Google Barks Back At Microsoft Over Chrome Frame Security

CWmike writes "Google hit back at Microsoft on Friday, defending the security of its new Chrome Frame plug-in and claiming that the software actually makes Internet Explorer safer and more secure. 'Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users,' said a Google spokesman today. 'It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP], and defenses from emerging online threats that are available in days rather than months.' On Thursday, Microsoft warned users that they would double their security problems by using Chrome Frame, the plug-in that provides better JavaScript performance and adds support for HTML 5 to Microsoft's browser."

So, which side

[sopssa]

The company is also investigating bugs filed with the Chrome team by Microsoft developers, who reported that Chrome Frame broke IE8's privacy mode.

Why am I not surprised this feature wasn't tested at Google? ;)

But on an interesting note, this seems to be a direct attack against Microsoft by Google. Granted not that many users will probably install it (especially 'normal' users who just dont care), with this and Chrome OS it's clear that Google is going after MS.

Also, this is another avenue for Google to datamine everything about the internet. People dont usually think about it, but Google's analytics traffic code is all over the internet and probably 90% of the sites you visit is known to google. Another interesting thing is that Slashdot used to hide the tracking code under its own domain, so just blocking the analytics domain didn't work.

While I dont like some of the business practices by neither one, its hard to pick sides here. Atleast MS sells the products directly, while Google monetarizes them by ads. And by that very nature you lose lots of privacy.

Earlier there was also discussion that Chrome Frame is mostly provided for corporate users who are required to use IE and cant install other browsers. But how can they install this plugin then? It's normal exe and probably requires even more admin rights to get inside IE than just installing Chrome on your userbase. And other than that I dont see a point in wrapping another browser plugin to work inside browser. If people are knowledge about this plugin, they're knowledge about the actual Chrome browser too. And IE user experience and GUI sucks.

Re:So, which side

[dread]

Ummm. Not many users? Do you completely fail to comprehend how HARD Google could push this on IE6/7 users if they wanted to? And with their allies and partners I think they would have a very good chance of doing an 80-20 conversion on that user base. That's what's up for grabs, not the measly IE8 percentage points. IE6 and IE7 users accessing Youtube, google.com, gmail, google docs et al being gently pushed to install the plugin. Good thing too in my opinion. The sooner we can get that crap out the door and onto the crap heap of history the better for everyone.

Re:So, which side

[MrCrassic]

Well, from the article, I'm getting the gist that they are only fueling the fire further. IT departments should be doing what they can to GET OFF IE6 instead of using software like this to breathe new life into it!

Upgrading to IE7 and IE8, as specified in the article, makes this add-on irrelevant. On a side note, I'm also concerned about the heavy-handedness Google has nowadays. I understand that their products constitute a LARGE portion of internet traffic, but it's kind of scary to think that their analytics code IS all over the web....

Re:So, which side

[mystik]

I'm from a small org, fully embracing the leading edge.

But I can See the following scenario:

1) Org has large internal App written for IE6 only. Can't upgrade so users are forced to have IE6 on their workstations
2) Org's IT admins are well aware of the security problems IE6 forces them to work around.
3) Roll out the Chrome plugin, and set things up so everything *but* the internal site uses Chrome.

Installing IE upgrades makes it difficult to leave an ie6 & ie_latest deployment side-by-side in a 'supported' fashion (Unless ms has a 'supported' way of doing this?)

Using the Chrome plugin lets the Org upgrade the browser to something maintained & more secure on their deployment, while allowing the archaic app to work as expected.

Re:So, which side

[AmberBlackCat]

Everybody I know ends up with the Google toolbar, and most of them don't know how they got it. It's installed the same way as viruses; they just get some software installed, choose typical or default installation, and keep clicking yes till they get to the end. So surely Google could bundle the installer for this thing with the toolbar and everybody will have it. They just won't know what it is, why they have it, or how to get rid of it.

Re:So, which side

[Arancaytar]

And then we could finally stop supporting IE in our web design and move on with the standards.

Hell yes.

Re:So, which side

[Marcika]

I'm from a small org, fully embracing the leading edge.

But I can See the following scenario:

1) Org has large internal App written for IE6 only. Can't upgrade so users are forced to have IE6 on their workstations 2) Org's IT admins are well aware of the security problems IE6 forces them to work around. 3) Roll out the Chrome plugin, and set things up so everything *but* the internal site uses Chrome.

Installing IE upgrades makes it difficult to leave an ie6 & ie_latest deployment side-by-side in a 'supported' fashion (Unless ms has a 'supported' way of doing this?)

Using the Chrome plugin lets the Org upgrade the browser to something maintained & more secure on their deployment, while allowing the archaic app to work as expected.

That's what Firefox with the IE Tab add-in is for. If you have control of your IT infrastructure, why settle for the intrusive kludge of Chrome Frame?

Re:So, which side

[Eirenarch]

Today it is IE and how long before they decide to push Chrome Frame to Firefox, Opera and Safari users?

Re:So, which side

[hairyfeet]

First of all, I think the word the guy is looking for is spyware/malware. Anybody who has had to remove coolwebsearch knows that nobody goes "yes, i would like a buggy, crashy, POS software that follows everything I do and reports it back. Oh yeah, can I have lots of popups and ads too?" so that is what he was going for I think. Most folks I have dealt with have no clue how they got "Googled" or Yahooed or Asked either. Hell even Java now will hit you with a toolbar when you apply an update if you're not careful, so its no wonder why folks look down on those damned toolbars.

Second I honestly don't get how this is supposed to make anyone more secure. Give Google more data to mine? Sure I can see that. But more secure? Lets think about it for a minute: First you have IE, and any and all vulnerabilities for it, and then you add Chrome on top, along with any and all vulnerabilities for it as well. So how exactly does running TWO browsers at the same time make for LESS vulnerabilities than simply running one? Because unless there is some hidden voodoo going on I just don't see it. It seems to me it would simply be better to push to get IE6 users to use ANYTHING other than that old POS, than it would be to add more crap on top of IE and double your attack vector. Or am I missing something?

Re:So, which side

[Bert64]

I don't think they will...
Firefox. Opera and Safari are being actively developed and are all roughly in the same league with chrome when it comes to standards support and performance.. It is just IE that lags so far behind, and breaks support for things so badly that it puts a considerable burden on companies like google having to support it.

Aside from the fact that Safari even uses the same rendering engine as chrome.

Google don't really care what browser you use, they were pushing people to use firefox before chrome came out, they just don't want people using a browser as outdated and broken as ie because it makes their job so much harder and limits some of the things they'd want to do.

Re:So, which side

[Eirenarch]

If I was not a web dev I may have believed your words. However some things in our project stopped working when Chrome was updated to v2 (they used to work in v1). I've seen perfectly valid HTML that renders differently in Firefox, Chrome and Opera (should I even mention IE?). While we all agree that IE6 is pain we should not put the blame on Microsoft. After all if we had to support versions of Netscape from the time of IE6 they would be pain too and I am sure MS want to see IE6 gone more than anyone else. IE8 is as different from the other browsers as they are among themselves. I have as much trouble fixing IE8 quirks as I have fixing Opera, Firefox and Chrome/Safari quirks. And if Google were all about standards then what is Gears? I personally see this Chrome Frame + Gears thing as the next ActiveX.

Re:So, which side

[hairyfeet]

Actually they put a little tiny thing on about page 8 or so of the EULA with language like "In order to give you this awesome shareware title for absolutely free, you agree to install our partners software so they can give you fabulous offers. This software may transmit information in order to better serve you with offers that pertain to your surfing habits" etc. Believe me, as a PC repairman going on 15 years I have run into the "toolbar tango" more times than I can count and it always feels sleazy. Why Google and Yahoo would stoop that low is beyond me.

Now see, you are hitting the nail on the head as to what is confusing me. We all now IE6 equals total swiss cheese that can turn a box into a virus laden whore faster than you can say coolwebsearch, so how exactly is having Chrome Frame for the very limited number of websites that will call it actually helpful? I honestly don't see malware sites calling Chrome Frame, unless they have an exploit, and then like I said running two browsers would be a bad thing, and not of the good.

And I have worked on more than a few corporate desktops in my day, before I got burnt on the PHB Dilbert bullshit keeping me from doing my job and providing a secure workstation, and again this just don't compute to me. Those desktops are usually locked down tighter than a Nun's panties and you usually have to go through an act of congress to get squat installed on those suckers, which is of course why they are still running IE6 and not IE7 or 8 or hell, anything that doesn't blow chunks like IE6. So again this looks like such a minuscule amount of folks that this would supposedly help (Has IE6+can't upgrade or switch to a better browser+has permission to install plugins) that it just doesn't seem worth the development effort to me.

In my mind the only way this makes any sense at all is if Google is hoping to get the "clicks through anything to get the goodies" crowd that are too stupid/lazy to get rid of the POS that is IE6. And if that is the case they would be much better off simply cutting off support for IE6 completely from all Google services and offering a link to Chrome (or FF3 if they are on Win2K) than all the work to build this thing. Because as you said trying to put security on top of IE6 is like wearing a helmet while standing around in your boxers. More than a little bit pointless. And for those not allowed to install anything there is always Pocket Kmeleon, QTWeb (same engine as Safari/Chrome) or Portable Firefox. And that is just the first three I clicked on at random, there are over a dozen including a Portable Chrome. This idea just seems like a solution in search of a problem to me.

Does anyone care?

[amiga3D]

I'm thinking that IE users' primary concern is not security or they'd be using something else to begin with.

Re:Does anyone care?

[AmberBlackCat]

I'm thinking that IE users' primary concern is not security or they'd be using something else to begin with.

True, their primary concern is the browser working when they go to the website.

Re:Does anyone care?

[Shikaku]

It doesn't activate on EVERY website. RTFA. It requires a meta tag. Google released this so that IE users can use Google Wave because IE doesn't support HTML5. It can also be used on other websites. I think it's a great move by Google, to smack Microsoft in the face to actually step up to standards.

Re:Does anyone care?

You realise HTML 5 isn't a standard right? It's a wish list, and the last time people started implementing standards early we got layers rather than divs and had to live with that pain for years. MS had the same problem with XML/XSL/XSLT where they implemented a draft standard which then changed, and then they were slagged for implementing early. But then all web designers care about is getting fancy video it seems rather than learning from the mistakes already made.

Re:Does anyone care?

[mister_playboy]

Right now we are stuck with Flash... so HTML5, standard or not, would be much preferable.

Re:Does anyone care?

[TheRaven64]

You seem to have missed the fact that HTML5 is not following the same standards process as previous versions of HTML. It is being developed incrementally (parts of the spec are in flux, parts are fixed) and it requires two independent implementations to exist (like IETF standards) before any part is finalised.

Re:Google dodged the point

[jlp2097]

There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites)

BS! Chrome Frame is entirely opt-in i.e. the website has to include a meta-tag indicating that the site should be displayed in Chrome Frame instead of IE Trident. This is the point of Chrome Frame: allow all these corporations (mostly) to keep their IE6 and maybe IE7 while still having the possibilty to access all these new & shiny ajaxy webapps (like Wave).

Re:Google dodged the point

[daniel142005]

Do you have any idea why they released Chrome Frame in the first place? Its because Google got tired of Microsoft not meeting web standards. Google will be releasing Wave soon and the majority of the population would not be able to use it because IE does not support HTML5. Chrome Frame is just as secure as IE if not more, not to mention, if a bug or exploit is found with Chrome or Chrome Frame, it takes Google hours to days to push out a fix.

"There's just no reason to get this installed in corporate networks where IE6 is being used"

Do you have any clue what Chrome Frame even does? It does not force EVERY website to use itself. Only websites that request it or websites that you told to use it. And believe it or not, there are a lot of newer applications in the business environment that do not work with IE6 or even IE7/8.

"anyplace where IE8 is being used (surface of attack expanded in exchange for little benefit)"

I guess you are unaware of exactly how much IE8 does not include compared to Firefox/Safari/Chrome, and your obviously not a web developer. Most of the time websites have to have code dedicated for IE otherwise the website will not work right. Google is sick of Microsoft not following standards and them as well as everyone else having to waste their time to make patches so it will work in IE.

Re:Google dodged the point

[sopssa]

Welcome to 98. Not everyone runs Windows as admin, especially if its a shared computer (like in family). For that matter, its just aswell possible to run Linux as root to do your everyday things. This has been said countless of times already, but it's not the OS's fault; it's the users fault and how they're using their system. Linux is just as vulnerable to a stupid user than Windows is.

Emergency Security Update

[140Mandak262Jamuna]

Microsoft announced that even though XP, Win97, Win2K, IE5 etc have been end of lifed, and will not be supported anymore, it has issued a special security update that will freeze IE5, IE6, IE7 and IE8 if Google Chrome Frame plug in is detected. After the update IE will first send a browser agent string pretending to be Google Chrome Frame, and if the website responds to it, it will crash IE and the OS with a BSOD with the message, "See? I Told ya, Google Chrome Frame is bad. It crashes everything".

The new motto in Microsoft is "Windows 7 is not done, until Chrome Frame wont run".

Chrome Frame sucks for me

[dword]

I'm a Firefox / Chrome fan and I just installed the Google Chrome Frame to see how it behaves. I installed Windows XP SP2 less than 24 hours ago and since then I've only installed my drivers, Firefox and the Google Chrome Frame; I went to a couple of innocent websites with IE6 and they both crashed the browser.

PS: Web developer here - Yes, IE6 sucks but it is not THAT unstable.

Re:Chrome Frame sucks for me

[JasonBee]

I'm a Firefox / Chrome fan and I just installed the Google Chrome Frame to see how it behaves. I installed Windows XP SP2 less than 24 hours ago and since then I've only installed my drivers, Firefox and the Google Chrome Frame; I went to a couple of innocent websites with IE6 and they both crashed the browser.

PS: Web developer here - Yes, IE6 sucks but it is not THAT unstable.

Which web sites? I'd love to test your observation as I have multiple VMs with various IE versions installed on various WinXP flavours.

Please tell us.

Re:Chrome Frame sucks for me

[IamTheRealMike]

ChromeFrame isn't activated unless the website asks for it. So you were just testing the reliability of IE6, not Chrome.

Re:Chrome Frame sucks for me

[dword]

I guess IE6 is THAT unstable. Thanks :)

Re:fixing that analogy

[drinkypoo]

But comparing their plug-in with an 8 year old browser is disengenuous.

It would only be disingenuous if their plug-in didn't plug into that 8-year-old browser, which is still one of the dominant browsers today.

Re:Google dodged the point

[Runaway1956]

Coming to a community college near you: Reading Comprehension 101

The plugin sits idle UNTIL CALLED by a call ON THE SERVER. If the call isn't made by the intranet server, the plugin doesn't do anything, meaning IEx does what it would have done anyway.

Re:Google dodged the point

[SanityInAnarchy]

The point is that it's another exploitable object, thereby expanding the exposed surface of attack. That's Microsoft's entire point.

It didn't stop Microsoft from writing Silverlight -- or ActiveX, for that matter. Seems they're only concerned about "expanding the exposed surface of attack" when it's something they don't like.

There's just no reason to get this installed in corporate networks where IE6 is being used (breaks most intranet sites)

It's opt-in, by the site. The default IE6 engine will still be used for those intranet sites, unless the intranet sites explicitly ask for Chrome Frame -- and if that ever happens, there's a strong possibility that these intranet sites are ready for other browsers.

Downloading Chrome itself is fine, but this is nothing more than a veiled attempt at tricking users into using Chrome instead of legitimately gaining marketshare.

And bundling IE with the OS wasn't? How about exposing IE's HTML engine as a standard ActiveX component?

I'm not suggesting that either of these things could be reversed now, but understand that at the time this decision was made, Netscape was still being sold in stores, and I believe it did have a majority marketshare.

But you know what? At this point, I don't care if Google has to hire assassins to kill off Microsoft's IE team, as long as the end result is the same: We can finally start developing to web standards, and stop having to spend half our time figuring out how to work around IE's bugs. Hell, it means we can actually use exciting new features like HTML5, and stop using Flash unnecessarily, just because IE doesn't support <video>.

(Ok, yes, it would be very sad if people had to die over this, but you get the point.)

More Errors

[WED+Fan]

I tested this plug-in:

• On /. without plug-in, using IE8, I get no errors.
• On /. with FF, I get no errors.
• On /. with plug-in, using IE8, I get DEP errors.
• On other sites, with plug-in, using privacy mode, I get multiple IE crashes.
• On the same sites, disable the plug-in, in privacy mode, no errors.

I don't know about making it less secure, but it sure causes a bunch of "recovered" tabs and multiple errors.

Not Ready for Prime Time!

Strategic mistake

[blind+biker]

Microsoft has nothing to gain in this war of wards. They should have known it before they started it: now Google has more than just an excuse to publicize/raise the awareness of IEs security holes, educating the public on phishing, in the process. This will will definitely raise the interest of at least some IE users who would have not otherwise bothered themselves with Google's add-on.

I can see how MS got suckered into this, though: they just can't stand someone walking into their turf. Their predator instinct is just too strong, and makes them do stupid things.

Well played, Google.

Re:Strategic mistake

[at_slashdot]

The more Microsoft makes fuss about Chrome Frame the more people will find out about this options. A negative campaign when it comes from a negative company is positive.

Re:Strategic mistake

[mister_playboy]

Publicity has nothing to do with logic, smartypants.

Re:Strategic mistake

[westlake]

The more Microsoft makes fuss about Chrome Frame the more people will find out about this options.

The only "fuss" I'm hearing about Chrome Frame is on Slashdot. The geek needs to remember that to almost everyone else Google remains simply a search engine.
 

Sigh... shortsighted are we?

[SmallFurryCreature]

Google is at war and its goal is the liberate the browsers and allow them to be everything they can be.

Evil Microsoft has poor IE as a hostage and is doing terrible things with it. It could be so much but forced into ghetto conditions it is backwards and idiotic.

Direct war with the evil Microsoft is hard but Google is dropping supplies behind enemy lines to help as much as possible. Luxuries other browsers can take for granted are dropped in the form of javascript libraries so that IE can still at least somewhat come along no matter how slow.

Now with this new weapon of peace the evil Microsoft can be twarthed like never before, every IE that dares can now be free and standup like a real browser with all the features those in the free world have come to taken for granted.

There is not going to be one single succesful strategy to liberate the browser, but liberated it will be. Google needs freedom more then any true american company needs air to breath. The communist Microsoft (All for one OS and one OS for all) shall be vanquished. It will not happen overnight, but it will happen.

For the humor impaired: Google needs fast capable browsers because that is where it does its business. If MS can't produce a capable browser then it got 3 options: advertise other browser (firefox), produce its own to push the cutting edge (Chrome forced firefox to become quicker) and to augment the least capable browsers to support current standards. It will have to push hard from different directions to achieve this but success has already been made. MS has had to work very hard with IE and you can see from their response about this plugin in that they are very scared indeed about the browser becoming more capable.

This battle is NOT about getting people to install Chrome or Firefox, it is about having them surf the web with a capable browser so Google can push new features and not have to constintly cripple their application for an obsolete piece of software.

Re:Oh please no...

[TheRaven64]

Web sites should be designed using web standards, and not require specific browsers for use.

That's rather the point. IE6 is not standards-compliant, while the Chrome frame is. If you deploy a standards-compliant web site, it won't work in IE6, but it will work in IE6 with the Chrome Frame Plugin. It provides a way of 'supporting' IE6 without actually having to write a broken web site. Just set the meta tag so that when an IE 6 user comes along they use the plugin and let everyone else use their browser.

There was a similar thing done a few years ago (2002?), where someone made an ActiveX control containing the Gecko engine. It wasn't used much back then because downloading 3MB of plugin for a site was too much effort for most people. Google, however, has a lot more ability to push things like this to end users.

Re:If they want HTML5/Google Apps, they can instal

[TheRaven64]

You mean what if Microsoft released a plugin and required it to be installed for some of their sites to work properly? I don't know, I can't think what would happen in that case; probably people would just install the plugin and let it take over running the web app.

Re:Google dodged the point

[SanityInAnarchy]

What chrome frame has also demonstrated beyond a doubt is that microsoft could have shipped a solution that preserved IE6 compatibility and upgraded web standards at the same time. They didn't because they didn't want to.

I'm not entirely sure about that. Microsoft did try roughly this strategy -- there was a plan to make IE7 (I think?) default to IE6 rendering, unless you sent some header to tell IE to render in "standards-compliant mode".

This is effectively the same thing -- it turns IE6 into a browser that's still IE6 until you do whatever you have to do to enable Chrome Frame, which is roughly like "standards-compliant mode".

The difference is, this isn't meant to be any kind of solution. IETab in Firefox is a solution. Adding an "IE6 Frame" to IE8 would be a solution, but I don't think IE8's "compatibility mode" is quite compatible, or people wouldn't still be using IE6 in these corporate environments.

So, this is more a hack to force the issue than a real solution.

I think the difference is that Microsoft was trying to sell this hack as the next version of IE, while Google isn't trying to sell this as anything other than cleaning up after Microsoft's mistakes.

I don't entirely disagree, though:

Microsoft is going to keep delaying the web's advance as long as possible.

Ever wonder why IE doesn't support the video tag? Or canvas?

Hopefully I'm wrong, and IE will eventually catch up -- at which point, of course, everyone else will have moved on to things like WebGL -- but it seems to me that improving the web in this way would slowly but surely make Silverlight (and Flash) obsolete.