Closed Bug 213915 Opened 22 years ago Closed 11 years ago

ed.gov - Improper sniffing at fafsa.ed.gov tests for highly specific browser versions.

Categories

(Web Compatibility :: Site Reports, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: neady, Assigned: neady)

Attachments

(1 file)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030411

For example, Netscape 7.01 is listed as supported, but if you try to access with Netscape 7.1 you get the supported browsers list.

Reproducible: Always

Steps to Reproduce:
1. Go to fafsa.ed.gov
2. Follow "find my school codes" image link (third from bottom in the left-hand column of bright green links).

Actual Results: List of supported browsers appears. User (a library patron) calls over the computer guy to fix this problem. "Can I still fill out this form? How do I get the codes?"

Expected Results: Form asks what school year the user is applying for.

Reproduced with the following browsers:
* Netscape 7.1 Win98
* Mozilla 1.4b Linux 2.4 i686

If I change my UserAgent string (using the Preferences Toolbar), I get the Expected Results. However, requiring users to do browser spoofing in order to use a government website is sick, twisted, and wrong.

> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Please ignore that user-agent string; I was spoofing IE to verify that the site works properly under spoofing conditions, to demonstrate that the user-agent string is the only relevant factor and that the sniffing is superfluous.

Also: I've discovered that it is actually possible to use the site without the spoofing, but it requires scrolling down past the whole list of supported browsers and clicking on "Next". This action does not occur naturally to a user, since the list of supported browsers looks technical and comes across therefore as an error message. I'm not downgrading every computer in the library back to an obsolete browser version just so this one website will work as it ought.

I'm running out of time here today, but I'll plan to contact someone at fafsa.ed.gov next week. You may assign this bug to me if desired.
From my days in Student Systems at UVa, I remember the FAFSA usually has pretty restrictive policies due to the nature of the content being exchanged. They do have a quarterly review policy and we can try to get NS7.1 and Mozilla 1.4 on the list. I would very much appreciate your help and will help them in any way I can.
Assignee: english-us → jonadab
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Improper sniffing at fafsa.ed.gov tests for highly specific browser versions. → ed.gov - Improper sniffing at fafsa.ed.gov tests for highly specific browser versions.
Keywords: evang500
I got busy there; sorry about that. I'm getting back to this now.

New information: the sniffing here is really out of control: I get a different list of supported browsers, depending on what browser I use. Here is the list I get using Mozilla 1.3 on Knoppix 2.4.20 x86:

-----
Supported Browsers

These are all the browsers that are compatible with FAFSA on the Web.

The following browsers have been certified for use with FAFSA on the Web. If you choose to use a browser other than the ones listed here, you may encounter problems while entering your application that Customer Service may not be able to resolve. On a quarterly basis, the Department of Education will evaluate new browser versions and certify them for use with FAFSA on the Web.

Netscape browsers:
* Netscape Navigator 4.76 (Windows 95/98, Windows NT, Windows 2000 and Macintosh)
* Netscape Navigator 4.77 (Windows 95/98, Windows NT, Windows 2000 and Macintosh)
* Netscape Navigator 4.78 (Windows 95/98, Windows NT, Windows 2000 and Macintosh)
* Netscape Navigator 4.79 (Windows 95/98, Windows NT, Windows 2000 and Macintosh)
* Netscape Navigator 4.8 (Windows 95/98, Windows NT, Windows 2000 and Macintosh)
* Netscape Navigator 6.2 (Windows 95/98, Windows NT, Windows 2000, Windows ME, and Windows XP Home and Professional)
* Netscape Navigator 6.2.1 (Windows 95/98, Windows NT, Windows 2000, Windows ME, and Windows XP Home and Professional)
* Netscape Navigator 6.2.2 (Windows 95/98, Windows NT, Windows 2000, Windows ME, and Windows XP Home and Professional)
* Netscape Navigator 6.2.3 (Windows 95/98, Windows NT, Windows 2000, Windows ME, and Windows XP Home and Professional)
* Netscape Navigator 7.01 (Windows 98, Windows NT, Windows 2000, Windows ME, and Windows XP Home and Professional)

Microsoft browsers:
* 5.00.2014.0216 - Internet Explorer 5.0 (Windows 95/98 and Windows NT)
* 5.00.2314.1003 - Internet Explorer 5.0 (Office 2000)
* 5.00.2614.3500 - Internet Explorer 5.0 (Windows 98 Second Edition)
* 5.00.2919.6307 - Internet Explorer 5.01 and 5.01 with Service Pack 1 (Windows 95/98, Windows NT and Windows 2000)
* 5.00.2920.0000 - Internet Explorer 5.01 (Windows 2000, build 5.00.2195)
* 5.00.3103.1000 - Internet Explorer 5.01 with Service Pack 1 (Windows 2000)
* 5.00.3105.0106 - Internet Explorer 5.01 with Service Pack 1 (Windows 95/98 and Windows NT)
* 5.00.3314.2101 - Internet Explorer 5.01 with Service Pack 2 (Windows 95/98 and Windows NT)
* 5.00.3315.1000 - Internet Explorer 5.01 with Service Pack 2 (Windows 2000)
* 5.50.4134.0100 - Internet Explorer 5.5 (Windows 95/98, Windows NT, Windows 2000 and Windows ME)
* 5.50.4522.1800 - Internet Explorer 5.5 with Service Pack 1 (Windows 95/98, Windows NT, Windows 2000 and Windows ME)
* 5.50.4807.2300 - Internet Explorer 5.5 with Service Pack 2 (Windows 95/98, Windows NT, Windows 2000 and Windows ME)
* 6.0.2600.0000 - Internet Explorer 6.0 (Windows 98, Windows NT, Windows 2000, Windows ME, and Windows XP Home and Professional)
* 6.0.2800.1106 - Internet Explorer 6.0 with Service Pack 1 (Windows 98, Windows NT, Windows 2000, Windows ME, and Windows XP Home and Professional)

All versions of Internet Explorer 5 or 6 customized with the Internet Explorer Administration Kit (IEAK) include one of the following strings after the version number when you click "About" on the Help menu:
* IC = Internet Content Provider
* IS = Internet Service Provider
* CO = Corporate Administrator

America Online default browsers:
* AOL 5.0 (Windows 95/98 and Windows NT)
* AOL 6.0 (Windows 95/98/ME and Windows 2000)
* AOL 7.0 (Windows 95/98/ME, Windows 2000, Windows XP Home and Professional)
* AOL 8.0 (Windows 98, Windows 2000, Windows ME, and Windows XP Home and Professional)
-----

This list has the "Next" button at the very bottom that does allow the user to continue. However, if I access the page using Konqueror 3.1.1 I get the following list:

-----
Incompatible Browser Detected

Your browser type is not supported by our web site.

The following browsers have been certified for use with FAFSA on the Web. If you choose to use a browser other than the ones listed here, you may encounter problems while entering your application that Customer Service may not be able to resolve. On a quarterly basis, the Department of Education will evaluate new browser versions and certify them for use with FAFSA on the Web.

Netscape browsers:
Netscape Navigator 4.76 (Windows 95/98, Windows NT, Windows 2000, and Macintosh)
Netscape Navigator 6.2 (Windows 98, Windows NT)

Microsoft browsers:
5.00.2014.0216 -- Internet Explorer 5.0 (Windows 95/98, and Windows NT)
5.00.2314.1003 -- Internet Explorer 5.0 (Office 2000)
5.00.2614.3500 -- Internet Explorer 5.0 (Windows 98 Second Edition)
5.00.2919.6307 -- Internet Explorer 5.01 and 5.01 with Service Pack 1 (Windows 95/98, and Windows NT, and Windows 2000)
5.00.2920.0000 -- Internet Explorer 5.01 (Windows 2000, build 5.00.2195)
5.00.3103.1000 -- Internet Explorer 5.01 with Service Pack 1 (Windows 2000)
5.00.3105.0106 -- Internet Explorer 5.01 with Service Pack 1 (Windows 95/98 and Windows NT)
5.00.3314.2101 -- Internet Explorer 5.01 with Service Pack 2 (Windows 95/98/ME, and Windows NT)
5.00.3315.1000 -- Internet Explorer 5.01 with Service Pack 2 (Windows 2000)
5.50.4134.0600 -- Internet Explorer 5.5 (Windows 95/98, Windows NT, Windows 2000, and Windows ME)
5.50.4522.1800 -- Internet Explorer 5.5 with Service Pack 1 (Windows 95/98, Windows NT, and Windows 2000, and Windows ME)
6.0.2600.0000 -- Internet Explorer 6.0 (Windows NT, Windows XP Home and Professional)

America Online default browsers:
AOL 5.0 (Windows 95/98 and Windows NT)
AOL 6.0 (Windows 95/98/ME and Windows 2000)
AOL 7.0 (Windows 95/98/ME, Windows 2000, Windows XP Home and Professional)

To increase the security of your application data, we recommend that you use the domestic version (56-bit and 128-bit encryption) of one of the above browsers. The domestic versions of the browsers have increased encryption features to protect and secure the privacy of your application data. Current laws and regulations allow only U.S. and Canadian citizens to use 128-bit encryption. The amount of time it takes to download one of these browsers varies depending on the speed of your modem, traffic on the Internet, and how busy the web site is at the time.

All versions of Internet Explorer 5 or 6 customized with the Internet Explorer Administration Kit (IEAK) include one of the following strings after the version number when you click "About" on the Help menu:
IC = Internet Content Provider
IS = Internet Service Provider
CO = Corporate Administrator

Download 128-bit Netscape
Download 128-bit Internet Explorer
-----

Ack! Which browsers and versions and platforms are really supported? How's a user to know? I'll contact them shortly and attach a copy of the email here.
Status: NEW → ASSIGNED
I sent a message. It's below. On a side note, I normally use Gnus, but am not on my regular system and used Messenger. The message below is _not_ formatted the way it was shown to me while I was composing it, and I come off looking like a buffoon. This does not strengthen our case.

Return-Path: <eady@galion.lib.oh.us>
Received: from adminsystem.galion.lib.oh.us [66.213.116.7] by xavier.conelec.com; Mon, 11 Aug 2003 15:03:51 -0400
Organization: Galion Public Library
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030327 Debian/1.3-4
X-Accept-Language: us, en
Message-Id: <3F37941E.7080602@galion.lib.oh.us>
From: Nathan Eady <eady@galion.lib.oh.us>
To: fafsaweb@ncs.com, webmaster@fafasa.ed.gov
Subject: browser sniffing issues at fafsa.ed.gov
Date: Mon, 11 Aug 2003 09:03:26 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

I've noticed some issues (including some inconsistencies) in the browser sniffing being done at your site. This matter was brought to my attention first by a patron who was attempting to use one of our public internet stations to look up school codes on your site, for the purpose of filling out (a paper copy of) an application. She had clicked on the "Find my school codes" link and received a long list of Supported Browsers, so she came to the desk for support -- "Does this mean I can't fill out this application?"

As it turned out, the browser she was using ought to have been supported, but the website is out of date and supports only old versions; the weeks-old current version is unsupported. You can guess how likely I am to downgrade the library's web browsers to an obsolete version to accommodate one site.

I understand in general the motivations for browser sniffing, but this is over the top. Not only was she using a browser that ought to have been supported, but also the information she was seeking was of a public nature that does not justify any specific browser requirements at all. Additionally, no real security was provided, because the "Next" link at the bottom (which the user did not see, due to understandably being preoccupied with the technical nature of what read to her like an error message) would in fact have permitted her to proceed, had she clicked it. Thus, you are only requiring specific browser versions for users without technical knowledge.

Additionally, users with a little more technical knowledge could access the site with any browser, by spoofing the user-agent string, which was the only sniffing mechanism used; I have verified this by using the Preferences Toolbar in Mozilla to spoof MSIE. Similar things can be done with other browsers using proxies, registry settings, and so on and so forth. You really are only locking out non-technical users. This is especially silly, because non-technical users are far less likely than their technically-inclined counterparts to be willing to undertake installing a different browser or upgrading to a newer version. Anyone with enough technical knowledge to install a browser upgrade can just as well install a user-agent spoofing utility.

Furthermore, I have subsequently discovered that your policy is not even internally consistent. I get different lists of supported browsers, depending on which browser I use to (try to) access the site. For example, I get one list when I use Mozilla 1.3 on Knoppix 2.4, and another list using Konqueror 3.1.1 on the same platform. The former list indicates that Netscape 7.01 is supported on certain versions of Windows (but not, apparently, on other versions of Windows, as if the specific version of the OS made any difference to the browser), but the latter list does not list any recent versions of Netscape. Which versions are really supported? How's a user supposed to know? Surely you don't expect a user of the latest version of Opera or Konqueror or Mozilla Firebird to go download a three-year-old version of Netscape, only to find out afterward that a more recent (and much better) version would have worked also? Or can your own web development staff not even keep track of all these hyperspecific browser versions that you do and don't support? Quick, off the top of your head, is Netscape 7.01 on Mac OS X 10.1.5 supported by your site?

I would urge you to re-evaluate your sniffing techniques and policies. They clearly aren't working as intended or accomplishing what they were supposed to accomplish, but are inconveniencing and turning away legitimate users of your site. Sniffing, when done correctly, can direct to each browser the content most likely to be most viewable in that browser, or can ensure that proper encryption is used for exchanging certain types of content, but that is not what is currently happening at your site.

Thank you for your time,
Nathan Eady
Technology Coordinator, Galion Public Library
setting milestone to show when to follow up. any response?
Target Milestone: --- → Sep
Appears to be resolved.
My mistake, not sure how I ended up posting that comment here, but it is definitely NOT resolved. Apologies for bugspam.
Still not resolved, I sent a friendly suggestion promoting the support of Mozilla browsers from the form at: http://www.fafsa.ed.gov/contact.htm You could too :-)
This appears to have been fixed sometime in the last 2.5 years; it works in both Camino-trunk and Firefox 2.
Well, it now detects up to Firefox 2.0.x, but will allow you to use it with any other version, and works flawlessly. Any progress?
Hardware: x86 → All
It is not obvious to me that any meaningful progress has been made here. Currently (2010 January 12) they're listing the following Mozilla browsers as being supported:
* Mozilla Firefox 1.5.x (Windows XP, Windows 2000, Windows Vista; and Macintosh Operating System 10.2 and 10.4)
* Mozilla Firefox 2.0.x (Windows 2000, Windows XP, Windows Vista; and Macintosh Operating System 10.2 and 10.4)
* Mozilla Firefox 3.5.4 (Windows Vista; and Macintosh Operating System 10.4.x)

That last one is especially bizarre. Firefox 3.5.4 only (not 3.5.3 or 3.5.5), and only on Vista or Tiger, not XP or Seven or Panther or Leopard. I also like how Firefox 1.5 and 2.0 are supported on OS X 10.2 Jaguar and 10.4 Tiger but not on 10.3 Panther. Even cheap game software seldom has such sporadic platform support.
OK, well, I just filled out my FAFSA with Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20100112 Minefield/3.7a1pre (.NET CLR 3.5.30729) ID:20100112050137. Worked fine. So, I think the only problem is that they are being exclusive with their UA sniffing. So, I think the site works just fine in all versions, but they just have some browsers listed as supported. So, while this is a stupid method they are using (it's the government, I guess), it's not that big of an issue. At least they updated to the 3.5.x branch.
Right, yes, the site works fine, *except*, if your UserAgent string deviates even slightly from the ones on The List, you get a big scary extremely long and technical-looking error message, which you have to scroll all the way past to find the Continue Anyway button. It's a textbook example of how User Agent sniffing shouldn't be done, ever. I'll try dropping them a line again, for all the good it will likely do.
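The failure mode described in this bug, as an added example that is not part of the original thread or the site's own code: a version-list gate keyed on the User-Agent header turns away current browsers and accepts any client that sends a listed string, while a gate keyed on what the server can verify about the connection does neither. The certified list, the TLS floor, the request objects and all function names are assumptions constructed for illustration; the User-Agent strings are the ones quoted in the comments.

```javascript
'use strict';

// Hypothetical certified list in the spirit of the one quoted in this bug
// (Firefox 3.5.x/3.6.x and MSIE 6.0 only). Constructed, not the site's list.
const CERTIFIED = [
  { product: 'Firefox', versions: /^3\.[56](\.|$)/ },
  { product: 'MSIE', versions: /^6\.0$/ },
];

// Extract "Product/1.2.3" and "MSIE 6.0" style tokens from a User-Agent header.
function uaTokens(userAgent) {
  const tokens = [];
  const re = /\b([A-Za-z]+)[\/ ](\d[\w.]*)/g;
  let m;
  while ((m = re.exec(userAgent)) !== null) {
    tokens.push({ product: m[1], version: m[2] });
  }
  return tokens;
}

// The anti-pattern: trust a client-supplied header and match exact versions.
function sniffingGate(request) {
  const tokens = uaTokens(request.userAgent);
  const listed = CERTIFIED.some((c) =>
    tokens.some((t) => t.product === c.product && c.versions.test(t.version)));
  return listed ? 'allow' : 'incompatible-browser-page';
}

// Alternative: ignore the header and decide on facts the server observes.
// In a Node HTTPS server these would come from req.socket.encrypted and
// req.socket.getProtocol(); here they are plain fields on a constructed object.
const ACCEPTED_TLS = ['TLSv1.2', 'TLSv1.3']; // assumed floor for sensitive forms

function connectionGate(request) {
  if (!request.sensitive) return 'allow'; // public lookups need no gate at all
  const { encrypted, protocol } = request.connection;
  return encrypted && ACCEPTED_TLS.includes(protocol)
    ? 'allow'
    : 'require-stronger-tls';
}

// Constructed requests using the User-Agent strings quoted in this bug.
const SAMPLES = {
  firefox7: { userAgent: 'Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0',
    sensitive: true, connection: { encrypted: true, protocol: 'TLSv1.2' } },
  seamonkey24: { userAgent: 'Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20110923 SeaMonkey/2.4',
    sensitive: true, connection: { encrypted: true, protocol: 'TLSv1.2' } },
  // Any client can send this header; the weak connection is what matters.
  spoofedMsie6: { userAgent: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    sensitive: true, connection: { encrypted: true, protocol: 'TLSv1' } },
  // The school-code lookup from the original report: public data.
  publicLookup: { userAgent: 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030411',
    sensitive: false, connection: { encrypted: false, protocol: null } },
};

// Run both gates over every sample and return one row per request.
function compareGates(samples) {
  return Object.entries(samples).map(([name, request]) => ({
    name,
    sniffing: sniffingGate(request),
    connection: connectionGate(request),
  }));
}

console.table(compareGates(SAMPLES));
```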
This is hitting Firefox 5 users this week... are we still in contact with them?
FAFSA really just needs to stop their Gecko version sniffing. They update their site so painfully late; this makes it very difficult to use either Chrome or Firefox on their website with the latest version.
Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20110923 SeaMonkey/2.4

The site fails with Firefox 7 and SeaMonkey 2.4. My input to the only Web page I could find for reporting Web site problems -- a U.S. Department of Education page -- resulted in a reply that effectively said "We don't handle FAFSA Web problems. Report it elsewhere." But no "elsewhere" was suggested. The reply also referred to <https://fafsa.ed.gov/FAFSA/app/errors?page=incompatibleBrowser>, which states that Firefox is recognized only through versions 3.5.x and 3.6.x.

Today, I sent a postal letter to Secretary of Education Arne Duncan. Not only did I point out the problem about the FAFSA Web site, but I also noted the totally unacceptable response from the U.S. Department of Education's technical help unit (which I included in my letter).
Today, I received a reply from the Department of Education to the letter I mentioned in comment #16. The reply indicates that users can indeed "use a noncertified [sic] browser to access 'FAFSA on the Web'". I immediately tested that assertion and found it to be false. The reply also stated: "The U.S. Department of Education evaluates new browser versions for use with 'FAFSA on the Web' on a quarterly basis." This is not frequent enough under the current Mozilla process of rapid, frequent releases of new versions.

There appears to be an alternative Web site <http://federalstudentaid.ed.gov/> that does not have this problem of invalid sniffing with SeaMonkey 2.4. However, I did not navigate throughout that site to make sure all of it can be viewed with SeaMonkey 2.4. I did not even try it with Firefox 7.
"Steps to Reproduce" in the Description now yield an SSL certificate error. The site certificate is valid only for akamai.net and related domains, not for the fafsa.ed.gov domain. Since the link to "School Code Search" in these steps is not for the https protocol, I'm not sure why an SSL certificate is needed. I sent an E-mail to <FederalStudentAidCustomerService@ed.gov>.
Re my comment #18: There is still invalid UA sniffing involved. Using SeaMonkey 2.6.1 but spoofing either IE 7 or Firefox 8.0.1, there is no problem viewing "School Code Search". Yes, there is a redirection from the http URI to the equivalent https URI. The site certificate is okay. Using SeaMonkey 2.6.1 without any spoofing ("Advertise Firefox compatibility" disabled), the wrong site certificate is sent when redirection occurs. This causes an SSL error, blocking the display of the page. E-mail has been sent to <FederalStudentAidCustomerService@ed.gov>.
> There is still invalid UA sniffing involved.

There is, but with the warning message being so much smaller now (see screenshot), the fact that you can proceed anyway is a LOT more evident. This is still significantly non-ideal, but it's a large improvement.

Incidentally, the latest version of Firefox listed as supported, as of now, is version 9. Version 10 was released in late January, so the claim that they update the list "quarterly" does not fully explain how out of date the list is. If old versions like 2.0 were still supported, we could just figure that they're really slow-moving, but such is not the case. My best guess is that the weird lag results from a process of updating the list that takes some number of weeks each time (perhaps it even takes the whole quarter) and is structured in such a way that no new candidates are added partway through the process. That would be a pathologically horrible way to do browser testing, but it fits the evidence. Following that pattern, we can anticipate that version 11 (but not 12 or 13) may be listed as supported some time in July, assuming that the first quarter starts at the beginning of the year in their reckoning.

But like I said, the warning is now confined to a small box (with only a link to the list of supported browsers, rather than the whole list being inlined), and with that change it is now MUCH more evident to the user that they can in fact proceed anyway.
no message about browsers.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Component: English US → Desktop
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility