Google Barks Back At Microsoft Over Chrome Frame Security

CWmike writes "Google hit back at Microsoft on Friday, defending the security of its new Chrome Frame plug-in and claiming that the software actually makes Internet Explorer safer and more secure. 'Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users,' said a Google spokesman today. 'It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP], and defenses from emerging online threats that are available in days rather than months.' On Thursday, Microsoft warned users that they would double their security problems by using Chrome Frame, the plug-in that provides better JavaScript performance and adds support for HTML 5 to Microsoft's browser."

So, which side

[sopssa]

The company is also investigating bugs filed with the Chrome team by Microsoft developers, who reported that Chrome Frame broke IE8's privacy mode.

Why am I not surprised this feature wasn't tested at Google? ;)

But on an interesting note, this seems to be a direct attack against Microsoft by Google. Granted not that many users will probably install it (especially 'normal' users who just dont care), with this and Chrome OS it's clear that Google is going after MS.

Also, this is another avenue for Google to datamine everything about the internet. People dont usually think about it, but Google's analytics traffic code is all over the internet and probably 90% of the sites you visit is known to google. Another interesting thing is that Slashdot used to hide the tracking code under its own domain, so just blocking the analytics domain didn't work.

While I dont like some of the business practices by neither one, its hard to pick sides here. Atleast MS sells the products directly, while Google monetarizes them by ads. And by that very nature you lose lots of privacy.

Earlier there was also discussion that Chrome Frame is mostly provided for corporate users who are required to use IE and cant install other browsers. But how can they install this plugin then? It's normal exe and probably requires even more admin rights to get inside IE than just installing Chrome on your userbase. And other than that I dont see a point in wrapping another browser plugin to work inside browser. If people are knowledge about this plugin, they're knowledge about the actual Chrome browser too. And IE user experience and GUI sucks.

Re:So, which side

[dread]

Ummm. Not many users? Do you completely fail to comprehend how HARD Google could push this on IE6/7 users if they wanted to? And with their allies and partners I think they would have a very good chance of doing an 80-20 conversion on that user base. That's what's up for grabs, not the measly IE8 percentage points. IE6 and IE7 users accessing Youtube, google.com, gmail, google docs et al being gently pushed to install the plugin. Good thing too in my opinion. The sooner we can get that crap out the door and onto the crap heap of history the better for everyone.

Re:So, which side

[sopssa]

Yep, they could push it really hard to users, but what would be the point of that? They're already pushing Chrome on YouTube and other sites and its a better deal for them. Just visit YouTube with IE and you see the advertisement on bottom to test out Chrome browser.

Re:So, which side

[MrCrassic]

Well, from the article, I'm getting the gist that they are only fueling the fire further. IT departments should be doing what they can to GET OFF IE6 instead of using software like this to breathe new life into it!

Upgrading to IE7 and IE8, as specified in the article, makes this add-on irrelevant. On a side note, I'm also concerned about the heavy-handedness Google has nowadays. I understand that their products constitute a LARGE portion of internet traffic, but it's kind of scary to think that their analytics code IS all over the web....

Re:So, which side

[mystik]

I'm from a small org, fully embracing the leading edge.

But I can See the following scenario:

1) Org has large internal App written for IE6 only. Can't upgrade so users are forced to have IE6 on their workstations
2) Org's IT admins are well aware of the security problems IE6 forces them to work around.
3) Roll out the Chrome plugin, and set things up so everything *but* the internal site uses Chrome.

Installing IE upgrades makes it difficult to leave an ie6 & ie_latest deployment side-by-side in a 'supported' fashion (Unless ms has a 'supported' way of doing this?)

Using the Chrome plugin lets the Org upgrade the browser to something maintained & more secure on their deployment, while allowing the archaic app to work as expected.

Re:So, which side

[Jurily]

But how can they install this plugin then? It's normal exe and probably requires even more admin rights to get inside IE than just installing Chrome on your userbase. And other than that I dont see a point in wrapping another browser plugin to work inside browser. If people are knowledge about this plugin, they're knowledge about the actual Chrome browser too.

When company policy or existing contracts force the sysadmins into IE, they might still have the option to install plugins.

And IE user experience and GUI sucks.

Irrelevant when you are verboten to use anything else.

Re:So, which side

[AmberBlackCat]

Everybody I know ends up with the Google toolbar, and most of them don't know how they got it. It's installed the same way as viruses; they just get some software installed, choose typical or default installation, and keep clicking yes till they get to the end. So surely Google could bundle the installer for this thing with the toolbar and everybody will have it. They just won't know what it is, why they have it, or how to get rid of it.

Re:So, which side

[Arancaytar]

And then we could finally stop supporting IE in our web design and move on with the standards.

Hell yes.

Re:So, which side

[Marcika]

I'm from a small org, fully embracing the leading edge.

But I can See the following scenario:

1) Org has large internal App written for IE6 only. Can't upgrade so users are forced to have IE6 on their workstations 2) Org's IT admins are well aware of the security problems IE6 forces them to work around. 3) Roll out the Chrome plugin, and set things up so everything *but* the internal site uses Chrome.

Installing IE upgrades makes it difficult to leave an ie6 & ie_latest deployment side-by-side in a 'supported' fashion (Unless ms has a 'supported' way of doing this?)

Using the Chrome plugin lets the Org upgrade the browser to something maintained & more secure on their deployment, while allowing the archaic app to work as expected.

That's what Firefox with the IE Tab add-in is for. If you have control of your IT infrastructure, why settle for the intrusive kludge of Chrome Frame?

Re:So, which side

[dissy]

That's what Firefox with the IE Tab add-in is for. If you have control of your IT infrastructure, why settle for the intrusive kludge of Chrome Frame?

Because it is very difficult to maintain a firefox deployment on a windows network.

Active directory and Group policy are tied in deep with IE. Firefox, not so much.

There are third parties that make the required MSI installers, at least for the browser.
Settings can not be pushed out through group policy, they have to be configured in advance and placed in the MSI installer.

This basically means you use the same method to push out the software, as you use to push configuration changes.

It does get the job done. It just isn't pretty. It also conflicts with anyone who has installed firefox manually, occasionally just blowing away profiles (only happened 3 times out of 150 workstations, so not too bad really, given firefox has done this by itself to me more than once in the past in a regular install)

Personally, I feel the pain of deployment is well worth the benefits of having firefox for internet browsing and IE only for intranet/webapps.

I'd love to believe Microsoft about the IE8 sandboxing security, but they are not exactly trustworthy at all in that area.
Plus we have the added problem of skipping vista for win7, so are currently still using XP with server 2003 backends.

Props to the maintainers of the MSI versions of firefox for corporate deployment however. Still far to go, but definately lots of progress has already been made.

The point is however, a lot of MS only shops will want to stick with the well integrated MS only tools. These tools exclude most all 3rd party software, so IE it is. And this seems to be a very good way to improve IE's security without resorting to maintaining a painful firefox deployment.

Re:So, which side

[Runaway1956]

Alright, so look at this addon as a tool to encourage MS and it's customers to abandon IE6. One by one, installations of IE6 are "infected" with the Google addon, MS doesn't like it very much, so they make a HUGE push to get rid of IE6.

As for IE7 & 8 - MS can always "update" them to refuse the plugin. Such a move is certainly not unheard of - hence my sig.

No one in the world with half a mind really wants IE6 anyway. Google is just helping those with less than half a mind to move forward! Win - win!

Re:So, which side

[SanityInAnarchy]

Compare that to how hard they push Chrome Frame, and other browsers (Chrome, Firefox, Opera, etc), on anyone wanting to test out Wave. How long until YouTube simply doesn't support IE6?

Re:So, which side

[SanityInAnarchy]

It's installed the same way as viruses

I honestly don't remember any virus being installed this way:

choose typical or default installation, and keep clicking yes till they get to the end.

I mean, I've seen Google Toolbar, OpenOffice, and other bits of software installed this way, but never did I see a checkbox in some installer for "Install virus?"

So surely Google could bundle the installer for this thing with the toolbar and everybody will have it. They just won't know what it is, why they have it, or how to get rid of it.

I can see why they might want to get rid of the toolbar. I have no idea why they'd want to get rid of this. It wouldn't hurt them in any way, it'd arguably make them more secure, and it'd make my life much easier as a web developer.

Re:So, which side

[Runaway1956]

"Irrelevant when you are verboten to use anything else."

I would argue with that. User satisfaction is never irrelevant. I'm doing a job - ANY JOB - and I have dozens of employees. 25% to 50% of my employees tell me that they know a better, faster, easier, more efficient way to do the job, but I insist on doing the job MY WAY, because I'm the boss. I will lose good employees who are dissatisfied, over time. I will attract poorer employees over time - employees who aren't bright enough to see these obviously better ways of doing the job.

Insisting on using outdated methods and/or technology because "I'm the boss!" is a cancer that will eat at the organization.

Verboten? How much do you enjoy working for an organization where improvements are verboten?

Re:So, which side

[SanityInAnarchy]

Any organization smart enough to do that should be smart enough to replace IE6 with Firefox, and configure it to use IE Tab for the internal site.

Re:So, which side

[dontclapthrowmoney]

Active directory and Group policy are tied in deep with IE. Firefox, not so much.

There are third parties that make the required MSI installers, at least for the browser. Settings can not be pushed out through group policy, they have to be configured in advance and placed in the MSI installer.

This basically means you use the same method to push out the software, as you use to push configuration changes.

Has anyone made a custom Group Policy template file (.adm) for Firefox? I've never needed one and I haven't googled for it now - I'd be very surprised if no-one had done this, at the very least for proxy settings etc.

I realise that tools like rsop.msc would show the firefox settings only as custom registry settings - no biggie though, and you would always push the ADM out to workstations if this became a problem (easier than updating the install itself, and I can't really think of a major reason to bother with this - still an option though if necessary for some reason).

Sometimes though it is easier to use a logon script to set up anything that is a preference, if you only have a few settings - for example, block internet except through the proxy, and if the user messes with it/breaks something then they log out/in which we all tell users to try before they call anyway.

Re:So, which side

[amn108]

As much as I would agree with you on the typical Google toolbar installation patterns, it is not Googles fault users have no patience to read anything that they are supposed to when dialog boxes are shown to them. I have personally witnessed how users install software, and they have no clue what they are doing, so saying that "most of them don't know how they got it" is saying nothing at all. We have not had good computer learning in schools, and this is the harvest. I am not saying reading EULAs is a good thing, I am for moderate user interfaces, but then we either forbid third party product installations by law - so that users can click "Install, no questions asked" button without worrying about anything, or we teach them how important it is to actually read dialog boxes. Trouble is, we developers have abused dialog boxes for so long, it is no wonder users have no confidence nor patience to read them anymore. It is like asking them to read commercials, they would honestly ask you "And why would I do that?!"

Re:So, which side

[Eirenarch]

Today it is IE and how long before they decide to push Chrome Frame to Firefox, Opera and Safari users?

Re:So, which side

[lukas84]

Custom ADM templates don't work for Firefox because Firefox doesn't use the registry for most settings, instead the prefs.js in %APPDATA%\Mozilla\.

Enterprise Deployment isn't anything Firefox, Opera or Chrome are aiming for.

Re:So, which side

[lukas84]

You have never worked in a large enterprise, haven't you?

They're as bad as most governments. Sometimes even worse.

Re:So, which side

[Runaway1956]

No, I've been scared off of large organizations ever since I served in the Navy. Are you agreeing that a stifling work environment attracts workers who are mediocrities, or worse? We all know people who show up just to get a paycheck. The guy who comes to work all fresh faced and raring to go doesn't get sucked into an environment where ideas are automagically quashed before he can properly verbalize them.

Re:So, which side

[hairyfeet]

First of all, I think the word the guy is looking for is spyware/malware. Anybody who has had to remove coolwebsearch knows that nobody goes "yes, i would like a buggy, crashy, POS software that follows everything I do and reports it back. Oh yeah, can I have lots of popups and ads too?" so that is what he was going for I think. Most folks I have dealt with have no clue how they got "Googled" or Yahooed or Asked either. Hell even Java now will hit you with a toolbar when you apply an update if you're not careful, so its no wonder why folks look down on those damned toolbars.

Second I honestly don't get how this is supposed to make anyone more secure. Give Google more data to mine? Sure I can see that. But more secure? Lets think about it for a minute: First you have IE, and any and all vulnerabilities for it, and then you add Chrome on top, along with any and all vulnerabilities for it as well. So how exactly does running TWO browsers at the same time make for LESS vulnerabilities than simply running one? Because unless there is some hidden voodoo going on I just don't see it. It seems to me it would simply be better to push to get IE6 users to use ANYTHING other than that old POS, than it would be to add more crap on top of IE and double your attack vector. Or am I missing something?

Re:So, which side

[Bert64]

I don't think they will...
Firefox. Opera and Safari are being actively developed and are all roughly in the same league with chrome when it comes to standards support and performance.. It is just IE that lags so far behind, and breaks support for things so badly that it puts a considerable burden on companies like google having to support it.

Aside from the fact that Safari even uses the same rendering engine as chrome.

Google don't really care what browser you use, they were pushing people to use firefox before chrome came out, they just don't want people using a browser as outdated and broken as ie because it makes their job so much harder and limits some of the things they'd want to do.

Re:So, which side

You're missing the sanboxing chrome frame does in IE on windows XP which count for 72% of all systems worldwide. IE's sanboxing capabilities need integrity levels present only in Vista and forward. That's Google's point and it is a fair one.

Re:So, which side

[Bert64]

In a large corporation, an attitude you describe will result in mediocre and/or lazy workers...
I know several perfectly capable people who work in such environments simply because its easy, they blend into the background and collect their pay without doing very much work at all. Most of their colleagues are as you describe, mediocre or worse and are easily manipulated.
They generally sit around doing their own thing all day, and their colleagues aren't smart enough to challenge them.

Re:So, which side

[tomthegeek]

We use Frontmotion Firefox on our network. From the website:

• Active Directory deployable and upgradeable.
• Active Directory management through Administrative Templates (*.adm).
• Desktop Icon similar to IE.
• Shell integration similar to IE.
• Set Default browser
• Macromedia Flash plug-in preinstalled
• Detect and upgrades non-MSI installs.
• Can upgrade 3rd party MSI's from patpaul/MIT, Webheat.co.uk, and ZettaServe.
• Able to properly perform uninstalls and restores system associations
• Enhanced functionality like disabled profile migration.

Re:So, which side

[SanityInAnarchy]

You're obviously not a web developer.

I can develop a site in Firefox, with Firebug, Firecookie, and all the other nice developer tools. That means I can stay on Linux, OS X, whatever I'm comfortable with.

I can then test it out in Chrome, Opera, Safari, Konqueror, Epiphany -- hell, there's a fair chance it'll work on iCab -- and only require very minor tweaks.

Then I can test it out in IE, and discover I've got a few days of work. Especially if I wanted to target IE6. Easily 20-30% of my time developing a site is spent fighting with IE.

No other browser is that much of a bitch to support.

In other words: Google isn't doing this because they're evil, or because they want everyone to run Chrome. (Even if they did, so what? Chrome is open source.) They're doing it to make life easier on all web developers, including themselves. They're also doing it to make the web better, in general -- faster Javascript, HTML5 support, and better support for web standrads...

So, it really doesn't seem likely Google would care to port this to other browsers that actually work.

Re:So, which side

[SanityInAnarchy]

Anybody who has had to remove coolwebsearch...

And how does that get installed? Is there actually a checkbox somewhere for "install Cool Web Search"?

I honestly don't get how this is supposed to make anyone more secure.

You can argue that it doesn't, but to "not get it" is a bit stupid.

First you have IE, and any and all vulnerabilities for it, and then you add Chrome on top,

In other words, it makes things "less secure" in exactly the same way that Flash, Silverlight, Java, Windows Media Player, and any other plugin does.

Basically, Microsoft's whole argument is a very good argument not to install Silverlight. I don't think that's an argument they want to make.

unless there is some hidden voodoo going on

It's not exactly hidden that Chrome supports sandboxing on Windows XP, while IE requires Vista and above for that. So for anyone who didn't upgrade to Vista or Win7 -- which is probably most of the people who didn't upgrade from IE6 -- Chrome Frame is adding a layer of security on top of IE, for the sites that use it.

Add to this the sheer swiss-cheese that is IE6 already... How shall I put this... It's like wearing boxers and a helmet. No one's going to try to shoot you through the helmet, given that choice.

It seems to me it would simply be better to push to get IE6 users to use ANYTHING other than that old POS,

It would be, and they are doing that. In fact, the page that prompts you to install Chrome Frame also mentions other browsers.

But this helps for people who are reluctant to try a new browser, but certainly less reluctant to try a new plugin. It also helps where people are not allowed to install a new browser, but might be allowed to install a new plugin -- not saying that's sane, but that's a lot of corporate desktops.

Re:So, which side

[Eirenarch]

If I was not a web dev I may have believed your words. However some things in our project stopped working when Chrome was updated to v2 (they used to work in v1). I've seen perfectly valid HTML that renders differently in Firefox, Chrome and Opera (should I even mention IE?). While we all agree that IE6 is pain we should not put the blame on Microsoft. After all if we had to support versions of Netscape from the time of IE6 they would be pain too and I am sure MS want to see IE6 gone more than anyone else. IE8 is as different from the other browsers as they are among themselves. I have as much trouble fixing IE8 quirks as I have fixing Opera, Firefox and Chrome/Safari quirks. And if Google were all about standards then what is Gears? I personally see this Chrome Frame + Gears thing as the next ActiveX.

Re:So, which side

[hairyfeet]

Actually they put a little tiny thing on about page 8 or so of the EULA with language like "In order to give you this awesome shareware title for absolutely free, you agree to install our partners software so they can give you fabulous offers. This software may transmit information in order to better serve you with offers that pertain to your surfing habits" etc. Believe me, as a PC repairman going on 15 years I have run into the "toolbar tango" more times than I can count and it always feels sleazy. Why Google and Yahoo would stoop that low is beyond me.

Now see, you are hitting the nail on the head as to what is confusing me. We all now IE6 equals total swiss cheese that can turn a box into a virus laden whore faster than you can say coolwebsearch, so how exactly is having Chrome Frame for the very limited number of websites that will call it actually helpful? I honestly don't see malware sites calling Chrome Frame, unless they have an exploit, and then like I said running two browsers would be a bad thing, and not of the good.

And I have worked on more than a few corporate desktops in my day, before I got burnt on the PHB Dilbert bullshit keeping me from doing my job and providing a secure workstation, and again this just don't compute to me. Those desktops are usually locked down tighter than a Nun's panties and you usually have to go through an act of congress to get squat installed on those suckers, which is of course why they are still running IE6 and not IE7 or 8 or hell, anything that doesn't blow chunks like IE6. So again this looks like such a minuscule amount of folks that this would supposedly help (Has IE6+can't upgrade or switch to a better browser+has permission to install plugins) that it just doesn't seem worth the development effort to me.

In my mind the only way this makes any sense at all is if Google is hoping to get the "clicks through anything to get the goodies" crowd that are too stupid/lazy to get rid of the POS that is IE6. And if that is the case they would be much better off simply cutting off support for IE6 completely from all Google services and offering a link to Chrome (or FF3 if they are on Win2K) than all the work to build this thing. Because as you said trying to put security on top of IE6 is like wearing a helmet while standing around in your boxers. More than a little bit pointless. And for those not allowed to install anything there is always Pocket Kmeleon, QTWeb (same engine as Safari/Chrome) or Portable Firefox. And that is just the first three I clicked on at random, there are over a dozen including a Portable Chrome. This idea just seems like a solution in search of a problem to me.

Re:So, which side

[SanityInAnarchy]

I've seen perfectly valid HTML that renders differently in Firefox, Chrome and Opera

As have I -- with minor differences that can be fixed in a few minutes, if they were an issue at all.

we all agree that IE6 is pain

I just don't think we agree on how painful it is. Again: The vast majority of what I do "just works", with minor tweaks, in all the browsers I mentioned. Remove IE from the equation, and I'd still have to do cross-browser testing, there'd still be bugs and things to work around, but I'd easily shave off around 20% of my dev time.

we should not put the blame on Microsoft.

Uhm. Why not?

After all if we had to support versions of Netscape from the time of IE6 they would be pain too

That's true. However, Netscape did eventually support the standards. I'm still convinced that Firefox (which came from Netscape) is the whole reason IE7 happened at all.

IE8 is as different from the other browsers as they are among themselves.

That is possible, but I'm skeptical. This certainly wasn't the case back with IE7.

And if Google were all about standards then what is Gears?

An attempt to further standards. Indeed, most of the interesting features of Gears have now been merged into the HTML5 standard, and are now supported natively by other browsers.

I personally see this Chrome Frame + Gears thing as the next ActiveX.

*facepalm*

You really don't see the difference between enabling standard HTML5 (properly sandboxed) and inserting random executable content (with full local rights) into a webpage?

What am I going to hear next, that you can't tell the difference between a web app and an exe?

Re:So, which side

[SanityInAnarchy]

Oh, I forgot to mention: Again, we're talking about standard stuff in HTML5.

So, I can develop something that works in Firefox, Opera, Chrome, and Safari, which uses the video tag. At this point, I can either add a ton of extra work by building a flash player, writing some script to replace the video tag with the flash player when I detect IE (or a simple lack of video tag support), and now do twice as much work any time I want to change anything about the player...

Or I can develop an app that relies on canvas, and try to find some ActiveX control, Flash widget, or other hackery that'll duplicate this -- again, talking about doubling the work -- to implement it on IE...

Or I can just develop in straight HTML5, and use Chrome Frame to support IE.

I'm amazed that, as a web developer, you don't see how that's useful, or how that relates to web standards.

Re:So, which side

[SanityInAnarchy]

We all now IE6 equals total swiss cheese that can turn a box into a virus laden whore faster than you can say coolwebsearch, so how exactly is having Chrome Frame for the very limited number of websites that will call it actually helpful?

That's actually a valid point, and one I thought about pretty much right after I hit submit...

The conclusion I came to was, again, it's not likely that this would be a target for malware authors when IE6 is already such an easier target it's not even funny. As to how it improves things, any content within a site that uses this should be somewhat safer.

Take a contrived example: Suppose I make a photo gallery app. I allow my users to upload photos, among other things. Or maybe it's a forum avatar, whatever. Someone discovers a bug in how IE processes images -- which has happened, at least once -- and embeds some malware in an image. If I've wrapped my app in a Chrome frame, they can't exploit IE -- even if the same exploit worked on the Chrome renderer, it's sandboxed.

Those desktops are usually locked down tighter than a Nun's panties and you usually have to go through an act of congress to get squat installed on those suckers, which is of course why they are still running IE6 and not IE7 or 8 or hell, anything that doesn't blow chunks like IE6.

So, one possibility is, due to a misconfiguration (or maybe it's deliberate, somehow), users are allowed to install plugins.

Another possibility is, that "act of congress" is required for a new app, but not for customizing and configuring an existing app. Installing a plugin might be considered "configuring" IE, and thus legal for IT to do.

just doesn't seem worth the development effort to me.

Maybe not. But I'm not going to complain, now that it works. It's also one way of solving the problem of needing one browser for the Intranet, and another for everything else. Sure, I'd prefer IETab, but this works, too, and requires less configuration.

In my mind the only way this makes any sense at all is if Google is hoping to get the "clicks through anything to get the goodies" crowd that are too stupid/lazy to get rid of the POS that is IE6.

If this is the case, I still applaud them for giving me another reason to not have to support IE6.

And if that is the case they would be much better off simply cutting off support for IE6 completely from all Google services and offering a link to Chrome

That would be nice, sure, but it's understandable that they aren't willing to do that.

Let's consider a few scenarios:

• Google adds a download link to the page, but doesn't prevent it from working. Users ignore it. This is exactly what's happened with YouTube.
• Google stops supporting IE6, allowing some things to break, and adds a more prominent link. Users don't understand what a browser is, and blame Google for not working.
• Google disables tons of features on IE6 -- GMail's "basic HTML" mode, for example. Users don't notice the "you should get a browser" link, and assume Google is slower, and wonder why certain features are broken.
• Google actively blocks the page with a "You should upgrade" page, and a very small "continue anyway" link. Users aren't brave enough to try a new "browser" (whatever that is), and give up on that page. Or, if they really want it, they grumble to themselves about how user-unfriendly Google is, making them download a whole new program to view the page. Then, if their new browser breaks, or does anything wrong, or anything different at all, they blame Google for making them download it.
• Google actively blocks the page with a "You need this plugin" page, and a very small "continue anyway" link. Users react pretty much the way they'd react to the same thing from Flash or Silverlight -- as you say, click-through-to-the-goodies. They hardly notice their browser is different.

Re:So, which side

[PybusJ]

That's what Firefox with the IE Tab add-in is for. If you have control of your IT infrastructure, why settle for the intrusive kludge of Chrome Frame?

You've just decried one 'cludge' then suggested another very similar one. I can't see how embedding chrome's renderer in IE is inherently less cludgy than embedding trident in Firefox.

Re:So, which side

[StuartHankins]

... While we all agree that IE6 is pain we should not put the blame on Microsoft...

IE's been a major fail for so many reasons, it's difficult to understand why you would not blame the company responsible, in this case Microsoft. I develop for a living as well and if IE suddenly disappeared tomorrow (6, 7, 8, whatever, all of it) I would be beside myself with joy.

I don't think that at this point IE can be fixed. They used such poor, incomplete or incorrect parsing of standards for so long that they wasted whatever goodwill was generated in the first years. A site designed for any other browser is not likely to work in IE without workarounds... ugly workarounds as you know. IE8 just brings the level of crapware to a newer version -- now we have four versions of IE to support? (IE 6, IE7, IE8, IE8 in "IE7 compatibility mode" which is NOT the same as IE7).

It's Microsoft's fault, totally.

Re:So, which side

[StuartHankins]

Unfortunately enterprise settings for FireFox are a bit of a PIA to implement.

One of the settings you must have to compete with IE in an enterprise environment is auto-login (network.automatic-ntlm-auth.trusted-uris and related keys). Basically what we did was use Group Policy to launch a custom app at login. The Mozilla profile for the current user is in a random folder and the js file you need to edit is in that folder -- but even though it's randomized, if you know the parent folder's name you can easily find the child folder's name and go from there. The app scans the existing JS file line-by-line, and keeps track of certain settings which may or may not be present in the file. If the settings aren't there, we write them to the file. It's a bit more complicated than it could be.

So why don't we override everyone's JS file? Different users need different settings and nuking this file is the equivalent of losing all your settings. There are quite a few possible settings and defaults are NOT included in this file... so a change to FireFox's defaults can cause issues too. It goes without saying that this JS file is locked by the browser if it's loaded and changes can't be saved.

Like I said, a PIA. I could add/update a registry setting much easier.

Re:So, which side

[BikeHelmet]

It's installed the same way as viruses;

The last virus I got piggy-backed a firefox XPI. But that was Firefox 1.5

Viruses are sneaky. What you're thinking of is called crapware. If you want a fine example of bundled crapware, check out the CCleaner installer, or perhaps the MediaCoder one.

You can uninstall Google Toolbar fully from the control panel. I don't mind it, because it seems to remove that infobar-refreshpage-runaround to download files.

Re:So, which side

I personally fought to get FireFox approved, then keep it, for several years. The last straw was a requirement for Keller Online which required IE / ActiveX. The people working in Help Desk removed the users' FireFox installations without so much as converting user's bookmarks... access was suddenly gone. These are the same Help Desk operators who understand that streaming video to their laptops harms the network but insist on doing it anyway.

Needless to say, there is an almost constant fight between app development (me) and Help Desk (them), mainly because they assume no one monitors their activity.

So long as large corporations insist on using certain products regardless of the cost to security, productivity, and employee costs, we all lose.

Posted anon for obvious reasons. In this economy you can't be too careful.

Re:So, which side

[supernova_hq]

How long until YouTube simply doesn't support IE6?

Soon.

Re:So, which side

Wouldn't it be possible to just send a different page to different browsers? I guess that wouldn't really make things any easier, but it would mean they could provide more features to newer browsers.

Re:So, which side

[Eirenarch]

First of all how is it Microsoft's fault that users do not upgrade their browsers? If users were using Netscape (whatever version it was when IE6 was released) it would be the same. I agree that IE7 is very wrong idea but what is wrong with IE8? And for what reason do you count IE8 in IE7 mode in the list of things you have to support. If you support IE8 then don't support IE7 mode because guess what IE8 mode is present on every browser that supports IE8 in IE7 mode. Also consider that when 60% (for example) of your customers are using IE then the time that is wasted is the time on the other browsers because of the relative value that it brings. You don't count the browsers you count the users. Some websites can happily drop IE support just because the target group does not use IE. I doubt Gentoo's website cares about IE :) I don't know if you are aware but there is not HTML5 standard yet and probably won't be for years. So the browsers that support HTML5 stuff are just supporting some arbitrary wish list and now because of this support HTML5 cannot be changed because someone is using it and changing it even if it is wrong will break exsisting sites. This is exactly why MS struggles with these 4 IE modes (you really need to support 3 and IE7 will go away really soon). To be honest I don't believe in standards. I've never seen them work. It is even more annoying that people accept that what Firefox is doing is the standard. You just need to search the web about why innerHtml cannot be set for tables in the IE to find people complaining that IE didn't implement innerHtml according to the standard when innerHtml is not in the standard at all and what is more it was invented for IE. And then the people who bitch about alt attribute on an img tag not being displayed as a tooltip in IE8 when alt surely should not be displayed as a tooltip in any browser.

Re:So, which side

You know... YouTube no longer supporting IE6 is actually a pretty good idea!

Re:So, which side

[DaVince21]

I mean, I've seen Google Toolbar, OpenOffice, and other bits of software installed this way, but never did I see a checkbox in some installer for "Install virus?"

I have. MSN Plus, for example, asks you to install adware. Irfaview also suggests to install the Google Toolbar for you, even though Irfanview really has nothing to do with Google.

Re:So, which side

Yes, it is possible and has been for a long time. I think it is that they don't (yet) want to offer IE users a crippled experience.

Re:So, which side

[iamacat]

First of all how is it Microsoft's fault that users do not upgrade their browsers?

1. They didn't update IE 6 for 5 years which, coupled with their market dominance, allowed lots of crafty websites to accumulate
2. There is no migration path for users of older, but still common, windows versions
3. There is no way to install IE 6 and IE 8 side by side, let alone specify automatic use of old rendering engine just for specific websites.
4. IE 7 and 8 introduced distributive UI changes with no way to bring back the industry standard menu bar and a normal looking toolbar.

Re:So, which side

[Bert64]

Yes, but the problem is that IE is widespread enough, and its users ignorant enough, that they would assume google was to blame rather than the browser being antiquated.

Re:So, which side

[mark0978]

Have you ever considered the fact that Microsoft has a vested interest in not allowing the browser to become the central focus of the OS. Originally Microsoft brought you active desktop which made the desktop act like a web page and discovered that Google and others could deliver a compelling experience simply within the browser. Then active desktop faded away and IE 6 went through several years without being updated, possibly to hinder this ability. This meant that the web platform could not compete with the desktop applications, which during that same time underwent a massive revision in the form of ribbons and new interaction methods. And are of course the largest money maker for Microsoft.

The Google plug-in essentially takes this path away from Microsoft because even if they stopped updating the browser, failed to enhance it to keep pace with all the others, the plug-in can be updated and the war for the desktop continues and enters a slightly more active phase.

At this point in the game, it's too late for Microsoft to undo this new avenue. Google docs exist and are viable method for doing a fair number of tasks. The Fidelity swap of using a browser-based app instead of the thick client app in many cases is no longer so significant as to discount the web app.

Because of this we see IE7 and IE8 trying to recapture what was once a monumental market share that threatened the core moneymaking product of the desktop OS and applications. Kind of funny when you think about the fact that Microsoft used free software to bankrupt Netscape and is now under threat from other free software. And the other free software that's available doesn't require installation, just decent web browser. My guess is that they did see this one coming and managed to stall it using IE 6 without enhancements, until they had a more mature web platform to deliver their own Web applications.

Re:So, which side

[jhfry]

Earlier there was also discussion that Chrome Frame is mostly provided for corporate users who are required to use IE and cant install other browsers. But how can they install this plugin then? It's normal exe and probably requires even more admin rights to get inside IE than just installing Chrome on your userbase.

I imagine that Google consider this the holy grail. If they can sell a google product to major corporations, have it run smooth and fast like it does in Chrome, and still allow that company to have their managed IE installs... it's an easy sell.

Essentially what they have done is told corporate IT folks that they only need to get management to approve a "plug-in" rather than a replacement web browser. I work for the government and I suspect with a decent business case I could get this to pass, but I know that it would take an act of congress to get Chrome installed on our workstations. So by making chrome a plug in, akin to Adobe Flash, Crystal Reports, and Adobe Reader, it's an easy sell.

Google just Chrome'd the enterprise!

Re:So, which side

[xouumalperxe]

You're missing the sanboxing chrome frame does in IE on windows XP which count for 72% of all systems worldwide. IE's sanboxing capabilities need integrity levels present only in Vista and forward. That's Google's point and it is a fair one.

The Chrome Frame's sandboxing only extends to Chrome Frame itself, it doesn't magically turn the rest of IE safe. In terms of attack vectors, the frame can be launched in two ways. First, a site can request it directly by having a tag ask for it. Second, it can be requested manually through an "open with Chrome Frame" shortcut of some description or another. Now, if I'm a malicious developer, I can either find an exploit for IE, or I can find an exploit for Chrome. If I find the former, I just write my page to abuse it, and any IE user who doesn't explicitly request to open the page through Chrome Frame will be open for attack. If I find the latter, I can specifically request a Chrome Frame and the IE/Chrome Frame user will find himself vulnerable to an attack that plain IE wouldn't be vulnerable to.

At the end of the day, you're only safer with a Chromed IE if you specifically use Chrome Frame to request pages that attack IE but not other browsers. In all other scenarios, it increases the available surface area for attacks.

Re:So, which side

[Eirenarch]

1. I am sure they are the ones that are the most sad about this. I don't see what it has to do with the fact that users are not upgrading it 3 years after an upgrade is available. 2. How is that there is no migration path? You can always buy a newer version of Windows and upgrade. 3. There is a way although not universal. Meta tag for IE7 compatibility and then no doctype which will activate quirks mode. 4. Alt > View > Toolbars > Menu bar.

Google dodged the point

[gcnaddict]

"It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP], and defenses from emerging online threats that are available in days rather than months."

Irrelevant. The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point. There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites), anyplace where IE7 is being used (there's IE8; upgrade to it), and anyplace where IE8 is being used (surface of attack expanded in exchange for little benefit). Downloading Chrome itself is fine, but this is nothing more than a veiled attempt at tricking users into using Chrome instead of legitimately gaining marketshare.

Re:Google dodged the point

It does not break intranet sites... Do you have any idea what you are talking about?

Re:Google dodged the point

[drinkypoo]

Irrelevant. The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point.

Google avoids addressing this point because is a stupid one. An aircraft carrier is more secure than a leaky rowboat in spite of having a greater "surface of attack". It turns out that thick sheets of steel are more resistant to penetration than pieces of wood the same thickness or less. Who knew? IE is kleenex, you could cough a hole in that.

Re:Google dodged the point

[jlp2097]

There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites)

BS! Chrome Frame is entirely opt-in i.e. the website has to include a meta-tag indicating that the site should be displayed in Chrome Frame instead of IE Trident. This is the point of Chrome Frame: allow all these corporations (mostly) to keep their IE6 and maybe IE7 while still having the possibilty to access all these new & shiny ajaxy webapps (like Wave).

Re:Google dodged the point

To enable the plugin you need to alter the html: add some kind of header.

I would like to see an intranet site especially made to work with IE that enables the plugin by inserting html...I do not think there are any.

Re:Google dodged the point

[noidentity]

OK, so your logic is different than installing Chrome on the same machine, because with this plugin, a site can select whether to use it? I was going to rebut your point, but I think I get it now. What if the user could tell this Google plugin to entirely disable IE's native HTML rendering/JavaScript/etc.? I guess that would be somewhat pointless, since you might as well just use Chrome to begin with...

Re:Google dodged the point

Based on what did you just make that assumption? As others have also pointed out, the site has to OPT-IN to enable it to be used by Chrome-frame.

Cut the BS please.

Re:Google dodged the point

[Gothmolly]

"...The point is that it's another exploitable object..."

You've just described the entire Windows operating environment, where everyone runs as Administrator. I don't think MS can make this argument with a straight face.

Re:Google dodged the point

[daniel142005]

Do you have any idea why they released Chrome Frame in the first place? Its because Google got tired of Microsoft not meeting web standards. Google will be releasing Wave soon and the majority of the population would not be able to use it because IE does not support HTML5. Chrome Frame is just as secure as IE if not more, not to mention, if a bug or exploit is found with Chrome or Chrome Frame, it takes Google hours to days to push out a fix.

"There's just no reason to get this installed in corporate networks where IE6 is being used"

Do you have any clue what Chrome Frame even does? It does not force EVERY website to use itself. Only websites that request it or websites that you told to use it. And believe it or not, there are a lot of newer applications in the business environment that do not work with IE6 or even IE7/8.

"anyplace where IE8 is being used (surface of attack expanded in exchange for little benefit)"

I guess you are unaware of exactly how much IE8 does not include compared to Firefox/Safari/Chrome, and your obviously not a web developer. Most of the time websites have to have code dedicated for IE otherwise the website will not work right. Google is sick of Microsoft not following standards and them as well as everyone else having to waste their time to make patches so it will work in IE.

Re:Google dodged the point

[jesser]

Yes, Chrome Frame increases your attack surface, because by default, it lets each site choose whether to use IE's engine or Chrome's engine. But I see Chrome Frame as a temporary measure to allow intranet sites to be updated one at a time. From that perspective, it's safer in the long run than remaining stuck with IE6.

Furthermore, if you configure Chrome Frame to force one engine or the other for all non-intranet sites, it's about as secure as whichever engine you pick. More to the point, it's then safer than having everyone use both IE and Chrome, because a site can encourage users to try opening it in the other browser just by looking broken.

Re:Google dodged the point

The thing is, that it in fact does _not_ break intranet sites (You have to opt-in for using it) and most people are still on XP:

(71.79% according to hitslink.)

Sanboxing features on IE require integrity levels that are present from Vista on (not present in XP). So google makes quite a valid point. Also the surface of attack is also raised with silverlight and flash plugins (or any plugins for that matter), I don't see Microsoft communicating this fact enough. ;)

Re:Google dodged the point

[sopssa]

Welcome to 98. Not everyone runs Windows as admin, especially if its a shared computer (like in family). For that matter, its just aswell possible to run Linux as root to do your everyday things. This has been said countless of times already, but it's not the OS's fault; it's the users fault and how they're using their system. Linux is just as vulnerable to a stupid user than Windows is.

Re:Google dodged the point

I guess you're unaware what "surface of attack" means. Security has nothing to do with meeting web standards, and obviously all you care about is using some new fancy HTML5 feature rather than thinking about what installing software, or making requirements of your users actually entails. One thing you're right on though, Chrome Frame is not an altruistic venture from Google, it's done to support their own software and the expansion of their own market.

Re:Google dodged the point

Whilst I agree with the sentiment, Windows carries a different approach and mindset..

I can happily run everything as admin in windows and never really notice or care, it just happens out of the box, by default, as normal. The instability this can cause is usually considered the 'way its supposed to work'.

Also, for most people, if they are using just userland rights on a windows box, they'll occasionally find themselves jumping through hoops for one (badly written) application or another, just to make it work.

Assuming you ignored the rather common 'omfg dont run stuff as root' messages that most distros provide, after few hours of running everything as root in linux and you'll eventually see the benefit of keeping that log-in for special occasions only.

Hoop jumping in linux for userland stuff still exists but its not as much a hacky workaround as it tends to be in Windows.

Things have been changing in windows land since Vista in this regard, but most 'general users' will tell you those new features are annoying and intrusive.

Re:Google dodged the point

[Runaway1956]

Coming to a community college near you: Reading Comprehension 101

The plugin sits idle UNTIL CALLED by a call ON THE SERVER. If the call isn't made by the intranet server, the plugin doesn't do anything, meaning IEx does what it would have done anyway.

Re:Google dodged the point

[SanityInAnarchy]

The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point.

It didn't stop Microsoft from writing Silverlight -- or ActiveX, for that matter. Seems they're only concerned about "expanding the exposed surface of attack" when it's something they don't like.

There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites)

It's opt-in, by the site. The default IE6 engine will still be used for those intranet sites, unless the intranet sites explicitly ask for Chrome Frame -- and if that ever happens, there's a strong possibility that these intranet sites are ready for other browsers.

Downloading Chrome itself is fine, but this is nothing more than a veiled attempt at tricking users into using Chrome instead of legitimately gaining marketshare.

And bundling IE with the OS wasn't? How about exposing IE's HTML engine as a standard ActiveX component?

I'm not suggesting that either of these things could be reversed now, but understand that at the time this decision was made, Netscape was still being sold in stores, and I believe it did have a majority marketshare.

But you know what? At this point, I don't care if Google has to hire assassins to kill off Microsoft's IE team, as long as the end result is the same: We can finally start developing to web standards, and stop having to spend half our time figuring out how to work around IE's bugs. Hell, it means we can actually use exciting new features like HTML5, and stop using Flash unnecessarily, just because IE doesn't support <video>.

(Ok, yes, it would be very sad if people had to die over this, but you get the point.)

Re:Google dodged the point

[dread]

But seriously, this argument is wholly inane and false.

1: IE6 - it would break intranet sites. NO it wouldn't as it wouldn't get used unless the proper meta tag is IN THE PAGE. Is this insanely hard to understand? IE6 would keep chugging along until a page that asked nicely for the plugin came around. Then it would be used. The intranet would remain untouched.

2: IE7 - upgrade to IE8. Do you have any idea of how many organisations are avoiding upgrading to IE8 specifically because they aren't sure that everything is going to work properly. You are arguing that they have to upgrade (to a product that is measurably worse than the competition at handling new, javascript-heavy web applications) rather than take advantage of a plugin that will solve their immediate pain point (performance for certain apps) while not disturbing their current setup.

3: Veiled attempt at tricking users into using Chrome instead of legitimately gaining marketshare.
Please, enlighten me - exactly how does one "legitimately gain marketshare"? This is just plain old stupid. Market share is built by providing a good product and having people use it. Time will tell if Chrome Frames is a good product and if people will use it. You are not the judge of what is a legitimate route to market or not. Sorry. The arbiter of that is the market.

Re:Google dodged the point

[Runaway1956]

Alright, I'll admit. Outside of the corporate world, at least 3 or 4 percent of users run as a restricted user.

Among the other 95% + we find gamers whose games won't run unless they are Admin, we find people who routinely install apps from the web and can't be bothered to "Run as" Administrator, we find OEM machines with a single default user who has Admin rights - I could go on.

No, you don't get away with pointing to Vista and Win7 - they have NOT been widely adopted by the public. Most of the computing public is still running XP, and are unlikely to upgrade soon. (Recession, remember? A lot of people who MIGHT upgrade to Win7 don't have money to spend on frivolities!)

Re:Google dodged the point

[ClosedSource]

So essentially Google's argument is that you should download and install it because it doesn't do anything for 99.9% of internet sites.

Re:Google dodged the point

[Runaway1956]

That remains to be seen. Web designer people may look at this as salvation from tweaking and retweaking for IE6. Some of them may or may not put a disclaimer on their site, "If you have problems viewing this site with IE6, you should upgrade to a more modern browser, or install Google's addon" complete with links to the addon, as well as the more popular browsers.

If such an approach were taken, who knows? Let's take another look in 3 months, then again in 6 months. Stuff happens, you know?

Re:Google dodged the point

[Bert64]

Silverlight is another exploitable object too...
People concerned about security should probably be using the full blown chrome, which is generally regarded as having a better security model than other browsers.

Re:Google dodged the point

[ClosedSource]

I guess it depends whether the organization thinks the time, cost, and inconvenience involved with supporting IE6 is more significant than the possibility of losing users.

Even if they came to that conclusion, their agenda would be better served by having users update IE or switch to another browser rather than using an untested hybrid solution that Google might get bored with and stop supporting later on (it wouldn't be the first time).

Re:Google dodged the point

[TheRaven64]

Yes, that's the point. A malicious site being visited by someone with IE6 + the Chrome frame can choose to exploit any security hole in IE6, the Chrome frame, or any other plugins that may be installed. This is worse than having just IE (because holes in Chrome can not be exploited while running IE) or just Chrome (because holes in IE can not be exploited while running Chrome).

Microsoft's argument is a good one, but the logical response to it is to run Chrome, rather than IE and the Chrome plugin. Oh, and not install Flash, Silverlight, or any other potentially-exploitable plugin.

Re:Google dodged the point

[superstuntguy]

Windows XP called, they want their security model back.
In Vista and Windows 7, all users are normally regular users, but can run programs as administrators much like sudo.
See http://bit.ly/10KkWr (PDF) for more info.

Re:Google dodged the point

[jonadab]

> For that matter, its just as well possible to run Linux as root to do your
> everyday things ... it's not the OS's fault; it's the users fault

Bunk.

I mean, in theory, yes, that would be true, if Windows had for the last twenty years shipped with an installer and typical OEM OOTB setups that encouraged the creation of a non-admin account for everyday use. If that had been the case, then third-party application developers would have programmed under the assumption that the user might not be admin and would test their junk using non-admin accounts, and so most common applications would work just fine if the user is not admin.

But in fact that is not the case. The advent of UAC in Vista and Seven is helping somewhat, but even now the default setup is wrong (the user has admin privs and only has to frob "yes", not type a password), and an annoyingly high percentage of Windows applications out there simply do not run correctly unless the user either has admin privileges outright (WinXP) or grants them to the app via UAC (Vista/Seven). Some of these applications can be worked around if the admin does peculiar things with access control lists, but others really do want the logged-in user to have full admin privs, or else stuff doesn't work right. The ISVs who are guilty of this include some pretty major names, not least Symantec. Why should antivirus software care whether there even *is* a user logged in when it does a scan or update, much less what the logged-in user's privilege level is? Because earlier versions of the software ran on Win9x, that's why.

And that's why a Linux-based system (or BSD or any Unix-type system really) is different: not because the kernel is different now, but because the application base isn't built on a legacy of decades of complete disregard for the whole concept of security and permissions.

Did I mention too that Windows itself requires the user to have admin privileges for Windows Update to work right? Otherwise, Automatic Updates only work until something with a EULA comes along (every third update, roughly), and then the system gets no further updates until someone logs in as admin. Again, UAC helps somewhat, but somebody with the admin password still has to put in an appearance on every workstation on the network, about once a month, in order to keep all the systems up to date. There's no such thing as putting updates on a cron job and forgetting about them.

Not sure what any of this has to do with Chrome Frame, though.

Re:Google dodged the point

[StuartHankins]

Everyone who uses UPS Worldship runs as an admin. I know, we've had to put up with that -- and I wish I could say it was one of the factors in our switching to FedEx.

Our laptop users must run as admins so they can install whatever print drivers are required when they're on the road at different customer sites. Unless we're missing something really big, there is no "allow user to install printer drivers" security option in XP.

And as far as Linux being as vulnerable to a stupid user, wow you need some more exposure to it. While it may be possible to issue a "rm -rf /" as root, the ways the average user can bork things up -- web browsing allowing malicious code to execute, likelihood of damage via virus, allowing a user to uninstall something that breaks another app -- these just aren't issues with Linux.

Re:Google dodged the point

[jsebrech]

The best way to reduce surface of attack is to abandon IE entirely and switch to chrome, as it was the only browser nobody managed to crack during the Pwn2Own contest earlier this year.

If security trumped all else, everybody would be using chrome. That they aren't shows that functionality does matter. So, yes, sometimes you have to install a plugin to get things done.

Re:Google dodged the point

[jsebrech]

What chrome frame has also demonstrated beyond a doubt is that microsoft could have shipped a solution that preserved IE6 compatibility and upgraded web standards at the same time. They didn't because they didn't want to.

Microsoft is going to keep delaying the web's advance as long as possible. They only way to get things done is to side-step them.

Re:Google dodged the point

[SanityInAnarchy]

What chrome frame has also demonstrated beyond a doubt is that microsoft could have shipped a solution that preserved IE6 compatibility and upgraded web standards at the same time. They didn't because they didn't want to.

I'm not entirely sure about that. Microsoft did try roughly this strategy -- there was a plan to make IE7 (I think?) default to IE6 rendering, unless you sent some header to tell IE to render in "standards-compliant mode".

This is effectively the same thing -- it turns IE6 into a browser that's still IE6 until you do whatever you have to do to enable Chrome Frame, which is roughly like "standards-compliant mode".

The difference is, this isn't meant to be any kind of solution. IETab in Firefox is a solution. Adding an "IE6 Frame" to IE8 would be a solution, but I don't think IE8's "compatibility mode" is quite compatible, or people wouldn't still be using IE6 in these corporate environments.

So, this is more a hack to force the issue than a real solution.

I think the difference is that Microsoft was trying to sell this hack as the next version of IE, while Google isn't trying to sell this as anything other than cleaning up after Microsoft's mistakes.

I don't entirely disagree, though:

Microsoft is going to keep delaying the web's advance as long as possible.

Ever wonder why IE doesn't support the video tag? Or canvas?

Hopefully I'm wrong, and IE will eventually catch up -- at which point, of course, everyone else will have moved on to things like WebGL -- but it seems to me that improving the web in this way would slowly but surely make Silverlight (and Flash) obsolete.

Re:Google dodged the point

BS! Chrome Frame is entirely opt-in i.e. the website has to include a meta-tag indicating that the site should be displayed in Chrome Frame instead of IE Trident.

It doesn't seem to quite as opt-in as it should be:

When I visit the TV guide on sky.com in IE with google frame installed, it tells me that the page can't display because I'm using an unsupported browser.
Before installing google frame, it worked fine !!

Not surprising.

[Capsy]

Despite being a user of Vista, Zune, and a former XBOX owner, I'm not overly fond of Microsoft's stance on software. Zune needs to be open sourced so developers and modders can start creating utilities for it that matter. Microsoft adopted a "we-will-handle-it-ourselves-and-drag-the-competition-under-our-wheels" approach to software and the way the internet should be "browsed." As such, everyone is commiting herecy and blasphemy when they try to make a better program for the same function that Microsoft's software already does. For instance, look at Linux. Although it's not quite as compatible for gaming as Windows is, more and more gamers are turning to Linux, quite simply for the ease of use, and the fact they can modify their installations to fit their needs. Even down to programming something for it. All Google is guilty of, besides being asses about Android, is making a perfectly legitimate program and essentially offering to keep on top of it ("...and defenses from emerging online threats that are available in days rather than months") better than even Microsoft does. Do I smell corporate greed?

Re:Not surprising.

[Capsy]

Not trolling. I USE WINDOWS. What part of this didn't you understand? The point I was making is that Microsoft feels like they have the right to "block out the sun" over all other developers and companies. There's a term for it, and I'm not referring to a monopoly. I'm thinking of Facism.

Re:Not surprising.

[amiga3D]

Wanting all the market for themselves? That's greed. Pure and simple.

Re:Not surprising.

[Capsy]

That's what I'm saying. Microsoft has been a monster ever since Gates decided he could market Microsoft. And by monster, I mean greedy, myopic little worm.

Re:Not surprising.

Are you really a Zune user? I've never seen one of those before.

Re:Not surprising.

[Capsy]

If Zune were to be open sourced, I'm pretty sure the Zune Touch could compete with iPod Touch. And yes, I use Zune.

Does anyone care?

[amiga3D]

I'm thinking that IE users' primary concern is not security or they'd be using something else to begin with.

Re:Does anyone care?

[AmberBlackCat]

I'm thinking that IE users' primary concern is not security or they'd be using something else to begin with.

True, their primary concern is the browser working when they go to the website.

Re:Does anyone care?

[Shikaku]

It doesn't activate on EVERY website. RTFA. It requires a meta tag. Google released this so that IE users can use Google Wave because IE doesn't support HTML5. It can also be used on other websites. I think it's a great move by Google, to smack Microsoft in the face to actually step up to standards.

Re:Does anyone care?

You realise HTML 5 isn't a standard right? It's a wish list, and the last time people started implementing standards early we got layers rather than divs and had to live with that pain for years. MS had the same problem with XML/XSL/XSLT where they implemented a draft standard which then changed, and then they were slagged for implementing early. But then all web designers care about is getting fancy video it seems rather than learning from the mistakes already made.

Re:Does anyone care?

[Shados]

http://www.w3.org/QA/2009/05/_watching_the_google_io.html

Re:Does anyone care?

[mister_playboy]

Right now we are stuck with Flash... so HTML5, standard or not, would be much preferable.

Re:Does anyone care?

I'm thinking that IE users' primary concern is not security or they'd be using something else to begin with.

That's not true. Imagine telling your mother that her browser is "insecure," and that it's putting her computer at risk for "those scary virus things." Everybody knows that security is a good thing; the problem is that most of them aren't aware that IE is insecure.

Re:Does anyone care?

You are willfully misunderstanding the HTML standards process. Any feature not supported by at least two browsers cannot ever be part of a full standard. Saying HTML5 is not a standard, so not supporting it is not a big deal is quite dishonest.

Re:Does anyone care?

[TheRaven64]

You seem to have missed the fact that HTML5 is not following the same standards process as previous versions of HTML. It is being developed incrementally (parts of the spec are in flux, parts are fixed) and it requires two independent implementations to exist (like IETF standards) before any part is finalised.

Re:Does anyone care?

You realize that this plugin fixes every IE css bug since version 6? Who cares about HTML5, it's years away from us. I like the idea of being able to write a page that doesn't require me to spend an equal amount of time making it work in a crappy browser. All I need to do is provide a link to install the plugin if their page is broken. It's beyond the time when developers have to support such an antiquated piece of software, regardless of someone being forced to use it because of their organizations reliance on IE6.

Re:Does anyone care?

[amiga3D]

Sad to see you marked troll. Actually that's exactly true. All they care about is if it works. Security is the very last thing on their mind. Once I move people to Firefox they generally are very happy with it but they are always scared to leave what they know. Once they've used firefox though they never want to use IE again.

fixing that analogy

[RingDev]

To run with your Aircraft Carrier vs Leaky row boat analogy...

This is more akin to putting a nuclear powered steam turbine engine from an air craft carrier into your leaky row boat.

Sure, it'll make your leaky row boat fast as hell and able to pull huge objects, but your leaky row boat is still leaky, over weight, and now requires a constrant stream of fuel.

The GP's point is in part accurate. CF does indeed increase the exposed surface of IE. If you are willing to live with that risk, do it, if not, don't.

I also find it odd that Google was complaring it to IE6. Isn't that kinda like MS comparing IE8 with Chrome Alpha or Fire Fox 1.0? The only option for IE6, IMO, is to get rid of it. Developers need to abandon support for it, force users to upgrade to IE8, or to switch to FF or Chrome. But comparing their plug-in with an 8 year old browser is disengenuous.

-Rick

Re:fixing that analogy

[drinkypoo]

But comparing their plug-in with an 8 year old browser is disengenuous.

It would only be disingenuous if their plug-in didn't plug into that 8-year-old browser, which is still one of the dominant browsers today.

Re:fixing that analogy

[Runaway1956]

"but your leaky row boat is still leaky, over weight, and now requires a constrant stream of fuel."

"Aye, Captain, I'll pull into the next Exxon station for more nuclear rods!"

Alright, asshat comment completed, I agree with "force users to upgrade to IE8, or to switch to FF or Chrome." I'm quite tired of hearing about some lame ass in-house trash that only works in IE6. NO ONE WANTS IT, so dump it!

Re:fixing that analogy

[supernova_hq]

That makes no sense what-so-ever. You have taken the argument about security and turned it to a stability test.

Emergency Security Update

[140Mandak262Jamuna]

Microsoft announced that even though XP, Win97, Win2K, IE5 etc have been end of lifed, and will not be supported anymore, it has issued a special security update that will freeze IE5, IE6, IE7 and IE8 if Google Chrome Frame plug in is detected. After the update IE will first send a browser agent string pretending to be Google Chrome Frame, and if the website responds to it, it will crash IE and the OS with a BSOD with the message, "See? I Told ya, Google Chrome Frame is bad. It crashes everything".

The new motto in Microsoft is "Windows 7 is not done, until Chrome Frame wont run".

Chrome Frame sucks for me

[dword]

I'm a Firefox / Chrome fan and I just installed the Google Chrome Frame to see how it behaves. I installed Windows XP SP2 less than 24 hours ago and since then I've only installed my drivers, Firefox and the Google Chrome Frame; I went to a couple of innocent websites with IE6 and they both crashed the browser.

PS: Web developer here - Yes, IE6 sucks but it is not THAT unstable.

Re:Chrome Frame sucks for me

[JasonBee]

I'm a Firefox / Chrome fan and I just installed the Google Chrome Frame to see how it behaves. I installed Windows XP SP2 less than 24 hours ago and since then I've only installed my drivers, Firefox and the Google Chrome Frame; I went to a couple of innocent websites with IE6 and they both crashed the browser.

PS: Web developer here - Yes, IE6 sucks but it is not THAT unstable.

Which web sites? I'd love to test your observation as I have multiple VMs with various IE versions installed on various WinXP flavours.

Please tell us.

Re:Chrome Frame sucks for me

[IamTheRealMike]

ChromeFrame isn't activated unless the website asks for it. So you were just testing the reliability of IE6, not Chrome.

Re:Chrome Frame sucks for me

[dword]

I guess IE6 is THAT unstable. Thanks :)

Re:Chrome Frame sucks for me

[blackfrancis75]

FFS RTFM, and ppl stop modding this shit up.

Re:Chrome Frame sucks for me

Just to be sure it wasn't CF, try adding the cf: prefix to the URL. This will force IE to use CF for that page. E.G., in your address bar put "cf:http://tech.slashdot.org/story/09/09/26/0257216/Google-Barks-Back-At-Microsoft-Over-Chrome-Frame-Security" (w/o quotes obviously).

Re:Chrome Frame sucks for me

Well actually, any IE plugin that is "active" at all is loaded and could potentially crash your browser.

It might not be hijacking your rendering at that moment but something is listening for a "website asking for it".

Re:Chrome Frame sucks for me

Unless he used the special URI available to test the website rendered in Chrome. Doesn't have to be the meta tag, can be done manually by the user.

Re:Chrome Frame sucks for me

[zuperduperman]

Sorry, it's got to be 'active' to be intercepting headers and page data to look for whether the page has asked to be rendered with chrome. It's entirely possible that it crashes the browser on absolutely any site and even opens brand new security holes.

Re:Chrome Frame sucks for me

There's no such thing today as an "innocent website", only one that hasn't been compromised yet.

Illegal analogy detected. Please fix your posting.

[140Mandak262Jamuna]

Your posting is rejected because you included an aircraft carrier analogies. To be standard compliant for slashdot users, please reframe it as a car analogy.

Microsoft dodged the point

Microsoft: Making that claim - double security issues - in some countries would get you into very hot water. MS has not said much about Adobe, who has a not so good (security) track record.

Clearly any hacker will avoid Google addins like the plauge (because they will be fixed fast), and go for the nice, static, unpatched MS code.

The likely NEW risks are those in the code path of new HTML5 features and functions, and not the plugin.

Whatever MS's whinges, Google will fix it. MS is probably doing a mental, as Yahoo like plugins will come After Chrome. We have seen MS use policy to favor its own product/family before, so Google doing the same is not news - but it is also not a security thing.

Re:Illegal analogy detected. Please fix your posti

Fear not!

Google has released a plug-in that automatically converts non-compliant analogies on Slashdot into either car or house-front-door-unlocked analogies

I believe it can optionally do automated library of congress conversions as well as append random critique regarding the nature of Slashdot's CSS.

Barks back?

[whatajoke]

So Google "barks back" but Microsoft "hits back"?

More Errors

[WED+Fan]

I tested this plug-in:

• On /. without plug-in, using IE8, I get no errors.
• On /. with FF, I get no errors.
• On /. with plug-in, using IE8, I get DEP errors.
• On other sites, with plug-in, using privacy mode, I get multiple IE crashes.
• On the same sites, disable the plug-in, in privacy mode, no errors.

I don't know about making it less secure, but it sure causes a bunch of "recovered" tabs and multiple errors.

Not Ready for Prime Time!

Re:More Errors

[TheRaven64]

Not Ready for Prime Time!

Well, duh. It's a Google product: It will be out of beta in a few years...

Re:More Errors

well geez bob... the plugin doesnt enable on slashdot...

Strategic mistake

[blind+biker]

Microsoft has nothing to gain in this war of wards. They should have known it before they started it: now Google has more than just an excuse to publicize/raise the awareness of IEs security holes, educating the public on phishing, in the process. This will will definitely raise the interest of at least some IE users who would have not otherwise bothered themselves with Google's add-on.

I can see how MS got suckered into this, though: they just can't stand someone walking into their turf. Their predator instinct is just too strong, and makes them do stupid things.

Well played, Google.

Re:Strategic mistake

[at_slashdot]

The more Microsoft makes fuss about Chrome Frame the more people will find out about this options. A negative campaign when it comes from a negative company is positive.

Re:Strategic mistake

[pearl298]

Microsoft is used to dealing with much smaller adversaries who can be intimidated or simply ignored.

I am thinking of the MSWord/XML patent fuss as the latest example.

What is new is that Google is big enough to take on Microsoft and at their own game! Including Microsoft's favourite game of FUDD!

What I am seeing is that Microsoft is being "attacked" on many fronts at once.

Remember IBM and their attempts to kill off the PC not that long ago?

Re:Strategic mistake

That's a logical fallacy.

Re:Strategic mistake

[mister_playboy]

Publicity has nothing to do with logic, smartypants.

Re:Strategic mistake

[westlake]

The more Microsoft makes fuss about Chrome Frame the more people will find out about this options.

The only "fuss" I'm hearing about Chrome Frame is on Slashdot. The geek needs to remember that to almost everyone else Google remains simply a search engine.
 

Re:Strategic mistake

[Shikaku]

It's a validation by contrapositive actually.

Not good software said by not good software company = Good.

Re:Strategic mistake

Actually according to this video to almost everyone else Google is a browser. I guess it just shows how much attention people pay to what they click on to get their web browser and how much they rely on a search engine to browse the web.

Sigh... shortsighted are we?

[SmallFurryCreature]

Google is at war and its goal is the liberate the browsers and allow them to be everything they can be.

Evil Microsoft has poor IE as a hostage and is doing terrible things with it. It could be so much but forced into ghetto conditions it is backwards and idiotic.

Direct war with the evil Microsoft is hard but Google is dropping supplies behind enemy lines to help as much as possible. Luxuries other browsers can take for granted are dropped in the form of javascript libraries so that IE can still at least somewhat come along no matter how slow.

Now with this new weapon of peace the evil Microsoft can be twarthed like never before, every IE that dares can now be free and standup like a real browser with all the features those in the free world have come to taken for granted.

There is not going to be one single succesful strategy to liberate the browser, but liberated it will be. Google needs freedom more then any true american company needs air to breath. The communist Microsoft (All for one OS and one OS for all) shall be vanquished. It will not happen overnight, but it will happen.

For the humor impaired: Google needs fast capable browsers because that is where it does its business. If MS can't produce a capable browser then it got 3 options: advertise other browser (firefox), produce its own to push the cutting edge (Chrome forced firefox to become quicker) and to augment the least capable browsers to support current standards. It will have to push hard from different directions to achieve this but success has already been made. MS has had to work very hard with IE and you can see from their response about this plugin in that they are very scared indeed about the browser becoming more capable.

This battle is NOT about getting people to install Chrome or Firefox, it is about having them surf the web with a capable browser so Google can push new features and not have to constintly cripple their application for an obsolete piece of software.

Re:Sigh... shortsighted are we?

[ToasterMonkey]

I'm back here reporting behind 'enemy lines' and I see the 'repressed' citizenry are enjoying IE8, Safari, Opera, Firefox, and Chrome.. elsewhere IE6 is being enjoyed by people who don't care to know what a browser is. Are there any fronts to this war or is it all made up? *enjoys the local food and moves on*

Re:Sigh... shortsighted are we?

Hey man... are you sure?

Re:Sigh... shortsighted are we?

[blind+biker]

Google is at war and its goal is the liberate the browsers and allow them to be everything they can be.

Evil Microsoft has poor IE as a hostage and is doing terrible things with it. It could be so much but forced into ghetto conditions it is backwards and idiotic.

Direct war with the evil Microsoft is hard but Google is dropping supplies behind enemy lines to help as much as possible. Luxuries other browsers can take for granted are dropped in the form of javascript libraries so that IE can still at least somewhat come along no matter how slow.

Now with this new weapon of peace the evil Microsoft can be twarthed like never before, every IE that dares can now be free and standup like a real browser with all the features those in the free world have come to taken for granted.

There is not going to be one single succesful strategy to liberate the browser, but liberated it will be. Google needs freedom more then any true american company needs air to breath. The communist Microsoft (All for one OS and one OS for all) shall be vanquished. It will not happen overnight, but it will happen.

You, my friend, are truly talented, and could have a career in marketing.

Seriously, I bow before your creativity.

stop pussy-footing around

[RiotingPacifist]

Goggle should stop pussy-footing around and add a warning box to thier mainpage that tells a user how many publicly announced unpatched exploits there are for the users browser & os. or "Microsoft press statement" => did you mean lies?

what did they expect?

[po134]

Did they expect something like "Thank you google for fixing some of the problems we had on a browser we don't want to code for anymore" ?
Cause it's true they face new security problems that won't be fixed by microsoft with monthly critical updates as it is a plugin and not the basic application.

fuck you

what the fuck is Win97, you cocksucker???

Re:fuck you

[TheRaven64]

Windows 97 was the development and beta name for the version of Windows to follow Windows 95, as Windows NT 5 was the pre-release name for Windows 2000. When it was finally marketed, it was renamed Windows 98 to hide how much it had been delayed.

Standards Exist for a Reason

[raftpeople]

It's like you are talking a different language, can you use a car analogy please?

If they want HTML5/Google Apps, they can install

[Ilgaz]

I share everyones passionate hate against IE especially since I have to run a Virtual emulator to run that IE (for testing sites) but entering a browser that way, relying on a meta flag which can be implemented by anyone and trusting users to differentiate between a browser engine and UI sounds too much to me.

I believe users need exact same rights to install a browser rather than a ActiveX control so they better advertise their browser instead of plugging into others. They should also check the market for why exactly their browser isn't that much used, why some users have very serious privacy concerns about them lately and why a certain team at Google insists on driving people and companies nuts by insisting on that absurd "updater" policy.

What if MS plugged into Google browser and enabled IE engine whenever a site looks for IE? This has no end. People can't differentiate between an engine and a UI, even on slashdot you see comments like "but Safari is closed source", think about ordinary users and who will they contact when Google engine fails browser?

Oh please no...

[rmdyer]

... the website has to include a meta-tag indicating that the site should be displayed in Chrome Frame instead of IE ...

The very last thing I want as a system administrator are hundreds of thousands of sites (if not millions, or more) requiring the user to have Google Chrome, or the Chrome Frame plugin, before the site can be used. Web sites should be designed using web standards, and not require specific browsers for use. Talk about pot calling kettle black! Plugins should be handlers for the primary browsers functions, not over reaching take over my browser leaches.

Re:Oh please no...

[TheRaven64]

Web sites should be designed using web standards, and not require specific browsers for use.

That's rather the point. IE6 is not standards-compliant, while the Chrome frame is. If you deploy a standards-compliant web site, it won't work in IE6, but it will work in IE6 with the Chrome Frame Plugin. It provides a way of 'supporting' IE6 without actually having to write a broken web site. Just set the meta tag so that when an IE 6 user comes along they use the plugin and let everyone else use their browser.

There was a similar thing done a few years ago (2002?), where someone made an ActiveX control containing the Gecko engine. It wasn't used much back then because downloading 3MB of plugin for a site was too much effort for most people. Google, however, has a lot more ability to push things like this to end users.

What about Firefox .8 users?

When is google going to come out with "chrome frame for firefox beta"? Or when is goggle going to talk about how firefox .8 does not suport the standerds as well as chrome.

That is what this sounds like to me. this plugin is to help IE 6. that is years old.

Re:If they want HTML5/Google Apps, they can instal

[TheRaven64]

You mean what if Microsoft released a plugin and required it to be installed for some of their sites to work properly? I don't know, I can't think what would happen in that case; probably people would just install the plugin and let it take over running the web app.

Enterprises use IE6 for intranet

[symbolset]

I wish it weren't so, really. It's an abomination and we knew it when the thing was released, but there it is. Friends don't let friends use IE6. It's common and more reasonably secure browsers aren't supported on sites that require IE6. Enterprises need IE6 for intranet sites and they can't afford to or aren't able to rewrite sites to adhere to standards.

They could choose to fix this problem by requiring their development teams to adhere to standards, but that's not the direction they're going -- instead the job ads are full of requirements that for successive iterations of Microsoft deprecated versions of .net. The persistence of stupidity is remarkable, but that's a different topic.

This paradigm is inherently flawed: the network is not a trusted environment and in that environment a Windows server should be the least trusted element. Microsoft themselves admit this when they force you to choose between the latest version of their server operating system or the latest version of their mail server, but not both, putting you in the position of choosing either an OS that's currently as secure as it can be, or a mailserver that is, but not both.

So what can you do? The Google solution actually looks like a good answer at first, but then realize that it enables and empowers people to continue using a browser that's known to be bad. If a server is on the intranet it's presumed to be safe (itself a different problem), if a server self-identifies as being OK for Chrome the user gets a secured sandboxed environment. But on the Internet, where users will go, if a server doesn't self-identify as preferring Chrome the user is browsing a site with a browser that's known to be insecure. So by enabling users to browse in a secure environment when the server offers it, Google is actually enabling people to not update to a more secure browser.

It's a clever hack, but the premise is fatally flawed.

Re:If they want HTML5/Google Apps, they can instal

[jsebrech]

Users don't know what a browser engine is. They don't even know what a browser is. They know that if they click on the big blue e, they can google the internet, and that's pretty much all they know.

The reason they're not switching to chrome is because even if they do manage to click and install it, they won't even realize that they have to click the chrome icon instead of the ie icon to browse the web. And even if they get as far as realizing that, they won't like chrome because it looks too different.

MS has no roon to bitch

I'm surprised no one else has pointed this out. Look at what MS does to firefox. It seems that every time I log on to the Terminal Server at work and run Firefox there is a new damn MS plugin I have to disable and cannot be completely uninstalled. I called MS about this when it first started and they said "Oh no that's not us. Mozilla is installing it." Funny I know the firefox up date had not been run but Patch Tuesday had.

I guess my question to Microsoft is. What about the security problems you are installing without mt permission to software that you do not own like .NET framework and ActiveX controls? I use Firefox when I have to work from a Windows world to get about these security problems. Problems with .NET and ActiveX are very real and there are plenty of citations on the net to back this up.

Microsoft you were the first to piss in someone else's pond. Don't bitch when someone pisses in yours. At least Google really did FIX some of your problems. You should be grateful.

Using Chrome Frame Add-in

[SmearedBlackInk]

For those who don't already know, you can force a page to load with the Chrome Frame (if it's installed of course) even it if it doesn't have the tag embedded in the page by adding "cf:" in front of the address. e.g. cf:http://www.slashdot.org/