State of Colorado Calls Firefox Insecure, IE6 Safe
linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"
If I were from Colorado... (Score:3, Informative)
I'd be writing a nasty email right now.
Here's How to contact them (Score:5, Informative)
Email:
oit@state.co.us
Phone:
303-866-6060
Fax:
303-866-6454
US Mail:
Governor's Office of Information Technology
1580 Logan St., Suite 200
Denver, CO 80203
PEBKAC (Score:4, Informative)
Well, they're mostly wrong, but partially right. All things considered, the biggest security risk isn't the web browser used, it's the incompetent organic mass between the keyboard and the chair.
It still amazes me how many people really think they're the 1,000,000th visitor to a site, and that they've actually won something because of it.
Re:But does the site still WORK with Firefox? (Score:5, Informative)
Actually the site doesn't work whether you're using Internet Explorer or Firefox. It looks worse with Firefox because they are using some of the non-standard display tags that cause components to overlap if using a standards compliant browser. Regardless of the browser used, the result is the same: failure.
Contact info for OIT (Score:5, Informative)
oit@state.co.us [mailto]
Re:That's just bad (Score:1, Informative)
The Skills IT developer is staying more true to form and using VB.
See: Suggestion.aspx.vb
Re:That's just bad (Score:5, Informative)
It's not being run off someone's desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include source code filenames and line numbers on Windows.
Re:The site looks like... (Score:5, Informative)
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0" >
<meta name="ProgId" content="FrontPage.Editor.Document" >
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" >
<title>Welcome to The Colorado Department of Labor and Employment</title>
<link rel=stylesheet href="/commoncomponents/contentstyles.css" type="text/css">
</head>
Re:If I were from Colorado... (Score:5, Informative)
Secunia states that Firefox 3 has fewer critical issues:
http://secunia.com/advisories/product/19089/ [secunia.com]
while IE6 and IE7 have moderate problems, making IE less secure:
http://secunia.com/advisories/product/11/ [secunia.com]
http://secunia.com/advisories/product/12366/ [secunia.com]
Firefox 3 also has only 1 issue unpatched, while IE6 has 22 open issues.
Message from the State Chief Information Officer (Score:3, Informative)
Message from the State Chief Information Officer
Michael Locatis, State CIO
"As the Chief Information Officer for the State of Colorado, my role is to provide the momentum and strategy for wide-ranging activities from promoting high end research and development of cutting edge technologies to creating strategies for service delivery supporting the day to day operations for the State of Colorado - thereby making a difference in the lives of the people of Colorado and delivering Governor Ritter's 'Colorado Promise'."
http://www.govtech.com/pcio/articles/386146 [govtech.com]
Colorado Gov. Bill Ritter and CIO Mike Locatis Launch IT Consolidation
Aug 21, 2008
Before his Cabinet appointment in Colorado, he was CIO of Denver, where he showed his centralization skills (and caught Ritter's attention) by consolidating 20 separate municipal and county departments into a single, citywide IT agency. It's also where Locatis learned how fragmented the state's IT systems were.
"It was while I was working in local government that the issues surrounding state IT were immediately apparent because they impacted how services were delivered at the local level," he said.
Before becoming a public-sector CIO, Locatis was the senior director of enterprise technology strategy for Time Warner Cable Inc., part of Time Warner Inc., a Fortune 50 company and the country's largest entertainment firm. Locatis honed his skills at aligning customer-service delivery systems, standardizing desktop capabilities and managing tech and support teams for huge enterprise resource planning applications.
Despite Locatis' knowledge of the state's IT systems' problems, he wasn't expecting the mammoth job he faced. "It was significantly siloed and fragmented IT delivery, which was a root cause of a lot of the issues - including inefficiencies, a lack of leveraging an enterprise approach and just about every [IT] department in the state doing its own thing," he said.
Where does it say Firefox is insecure? (Score:4, Informative)
Re:Where does it say Firefox is insecure? (Score:5, Informative)
It used to say:
Re:Where does it say Firefox is insecure? (Score:5, Informative)
It looks like they removed the message about Firefox being insecure. Google doesn't have a cache of the page, but you can see it in the summary:
http://www.google.com/search?hl=en&q=http://www.coworkforce.com/Skills/myskills.aspx+Firefox+security&btnG=Search [google.com]
You can clearly see the text: "DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."
Re:That's just bad (Score:3, Informative)
But they do have a production server that's printing detailed error messages in the HTTP response. That's a misconfiguration, and an active choice at some point. Presumably it's a debugging setup; maybe they don't have test or staging servers.
Add ins (Score:4, Informative)
These can be insecure. In fact, some were designed as trojans. See the Vladuz saga, who cracked eBay site admin accounts - in part through a Firefox plugin designed for this purpose, and hosted on the Firefox plugin site!
When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk. We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default. IE is as bad with their parent.
I do think the warning about FF IS misplaced. Our biggest current risk is simply the Adobe PDF file-format. You don't even need to OPEN the file to execute code! Whee!
Re:Attention all personnel (Score:5, Informative)
The Colorado Department of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...)
It's pretty funny what a good slashdotting will do.
Re:What do you expect... (Score:3, Informative)
I've lived here for over a decade and have never seen one of those. Moreover, the numbers [ed.gov] show that's clearly not the case.
Re:That's just bad (Score:3, Informative)
It's not being run off someone's desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include source code filenames and line numbers on Windows.
I assume that the grandparent thought it was someone's desktop because of the "C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\" path. It looks like a developer is keeping the project in their own documents and running it straight from the source code there.
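The two comments above describe a classic ASP.NET production slip: a debug build plus detailed errors returned to remote clients, which is how a developer's local project path ends up in an HTTP response. The following is an added example (not code from the thread or from the State's site) that audits a web.config for exactly those two settings and rewrites them to safe values; both sample configs are constructed, and the element and attribute names are the standard `<system.web>` ones.

```python
"""Audit an ASP.NET web.config for the two settings that leak source paths
and stack traces to remote clients (added example; sample configs constructed)."""
import xml.etree.ElementTree as ET

# Constructed config resembling what the thread describes: debug build and
# detailed errors sent to every client.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed hardened equivalent: release build, generic error page for
# remote clients while developers on the box still see full details.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text: str) -> list:
    """Return one finding per risky setting; an empty list means clean."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section; cannot assess"]
    findings = []
    comp = web.find("compilation")
    # debug="true" embeds file paths and line numbers in stack traces.
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append("compilation debug=true: source paths/line numbers exposed")
    ce = web.find("customErrors")
    # mode="Off" sends the detailed error page to remote clients; an absent
    # element defaults to RemoteOnly, so only an explicit Off is flagged.
    if ce is not None and ce.get("mode", "RemoteOnly").lower() == "off":
        findings.append("customErrors mode=Off: detailed errors sent to remote clients")
    return findings


def harden(xml_text: str) -> str:
    """Rewrite both settings to their safe values and return the new XML."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    if web is not None:
        comp = web.find("compilation")
        if comp is not None:
            comp.set("debug", "false")
        ce = web.find("customErrors")
        if ce is not None and ce.get("mode", "").lower() == "off":
            ce.set("mode", "RemoteOnly")
    return ET.tostring(root, encoding="unicode")
```

Run `audit_web_config` over a deployed web.config as a release gate; the weak sample yields two findings, the hardened sample and `harden(WEAK_CONFIG)` yield none.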
Re:firefox and mac (Score:3, Informative)
about:config
network.automatic-ntlm-auth.trusted-uris
Yup, Firefox supports NTLM authentication, and has for a long time, and it works for me.
Re:What do you expect... (Score:4, Informative)
Funding has very little correlation with the quality of education. California is bankrupting itself funding education, yet is quite lackluster in its educational quality.
Re:Where does it say Firefox is insecure? (Score:4, Informative)
Well, IE still requests the file (it has to, otherwise it doesn't know what the filename or content-type is). Any naive script that flags the download as having commenced when it first starts serving the data will treat an IE click-and-cancel the same as a Firefox click-and-cancel. Even scripts that wait until it's finished sending the data are likely to be allowed to complete by the web server, since aborting scripts in the middle of execution can be problematic. Most servers take the "safe" approach by default: let the script finish running and just throw its output away if the client disappears.
It looks like IE doesn't acknowledge receiving the data at the TCP/IP layer, and instead plays funny games with the TCP window size (setting it to 0) in order to stall the connection until the user decides what to do. It also seems to send 30+ duplicate ACKs for some reason. However all this is transparent to the web application; at best it'd just seem like a lossy TCP connection.
Interesting to see that IE7 still has the "unbelievable transfer speed" bug in that if you click on a link for a file download and take a while to decide where to put it, the initial transfer speed it shows is ridiculously high because it's already downloaded a few hundred kilobytes of the file before it starts the download speed timer.
Re:Add ins (Score:2, Informative)
A username/password pair on the screen helps a little to prevent automated abuse of the system, although it's still essentially anonymous ftp upload.