Google Barks Back At Microsoft Over Chrome Frame Security

CWmike writes "Google hit back at Microsoft on Friday, defending the security of its new Chrome Frame plug-in and claiming that the software actually makes Internet Explorer safer and more secure. 'Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users,' said a Google spokesman today. 'It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP], and defenses from emerging online threats that are available in days rather than months.' On Thursday, Microsoft warned users that they would double their security problems by using Chrome Frame, the plug-in that provides better JavaScript performance and adds support for HTML 5 to Microsoft's browser."

Google dodged the point

[gcnaddict]

"It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP], and defenses from emerging online threats that are available in days rather than months."

Irrelevant. The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point. There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites), anyplace where IE7 is being used (there's IE8; upgrade to it), and anyplace where IE8 is being used (surface of attack expanded in exchange for little benefit). Downloading Chrome itself is fine, but this is nothing more than a veiled attempt at tricking users into using Chrome instead of legitimately gaining marketshare.

Re:So, which side

[mystik]

I'm from a small org, fully embracing the leading edge.

But I can See the following scenario:

1) Org has large internal App written for IE6 only. Can't upgrade so users are forced to have IE6 on their workstations
2) Org's IT admins are well aware of the security problems IE6 forces them to work around.
3) Roll out the Chrome plugin, and set things up so everything *but* the internal site uses Chrome.

Installing IE upgrades makes it difficult to leave an ie6 & ie_latest deployment side-by-side in a 'supported' fashion (Unless ms has a 'supported' way of doing this?)

Using the Chrome plugin lets the Org upgrade the browser to something maintained & more secure on their deployment, while allowing the archaic app to work as expected.

Does anyone care?

[amiga3D]

I'm thinking that IE users' primary concern is not security or they'd be using something else to begin with.

Re:Not surprising.

[amiga3D]

Wanting all the market for themselves? That's greed. Pure and simple.

Re:Does anyone care?

[AmberBlackCat]

I'm thinking that IE users' primary concern is not security or they'd be using something else to begin with.

True, their primary concern is the browser working when they go to the website.

Re:Google dodged the point

[sopssa]

Welcome to 98. Not everyone runs Windows as admin, especially if its a shared computer (like in family). For that matter, its just aswell possible to run Linux as root to do your everyday things. This has been said countless of times already, but it's not the OS's fault; it's the users fault and how they're using their system. Linux is just as vulnerable to a stupid user than Windows is.

Re:fixing that analogy

[drinkypoo]

But comparing their plug-in with an 8 year old browser is disengenuous.

It would only be disingenuous if their plug-in didn't plug into that 8-year-old browser, which is still one of the dominant browsers today.

Re:Does anyone care?

[Anonymous Coward]

You realise HTML 5 isn't a standard right? It's a wish list, and the last time people started implementing standards early we got layers rather than divs and had to live with that pain for years. MS had the same problem with XML/XSL/XSLT where they implemented a draft standard which then changed, and then they were slagged for implementing early. But then all web designers care about is getting fancy video it seems rather than learning from the mistakes already made.

Re:So, which side

[Marcika]

I'm from a small org, fully embracing the leading edge.

But I can See the following scenario:

1) Org has large internal App written for IE6 only. Can't upgrade so users are forced to have IE6 on their workstations 2) Org's IT admins are well aware of the security problems IE6 forces them to work around. 3) Roll out the Chrome plugin, and set things up so everything *but* the internal site uses Chrome.

Installing IE upgrades makes it difficult to leave an ie6 & ie_latest deployment side-by-side in a 'supported' fashion (Unless ms has a 'supported' way of doing this?)

Using the Chrome plugin lets the Org upgrade the browser to something maintained & more secure on their deployment, while allowing the archaic app to work as expected.

That's what Firefox with the IE Tab add-in is for. If you have control of your IT infrastructure, why settle for the intrusive kludge of Chrome Frame?

Re:Google dodged the point

[SanityInAnarchy]

The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point.

It didn't stop Microsoft from writing Silverlight -- or ActiveX, for that matter. Seems they're only concerned about "expanding the exposed surface of attack" when it's something they don't like.

There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites)

It's opt-in, by the site. The default IE6 engine will still be used for those intranet sites, unless the intranet sites explicitly ask for Chrome Frame -- and if that ever happens, there's a strong possibility that these intranet sites are ready for other browsers.

Downloading Chrome itself is fine, but this is nothing more than a veiled attempt at tricking users into using Chrome instead of legitimately gaining marketshare.

And bundling IE with the OS wasn't? How about exposing IE's HTML engine as a standard ActiveX component?

I'm not suggesting that either of these things could be reversed now, but understand that at the time this decision was made, Netscape was still being sold in stores, and I believe it did have a majority marketshare.

But you know what? At this point, I don't care if Google has to hire assassins to kill off Microsoft's IE team, as long as the end result is the same: We can finally start developing to web standards, and stop having to spend half our time figuring out how to work around IE's bugs. Hell, it means we can actually use exciting new features like HTML5, and stop using Flash unnecessarily, just because IE doesn't support <video>.

(Ok, yes, it would be very sad if people had to die over this, but you get the point.)

Re:So, which side

[Eirenarch]

Today it is IE and how long before they decide to push Chrome Frame to Firefox, Opera and Safari users?

Re:Does anyone care?

[mister_playboy]

Right now we are stuck with Flash... so HTML5, standard or not, would be much preferable.

Sigh... shortsighted are we?

[SmallFurryCreature]

Google is at war and its goal is the liberate the browsers and allow them to be everything they can be.

Evil Microsoft has poor IE as a hostage and is doing terrible things with it. It could be so much but forced into ghetto conditions it is backwards and idiotic.

Direct war with the evil Microsoft is hard but Google is dropping supplies behind enemy lines to help as much as possible. Luxuries other browsers can take for granted are dropped in the form of javascript libraries so that IE can still at least somewhat come along no matter how slow.

Now with this new weapon of peace the evil Microsoft can be twarthed like never before, every IE that dares can now be free and standup like a real browser with all the features those in the free world have come to taken for granted.

There is not going to be one single succesful strategy to liberate the browser, but liberated it will be. Google needs freedom more then any true american company needs air to breath. The communist Microsoft (All for one OS and one OS for all) shall be vanquished. It will not happen overnight, but it will happen.

For the humor impaired: Google needs fast capable browsers because that is where it does its business. If MS can't produce a capable browser then it got 3 options: advertise other browser (firefox), produce its own to push the cutting edge (Chrome forced firefox to become quicker) and to augment the least capable browsers to support current standards. It will have to push hard from different directions to achieve this but success has already been made. MS has had to work very hard with IE and you can see from their response about this plugin in that they are very scared indeed about the browser becoming more capable.

This battle is NOT about getting people to install Chrome or Firefox, it is about having them surf the web with a capable browser so Google can push new features and not have to constintly cripple their application for an obsolete piece of software.

Re:So, which side

[Bert64]

I don't think they will...
Firefox. Opera and Safari are being actively developed and are all roughly in the same league with chrome when it comes to standards support and performance.. It is just IE that lags so far behind, and breaks support for things so badly that it puts a considerable burden on companies like google having to support it.

Aside from the fact that Safari even uses the same rendering engine as chrome.

Google don't really care what browser you use, they were pushing people to use firefox before chrome came out, they just don't want people using a browser as outdated and broken as ie because it makes their job so much harder and limits some of the things they'd want to do.

Re:Strategic mistake

[westlake]

The more Microsoft makes fuss about Chrome Frame the more people will find out about this options.

The only "fuss" I'm hearing about Chrome Frame is on Slashdot. The geek needs to remember that to almost everyone else Google remains simply a search engine.
 

Re:So, which side

[Eirenarch]

If I was not a web dev I may have believed your words. However some things in our project stopped working when Chrome was updated to v2 (they used to work in v1). I've seen perfectly valid HTML that renders differently in Firefox, Chrome and Opera (should I even mention IE?). While we all agree that IE6 is pain we should not put the blame on Microsoft. After all if we had to support versions of Netscape from the time of IE6 they would be pain too and I am sure MS want to see IE6 gone more than anyone else. IE8 is as different from the other browsers as they are among themselves. I have as much trouble fixing IE8 quirks as I have fixing Opera, Firefox and Chrome/Safari quirks. And if Google were all about standards then what is Gears? I personally see this Chrome Frame + Gears thing as the next ActiveX.

Re:Oh please no...

[TheRaven64]

Web sites should be designed using web standards, and not require specific browsers for use.

That's rather the point. IE6 is not standards-compliant, while the Chrome frame is. If you deploy a standards-compliant web site, it won't work in IE6, but it will work in IE6 with the Chrome Frame Plugin. It provides a way of 'supporting' IE6 without actually having to write a broken web site. Just set the meta tag so that when an IE 6 user comes along they use the plugin and let everyone else use their browser.

There was a similar thing done a few years ago (2002?), where someone made an ActiveX control containing the Gecko engine. It wasn't used much back then because downloading 3MB of plugin for a site was too much effort for most people. Google, however, has a lot more ability to push things like this to end users.

Re:If they want HTML5/Google Apps, they can instal

[TheRaven64]

You mean what if Microsoft released a plugin [silverlight.net] and required it to be installed for some of their sites to work properly? I don't know, I can't think what would happen in that case; probably people would just install the plugin and let it take over running the web app.