It's not about difficult vs. hard. It is about cost. Offering end users a choice of browser just because is a waste of time and money. Unless there's a business case for it, wasting time and money just because is not a real intelligent thing to do.
Who is going to pay for the complexity, and is there a business case for spending the money to support it is the question.
... so yes, i've seen it before...
Nah, we just blocked IE9 from the couple of PCs that need it. Pretty much everything is on Win7 x64/IE9 at the moment, testing IE11/Win8.1 at the moment as the PHBs are wanting to "run office on my tablet" (Excel mostly, and Numbers won't do it). Looked into doing it with View + iPad, but it obviously won't work without connectivity. So currently evaluating Windows tablets. Possibly something like a Lenovo Helix which can replace their laptop as well.
Interesting times, I really do wish for the day when everything is written in standards-compliant HTML and we can just make the end device irrelevant, but we've got far too much legacy bullshit that "works" and thus won't get funding to change.
red/green colorblind? :D
If you think security zones are only about activex controls, you are mistaken.
Sounds like you need to change the users.
Oh neat. Another "fuck you, enterprise customers" from google then.
I'm not just talking about apps within my walls. Exhibit A: we are a mining contractor, and we need to fly staff to and from remote sites. A number of our clients use a mine-site management system that does accommodation bookings, flight bookings, etc. To get on/off site we need to use it. It runs in IE only.
We don't use it, we don't get on site. We don't get on site, we don't earn any money.
It's not our app. We have no control over it and no ability to make decisions regarding it.
Don't get me wrong, I'm all for web standards and ripping out broken crap, but you don't always have a choice, and you play the hand you're dealt.
Haha I forgot about that. Yes, Firefox has a number of areas where they have decided against using the OS-provided method of doing things, and invented their own way of doing it. From network proxy settings, to certificate store, etc. At least both Safari and Chrome appear to try and make use of the existing configuration within the host OS.
This is pretty much the underlying case, yes. However I would add to this: additional complexity in your environment is bad, and should be avoided if possible.
Whether you decide to standardize on Linux + Firefox or Windows + IE or whatever your platform is - keep the absolute minimum of items required to do the job you need it to do.
Every additional item you add to your platform is another round of testing, another set of patch maintenance, another threat surface to secure, etc. Even if the program is FREE, supporting it will cost you time and therefore money.
In my case, for example (and I suspect we are not unusual as far as enterprise customers go) we have to deal with several applications (both inside and outside of the company) which are supported in IE, and actually break in Chrome or Firefox. We have zero business applications which we can not make work in IE, so for us it is a no brainer.
Good for you. However, I would wager that your case is pretty atypical vs. the rest of the business world. Any reason you didn't go for chrome-frame instead?
Zero days aren't exclusive to IE.
So now I am relying on a login script to be run to push any changes, which may or may not happen if the user does the typical thing of powering up their laptop, logging in, realizing they forgot to plug the lan cable in and then plugging into the network.
And it is still 2x the work, because IE needs to be configured/secured irrespective of whether it is the default browser because it is installed on every box.
And now I need to test all of our apps against 2 browsers, and every support call related to browsers must establish whether the user is running IE or Browser X.
I'm not saying any of this is impossible or even exceptionally difficult. I'm saying it is needless additional complexity and a waste of time and money. EVEN IF THE BROWSER IS FREE, the cost to the company of supporting it is not.
Security zones allow you to lock the browser down tighter for all sites that are not trusted. Chrome and Firefox do not have anywhere near the flexibility in terms of per-zone or per-site configuration that IE does.
And like it or not, businesses are built on, and depend on shitty web apps. Both shitty web apps that are written in house, shitty web apps that are used in house, and shitty web apps that are required to interact with third parties that you have zero control over and were not selected based on any metric the IT department cares about.
Deal with it.
Chrome less so, at least they provide ADM templates. But you still need to deal with automatic updates breaking your certification process (again, IE = easy via WSUS) and the fact that IE is already there. If there is a BUSINESS NEED for Google apps, then maybe the sensible thing to do is to run IE 10 for those users who need it. If there is no business need for an app that WILL NOT RUN in IEx then there's very little sense in deploying an additional browser.
And no, you can't just secure IE by pointing it at a dummy proxy - because the components in it are used throughout Windows and Office for rendering HTML and other stuff. So you need to secure it properly. Adding another browser on top is just adding complexity and additional workload. Unless there is a valid business case for it (I'm yet to see one in the real world) then it is a waste of time (and thus, the company's money) going there.
WPAD over DNS is a lot more INSECURE than via DHCP, if you have machines that roam from your network.
Add ons? Why would I want to: roll add-ons to thousands of machines, deal with the breakage when the browser is upgraded, add another fucking configuration tool other than group policy and deal with the associated replication issues between my 60 site multinational network?
Never mind re-testing every application in the enterprise for compatibility with the additional browser, and dealing with 2 configuration items instead of one?
When I can just not deploy another browser, secure the one I have and configure it via policy along with everything else?
It's a non-starter mate. I hate windows as much as anyone, but there are things you can reasonably do, and things that are just a fucking waste of time.
Securing IE, which is on every box by default, so needs to be secured anyway, is not rocket science. Like it or not, many line of business applications are only tested or supported in IE. Does it suck? Sure. But it is the reality we face.
If by recently you mean in say, 2004 then you would be correct.
Given that IE10 and up are Windows 7 onwards only, I suspect a large proportion of the XP diehards will "GTFO".
Sometimes it isn't YOUR company's app you need to use. In the real world, businesses deal with OTHER BUSINESSES.
Well in business land, no other browser is actually supportable. Want reliable proxy autodetect? Most other browsers break on DHCP based WPAD. Want to deploy links, manage security zones, etc via group policy? Good luck. IE runs in the business world because it is actually administer-able via group policy. Mozilla is not.
Not quite that bad here, I've gotten rid of almost all of our XP, but we have apps that work in IE9, but not IE10. One app won't work in IE9 yet, and unfortunately it's not our app - we're a contractor and the customer's flight booking app is IE8 or previous only.
Nah, of course it's not a panacea, but it does provide reliable "whitelisting". If you were to combine it with application sandboxing, then at least any vulnerability in the app is contained within the sandbox, and you know the code hasn't changed since it was signed.
Some of the more advanced malware inspection engines now (e.g., FireEye) do full VM execution of incoming content and post-mortem analysis before giving a pass or fail.
Well that's a flaw then. If I modify anything in a Mac OS X application bundle I need to re-sign it.
It's even worse than that, Adobe are sticking all sorts of "Active" content in them now which is no doubt ripe for exploitation.