Slashdot Mirror


State of Colorado Calls Firefox Insecure, IE6 Safe

linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"

17 of 530 comments

  1. Here's How to contact them by Anonymous Coward · · Score: 5, Informative

    Email:

    oit@state.co.us

    Phone:

    303-866-6060

    Fax:

    303-866-6454

    US Mail:

    Governor's Office of Information Technology

    1580 Logan St., Suite 200

    Denver, CO 80203

  2. PEBKAC by Devil's+BSD · · Score: 3, Informative

    Well, they're mostly wrong, but partially right. All things considered, the biggest security risk isn't the web browser used, it's the incompetent organic mass between the keyboard and the chair.

    It still amazes me how many people really think they're the 1,000,000th visitor to a site, and that they've actually won something because of it.

    --
    I'm the Devil the Windows users warned you about.
  3. Re:But does the site still WORK with Firefox? by Aelyew · · Score: 5, Informative

    Actually the site doesn't work whether you're using Internet Explorer or Firefox. It looks worse with Firefox because they are using some of the non-standard display tags that cause components to overlap if using a standards compliant browser. Regardless of the browser used, the result is the same: failure.

  4. Contact info for OIT by XenonOfArcticus · · Score: 4, Informative
    --
    -- There is no truth. There is only Perception. To Perceive is to Exist.
  5. Re:That's just bad by Gwala · · Score: 5, Informative

    It's not being run off someone's desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include source code filenames and line numbers on Windows.

    --
    #!/bin/csh cat $0
  6. Re:The site looks like... by Camann · · Score: 5, Informative

    Relevant text in case of site slashdotted:
    <head>
    <meta http-equiv="Content-Language" content="en-us">
    <meta name="GENERATOR" content="Microsoft FrontPage 6.0" >
    <meta name="ProgId" content="FrontPage.Editor.Document" >
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252" >
    <title>Welcome to The Colorado Department of Labor and Employment</title>
    <link rel=stylesheet href="/commoncomponents/contentstyles.css" type="text/css">
    </head>

    --
    I can't believe you don't know what a Hasemalphaginnojinglanaporphomism is.
  7. Re:If I were from colorado.. by Thelasko · · Score: 4, Informative

    Contact information is here. Don't try to contact them using the link in the summary, it doesn't work.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  8. Re:If I were from colorado.. by Anonymous Coward · · Score: 5, Informative

    Secunia states that Firefox3 has less critical issues:
    http://secunia.com/advisories/product/19089/

    While IE6 and IE7 have moderate problems, making IE less secure:
    http://secunia.com/advisories/product/11/
    http://secunia.com/advisories/product/12366/

    Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.

  9. Message from the State Chief Information Officer by terminalhype · · Score: 3, Informative

    Message from the State Chief Information Officer
    Michael Locatis, State CIO
    "As the Chief Information Officer for the State of Colorado, my role is to provide the momentum and strategy for wide-ranging activities from promoting high end research and development of cutting edge technologies to creating strategies for service delivery supporting the day to day operations for the State of Colorado - thereby making a difference in the lives of the people of Colorado and delivering Governor Ritter's 'Colorado Promise'."

    http://www.govtech.com/pcio/articles/386146
    Colorado Gov. Bill Ritter and CIO Mike Locatis Launch IT Consolidation
    Aug 21, 2008
    Before his Cabinet appointment in Colorado, he was CIO of Denver, where he showed his centralization skills (and caught Ritter's attention) by consolidating 20 separate municipal and county departments into a single, citywide IT agency. It's also where Locatis learned how fragmented the state's IT systems were.

    "It was while I was working in local government that the issues surrounding state IT were immediately apparent because they impacted how services were delivered at the local level," he said.

    Before becoming a public-sector CIO, Locatis was the senior director of enterprise technology strategy for Time Warner Cable Inc., part of Time Warner Inc., a Fortune 50 company and the country's largest entertainment firm. Locatis honed his skills at aligning customer-service delivery systems, standardizing desktop capabilities and managing tech and support teams for huge enterprise resource planning applications.

    Despite Locatis' knowledge of the state's IT systems' problems, he wasn't expecting the mammoth job he faced. "It was significantly siloed and fragmented IT delivery, which was a root cause of a lot of the issues - including inefficiencies, a lack of leveraging an enterprise approach and just about every [IT] department in the state doing its own thing," he said.

  10. Where does it say Firefox is insecure? by whoever57 · · Score: 3, Informative

    I just looked at the site and I see nothing indicating that FF is insecure. In the FAQ, it does say that IE6 and later are the only supported browsers ("for proper operation"), but "unsupported" is not the same as "insecure".

    --
    The real "Libtards" are the Libertarians!
    1. Re:Where does it say Firefox is insecure? by DanWS6 · · Score: 4, Informative
      They edited the FAQ and removed that text.

      It used to say:

      Can I use Firefox or another Browser?

      No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later.

    2. Re:Where does it say Firefox is insecure? by AKAImBatman · · Score: 5, Informative

      It looks like they removed the message about Firefox being insecure. Google doesn't have a cache of the page, but you can see it in the summary:

      http://www.google.com/search?hl=en&q=http://www.coworkforce.com/Skills/myskills.aspx+Firefox+security&btnG=Search

      You can clearly see the text: "DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."

    3. Re:Where does it say Firefox is insecure? by totally+bogus+dude · · Score: 3, Informative

      Well IE still requests the file (it has to, otherwise it doesn't know what the filename or content-type is). Any naive script that flags the download as having commenced when it first starts serving the data will treat an IE click-and-cancel the same as a Firefox click-and-cancel. Even scripts that wait until it's finished sending the data are likely to be allowed to complete by the web server, since aborting scripts in the middle of execution can be problematic. Most servers take the "safe" approach by default: let the script finish running and just throw its output away if the client disappears.

      It looks like IE doesn't acknowledge receiving the data at the TCP/IP layer, and instead plays funny games with the TCP window size (setting it to 0) in order to stall the connection until the user decides what to do. It also seems to send 30+ duplicate ACKs for some reason. However all this is transparent to the web application; at best it'd just seem like a lossy TCP connection.

      Interesting to see that IE7 still has the "unbelievable transfer speed" bug in that if you click on a link for a file download and take a while to decide where to put it, the initial transfer speed it shows is ridiculously high because it's already downloaded a few hundred kilobytes of the file before it starts the download speed timer.

  11. Add ins by Philip+K+Dickhead · · Score: 4, Informative

    These can be insecure. In fact, some were designed as trojans. See the Vladuz saga, who cracked eBay site admin accounts - in part through a Firefox plugin designed to this purpose, and hosted on the firefox plugin site!

    When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk. We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default. IE is as bad with their parent.

    I do think the warning about FF IS misplaced. Our biggest current risk is simply the Adobe PDF file-format. You don't even need to OPEN the file to execute code! Whee!

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  12. Re:Attention all personnel by GooberToo · · Score: 4, Informative

    The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
    (We like Firefox too...and safari.....and chrome...)

    It's pretty funny what a good slashdotting will do.

  13. Re:That's just bad by Simetrical · · Score: 3, Informative

    It's not being run off someone's desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include source code filenames and line numbers on Windows.

    I assume that the grandparent thought it was someone's desktop because of the "C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\" path. It looks like a developer is keeping the project in their own documents and running it straight from the source code there.

    --
    MediaWiki developer, Total War Center sysadmin
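
Added example, not part of any comment in this thread: the two "That's just bad" comments above note that .NET debug symbols put source file names and line numbers into stack traces, which is how a developer's profile path ended up on a public error page. The check below scans captured error-page text for such frames and extracts the account name from the path; the sample trace, the `ExampleSite` names and the `devuser` account are constructed for illustration.

```python
import re

# Stack frame as printed when PDB debug symbols are deployed:
#   at Namespace.Type.Method(args) in <drive>:\<source file>:line <N>
FRAME_RE = re.compile(
    r"^\s*at\s+(?P<method>[\w.<>`\[\], ]+?\(.*?\))\s+in\s+"
    r"(?P<path>[A-Za-z]:\\.+?):line\s+(?P<line>\d+)\s*$",
    re.MULTILINE,
)
# A Windows profile directory in the path reveals a login account name.
PROFILE_RE = re.compile(
    r"\\(?:Documents and Settings|Users)\\([^\\]+)\\", re.IGNORECASE
)

# Constructed sample of error-page text (not taken from the real site).
SAMPLE = r"""
[NullReferenceException: Object reference not set to an instance of an object.]
   at ExampleSite.MySkills.LoadProfile(Int32 id) in C:\Documents and Settings\devuser\My Documents\Visual Studio 2005\Projects\ExampleSite\MySkills.aspx.cs:line 87
   at ExampleSite.MySkills.Page_Load(Object sender, EventArgs e) in D:\build\ExampleSite\MySkills.aspx.cs:line 23
   at System.Web.UI.Control.OnLoad(EventArgs e)
"""


def find_leaked_frames(body):
    """Return one finding per stack frame that exposes a source path."""
    findings = []
    for m in FRAME_RE.finditer(body):
        path = m.group("path")
        profile = PROFILE_RE.search(path)
        findings.append({
            "method": m.group("method"),
            "path": path,
            "line": int(m.group("line")),
            "account": profile.group(1) if profile else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_leaked_frames(SAMPLE):
        print(f"{f['path']}:{f['line']} account={f['account']} ({f['method']})")
```

Framework frames without a source path (the `System.Web` line in the sample) are not reported, since they leak nothing about the build machine.
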
  14. Re:What do you expect... by Brandybuck · · Score: 3, Informative

    Funding has very little correlation with the quality of education. California is bankrupting itself funding education, yet is quite lackluster in its educational quality.

    --
    Don't blame me, I didn't vote for either of them!