Slashdot Mirror

← Back to Stories (view on slashdot.org)

State of Colorado Calls Firefox Insecure, IE6 Safe

Posted by timothy on from the sheeps'-bladders-may-be-used-to-prevent-earthquakes dept.

linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"

10 of 530 comments (clear)

  1. That's just bad by AKAImBatman · · Score: 5, Interesting

    Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:

    Server Error in '/SKILLS' Application.

    Object reference not set to an instance of an object.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [NullReferenceException: Object reference not set to an instance of an object.]
          Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
          Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
          System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
          System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
          System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
          System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
          System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
          System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746

    Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

    I love how the site is:

    A) Being run off of someone's desktop. Out of their My Documents folder, no less.
    B) Gives up the username of the machine without so much as a "how do you do"
    C) Shows the world that our amazing admin can't even hack it at C#

    I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site. :-/

    --
    Javascript + Nintendo DSi = DSiCade
  2. Re:Attention all personnel by amclay · · Score: 3, Interesting

    I just tried in all sections. I ended up leaving a message with the Gov. Perhaps the webmaster didn't know anything about web programming?

    --
    It's all fun and games till someone divides by 0. Then it's hilarious.
  3. Mozilla by zogger · · Score: 5, Interesting

    Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.

  4. That's the opposite of what the DHS said by Anonymous Coward · · Score: 4, Interesting

    So now Colorado thinks they're smarter than the feds?

    Not long ago the DHS said to avoid IE and use firefox for security reasons.
    http://www.google.com/search?q=dhs+avoid+ie

  5. Re:firefox and mac by Qzukk · · Score: 4, Interesting

    The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.

    I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  6. the sad truth of the matter by Joe+Snipe · · Score: 3, Interesting

    The state of colorado made attempts to be "ahead" of the curve when it came to an online presence (see also denvergov.com and the atrocity that is netfile; we were one of the first states to have online tax filing). Unfortunately they hired people who knew ass all about javascript (or proper DB handling) and no one knew enough to stop it in it's infancy. Now it has snowballed into something too costly to replace and too borked to simply repair.
    I imagine someone told some user that ff was a security risk, rather than go into the technical details of why the site falls to crap on browser it was never tested for. Eventually, through what I like to call "the wiki effect" that same information got passed back as fact to the current web coders who promptly put up a notice to inform their end users.

    Even still, fail.

    --
    Sometimes, life itself is sarcasm...
  7. Re:firefox and mac by Tubal-Cain · · Score: 3, Interesting

    One of them is a statement of fact that they do nothing to back up, the other one is an opinion...

    ...stated as fact.

  8. Re:If I were from colorado.. by dotancohen · · Score: 4, Interesting

    And what should that email say, exactly? More specifically, to what URLs could I point the devs to an _unbiased_source_ that IE is insecure and Firefox is secure?

    I have this problem with Hebrew websites constantly, in fact, about two hours ago I wrote to a local news website about their IE-only policy. Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.

    --
    It is dangerous to be right when the government is wrong.
  9. Re:The site looks like... by a_nonamiss · · Score: 4, Interesting

    I'm laughing my ass off. I've worked with enough government (specifically state) agencies to know that this is not hyperbole. This is probably what actually happened.

    --
    -Arthur
    Cave ne ante ullas catapultas ambules
  10. Re:Add ins by zanybrainy941 · · Score: 4, Interesting

    When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk.

    Any goof can create them, but *not* any goof can *publish* them on the Mozilla site. Mozilla has over the last couple years instituted a number of strict review guidelines and tests that an add-on must pass before it's published by Mozilla. Every add-on and add-on update is code-inspected line-by-line by a human editor. Mozilla has staffed up specifically in support of the add-ons site, and the number of code reviewers has grown dramatically in recent months. Reviewers keep a sharp eye out for remote code execution, violations of user expectations of privacy, and anything that detracts from user experience. Additionally, automated red-flag detection tools are now in the works.

    Bottom line: do not install plugins and extensions in Firefox from sites other than addons.mozilla.org. With AMO, every single extension and extension update is inspected and reviewed before being published on the site. It's the only way to be sure.