Google Barks Back At Microsoft Over Chrome Frame Security 150
CWmike writes "Google hit back at Microsoft on Friday, defending the security of its new Chrome Frame plug-in and claiming that the software actually makes Internet Explorer safer and more secure. 'Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users,' said a Google spokesman today. 'It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP], and defenses from emerging online threats that are available in days rather than months.' On Thursday, Microsoft warned users that they would double their security problems by using Chrome Frame, the plug-in that provides better JavaScript performance and adds support for HTML 5 to Microsoft's browser."
So, which side (Score:3, Interesting)
The company is also investigating bugs filed with the Chrome team by Microsoft developers, who reported that Chrome Frame broke IE8's privacy mode.
Why am I not surprised this feature wasn't tested at Google? ;)
But on an interesting note, this seems to be a direct attack against Microsoft by Google. Granted not that many users will probably install it (especially 'normal' users who just dont care), with this and Chrome OS it's clear that Google is going after MS.
Also, this is another avenue for Google to datamine everything about the internet. People dont usually think about it, but Google's analytics traffic code is all over the internet and probably 90% of the sites you visit is known to google. Another interesting thing is that Slashdot used to hide the tracking code under its own domain, so just blocking the analytics domain didn't work.
While I dont like some of the business practices by neither one, its hard to pick sides here. Atleast MS sells the products directly, while Google monetarizes them by ads. And by that very nature you lose lots of privacy.
Earlier there was also discussion that Chrome Frame is mostly provided for corporate users who are required to use IE and cant install other browsers. But how can they install this plugin then? It's normal exe and probably requires even more admin rights to get inside IE than just installing Chrome on your userbase. And other than that I dont see a point in wrapping another browser plugin to work inside browser. If people are knowledge about this plugin, they're knowledge about the actual Chrome browser too. And IE user experience and GUI sucks.
Re: (Score:3, Interesting)
Ummm. Not many users? Do you completely fail to comprehend how HARD Google could push this on IE6/7 users if they wanted to? And with their allies and partners I think they would have a very good chance of doing an 80-20 conversion on that user base. That's what's up for grabs, not the measly IE8 percentage points. IE6 and IE7 users accessing Youtube, google.com, gmail, google docs et al being gently pushed to install the plugin. Good thing too in my opinion. The sooner we can get that crap out the door and
Re: (Score:2)
Yep, they could push it really hard to users, but what would be the point of that? They're already pushing Chrome on YouTube and other sites and its a better deal for them. Just visit YouTube with IE and you see the advertisement on bottom to test out Chrome browser.
Re: (Score:2)
Compare that to how hard they push Chrome Frame, and other browsers (Chrome, Firefox, Opera, etc), on anyone wanting to test out Wave. How long until YouTube simply doesn't support IE6?
Re: (Score:2, Insightful)
Re:So, which side (Score:4, Insightful)
I don't think they will...
Firefox. Opera and Safari are being actively developed and are all roughly in the same league with chrome when it comes to standards support and performance.. It is just IE that lags so far behind, and breaks support for things so badly that it puts a considerable burden on companies like google having to support it.
Aside from the fact that Safari even uses the same rendering engine as chrome.
Google don't really care what browser you use, they were pushing people to use firefox before chrome came out, they just don't want people using a browser as outdated and broken as ie because it makes their job so much harder and limits some of the things they'd want to do.
Re: (Score:2)
Yes, but the problem is that IE is widespread enough, and its users ignorant enough, that they would assume google was to blame rather than the browser being antiquated.
Re: (Score:2, Insightful)
Re: (Score:2)
I've seen perfectly valid HTML that renders differently in Firefox, Chrome and Opera
As have I -- with minor differences that can be fixed in a few minutes, if they were an issue at all.
we all agree that IE6 is pain
I just don't think we agree on how painful it is. Again: The vast majority of what I do "just works", with minor tweaks, in all the browsers I mentioned. Remove IE from the equation, and I'd still have to do cross-browser testing, there'd still be bugs and things to work around, but I'd easily shave off around 20% of my dev time.
we should not put the blame on Microsoft.
Uhm. Why not?
After all if we had to support versions of Netscape from the time of IE6 they would be pain too
That's true. However, Netscape did eventually support the standards
Re: (Score:2)
Oh, I forgot to mention: Again, we're talking about standard stuff in HTML5.
So, I can develop something that works in Firefox, Opera, Chrome, and Safari, which uses the video tag. At this point, I can either add a ton of extra work by building a flash player, writing some script to replace the video tag with the flash player when I detect IE (or a simple lack of video tag support), and now do twice as much work any time I want to change anything about the player...
Or I can develop an app that relies on canv
Re: (Score:2)
... While we all agree that IE6 is pain we should not put the blame on Microsoft...
IE's been a major fail for so many reasons, it's difficult to understand why you would not blame the company responsible, in this case Microsoft. I develop for a living as well and if IE suddenly disappeared tomorrow (6, 7, 8, whatever, all of it) I would be beside myself with joy.
I don't think that at this point IE can be fixed. They used such poor, incomplete or incorrect parsing of standards for so long that they wasted whatever goodwill was generated in the first years. A site designed for any other b
Re: (Score:2)
First of all how is it Microsoft's fault that users do not upgrade their browsers?
1. They didn't update IE 6 for 5 years which, coupled with their market dominance, allowed lots of crafty websites to accumulate
2. There is no migration path for users of older, but still common, windows versions
3. There is no way to install IE 6 and IE 8 side by side, let alone specify automatic use of old rendering engine just for specific websites.
4. IE 7 and 8 introduced distributive UI changes with no way to bring back the industry standard menu bar and a normal looking toolbar.
Re: (Score:2)
How long until YouTube simply doesn't support IE6?
Soon. [techcrunch.com]
Enterprises use IE6 for intranet (Score:2)
I wish it weren't so, really. It's an abomination and we knew it when the thing was released, but there it is. Friends don't let friends use IE6. It's common and more reasonably secure browsers aren't supported on sites that require IE6. Enterprises need IE6 for intranet sites and they can't afford to or aren't able to rewrite sites to adhere to standards [w3.org].
They could choose to fix this problem by requiring their development teams to adhere to standards, but that's not the direction they're going -- inste
Re:So, which side (Score:4, Informative)
Re: (Score:3, Funny)
And then we could finally stop supporting IE in our web design and move on with the standards.
Hell yes.
Re: (Score:2)
It's installed the same way as viruses
I honestly don't remember any virus being installed this way:
choose typical or default installation, and keep clicking yes till they get to the end.
I mean, I've seen Google Toolbar, OpenOffice, and other bits of software installed this way, but never did I see a checkbox in some installer for "Install virus?"
So surely Google could bundle the installer for this thing with the toolbar and everybody will have it. They just won't know what it is, why they have it, or how to get rid of it.
I can see why they might want to get rid of the toolbar. I have no idea why they'd want to get rid of this. It wouldn't hurt them in any way, it'd arguably make them more secure, and it'd make my life much easier as a web developer.
Re: (Score:3, Informative)
Re: (Score:2)
Anybody who has had to remove coolwebsearch...
And how does that get installed? Is there actually a checkbox somewhere for "install Cool Web Search"?
I honestly don't get how this is supposed to make anyone more secure.
You can argue that it doesn't, but to "not get it" is a bit stupid.
First you have IE, and any and all vulnerabilities for it, and then you add Chrome on top,
In other words, it makes things "less secure" in exactly the same way that Flash, Silverlight, Java, Windows Media Player, and any other plugin does.
Basically, Microsoft's whole argument is a very good argument not to install Silverlight. I don't think that's an argument they want to make.
unless there is some hidden voodoo going on
It's not exactly hidden that Chrome supports sandboxi
Re: (Score:3, Informative)
Re: (Score:2)
We all now IE6 equals total swiss cheese that can turn a box into a virus laden whore faster than you can say coolwebsearch, so how exactly is having Chrome Frame for the very limited number of websites that will call it actually helpful?
That's actually a valid point, and one I thought about pretty much right after I hit submit...
The conclusion I came to was, again, it's not likely that this would be a target for malware authors when IE6 is already such an easier target it's not even funny. As to how it improves things, any content within a site that uses this should be somewhat safer.
Take a contrived example: Suppose I make a photo gallery app. I allow my users to upload photos, among other things. Or maybe it's a forum avatar, whatever. S
Re: (Score:2)
You're missing the sanboxing chrome frame does in IE on windows XP which count for 72% of all systems worldwide. IE's sanboxing capabilities need integrity levels present only in Vista and forward. That's Google's point and it is a fair one.
The Chrome Frame's sandboxing only extends to Chrome Frame itself, it doesn't magically turn the rest of IE safe. In terms of attack vectors, the frame can be launched in two ways. First, a site can request it directly by having a tag ask for it. Second, it can be requested manually through an "open with Chrome Frame" shortcut of some description or another. Now, if I'm a malicious developer, I can either find an exploit for IE, or I can find an exploit for Chrome. If I find the former, I just write my pag
Re: (Score:2)
As much as I would agree with you on the typical Google toolbar installation patterns, it is not Googles fault users have no patience to read anything that they are supposed to when dialog boxes are shown to them. I have personally witnessed how users install software, and they have no clue what they are doing, so saying that "most of them don't know how they got it" is saying nothing at all. We have not had good computer learning in schools, and this is the harvest. I am not saying reading EULAs is a good
Re: (Score:2)
It's installed the same way as viruses;
The last virus I got piggy-backed a firefox XPI. But that was Firefox 1.5
Viruses are sneaky. What you're thinking of is called crapware. If you want a fine example of bundled crapware, check out the CCleaner installer, or perhaps the MediaCoder one.
You can uninstall Google Toolbar fully from the control panel. I don't mind it, because it seems to remove that infobar-refreshpage-runaround to download files.
Re: (Score:3, Interesting)
Well, from the article, I'm getting the gist that they are only fueling the fire further. IT departments should be doing what they can to GET OFF IE6 instead of using software like this to breathe new life into it!
Upgrading to IE7 and IE8, as specified in the article, makes this add-on irrelevant. On a side note, I'm also concerned about the heavy-handedness Google has nowadays. I understand that their products constitute a LARGE portion of internet traffic, but it's kind of scary to think that their analyt
Re: (Score:2)
Alright, so look at this addon as a tool to encourage MS and it's customers to abandon IE6. One by one, installations of IE6 are "infected" with the Google addon, MS doesn't like it very much, so they make a HUGE push to get rid of IE6.
As for IE7 & 8 - MS can always "update" them to refuse the plugin. Such a move is certainly not unheard of - hence my sig.
No one in the world with half a mind really wants IE6 anyway. Google is just helping those with less than half a mind to move forward! Win - win!
Re:So, which side (Score:5, Insightful)
I'm from a small org, fully embracing the leading edge.
But I can See the following scenario:
1) Org has large internal App written for IE6 only. Can't upgrade so users are forced to have IE6 on their workstations
2) Org's IT admins are well aware of the security problems IE6 forces them to work around.
3) Roll out the Chrome plugin, and set things up so everything *but* the internal site uses Chrome.
Installing IE upgrades makes it difficult to leave an ie6 & ie_latest deployment side-by-side in a 'supported' fashion (Unless ms has a 'supported' way of doing this?)
Using the Chrome plugin lets the Org upgrade the browser to something maintained & more secure on their deployment, while allowing the archaic app to work as expected.
Re: (Score:3, Insightful)
I'm from a small org, fully embracing the leading edge.
But I can See the following scenario:
1) Org has large internal App written for IE6 only. Can't upgrade so users are forced to have IE6 on their workstations 2) Org's IT admins are well aware of the security problems IE6 forces them to work around. 3) Roll out the Chrome plugin, and set things up so everything *but* the internal site uses Chrome.
Installing IE upgrades makes it difficult to leave an ie6 & ie_latest deployment side-by-side in a 'supported' fashion (Unless ms has a 'supported' way of doing this?)
Using the Chrome plugin lets the Org upgrade the browser to something maintained & more secure on their deployment, while allowing the archaic app to work as expected.
That's what Firefox with the IE Tab add-in is for. If you have control of your IT infrastructure, why settle for the intrusive kludge of Chrome Frame?
Re: (Score:2)
That's what Firefox with the IE Tab add-in is for. If you have control of your IT infrastructure, why settle for the intrusive kludge of Chrome Frame?
Because it is very difficult to maintain a firefox deployment on a windows network.
Active directory and Group policy are tied in deep with IE. Firefox, not so much.
There are third parties that make the required MSI installers, at least for the browser.
Settings can not be pushed out through group policy, they have to be configured in advance and placed in the MSI installer.
This basically means you use the same method to push out the software, as you use to push configuration changes.
It does get the job done
Re: (Score:2)
One of the settings you must have to compete with IE in an enterprise environment is auto-login (network.automatic-ntlm-auth.trusted-uris and related keys). Basically what we did was use Group Policy to launch a custom app at login. The Mozilla profile for the current user is in a random folder and the js file you need to edit is in that folder -- but even though it's randomized, if you know the parent folder's name you can easil
Re: (Score:2)
Any organization smart enough to do that should be smart enough to replace IE6 with Firefox, and configure it to use IE Tab [mozilla.org] for the internal site.
Re: (Score:2)
But how can they install this plugin then? It's normal exe and probably requires even more admin rights to get inside IE than just installing Chrome on your userbase. And other than that I dont see a point in wrapping another browser plugin to work inside browser. If people are knowledge about this plugin, they're knowledge about the actual Chrome browser too.
When company policy or existing contracts force the sysadmins into IE, they might still have the option to install plugins.
And IE user experience and GUI sucks.
Irrelevant when you are verboten to use anything else.
Re: (Score:2)
"Irrelevant when you are verboten to use anything else."
I would argue with that. User satisfaction is never irrelevant. I'm doing a job - ANY JOB - and I have dozens of employees. 25% to 50% of my employees tell me that they know a better, faster, easier, more efficient way to do the job, but I insist on doing the job MY WAY, because I'm the boss. I will lose good employees who are dissatisfied, over time. I will attract poorer employees over time - employees who aren't bright enough to see these obvio
Re: (Score:2)
No, I've been scared off of large organizations ever since I served in the Navy. Are you agreeing that a stifling work environment attracts workers who are mediocrities, or worse? We all know people who show up just to get a paycheck. The guy who comes to work all fresh faced and raring to go doesn't get sucked into an environment where ideas are automagically quashed before he can properly verbalize them.
Re: (Score:2)
In a large corporation, an attitude you describe will result in mediocre and/or lazy workers...
I know several perfectly capable people who work in such environments simply because its easy, they blend into the background and collect their pay without doing very much work at all. Most of their colleagues are as you describe, mediocre or worse and are easily manipulated.
They generally sit around doing their own thing all day, and their colleagues aren't smart enough to challenge them.
More Errors (Score:5, Interesting)
I tested this plug-in:
I don't know about making it less secure, but it sure causes a bunch of "recovered" tabs and multiple errors.
Not Ready for Prime Time!
Re: (Score:2)
Not Ready for Prime Time!
Well, duh. It's a Google product: It will be out of beta in a few years...
Sigh... shortsighted are we? (Score:5, Insightful)
Google is at war and its goal is the liberate the browsers and allow them to be everything they can be.
Evil Microsoft has poor IE as a hostage and is doing terrible things with it. It could be so much but forced into ghetto conditions it is backwards and idiotic.
Direct war with the evil Microsoft is hard but Google is dropping supplies behind enemy lines to help as much as possible. Luxuries other browsers can take for granted are dropped in the form of javascript libraries so that IE can still at least somewhat come along no matter how slow.
Now with this new weapon of peace the evil Microsoft can be twarthed like never before, every IE that dares can now be free and standup like a real browser with all the features those in the free world have come to taken for granted.
There is not going to be one single succesful strategy to liberate the browser, but liberated it will be. Google needs freedom more then any true american company needs air to breath. The communist Microsoft (All for one OS and one OS for all) shall be vanquished. It will not happen overnight, but it will happen.
For the humor impaired: Google needs fast capable browsers because that is where it does its business. If MS can't produce a capable browser then it got 3 options: advertise other browser (firefox), produce its own to push the cutting edge (Chrome forced firefox to become quicker) and to augment the least capable browsers to support current standards. It will have to push hard from different directions to achieve this but success has already been made. MS has had to work very hard with IE and you can see from their response about this plugin in that they are very scared indeed about the browser becoming more capable.
This battle is NOT about getting people to install Chrome or Firefox, it is about having them surf the web with a capable browser so Google can push new features and not have to constintly cripple their application for an obsolete piece of software.
Re: (Score:2)
I'm back here reporting behind 'enemy lines' and I see the 'repressed' citizenry are enjoying IE8, Safari, Opera, Firefox, and Chrome.. elsewhere IE6 is being enjoyed by people who don't care to know what a browser is. Are there any fronts to this war or is it all made up? *enjoys the local food and moves on*
Re: (Score:2)
Google is at war and its goal is the liberate the browsers and allow them to be everything they can be.
Evil Microsoft has poor IE as a hostage and is doing terrible things with it. It could be so much but forced into ghetto conditions it is backwards and idiotic.
Direct war with the evil Microsoft is hard but Google is dropping supplies behind enemy lines to help as much as possible. Luxuries other browsers can take for granted are dropped in the form of javascript libraries so that IE can still at least somewhat come along no matter how slow.
Now with this new weapon of peace the evil Microsoft can be twarthed like never before, every IE that dares can now be free and standup like a real browser with all the features those in the free world have come to taken for granted.
There is not going to be one single succesful strategy to liberate the browser, but liberated it will be. Google needs freedom more then any true american company needs air to breath. The communist Microsoft (All for one OS and one OS for all) shall be vanquished. It will not happen overnight, but it will happen.
You, my friend, are truly talented, and could have a career in marketing.
Seriously, I bow before your creativity.
Re: (Score:2)
Earlier there was also discussion that Chrome Frame is mostly provided for corporate users who are required to use IE and cant install other browsers. But how can they install this plugin then? It's normal exe and probably requires even more admin rights to get inside IE than just installing Chrome on your userbase.
I imagine that Google consider this the holy grail. If they can sell a google product to major corporations, have it run smooth and fast like it does in Chrome, and still allow that company to have their managed IE installs... it's an easy sell.
Essentially what they have done is told corporate IT folks that they only need to get management to approve a "plug-in" rather than a replacement web browser. I work for the government and I suspect with a decent business case I could get this to pass, but I know t
Google dodged the point (Score:1, Insightful)
Irrelevant. The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point. There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites), anyplace where IE7 is being u
Re: (Score:2)
Irrelevant. The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point.
Google avoids addressing this point because is a stupid one. An aircraft carrier is more secure than a leaky rowboat in spite of having a greater "surface of attack". It turns out that thick sheets of steel are more resistant to penetration than pieces of wood the same thickness or less. Who knew? IE is kleenex, you could cough a hole in that.
fixing that analogy (Score:2)
To run with your Aircraft Carrier vs Leaky row boat analogy...
This is more akin to putting a nuclear powered steam turbine engine from an air craft carrier into your leaky row boat.
Sure, it'll make your leaky row boat fast as hell and able to pull huge objects, but your leaky row boat is still leaky, over weight, and now requires a constrant stream of fuel.
The GP's point is in part accurate. CF does indeed increase the exposed surface of IE. If you are willing to live with that risk, do it, if not, don't.
I
Re: (Score:3, Insightful)
But comparing their plug-in with an 8 year old browser is disengenuous.
It would only be disingenuous if their plug-in didn't plug into that 8-year-old browser, which is still one of the dominant browsers today.
Re: (Score:2)
"but your leaky row boat is still leaky, over weight, and now requires a constrant stream of fuel."
"Aye, Captain, I'll pull into the next Exxon station for more nuclear rods!"
Alright, asshat comment completed, I agree with "force users to upgrade to IE8, or to switch to FF or Chrome." I'm quite tired of hearing about some lame ass in-house trash that only works in IE6. NO ONE WANTS IT, so dump it!
Re: (Score:2)
Illegal analogy detected. Please fix your posting. (Score:1, Offtopic)
Re: (Score:1, Funny)
Fear not!
Google has released a plug-in that automatically converts non-compliant analogies on Slashdot into either car or house-front-door-unlocked analogies
I believe it can optionally do automated library of congress conversions as well as append random critique regarding the nature of Slashdot's CSS.
Standards Exist for a Reason (Score:2)
Re:Google dodged the point (Score:5, Informative)
There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites)
BS! Chrome Frame is entirely opt-in i.e. the website has to include a meta-tag indicating that the site should be displayed in Chrome Frame instead of IE Trident. This is the point of Chrome Frame: allow all these corporations (mostly) to keep their IE6 and maybe IE7 while still having the possibilty to access all these new & shiny ajaxy webapps (like Wave).
Oh please no... (Score:2)
... the website has to include a meta-tag indicating that the site should be displayed in Chrome Frame instead of IE ...
The very last thing I want as a system administrator are hundreds of thousands of sites (if not millions, or more) requiring the user to have Google Chrome, or the Chrome Frame plugin, before the site can be used. Web sites should be designed using web standards, and not require specific browsers for use. Talk about pot calling kettle black! Plugins should be handlers for the primary browsers functions, not over reaching take over my browser leaches.
Re:Oh please no... (Score:4, Insightful)
Web sites should be designed using web standards, and not require specific browsers for use.
That's rather the point. IE6 is not standards-compliant, while the Chrome frame is. If you deploy a standards-compliant web site, it won't work in IE6, but it will work in IE6 with the Chrome Frame Plugin. It provides a way of 'supporting' IE6 without actually having to write a broken web site. Just set the meta tag so that when an IE 6 user comes along they use the plugin and let everyone else use their browser.
There was a similar thing done a few years ago (2002?), where someone made an ActiveX control containing the Gecko engine. It wasn't used much back then because downloading 3MB of plugin for a site was too much effort for most people. Google, however, has a lot more ability to push things like this to end users.
Re: (Score:1)
Re: (Score:2)
Yes, that's the point. A malicious site being visited by someone with IE6 + the Chrome frame can choose to exploit any security hole in IE6, the Chrome frame, or any other plugins that may be installed. This is worse than having just IE (because holes in Chrome can not be exploited while running IE) or just Chrome (because holes in IE can not be exploited while running Chrome).
Microsoft's argument is a good one, but the logical response to it is to run Chrome, rather than IE and the Chrome plugin. Oh, a
Re: (Score:2)
"...The point is that it's another exploitable object..."
You've just described the entire Windows operating environment, where everyone runs as Administrator. I don't think MS can make this argument with a straight face.
Re: (Score:3, Insightful)
Welcome to 98. Not everyone runs Windows as admin, especially if its a shared computer (like in family). For that matter, its just aswell possible to run Linux as root to do your everyday things. This has been said countless of times already, but it's not the OS's fault; it's the users fault and how they're using their system. Linux is just as vulnerable to a stupid user than Windows is.
Re: (Score:2)
Alright, I'll admit. Outside of the corporate world, at least 3 or 4 percent of users run as a restricted user.
Among the other 95% + we find gamers whose games won't run unless they are Admin, we find people who routinely install apps from the web and can't be bothered to "Run as" Administrator, we find OEM machines with a single default user who has Admin rights - I could go on.
No, you don't get away with pointing to Vista and Win7 - they have NOT been widely adopted by the public. Most of the computing
Re: (Score:2)
Our laptop users must run as admins so they can install whatever print drivers are required when they're on the road at different customer sites. Unless we're missing something really big, there is no "allow user to install printer drivers" security option in XP.
And as far as Linux being as vulnerable to a stupid user, wow you need some more
Re:Google dodged the point (Score:4, Informative)
Do you have any idea why they released Chrome Frame in the first place? Its because Google got tired of Microsoft not meeting web standards. Google will be releasing Wave soon and the majority of the population would not be able to use it because IE does not support HTML5. Chrome Frame is just as secure as IE if not more, not to mention, if a bug or exploit is found with Chrome or Chrome Frame, it takes Google hours to days to push out a fix.
"There's just no reason to get this installed in corporate networks where IE6 is being used"
Do you have any clue what Chrome Frame even does? It does not force EVERY website to use itself. Only websites that request it or websites that you told to use it. And believe it or not, there are a lot of newer applications in the business environment that do not work with IE6 or even IE7/8.
"anyplace where IE8 is being used (surface of attack expanded in exchange for little benefit)"
I guess you are unaware of exactly how much IE8 does not include compared to Firefox/Safari/Chrome, and your obviously not a web developer. Most of the time websites have to have code dedicated for IE otherwise the website will not work right. Google is sick of Microsoft not following standards and them as well as everyone else having to waste their time to make patches so it will work in IE.
Re: (Score:2)
The best way to reduce surface of attack is to abandon IE entirely and switch to chrome, as it was the only browser nobody managed to crack during the Pwn2Own contest earlier this year.
If security trumped all else, everybody would be using chrome. That they aren't shows that functionality does matter. So, yes, sometimes you have to install a plugin to get things done.
Re: (Score:2)
Yes, Chrome Frame increases your attack surface, because by default, it lets each site choose whether to use IE's engine or Chrome's engine. But I see Chrome Frame as a temporary measure to allow intranet sites to be updated one at a time. From that perspective, it's safer in the long run than remaining stuck with IE6.
Furthermore, if you configure Chrome Frame to force one engine or the other for all non-intranet sites, it's about as secure as whichever engine you pick. More to the point, it's then safer
Re: (Score:3, Insightful)
The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point.
It didn't stop Microsoft from writing Silverlight -- or ActiveX, for that matter. Seems they're only concerned about "expanding the exposed surface of attack" when it's something they don't like.
There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites)
It's opt-in, by the site. The default IE6 engine will still be used for those intranet sites, unless the intranet sites explicitly ask for Chrome Frame -- and if that ever happens, there's a strong possibility that these intranet sites are ready for other browsers.
Downloading Chrome itself is fine, but this is nothing more than a veiled attempt at tricking users into using Chrome instead of legitimately gaining marketshare.
And bundling IE with the OS wasn't? How about exposi
Re: (Score:2)
What chrome frame has also demonstrated beyond a doubt is that microsoft could have shipped a solution that preserved IE6 compatibility and upgraded web standards at the same time. They didn't because they didn't want to.
Microsoft is going to keep delaying the web's advance as long as possible. They only way to get things done is to side-step them.
Re: (Score:3, Interesting)
What chrome frame has also demonstrated beyond a doubt is that microsoft could have shipped a solution that preserved IE6 compatibility and upgraded web standards at the same time. They didn't because they didn't want to.
I'm not entirely sure about that. Microsoft did try roughly this strategy -- there was a plan to make IE7 (I think?) default to IE6 rendering, unless you sent some header to tell IE to render in "standards-compliant mode".
This is effectively the same thing -- it turns IE6 into a browser that's still IE6 until you do whatever you have to do to enable Chrome Frame, which is roughly like "standards-compliant mode".
The difference is, this isn't meant to be any kind of solution. IETab in Firefox is a solution. A
Re: (Score:2)
Silverlight is another exploitable object too...
People concerned about security should probably be using the full blown chrome, which is generally regarded as having a better security model than other browsers.
Re: (Score:1, Interesting)
To enable the plugin you need to alter the html: add some kind of header.
I would like to see an intranet site especially made to work with IE that enables the plugin by inserting html...I do not think there are any.
Re:Google dodged the point (Score:4, Informative)
Coming to a community college near you: Reading Comprehension 101
The plugin sits idle UNTIL CALLED by a call ON THE SERVER. If the call isn't made by the intranet server, the plugin doesn't do anything, meaning IEx does what it would have done anyway.
Re: (Score:2)
So essentially Google's argument is that you should download and install it because it doesn't do anything for 99.9% of internet sites.
Re: (Score:2)
That remains to be seen. Web designer people may look at this as salvation from tweaking and retweaking for IE6. Some of them may or may not put a disclaimer on their site, "If you have problems viewing this site with IE6, you should upgrade to a more modern browser, or install Google's addon" complete with links to the addon, as well as the more popular browsers.
If such an approach were taken, who knows? Let's take another look in 3 months, then again in 6 months. Stuff happens, you know?
Re: (Score:2)
I guess it depends whether the organization thinks the time, cost, and inconvenience involved with supporting IE6 is more significant than the possibility of losing users.
Even if they came to that conclusion, their agenda would be better served by having users update IE or switch to another browser rather than using an untested hybrid solution that Google might get bored with and stop supporting later on (it wouldn't be the first time).
Not surprising. (Score:1)
Re: (Score:1)
Re: (Score:2, Insightful)
Re: (Score:1)
Re: (Score:1)
Does anyone care? (Score:5, Insightful)
Re: (Score:3, Insightful)
I'm thinking that IE users' primary concern is not security or they'd be using something else to begin with.
True, their primary concern is the browser working when they go to the website.
Re:Does anyone care? (Score:4, Informative)
It doesn't activate on EVERY website. RTFA. It requires a meta tag. Google released this so that IE users can use Google Wave because IE doesn't support HTML5. It can also be used on other websites. I think it's a great move by Google, to smack Microsoft in the face to actually step up to standards.
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
Right now we are stuck with Flash... so HTML5, standard or not, would be much preferable.
Re: (Score:3, Informative)
Re: (Score:2)
http://www.w3.org/QA/2009/05/_watching_the_google_io.html [w3.org]
Re: (Score:2)
Emergency Security Update (Score:3, Funny)
The new motto in Microsoft is "Windows 7 is not done, until Chrome Frame wont run".
Re: (Score:2)
Chrome Frame sucks for me (Score:4, Interesting)
I'm a Firefox / Chrome fan and I just installed the Google Chrome Frame to see how it behaves. I installed Windows XP SP2 less than 24 hours ago and since then I've only installed my drivers, Firefox and the Google Chrome Frame; I went to a couple of innocent websites with IE6 and they both crashed the browser.
PS: Web developer here - Yes, IE6 sucks but it is not THAT unstable.
Re:Chrome Frame sucks for me (Score:4, Interesting)
I'm a Firefox / Chrome fan and I just installed the Google Chrome Frame to see how it behaves. I installed Windows XP SP2 less than 24 hours ago and since then I've only installed my drivers, Firefox and the Google Chrome Frame; I went to a couple of innocent websites with IE6 and they both crashed the browser.
PS: Web developer here - Yes, IE6 sucks but it is not THAT unstable.
Which web sites? I'd love to test your observation as I have multiple VMs with various IE versions installed on various WinXP flavours.
Please tell us.
Re:Chrome Frame sucks for me (Score:5, Informative)
Re:Chrome Frame sucks for me (Score:5, Informative)
I guess IE6 is THAT unstable. Thanks :)
Re: (Score:2)
Sorry, it's got to be 'active' to be intercepting headers and page data to look for whether the page has asked to be rendered with chrome. It's entirely possible that it crashes the browser on absolutely any site and even opens brand new security holes.
Strategic mistake (Score:4, Interesting)
Microsoft has nothing to gain in this war of wards. They should have known it before they started it: now Google has more than just an excuse to publicize/raise the awareness of IEs security holes, educating the public on phishing, in the process. This will will definitely raise the interest of at least some IE users who would have not otherwise bothered themselves with Google's add-on.
I can see how MS got suckered into this, though: they just can't stand someone walking into their turf. Their predator instinct is just too strong, and makes them do stupid things.
Well played, Google.
Re:Strategic mistake (Score:4, Interesting)
The more Microsoft makes fuss about Chrome Frame the more people will find out about this options. A negative campaign when it comes from a negative company is positive.
Re:Strategic mistake (Score:4, Insightful)
The more Microsoft makes fuss about Chrome Frame the more people will find out about this options.
The only "fuss" I'm hearing about Chrome Frame is on Slashdot. The geek needs to remember that to almost everyone else Google remains simply a search engine.
Re:Strategic mistake (Score:4, Funny)
Publicity has nothing to do with logic, smartypants.
Re: (Score:2)
It's a validation by contrapositive actually.
Not good software said by not good software company = Good.
stop pussy-footing around (Score:2)
Goggle should stop pussy-footing around and add a warning box to thier mainpage that tells a user how many publicly announced unpatched exploits there are for the users browser & os. or "Microsoft press statement" => did you mean lies?
If they want HTML5/Google Apps, they can install (Score:2)
I share everyones passionate hate against IE especially since I have to run a Virtual emulator to run that IE (for testing sites) but entering a browser that way, relying on a meta flag which can be implemented by anyone and trusting users to differentiate between a browser engine and UI sounds too much to me.
I believe users need exact same rights to install a browser rather than a ActiveX control so they better advertise their browser instead of plugging into others. They should also check the market for w
Re:If they want HTML5/Google Apps, they can instal (Score:3, Insightful)
Re: (Score:2)
Users don't know what a browser engine is. They don't even know what a browser is. They know that if they click on the big blue e, they can google the internet, and that's pretty much all they know.
The reason they're not switching to chrome is because even if they do manage to click and install it, they won't even realize that they have to click the chrome icon instead of the ie icon to browse the web. And even if they get as far as realizing that, they won't like chrome because it looks too different.