In France, we have professional elections, in which we elect the judges who settle disputes between employees and employers (cases are judged by a panel with 50% of representatives of employers and 50% of representatives of employees). This is very nice, but most people don’t think that it is important enough to get out and vote. As a consequence, the government has setup an experimental on-line voting procedure for people working in Paris.

This sounds like a great idea, but their site does not support Firefox 3. You may think that it is just another site that only supports IE, but no, it isn’t. They support IE6 and IE7, as well as Opera 8, Safari 3.1 and above, and Firefox 1.5 and above, except version 3.0. Then, why would they reject over 15% of the people who use Firefox 3.0 in France?

Security, of course.

Cette version de Firefox ne garantit pas, pour les élections prud’homales, la confidentialité des informations, qui doit être assurée sur un site Internet sécurisé.

In english, “This version of Firefox does not guarantee, for professional elections, the confidentiality of information, which must be guaranteed on a secure Internet site”.

Sounds scary, doesn’t it? After all, I am a Firefox 3 user, and I would like to know why my browser is so bad. 01net.com has asked several persons of the reason behind that remark, and they did not get any more information.

Now, let’s get to the fun stuff, and try to speculate on this one:

• The development for this site is likely to have started a while ago, before the final release of Firefox 3.0. At that time, it is quite likely that bugs were to be found in the browser, including security bugs.
• But then, if the developers of this site identified a bad confidentiality bug on Firefox 3, why didn’t they signal the bug to the Firefox developers? At least, they should have done that when noticing that the bug was not fixed when Firefox 3.0 was released.
• The French government has many other sites, including one on which I, among millions of others, file and pay my taxes. For that matter (paying taxes), Firefox 3 looks secure enough, since I have used it just a few days ago with Firefox 3. After all, it’s just my money.
• I am lucky enough to have on my PC a copy of Google Chrome (v0.3.154.9), as well as an iPod Touch, which both identify themselves as “AppleMAC-Safari”, version 5.0, which would allow me to use the site; I could even do it on a mobile device.

This entire story makes me unhappy, and not only because an open source browser is once again ostracized. What worries me more is the (lack of) policies around governmental internet infrastructure, and the way in which the government (and in most cases, its contractors) handle security:

• A contractor who discovers a browser vulnerability that is significant enough to cause significant issues in the application they develop should be forced to notify whoever develops that browser, proprietary or Open Source.
• The government should maintain a consistent security policy across its Web sites. If a vulnerability is significant enough for a given site, it should be considered for all others, even if it means that I can’t use my favorite browser for a while.

Let’s hope that the French government won’t join others in the systematic application of security theater measures everywhere, especially on internet, and that this issue is just due to some contractor not doing his work correctly.