Mix and match Web browsers are a bad idea
While it's certainly amusing that Google's Chrome add-on to Internet Explorer can increase its speed by more than ten-times, it's lousy security.
We all know that Internet Explorer, especially the older versions like IE 6, is slow and insecure. You may also have heard that Google released a plug-in, Google Chrome Frame, that essentially lobotomizes IE and replaces its functionality with its much faster Chrome Web browser.
It's a cute trick, and it really does show off just how much faster IE with Chrome Frame is than plain-Jane IE. I've done it myself on my Windows XP and 7 boxes and the results are stunning. I expect it to be faster, but what I got was 'knock your socks off' faster. I saw complicated pages that were fat with JavaScript and took up to 10-seconds to load with IE, explode onto the screen in less than a second.
Microsoft has thrown a fit about this. Amy Bazdukas, Microsoft's general manager for IE, said, "It's not necessarily that plug-ins aren't or can't be secure, but that running a browser within a browser doubles the potential attack surface in a way that we don't see is particularly helpful."
They're not the only ones objecting to Chrome Frame though. Mitchell Baker, the chairman of the Mozilla Foundation, the makers of IE's greatest rival Firefox, also objected strongly to Google Chrome Frame. She wrote, "Once your browser has fragmented into multiple rendering engines, it's very hard to manage information across Web sites. Some information will be manageable from the browser you use and some information from Chrome Frame. This defeats one of the most important ways in which a browser can help people manage their [Web] experience."
Google disagrees. Google claims that Google Chrome's security features to Internet Explorer users," said a Google spokesman today. "It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology [in IE6 and on Windows XP]."
Generally speaking, I like Google and I dislike Microsoft. But, in this go-around, I'm on Microsoft's side.
Yes, Chrome is more secure than Internet Explorer 6, but then, what isn't more secure than IE 6? A better question is: "Is Chrome more secure than the currently shipping Internet Explorer 8?" The answer to that question is 'probably.' But, the best question, the real question that Google is asking is: "Is Internet Explorer 7 or 8 safer with or without Chrome Frame?" The answer to this one's easy.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
CF is a Bold move by Google!
It nice to be able to disagree with you for once :)Lets just savour the moment - Google are going to OWN IE6!
LBH it doesn't get much better than this :)
This is a game changing play by the Google guys as it brings the war to MS's last IE holdout, the IE6 corporate lock-in.
I could not give the Wave team more praise for this move.
Once this plug-in is perfected it will *force* MS's hand.
I love this tactic - work around the problem with a technical fix, its so Google!
The security question is a non-starter.
After all IE6 users _By Definition_ are not security conscious, D'oh! Also better trust Google than MS on security, another D'oh! moment.
Flimsy
I'm surprised you're backing MS on this one, Steven.The "double the attack surface" argument is idiotic at best. It applies only if both Chrome and IE are equally (in)secure in ways that don't overlap each other. Since you've already conceded that Chrome is *more* secure than IE6, probably IE7 and maybe IE8 then adding Chrome can't double the attack surface any more than adding a brick patio to a creaky old wooden house doubles the structural weakness of the house.
The rest of your objections are speculative at best. Maybe, possibly, the IE-to-Chrome interface is vulnerable to something. Maybe, possibly, but isn't that also the same interface IE uses to call any plug-in? So it's an attack vector that's already available with or without Frame.
Speaking of speculation: "the combination of Frame and IE must be more unstable than IE alone." Really? Why, because a Mozilla exec said so? Did Baker examine the code and analyze how the plug-in works, do you think, or is he perhaps reacting to the idea that someone might do the same for Firefox? Seems to me that all Frame is doing is substituting one rendering engine for another, and doing it as a separate thread (Chrome style). It would be hard to get more unstable than IE already is, and the solution to any problem is simply not to use Frame for that page. Why don't we see what real users experience before deciding there's a problem here?
Your Experience?
What is your experience with networking and internet security?Lets start with Google is using open source code as a basis for Chrome, now the code in freely available. So that means anyone with enough knowledge in C++ can read the code and find the weakness. Since the frame operates in IE the hacker now has another path inside of IE and your computer. Double the attack surface with a way to get the key to the back door.