Standards out the Windows

I’ve been trying to come to terms with a vendor that we’ve been using at work, and they are really making some sorry excuses. The site is a company that we use to run background checks on all employees that we hire. Their web portal requires the use of IE, and it’s just silly. I don’t want to bore you non-technical folks, but if you’re at all interested in learning about a company who doesn’t embrace web standards and doesn’t care to extend a nice gesture to their good-paying customers, click through and keep reading.

After hearing about the problem, I sent them this message yesterday:

Throughout our branch offices, we use Mozilla Firefox [www.mozilla.com] as our web browser and I have disabled Internet Explorer. Since we implemented this, our problems with pop ups, spyware, and other sorts of malware have decreased from four or five calls per week to our help desk to only one or two calls over a two-month period.

When trying to log in at https://rapidxxxxx.com/getsec/index.cfm using Firefox, we currently see the following error:

====================
BROWSER ERROR:
To login to our system you must be using Internet Explorer 5.0 or greater. You may not login to our system using Netscape Navigator.
====================

However, by installing the “User Agent Switcher” extension [https://addons.mozilla.org/firefox/59/] for Firefox and changing my browser’s User-Agent to Microsoft Internet Explorer, I was able to log in to rapidxxxxx.com without any issues. All this does is make your web server ‘think’ that I’m using IE. Your website works perfectly fine under any recent versions of the Mozilla family of web browsers that I tested with.

I would strongly encourage your IT staff to add the Mozilla Firefox user agent to your allowed browser list. Mozilla Firefox has reduced Internet Explorer’s market share from around 85% to less than 60% in just two years and its adoption rate is skyrocketing as virus/spyware become more and more of a problem. As I said, your site works great in Firefox – the only thing stopping it is the browser check when trying to log in.

A few moments ago, I received a rather lengthy response, but here’s the “meat and potatoes” of it:

Our websites require the use of Internet Explorer 5.5 or greater. Several of our site functions are specifically designed to take advantage of technologies integrated into IE, that other browsers such as the Mozilla (including Firefox) and Netscape (including AOL) series of browsers do not support, or provide limited tolerances for.

We have tested with Firefox since their first non-beta release. We are still dealing with some tolerance issues, and some memory management issues regarding very large html files that are created when dealing with large result sets on our site. Overall, the impact of Rapidxxxxx.Com is minimal. However, we currently have no scheduled plans to allow access to our site using browsers other than IE. If our client chooses to modify their encoding type to “trick” the system, they may lose certain functionality.

I want to pick this apart, and then I’ll post the rest of their inane excuses. First of all – what ‘technologies’ is it that IE5.5+ has that Firefox doesn’t and what technologies that both have does IE ‘tolerate’ better? ActiveX controls may have been your first thought, but Rapidxxxxx.com doesn’t use ActiveX, so move on and try to come up with something else, because I’m dying to know. Besides, ActiveX is one reason we’ve decided to disable access to IE in the first place. Next up is the time issue. If they really have been testing with Firefox since its 1.0 debut, they need to fire their programmers and find some new ones. It’s been over a year and a half since Firefox came out of beta. I’ll give them the edge when they say that Firefox has memory problems. No one in the world can argue against that, but I seriously doubt that those datasets they are talking about are no larger than some of the sites I view on a daily basis. Finally – it’s not the encoding type – it’s a User-Agent. I think I used the term “user-agent” several times in my first message – but I can understand their confusion. It would be an easy enough mistake to make for anyone as technically incompetent as these programmers apparently are.
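An added example, not code from this post or from the vendor: a Python sketch of a login gate keyed on the User-Agent header, as the error message above describes, next to a variant that warns instead of refusing. The function names, the regexes and the sample header strings are assumptions constructed for illustration.

```python
import re

# Constructed sample headers (not captured from the vendor's site).
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
UA_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) "
              "Gecko/20060508 Firefox/1.5.0.4")

MSIE_RE = re.compile(r"MSIE (\d+)\.(\d+)")
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")

BLOCK_MSG = ("To login to our system you must be using "
             "Internet Explorer 5.0 or greater.")
WARN_MSG = "This browser is untested; some functions may not work."


def hard_gate(user_agent):
    """Assumed shape of the portal's check: refuse unless the header claims IE >= 5.0.

    The decision depends only on a string the client chooses to send, so it
    describes what the client says it is, not what it can actually render.
    """
    m = MSIE_RE.search(user_agent or "")
    if m and (int(m.group(1)), int(m.group(2))) >= (5, 0):
        return {"allow": True, "message": None}
    return {"allow": False, "message": BLOCK_MSG}


def advisory_gate(user_agent, tested=("MSIE",)):
    """Alternative: never refuse on the header; warn and label the session.

    The family label is for support logs only; 'tested' is the list of
    browser families the site owner has actually verified.
    """
    ua = user_agent or ""
    if MSIE_RE.search(ua):
        family = "MSIE"
    elif FIREFOX_RE.search(ua):
        family = "Firefox"
    else:
        family = "unknown"
    warning = None if family in tested else WARN_MSG
    return {"allow": True, "family": family, "warning": warning}


if __name__ == "__main__":
    for label, ua in (("IE 6", UA_IE6), ("Firefox", UA_FIREFOX), ("empty", "")):
        print(label, hard_gate(ua), advisory_gate(ua))
```

Adding "Firefox" to `tested` once the site has been verified in it removes the warning without touching the login path.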

At this point, the unnamed “IT Guy” digressed into a full-out discussion about IE vs. Other Browsers and the security model surrounding them both. For those still reading:

In the past, the differences between all web browsers were much larger than today, and the complications of supporting multiple platforms were unrealistic. Since IE integrates with Active Directory, and most corporate networks run a Windows software model, we chose to support IE.

It may help to note that Firefox has a very tight security model, while IE provides for greater customization in security. IE versions under 6 had a very lax out of the box security model that required a bit of admin work to get them “locked-down”. However recent versions of IE (6.0 latest service pack and 7.0) provide the same “out-of-the-box” enabled security features and options as Firefox (including Pop-Up-Blocker, Scripting Lockdown, Malicious software detection for Malware). There is now very little difference between the two (in relation to security), except that the level of security control (the ability to open holes when necessary) in IE is greater than Firefox. Nearly all Spyware is application based, and as such requires a valid installation process for updated versions of Windows to process related dll’s. Therefore it has to be blocked at the system installer level to prevent infection. Each copy of Windows should have Windows Installer 3.1 or later, which integrates with the Windows Malicious Software Tool. (Installer 3.1 is a manual update to XP, since it requires the Genuine Advantage Tool to ascertain that you are running a valid copy of Windows. It will not process during automatic updates.)

I really fail to see the connection between Windows Installer 3.1 and keeping spyware at bay. I’m also trying to decide if he was insinuating that we run jacked copies of Windows (we don’t – every copy is legit – I promise!). Just like Stephen Colbert – I’m breaking out my “big board” and putting Rapidxxxxx.com on notice. At the very least, they could’ve said “we hope to support it by _____” or offered some other gesture of hope. Instead, they basically said that our security model is flawed and that they didn’t care enough about our business to help make their site work for us.

Well, I’m off to compose my reply – something to the effect of “This greatly concerns us as we have plans to completely phase out our Windows-based PC’s totally within the next 8-12 months with more robust and secure Linux-based desktop computers.” I wonder how they’ll respond to that? (And no – we really aren’t planning that – at least not yet.)

Note: Rapidxxxxx.com is not the real company name and/or website. Name changed to protect the innocent ignorant company.