I ran into a similar problem with the website of my general practitioner. It worked fine in all cases, except when using Firefox on Linux, which I use.<p>After lots of testing and trying to contact whoever built the website I found that it blocked <i>only</i> user-agents which contained this literal string:<p><pre><code> X11; Ubuntu; Linux
</code></pre>
Only when that string was in there verbatim would it fail all requests with a 403 Forbidden.<p>After I saw the same error with some other websites for businesses in my town I started seeing a pattern. The company that hosts/builds this website apparently copy/pastes their basic server set up, and so every website they host works everywhere, except when using Firefox on Linux. So maybe one in a thousand users gets this.<p>I posted my search for the cause of this issue on StackOverflow¹, and even got a reply from (presumably) someone who works for the company that hosts these websites, but alas, the websites remain broken to this day. They suspected a hack to prevent some WordPress exploit…<p>It's frustrating, because a general practitioner's website should not fail like this (it is a point of contact that sits just below emergency services), but the people that work there don't understand the problem, and the company that hosts it can't be arsed to fix the issue.<p>1: <a href="https://stackoverflow.com/questions/66185885/some-websites-return-a-forbidden-response-only-in-firefox-on-linux-changing-the" rel="nofollow">https://stackoverflow.com/questions/66185885/some-websites-r...</a>
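Added example, not part of the comment above and not the hosting company's configuration: a pre-deployment check that runs literal-substring User-Agent deny rules against a corpus of known-good browsers and reports which legitimate users each rule would lock out. The UA corpus is constructed sample data and `ExampleScanner` is a hypothetical signature; only the `X11; Ubuntu; Linux` string and the 403 status come from the comment.

```python
"""Pre-deployment audit of User-Agent deny rules against known-good browsers."""

# Constructed sample: UA strings of ordinary browsers that must never get a 403.
KNOWN_GOOD = {
    "Firefox on Ubuntu": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) "
                         "Gecko/20100101 Firefox/94.0",
    "Firefox on Fedora": "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) "
                         "Gecko/20100101 Firefox/94.0",
    "Chromium on Linux": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                         "(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
    "Firefox on Windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) "
                          "Gecko/20100101 Firefox/94.0",
}

# Literal-substring deny rules. The first is the string quoted in the comment;
# "ExampleScanner" is a hypothetical tool signature standing in for a real one.
DENY_SUBSTRINGS = ["X11; Ubuntu; Linux", "ExampleScanner"]


def status_for(user_agent, deny=DENY_SUBSTRINGS):
    """HTTP status a case-sensitive substring filter would return for this UA."""
    return 403 if any(rule in user_agent for rule in deny) else 200


def audit(deny=DENY_SUBSTRINGS, corpus=KNOWN_GOOD):
    """Map each deny rule to the known-good browsers it would lock out."""
    collateral = {}
    for rule in deny:
        blocked = sorted(name for name, ua in corpus.items() if rule in ua)
        if blocked:
            collateral[rule] = blocked
    return collateral


def safe_to_deploy(deny=DENY_SUBSTRINGS, corpus=KNOWN_GOOD):
    """A rule set is deployable only if no known-good browser is rejected."""
    return not audit(deny, corpus)


if __name__ == "__main__":
    for rule, browsers in audit().items():
        print(f"rule {rule!r} would 403: {', '.join(browsers)}")
    print("safe to deploy:", safe_to_deploy())
```

Run as a CI gate on any change to the deny list, the check fails as soon as a rule matches a browser in the known-good corpus.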
Try Japanese business banking - where you have to pick an OS and stick with it when registering (with a paper form), and must use either the ESR release of Firefox or Internet Explorer. If you don't have a user agent of either of those it won't even let you sign in.
Banks do stuff like this all the time - they are always the long tail of security - could be a topic in itself. I contemplated this for a very long time and decided that JP Morgan would rather take the hit for bad security than pay wages and benefits to support people to deal with password resets, lost yubikeys, etc. No other answer makes sense.<p>My advice to OP is to dump Chase, Citibank, Bank Of America, ASAP. Move your money to one of the millennial focused banks, or an ETrade checking account.<p>The big banks hate you, they think you're stupid, offering you retail banking services is the bane of their existence. They are going to knock you over with $40 fees because you SHOULD pay them to put up with you — at least that is how they see it.<p>There are much better options these days, just search for zero fee checking.
Dude, all I know is that I was using Chase for one of my businesses for 3 years, millions of dollars coming in via Intuit payments -- no problems, then I switched from Intuit for ACH to using Seamlesschex.com, and then after the first batch, they locked up my business bank account, and then after a few months talking to a call center in India, with the bank manager sitting there (there is nothing they can do when they automatically lock your account), the people in India saying they will "never" return the hundreds of thousands in the account they locked up, I filed a lawsuit against Chase in civil court the same day, and then a month later, the attorney representing the case mails me a check for the full amount they stole from the account. I understand risk, but this was months later, all ACH payments, and everyone knew they owed this money. My only regret was not charging them with theft/fraud and 3x the money back for damages. Bottom line -- don't use Chase for anything. They suck.
Blue Cross and Blue Shield of Illinois (I can't vouch for any of the other Blue Cross affiliates) recently redid their website. I was wondering why the hell it was kicking me out after logging in, with a "did you forget your password?" message. Multiple password reset attempts later, I called their tech support and asked what was up. I use Firefox on Linux as my daily driver.<p>What was up was that on their new site, I had to use Google Chrome and <i>only</i> Google Chrome. Not Firefox, not even Chromium. I wonder if Edge even works.<p>I'm seriously considering switching providers over it.
Can anyone confirm this?<p>I don’t have a FreeBSD machine handy right now but I just switched user agent to FreeBSD amd64 on a Linux machine with Chromium 95 and have no issue with the front page or logging into chase.com. I have rarely encountered issues using this Linux/X11 setup on chase.com for years.<p>Is it possible they are using an ancient browser and incorrectly assuming it’s the OS part of the user agent?
My employer currently blacklists Firefox from being used to launch a session in their 3rd-party remote desktop portal. I use a UA switcher. It works fine. This behavior, while brain-dead, is at least trivial to circumvent. I'm happy to let them continue to check a box on their audit preparation form saying they have control over this, and to continue to have a URL rule to change my UA for the portal, rather than having to hack my client further or keep a separate browser around to launch my daily session.
Downloading, installing and running kernel mode software to prevent cheating is already required for a number of online games.<p>I wonder if/when banks will extend this idea to banking to prevent fraud?<p>Perhaps it'll be merely an optional thing at first, like 2FA.<p>Later it could become something that while optional, does get you a better price of some kind, much like the driving trackers that some auto insurance companies offer.<p>Before long, it could even become mandatory or there could be a penalty or higher price or fee to pay if you don't do it.<p>Just a random idea or conspiracy theory of what's possible I suppose, but it feels like something that could be possible in the not too distant future.
Can confirm it works fine for me under Linux Firefox. OP, just adjust your user agent string if you're using a weird browser and proceed at your own risk.<p>(I say this because you're dealing with actual money, so incompatibilities from your browser might cause major problems if you're not careful)
For anyone who works at the company who does that: why do you do it?<p>Is it to reduce the amount of testing, and only have a few "blessed" browsers with guaranteed happy experience? Any other reasons?
As a Firefox/FreeBSD user occasionally annoyed by this nonsense (not Chase but other things), but not being knowledgeable about modern web standards evolution, I wonder if <a href="https://wicg.github.io/ua-client-hints/" rel="nofollow">https://wicg.github.io/ua-client-hints/</a> will fix this by killing User-Agent headers.
> Worse, Chase even openly admits to being hostile to Linux and BSD to someone on Reddit. It’s something even Microsoft, Windows PC/hardware OEMs, or Apple won’t do.<p>If you click through to the link, you will see that this claim is totally made up.
It's not just banks. Google Maps will refuse to work if you're running OS X Lion, even if you're using a fully up-to-date version of Chromium[1] which is just as capable as any other Chromium-based browser on any other operating system.<p>Google Maps works perfectly on Lion if you fake the user agent, because of course it does, it's a web app and the underlying OS is irrelevant.<p>1: <a href="https://github.com/blueboxd/chromium-legacy" rel="nofollow">https://github.com/blueboxd/chromium-legacy</a>
Thanks for the upvotes.<p>I have updated my article. It seems Chase is whitelisting OSes, but they seem to allow Linux and not FreeBSD based on comments and using a Linux user agent.<p>Chase may not block Linux because, does Chase exactly want to deal with angry Linux users on the phone, or see Linux die-hards switch to competitors? Even if 1% of customers leave and don't come back, it could anger Chase's investors.<p>They may not officially support Linux but the web developers allow it anyways since it's too big of a minority.<p>They still block FreeBSD. Whether Chase's web developers don't know about BSD or they're willing to let BSD users switch to Citi Bank, I don't know.<p>I mean, they shouldn't whitelist by OS, but I don't know what the reasoning of blacklisting FreeBSD is.
This is interesting to me. I actually left Chase a few years ago over a very similar issue: their statement PDFs would show up blank in all the PDF readers I tested. After contacting support and being told that the only option was for me to install the latest Adobe Acrobat Reader, I told them to close my account.<p>I never even thought about the accessibility requirements. I am sure that relying on PDF features that only the latest Acrobat supports hurts a lot of people on that front too (unless Acrobat happens to be the most accessible of readers?)
I once got denied for a credit card app with a different company even though they pulled my credit because according to the company, quote, my user agent (Chrome on Linux) was suspicious activity.
My advice is to drop the bank now, after testing a replacement - there are plenty of smaller and "neo banks" looking to have your business with real development teams. I use the big, old and stodgy Bank of America but I have never had a complaint using desktop Linux and Firefox / Chrome there.
Has this sort of thing been argued in court as an ADA issue? I could understand why using Linux might be considered legally a "choice", but if there's better ADA compliant tooling in Linux over Windows, then a legal argument might just exist.
Interesting. I just tried logging in from PopOS. No issues. Does it only affect FreeBSD?<p>I mean worst case scenario I can always open dedicated Windows VM, but I will admit that the trend is troubling.. especially with Win11 push towards 'trusted computing'.
Huh? I am able to log in to Chase just fine in my banking virtual machine (Ubuntu 20.04 LTS; Firefox 94.0 64-bit). I’m not using User Agent Switcher, and the User agent string shows that I’m using X11/Ubuntu.<p>As an aside, one issue Chase did have, 10 years ago, was that their DNS servers would return “query refused” if you sent them an AAAA (i.e. IPv6 IP) query. This actually caused issues with my recursive DNS server; I had to make AAAA (IPv6) queries handle errors differently than A (IPv4) queries. I just checked, and Chase <i>finally</i> fixed their DNS and IPv6 issues.