Here's what happened with Release #65... (we're NOW at #66!)


Status
Not open for further replies.
Apr 19, 2019
10
0
Hi Steve & Everyone, the latest build is also unable to authenticate as expected on Cellular Hotspot Networks. Is there someone who has it working successfully ?

Apologies if I have bumped in the wrong section. Would appreciate Guidance.
 

Vela Nanashi

Well-known member
May 19, 2018
720
124
That is a really long name you got there 6B...6B :) As to your question I have not tried it, hopefully someone knows something. If this is a new bug it really does need to be figured out and solved.
 

PHolder

Well-known member
May 19, 2018
1,223
204
I'm going to guess that this is like "free WiFi"? If that is the case, the user needs to describe what they mean by "latest build is also unable to authenticate as expected". Does that mean they get a warning and abort? (Which is my guess... they're seeing an IP mismatch and haven't disabled that in the client.)
 
Apr 19, 2019
10
0
That is a really long name you got there 6B...6B :) As to your question I have not tried it, hopefully someone knows something. If this is a new bug it really does need to be figured out and solved.
Hi V, The long name is in conformation to Steve's TNO Philosophy, We took that literally & use RoboForm to make 20 Character ID's :giggle: & Steve's Password Service to make 63 Digit Alpha Numeric Passkeys. All stored Locally with RoboForm :geek:. Super Secured.
 
Apr 19, 2019
10
0
Could you describe what you mean by a Cellular Hotspot Network? What exactly are you using and what did you do? We know of no configuration where it should not work. :)
Hi Steve, Cellular Hotspot is where We use Phone's Cellular Data Network & the Phone as WiFi Router / HotSpot. On Windows Phones it's called Mobile HotSpot & on Android, it is named as HotSpot & Tethering in Network Settings. No idea yet what it's called on iPhones. Sharing a screenshot, that may help.

Trouble is, that on the Clients connected to Internet via that Network, the Authentication always say that the Page needs to be refreshed. We really want to see SQRL in action before implementing it Site-Wide. :)
 

Attachments

Apr 19, 2019
10
0
I'm going to guess that this is like "free WiFi"? If that is the case, the user needs to describe what they mean by "latest build is also unable to authenticate as expected". Does that mean they get a warning and abort? (Which is my guess... they're seeing an IP mismatch and haven't disabled that in the client.)
Hi P, Cellular HotSpot is like using the Phone's Data over Local WiFi where the Phone becomes Wireless Router, sort of. We tried with MITM disabled, still got the same error that the Logon Page has expired. Would greatly help if someone could have run into this issue & resolved it before us.
 

Alan M Cameron

Well-known member
I use Chrome and had problems until I told Windoze to ignore sqrl.exe.
Despite what has been said in another thread I still cannot tell Windows Defender to ignore sqrl.exe.
I get the steps to get to the point of adding an exclusion but what do you add if you say file it asks you for the file and path.
Could you please give step by step on how to add an exclusion when there is no file to identify.
 

Dave

Well-known member
May 19, 2018
486
99
Gardner, MA
Despite what has been said in another thread I still cannot tell Windows Defender to ignore sqrl.exe.
I get the steps to get to the point of adding an exclusion but what do you add if you say file it asks you for the file and path.
Could you please give step by step on how to add an exclusion when there is no file to identify.
Sorry, @Alan M Cameron, I must have been in a state where sqrl.exe had not been removed/quarantined yet. As I posted elsewhere, Microsoft claims (and appears) to have updated Windows Defender definitions so it no longer considers sqrl.exe a threat.
 

Alan M Cameron

Well-known member
This is not what I found when I recently tried, using Edge, to download version #66. It still complained. However without making any changes to the system I tried to download using Chrome and it worked. I have used SQRL to sign in after logging out and was successful.
Now to see if it will object when I use GRC demo site and remove sqrl.exe.
 

Alan M Cameron

Well-known member
This is not what I found when I recently tried, using Edge, to download version #66. It still complained. However without making any changes to the system I tried to download using Chrome and it worked. I have used SQRL to sign in after logging out and was successful.
Now to see if it will object when I use GRC demo site and remove sqrl.exe.
UPDATE All is well so I think I have eventually got #66 installed.
 

Paul F

Well-known member
Apr 11, 2019
96
29
Toronto
UPDATE All is well so I think I have eventually got #66 installed.
I think you have been asking how to get past Windows Defender when downloading a file and you can't exclude it yet because you don't have it. For future reference this should help. I posted it in a different thread. Sorry if it didn't get to you earlier.

For manually downloading sqrl.exe, I don't know the definitive answer but this worked for me (Win 10-32 Ver 1709):
When you get the message "Windows Defender SmartScreen reported sqrl.exe as unsafe", click on "View Downloads" and in the past downloads list right click on sqrl.exe and select "Download unsafe file".

Once it's downloaded you can exclude it.
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
I'm going to guess that this is like "free WiFi"? If that is the case, the user needs to describe what they mean by "latest build is also unable to authenticate as expected". Does that mean they get a warning and abort? (Which is my guess... they're seeing an IP mismatch and haven't disabled that in the client.)
Paul: But he's using the Windows client, so it's same-device and same-IP. It should work fine, right? I think there must be something else going on, likely with his browser.
 

PHolder

Well-known member
May 19, 2018
1,223
204
I think there must be something else going on
Agreed.

Let me try and restate what I think has been communicated:

Using the GRC client on (probably) a laptop, which is connected to the Internet through an Android mobile phone running mobile hotspot mode. This means the client is getting an IP address from the mobile phone (via DHCP) I presume. Any packets sent to the phone are then being "edited" to appear as coming from the phone, using its IP address, and then forwarded on to mobile network.

I believe mobile phones are frequently on IPv6, but I don't know if the mobile hotspot is offering IPv6 to the laptop, or if that is IPv4.

I guess, at this point, we need more information, or we need to know if this configuration has ever worked for anyone, ever.
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
The IP's in question are always those seen by the server. What's being compared is the IP of the browser's initial request for a NUT and the subsequent IP of the Windows SQRL client's interaction with the SQRL server. Both of those are originating from the same laptop and through the same mobile hotspot. So their IPs, as seen by the remotely located SQRL server, should be identical.
 
Apr 19, 2019
10
0
Paul: But he's using the Windows client, so it's same-device and same-IP. It should work fine, right? I think there must be something else going on, likely with his browser.
Hi Steve, We are using FireFox ( The Favorite Browser ) with uBlock & ABP Plugins Installed. Have validated that on LANs the setup works as designed. It's only on the Cell HotSpot that this trouble occurs. Using IPv4 on Laptop ( DHCP - 192 Range ). Phone gets the IP from Cellular Service Provider.
 
Apr 19, 2019
10
0
Agreed.

Let me try and restate what I think has been communicated:

Using the GRC client on (probably) a laptop, which is connected to the Internet through an Android mobile phone running mobile hotspot mode. This means the client is getting an IP address from the mobile phone (via DHCP) I presume. Any packets sent to the phone are then being "edited" to appear as coming from the phone, using its IP address, and then forwarded on to mobile network.

I believe mobile phones are frequently on IPv6, but I don't know if the mobile hotspot is offering IPv6 to the laptop, or if that is IPv4.

I guess, at this point, we need more information, or we need to know if this configuration has ever worked for anyone, ever.
Hi P.

The Client is getting DHCP IP from Phone - True.
Packet Modification by Phone en-route to destination - Not Validated / No Idea Yet.
Cellular Networks has IPv6 & v4 Assigned from Service Provider - To be Validated.
IP on the Laptop is v4 - Confirmed.

Would certainly appreciated if anyone could test the configuration out to help reach a verdict.

Thanks All for being Responsive & Supportive of this anomaly.
 

RobAllen

New member
Mar 4, 2019
3
0
there is little Steve can do to prevent malware cops from assuming his code needs extra inspection. All he can do is make his code work well... and let the chips fall where they may.
Yes, but perhaps I didn't clarify my question sufficiently well. I am asking how we prevent SQRL from failling to auto-update simply because the signing string on the certificate changed. That's something that will almost certainly happen again in the future. Auto-update failure is simply not acceptable for most users.

I totally understand the desire to make auto-update unspoofable, but it *must* work in all circumstances as it is the emergency backup for all other problems.

UPDATE: Steve answered my questions in a prior post.
 
Last edited:

alexT

Member
May 22, 2018
18
3
mauritius island
www.solero.mu
An analogy: cops have been known to frequently target certain people and cars for extra inspection. This is generally unfair, but it's unclear how the targets can do anything about who they are... and it seems unfair to expect them to live a different life just because they may encounter more resistance than others.

In the same vein it seems there is little Steve can do to prevent malware cops from assuming his code needs extra inspection. All he can do is make his code work well... and let the chips fall where they may.
I think Rob was relating to the auto upgrade failure due to the cert issuer having changed.
I'd agree that the client could do better about informing users how to perform a manual download / upgrade in cases like this.
 

PHolder

Well-known member
May 19, 2018
1,223
204
I am asking how we prevent SQRL from failling to auto-update
[in the future]
Understood. And I think all he can do is to be prepared for it in advance, and to add the new info about any future cert [change] to an update before the current cert expires.

But @Steve will need to confirm this is his plan.
 
Status
Not open for further replies.