State of Colorado Calls Firefox Insecure, IE6 Safe

linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"

The site looks like...

[Anonymous Coward]

something i made back in middle school with Frontpage. Credible sources spouting uneducated banter about things they SHOULD know about and having a website look like THAT? they should be ashamed

That's just bad

[AKAImBatman]

Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:

Server Error in '/SKILLS' Application.

Object reference not set to an instance of an object.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[NullReferenceException: Object reference not set to an instance of an object.]
      Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
      Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
      System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
      System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
      System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
      System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
      System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
      System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746

Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

I love how the site is:

A) Being run off of someone's desktop. Out of their My Documents folder, no less.
B) Gives up the username of the machine without so much as a "how do you do"
C) Shows the world that our amazing admin can't even hack it at C#

I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks [xkcd.com] at the site. :-/

Re:Attention all personnel

[amclay]

I just tried in all sections. I ended up leaving a message with the Gov. Perhaps the webmaster didn't know anything about web programming?

"It has been decided"

[Banichi]

I love seeing statements like this from nominal authority figures.

'Look on my works, ye Mighty, and despair!'

Mozilla

[zogger]

Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.

That's the opposite of what the DHS said

[Anonymous Coward]

So now Colorado thinks they're smarter than the feds?

Not long ago the DHS said to avoid IE and use firefox for security reasons.
http://www.google.com/search?q=dhs+avoid+ie

Re:firefox and mac

[Qzukk]

The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.

I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".

the sad truth of the matter

[Joe Snipe]

The state of colorado made attempts to be "ahead" of the curve when it came to an online presence (see also denvergov.com [denvergov.com] and the atrocity that is netfile [state.co.us]; we were one of the first states to have online tax filing). Unfortunately they hired people who knew ass all about javascript (or proper DB handling) and no one knew enough to stop it in it's infancy. Now it has snowballed into something too costly to replace and too borked to simply repair.
I imagine someone told some user that ff was a security risk, rather than go into the technical details of why the site falls to crap on browser it was never tested for. Eventually, through what I like to call "the wiki effect" that same information got passed back as fact to the current web coders who promptly put up a notice to inform their end users.

Even still, fail.

HTML compliance

[Tubal-Cain]

That site looks horrible. Ironically, according to the W3C's "Markup Validation Service" it has 21 errors [w3.org] with it's HTML. Less than Google's homepage [w3.org].

Re:firefox and mac

[Tubal-Cain]

One of them is a statement of fact that they do nothing to back up, the other one is an opinion...

...stated as fact.

Re:If I were from colorado..

[dotancohen]

And what should that email say, exactly? More specifically, to what URLs could I point the devs to an _unbiased_source_ that IE is insecure and Firefox is secure?

I have this problem with Hebrew websites constantly, in fact, about two hours ago I wrote to a local news website about their IE-only policy. Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.

Re:The site looks like...

[a_nonamiss]

I'm laughing my ass off. I've worked with enough government (specifically state) agencies to know that this is not hyperbole. This is probably what actually happened.

You mean MS?

[zogger]

Let them try! I don't think it would be hard at all to find at least *one million people* who have had their machines compromised over really insecure IE code, and maybe even lost money and had to go through and repair their credit when their logins or CC details were compromised.

Besides, that isn't the issue here, this is a set of state flunkies who are labeling a corporation's products as insecure, so bad that they dont allow access for official purposes from tax paying citizens of that state, and saying this other corporations products are secure, or secure enough to use, and their choice of what is or isn't "secure enough" is freaking LAUGHABLE. I mean, WTF?? It is bogus on so many levels it ain't funny.

Let me fix that

[ohxten]

DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers do not properly work with our website, and we don't feel like modifying our code to support other browsers.

Fixed!

I think both of you are correct...

[Grog6]

It took two years of meetings, executive staff luncheons, and similar BS; someone got a nice raise...

Then one of the the IT guys was told "have a web page up by monday." (for nothing extra.) So he hacks it out in 10 minutes with frontpage; We are talking MS types, after all.

THAT's how it usually goes.

Wonder who gets reamed after the slashdotting fried their server? (It's currently choking on any browser I use)

Re:Add ins

[zanybrainy941]

When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk.

Any goof can create them, but *not* any goof can *publish* them on the Mozilla site. Mozilla has over the last couple years instituted a number of strict review guidelines and tests that an add-on must pass before it's published by Mozilla. Every add-on and add-on update is code-inspected line-by-line by a human editor. Mozilla has staffed up specifically in support of the add-ons site, and the number of code reviewers has grown dramatically in recent months. Reviewers keep a sharp eye out for remote code execution, violations of user expectations of privacy, and anything that detracts from user experience. Additionally, automated red-flag detection tools are now in the works.

Bottom line: do not install plugins and extensions in Firefox from sites other than addons.mozilla.org. With AMO, every single extension and extension update is inspected and reviewed before being published on the site. It's the only way to be sure.

Re:If I were from colorado..

[slim]

Secunia states that Firefox3 has less critical issues

Sometimes I correct people on 'less' vs 'fewer', and I get the response that it's obvious what was meant.

This is one of those occasions when using the wrong word really does change the meaning. And by golly, I checked the page, and you really did not mean 'fewer' as I had expected.

What Secunia says about Firefox is that the most severe unpatched Firefox bug they know of, they rate as 'less critical'. Whatever that means.