Slashdot Mirror


State of Colorado Calls Firefox Insecure, IE6 Safe

linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"

27 of 530 comments

  1. If I were from colorado.. by Hatta · · Score: 2, Informative

    I'd be writing a nasty email right now.

    --
    Give me Classic Slashdot or give me death!
    1. Re:If I were from colorado.. by Thelasko · · Score: 4, Informative

      Contact information is here. Don't try to contact them using the link in the summary, it doesn't work.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    2. Re:If I were from colorado.. by Anonymous Coward · · Score: 5, Informative

      Secunia states that Firefox3 has less critical issues:
      http://secunia.com/advisories/product/19089/

      While IE6 and IE7 have moderate problems. Making IE less secure:
      http://secunia.com/advisories/product/11/
      http://secunia.com/advisories/product/12366/

      Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.

  2. Here's How to contact them by Anonymous Coward · · Score: 5, Informative

    Email:

    oit@state.co.us

    Phone:

    303-866-6060

    Fax:

    303-866-6454

    US Mail:

    Governor's Office of Information Technology

    1580 Logan St., Suite 200

    Denver, CO 80203

  3. PEBKAC by Devil's+BSD · · Score: 3, Informative

    Well, they're mostly wrong, but partially right. All things considered, the biggest security risk isn't the web browser used, it's the incompetent organic mass between the keyboard and the chair.

    It still amazes me how many people really think they're the 1,000,000th visitor to a site, and that they've actually won something because of it.

    --
    I'm the Devil the Windows users warned you about.
  4. Re:But does the site still WORK with Firefox? by Aelyew · · Score: 5, Informative

    Actually the site doesn't work whether you're using Internet Explorer or Firefox. It looks worse with Firefox because they are using some of the non-standard display tags that cause components to overlap if using a standards compliant browser. Regardless of the browser used, the result is the same: failure.

  5. Contact info for OIT by XenonOfArcticus · · Score: 4, Informative
    --
    -- There is no truth. There is only Perception. To Perceive is to Exist.
    1. Re:Contact info for OIT by Anonymous Coward · · Score: 1, Informative

      you don't need to go that far ... just click "need help" and see all the pretty email addresses in the drop down boxes - i guess they weren't getting enough spam already ...

  6. Re:That's just bad by Anonymous Coward · · Score: 1, Informative

    The Skills IT developer is staying more true to form and using VB.

    See: Suggestion.aspx.vb

  7. Re:That's just bad by Gwala · · Score: 5, Informative

    It's not being run off someone's desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include source code filenames and line numbers on Windows.

    --
    #!/bin/csh cat $0
  8. Re:The site looks like... by Camann · · Score: 5, Informative

    Relevant text in case of site slashdotted:
    <head>
    <meta http-equiv="Content-Language" content="en-us">
    <meta name="GENERATOR" content="Microsoft FrontPage 6.0" >
    <meta name="ProgId" content="FrontPage.Editor.Document" >
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252" >
    <title>Welcome to The Colorado Department of Labor and Employment</title>
    <link rel=stylesheet href="/commoncomponents/contentstyles.css" type="text/css">
    </head>

    --
    I can't believe you don't know what a Hasemalphaginnojinglanaporphomism is.
  9. Message from the State Chief Information Officer by terminalhype · · Score: 3, Informative

    Message from the State Chief Information Officer
    Michael Locatis, State CIO
    "As the Chief Information Officer for the State of Colorado, my role is to provide the momentum and strategy for wide-ranging activities from promoting high end research and development of cutting edge technologies to creating strategies for service delivery supporting the day to day operations for the State of Colorado - thereby making a difference in the lives of the people of Colorado and delivering Governor Ritter's 'Colorado Promise'."

    http://www.govtech.com/pcio/articles/386146
    Colorado Gov. Bill Ritter and CIO Mike Locatis Launch IT Consolidation
    Aug 21, 2008
    Before his Cabinet appointment in Colorado, he was CIO of Denver, where he showed his centralization skills (and caught Ritter's attention) by consolidating 20 separate municipal and county departments into a single, citywide IT agency. It's also where Locatis learned how fragmented the state's IT systems were.

    "It was while I was working in local government that the issues surrounding state IT were immediately apparent because they impacted how services were delivered at the local level," he said.

    Before becoming a public-sector CIO, Locatis was the senior director of enterprise technology strategy for Time Warner Cable Inc., part of Time Warner Inc., a Fortune 50 company and the country's largest entertainment firm. Locatis honed his skills at aligning customer-service delivery systems, standardizing desktop capabilities and managing tech and support teams for huge enterprise resource planning applications.

    Despite Locatis' knowledge of the state's IT systems' problems, he wasn't expecting the mammoth job he faced. "It was significantly siloed and fragmented IT delivery, which was a root cause of a lot of the issues - including inefficiencies, a lack of leveraging an enterprise approach and just about every [IT] department in the state doing its own thing," he said.

  10. Where does it say Firefox is insecure? by whoever57 · · Score: 3, Informative

    I just looked at the site and I see nothing indicating that FF is insecure. In the FAQ, it does say that IE6 and later are the only supported browsers ("for proper operation"), but "unsupported" is not the same as "insecure".

    --
    The real "Libtards" are the Libertarians!
    1. Re:Where does it say Firefox is insecure? by DanWS6 · · Score: 4, Informative
      They edited the faq and removed that text.

      It used to say:

      Can I use Firefox or another Browser?

      No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later.

    2. Re:Where does it say Firefox is insecure? by AKAImBatman · · Score: 5, Informative

      It looks like they removed the message about Firefox being insecure. Google doesn't have a cache of the page, but you can see it in the summary:

      http://www.google.com/search?hl=en&q=http://www.coworkforce.com/Skills/myskills.aspx+Firefox+security&btnG=Search

      You can clearly see the text: "DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."

    3. Re:Where does it say Firefox is insecure? by Anonymous Coward · · Score: 1, Informative
    4. Re:Where does it say Firefox is insecure? by totally+bogus+dude · · Score: 3, Informative

      Well IE still requests the file (it has to, otherwise it doesn't know what the filename or content-type is). Any naive script that flags the download as having commenced when it first starts serving the data will treat an IE click-and-cancel the same as a Firefox click-and-cancel. Even scripts that wait until it's finished sending the data are likely to be allowed to complete by the web server, since aborting scripts in the middle of execution can be problematic. Most servers take the "safe" approach by default: let the script finish running and just throw its output away if the client disappears.

      It looks like IE doesn't acknowledge receiving the data at the TCP/IP layer, and instead plays funny games with the TCP window size (setting it to 0) in order to stall the connection until the user decides what to do. It also seems to send 30+ duplicate ACKs for some reason. However all this is transparent to the web application; at best it'd just seem like a lossy TCP connection.

      Interesting to see that IE7 still has the "unbelievable transfer speed" bug in that if you click on a link for a file download and take a while to decide where to put it, the initial transfer speed it shows is ridiculously high because it's already downloaded a few hundred kilobytes of the file before it starts the download speed timer.

  11. Re:That's just bad by Malc · · Score: 2, Informative

    But they do have a production server that's printing detailed error messages on the HTTP response. That's a misconfiguration, and an active choice at some point. Presumably debugging system - maybe they don't have test or staging servers.

  12. Add ins by Philip+K+Dickhead · · Score: 4, Informative

    These can be insecure. In fact, some were designed as trojans. See the Vladuz saga, who cracked eBay site admin accounts - in part through a Firefox plugin designed to this purpose, and hosted on the firefox plugin site!

    When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk. We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default. IE is as bad with their parent.

    I do think the warning about FF IS misplaced. Our biggest current risk is simply the Adobe PDF file-format. You don't even need to OPEN the file to execute code! Whee!

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    1. Re:Add ins by andy.ruddock · · Score: 2, Informative

      With the appropriate permissions set on the server there's no reason why ftp can't be used as a valid method of sending information and uploading files.
      A username/password pair on the screen helps a little to prevent automated abuse of the system, although it's still essentially anonymous ftp upload.

      --
      God: An invisible friend for grown-ups.
  13. Re:Attention all personnel by GooberToo · · Score: 4, Informative

    The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
    (We like Firefox too...and safari.....and chrome...)

    It's pretty funny what a good slashdotting will do.

  14. Re:What do you expect... by Bob+Uhl · · Score: 2, Informative

    Teachers here in CO often have bumper stickers proclaiming: Welcome to Colorado, 49th in funding for schools.

    I've lived here for over a decade and have never seen one of those. Moreover, the numbers show that's clearly not the case.

  15. Re:Attention all personnel by yachius · · Score: 2, Informative

    VB.NET and C#.NET produce identical code once compiled. That may not be a good thing in and of itself but I use VB.NET for small modules myself when getting it done fast is more important than clean, compact code (one time use scripts, reports, etc). Whoever did this is clearly an amateur, but not because they use VB.

  16. Re:That's just bad by Simetrical · · Score: 3, Informative

    It's not being run off someone's desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include source code filenames and line numbers on Windows.

    I assume that the grandparent thought it was someone's desktop because of the "C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\" path. It looks like a developer is keeping the project in their own documents and running it straight from the source code there.

    --
    MediaWiki developer, Total War Center sysadmin
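
Added example (not part of the thread and not the site's code): a defender-side check for the two exposures the comments above describe, source paths with line numbers showing up in error responses and a web.config that leaves debug compilation or detailed remote errors enabled. The sample error page, paths and config files are constructed, and the stack-frame pattern is an assumption about how the frames are rendered.

```python
import re
import xml.etree.ElementTree as ET

# Assumed frame shapes: "in C:\path\File.vb:line 42" or "in C:\path\File.vb:42".
# Either one only appears in a response when debug symbols are deployed.
FRAME_RE = re.compile(r"\bin ([A-Za-z]:\\[^\r\n:]+\.(?:vb|cs)):(?:line )?(\d+)")

def leaked_source_frames(body):
    """Return (path, line_number) pairs for source paths exposed in a response body."""
    return [(m.group(1), int(m.group(2))) for m in FRAME_RE.finditer(body)]

def audit_web_config(xml_text):
    """Return findings for settings that expose debug detail to remote clients."""
    findings = []
    root = ET.fromstring(xml_text)
    for comp in root.iter("compilation"):
        if comp.get("debug", "false").lower() == "true":
            findings.append("compilation debug=true")
    errors = next(root.iter("customErrors"), None)
    # ASP.NET falls back to RemoteOnly when the element or attribute is absent.
    mode = errors.get("mode", "RemoteOnly") if errors is not None else "RemoteOnly"
    if mode.lower() == "off":
        findings.append("customErrors mode=Off")
    return findings

# Constructed samples (not taken from the site discussed in the thread).
SAMPLE_ERROR_PAGE = (
    "[NullReferenceException: Object reference not set to an instance of an object.]\n"
    "   ExampleSite.Form.Page_Load(Object sender, EventArgs e) "
    "in C:\\Users\\devuser\\Projects\\ExampleSite\\Form.aspx.vb:line 42\n"
    "   System.Web.UI.Control.OnLoad(EventArgs e) +99\n"
)
WEAK_CONFIG = """<configuration><system.web>
  <compilation debug="true" />
  <customErrors mode="Off" />
</system.web></configuration>"""
HARDENED_CONFIG = """<configuration><system.web>
  <compilation debug="false" />
  <customErrors mode="RemoteOnly" />
</system.web></configuration>"""

if __name__ == "__main__":
    print(leaked_source_frames(SAMPLE_ERROR_PAGE))
    print(audit_web_config(WEAK_CONFIG))
    print(audit_web_config(HARDENED_CONFIG))
```
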
  17. Re:firefox and mac by prandal · · Score: 2, Informative

    about:config

    network.automatic-ntlm-auth.trusted-uris

    Yup, firefox supports NTLM authentication, and has for a long time, and it works for me.

  18. Re:What do you expect... by Brandybuck · · Score: 3, Informative

    Funding has very little correlation with the quality of education. California is bankrupting itself funding education, yet is quite lackluster in its educational quality.

    --
    Don't blame me, I didn't vote for either of them!
  19. Re:Attention all personnel by tritohc · · Score: 2, Informative

    Slashdot is hosted in Cook County.