State of Colorado Calls Firefox Insecure, IE6 Safe

linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"

That's just bad

[AKAImBatman]

Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:

Server Error in '/SKILLS' Application.

Object reference not set to an instance of an object.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[NullReferenceException: Object reference not set to an instance of an object.]
      Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
      Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
      System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
      System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
      System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
      System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
      System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
      System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746

Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

I love how the site is:

A) Being run off of someone's desktop. Out of their My Documents folder, no less.
B) Gives up the username of the machine without so much as a "how do you do"
C) Shows the world that our amazing admin can't even hack it at C#

I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site. :-/

Mozilla

[zogger]

Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.

That's the opposite of what the DHS said

So now Colorado thinks they're smarter than the feds?

Not long ago the DHS said to avoid IE and use firefox for security reasons.
http://www.google.com/search?q=dhs+avoid+ie

Re:firefox and mac

[Qzukk]

The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.

I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".

Re:If I were from colorado..

[dotancohen]

And what should that email say, exactly? More specifically, to what URLs could I point the devs to an _unbiased_source_ that IE is insecure and Firefox is secure?

I have this problem with Hebrew websites constantly, in fact, about two hours ago I wrote to a local news website about their IE-only policy. Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.

Re:The site looks like...

[a_nonamiss]

I'm laughing my ass off. I've worked with enough government (specifically state) agencies to know that this is not hyperbole. This is probably what actually happened.

Re:Add ins

[zanybrainy941]

When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk.

Any goof can create them, but *not* any goof can *publish* them on the Mozilla site. Mozilla has over the last couple years instituted a number of strict review guidelines and tests that an add-on must pass before it's published by Mozilla. Every add-on and add-on update is code-inspected line-by-line by a human editor. Mozilla has staffed up specifically in support of the add-ons site, and the number of code reviewers has grown dramatically in recent months. Reviewers keep a sharp eye out for remote code execution, violations of user expectations of privacy, and anything that detracts from user experience. Additionally, automated red-flag detection tools are now in the works.

Bottom line: do not install plugins and extensions in Firefox from sites other than addons.mozilla.org. With AMO, every single extension and extension update is inspected and reviewed before being published on the site. It's the only way to be sure.