda,
CloudFront, but with no joy with any of them.
If I could make head or tail of the service-workers thing, that might
help.

--
Davey.

[Davey]

But just now, I tried again, and found an HSBC cookie from 4 hours ago.
I deleted it, and tried again, and it worked! I needed to Manage the
new cookie, of course, but it now works!
Puzzlingly, it also works on Chrome, but hey, I'll take it. This must
mean that Firefox and Chrome share the same cookies? I would have
thought they had their own cookies.

Thanks to all who have contributed to this, I have no idea about half
of what was described, such as service-workers, but persistence pays
off.

Cheers and thanks, All.

--
Davey.

[Handsome Jack]

Marco Moock <mm+use...@dorfdsl.de> wrote:

> Am 24.09.2023 um 11:10:23 Uhr schrieb Davey:
>
>> I managed to talk to a human (!), but she could find no reference to

>> anybody else with similar problems reported. She suggested I do a
>> Browser Reset.
>
> Did you try it in a fresh firefox profile?
> Go to about:profiles to create it.
>

I did this (having just seen this thread), then pressed the "open Directory" button for the existing profile. Instead of opening the directory, it called up a launcher in my /home/[me]/local/applications directory - as it happens, one that I created myself to encrypt files. I narrowly escaped encrypting my default firefox profile.

Why would it do that?