Comments
-
The shopping pages and shopping basket do not receive SSL protection and so they do not receive the "lock." The checkout process is protected. This is common among web stores--for example, neither Microsoft nor Amazon provides SSL for the non-checkout pages of their sites. We expect to implement EV certificates (aka the…
-
I have a copy of Safari v3.2.2 and I see the lock at the right side of the URL bar, as seen in the attached screenshot. Can you provide a screenshot of v3.2.1 behavior for comparison?
-
Attachment was removed. Please see attached.
-
Dr. Elaine, We've re-re-re-remediated with them. In our last conversations with McAfee, we learned that their system is designed so that this warning should be suppressed for 6 months after they flag it as a False Positive. They refuse to suppress any vulnerability permanently, since systems tend to change over time.…
-
The McAfee service referenced in this thread is a subscription service based on HackerSafe. It is not something that can be bundled in an operating system or on a PC. NetSuite and the checkout process have no reported security warnings from Windows 7. -Chris
-
This asserted vulnerability is a false positive. NetSuite has filed a request for McAfee to remediate this false positive. You may also file a False Positive in your McAfee account for this assertion by indicating that "NLShopperID contains no sensitive or private data and is used solely to track anonymous shopper…
-
McAfee has once again asserted that this cookie is a vulnerability for some sites. It is still a false positive. NetSuite has filed a request for McAfee to remediate this false positive. You may also file a False Positive in your McAfee account for this assertion by indicating that "NLShopperID contains no sensitive or…
-
blitzsport Let me add that there is no security vulnerability at NetSuite nor at www.blitzsport.com. Furthermore, this topic is not at all related to the McAfee False Positive in any fashion. The Akamai server that is apparently handling these requests does seem to allow SSLv2 connections. However, it is not used for secure…
-
Dr. Elaine, We've responded again to address this particular occurrence to get your site a clean report promptly. We have re-escalated with McAfee to determine if they are capable of eliminating the recurrence of this False Positive as they previously committed. I would encourage you to file False Positive reports with…
-
The McAfee False Positive has been seen and reported by NetSuite again. I strongly encourage you to file a complaint with your McAfee account manager to have the False Positive permanently removed for the cookie in question: NLShopperID. It is an anonymous cookie used to track clickstream data and it contains no sensitive…
-
This vulnerability report is a false positive. Below is the information we have provided McAfee. In the past, it has resulted in McAfee removing the vulnerability from each account: "NLShopperId is a persistent cookie that does not contain any personally identifiable information or sensitive data. It is used to track the…
-
Do not implement the login page according to this suggestion. The "...?login=T&redirect_count=1&reset=T&did_javascript_redirect=T" suggested solution is insecure due to the lack of SSL protection on the login page. There is an appropriate solution in the NetSuite documentation, and there is a thread located here…
-
Please review the following thread. It contains information on placing the Trustkeeper logo that certifies NetSuite's PCI compliance on your site. https://usergroup.netsuite.com/users/showthread.php?t=3430&highlight=logo Chris Blum NetSuite
-
We've got a reproducible case now. We'll provide more information when it becomes available. The initial problem seems contained in how Opera handles the transition of information from the non-secure domain to the secure domain. The warning message about blacklisting is actually false: checkout.netsuite.com is not listed…
-
Yes. We have confirmed that ScanAlert began reporting a false positive cross-site scripting vulnerability based on the existence of HTTP TRACE functionality in our configuration. There is no cross-site scripting vulnerability in NetSuite, and the existence of the HTTP trace functionality does not create an exploitable…
-
We have received the alert from ScanAlert. As with all notifications from ScanAlert, we are actively investigating the validity of the claim and will remediate it promptly if it is confirmed. Chris Blum NetSuite, inc
-
I received ScanAlert's latest notice. The latest XSS assertion is different from the prior assertion which has yet to resurface. At first glance, the current assertion looks valid and is under active investigation. Chris Blum NetSuite, inc.
-
NetSuite monitors ScanAlert activity and scan results, and coordinates with ScanAlert when potential vulnerabilities are identified. In addition to our internal mechanisms for securing the application, we leverage the value that 3rd parties, including ScanAlert, provide. From time to time, ScanAlert errs on the side of…
-
We reproduced the behavior identified by ScanAlert. Engineering generated a change to prevent the behavior and NetSuite QA has verified the change behaves as expected. The change has been deployed to the production environment. Feel free to schedule a scan for tonight. Chris Blum NetSuite, inc.
-
NetSuite currently offers a one-time password hardware token solution, and we’re moving forward on feature development in 2011 to expand the variety of supported token types. Further, we currently allow for soft second-factor authentication via IP Address Restrictions in all accounts.
-
This notice was sent to companies who had been identified as hosting pages that login to NetSuite via external, framed sites. If your colleague is operating a page, for example, on http://myloginpage.com/login.html which accepts a username and password and POSTs them directly to NetSuite, it will cease to function after…
-
Dylan, There is a Help topic called "Customizing Login and Logout" that allows you to setup a portal for your company. See https://system.netsuite.com/app/help/helpcenter.nl?topic=CARD_-29 Take a look and see if it addresses your concern. Chris
-
Bill, The application does what you want. When a person is on your site and they login using credentials that are associated with multiple sites, the application smartly logs them into your site and they remain looking at your site information. This is true even if they set their default role to some other company. Chris
-
The NetSuite authentication system is designed to account for the possibility that a user may reuse the same email address to authenticate into multiple accounts. The design is secure. If the user uses the same password for multiple companies, then the Choose Role page (and Change Role dropdown) will display all of the…
-
Meir: I tried to reproduce the problem as described on www.themedicalsupplydepot.com and was unable to do so. Can you confirm that you removed the problematic link and that the problem is completely resolved? -Chris
-
Mark, I had a conversation this morning with Avalara executive management where they took full responsibility for failing to provide any notice to NetSuite regarding the certificate change that occurred last night. As soon as we became aware of the scope of the change we engaged our infrastructure team to deploy the new…
-
Norton has correctly remediated the problem and set the status for NetSuite to Safe. There have never been vulnerabilities on the NetSuite site. On a NetSuite customer's website, there were some questionable links that were referenced on a webstore that the customer hosted through NetSuite. We're working with Norton to…
-
NetSuite's site security is sound. Norton's automated system has made two errors in associating vulnerabilities with netsuite.com. We are working with Norton to assist them in remediating their errors. You can visit the Norton site and drill down on the two sites that are listed as problematic. One is perfectly clean, the…
-
Sunil, The change that is being deployed will make /dms0 behave exactly like any other nonsense URL. I'm a little confused by what you mean by "block" in your question: "Can't we block the /dms0 url for external users even though we reveal nothing." I'll try to provide more detail on what happens and what will happen.…
-
Sunil, Thank you for your post. There is no vulnerability resulting from this URL. NetSuite completed its investigation of the issue several days ago, and has been working with McAfee on a daily basis to ensure that no NetSuite customers lose their McAfee logos over this non-issue. As you noted in your post, in the DEFAULT…