It’s kicking-off! Microsoft is recommending that users avoid Google Chrome Frame because it’s a “security risk.” A company spokesperson issued the following statement:
With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers.
Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.
Google quickly retaliated:
Accessing sites using Google Chrome Frame brings Google Chrome’s security features to Internet Explorer users.
It provides strong phishing and malware protection, absent in IE6, robust sandboxing technology, and defenses from emerging online threats that are available in days rather than months.
Is there any substance to Microsoft’s claims?
Quoting security possibly isn’t the best angle they could have taken; Microsoft lives in a big glass house and shouldn’t throw boulders. IE may now be more secure than any other browser but that’s not always been the case. Google has experienced a few security issues with Chrome but they have been dealt with quickly.
Also, how many virus and malware developers are specifically targeting Chrome? I suspect it’s a small number compared to those attacking IE — it has a far larger market share. When you’re fishing (or phishing), it’s logical to go for the big sharks rather than the small minnows.
Even if the Chrome browser was compromised, there’s no guarantee that Chrome Frame would be affected. As I recently reported, the plugin runs within Microsoft’s own sandboxed BHO environment. Are Microsoft saying that Chrome Frame could neutralize IE’s internal security? If so, it’s a good reason to block IE plugins or stop using IE altogether.
Finally, it’s interesting that Microsoft only mention IE8. Chrome Frame probably wouldn’t exist if everyone upgraded to that browser, but many users are stuck with IE6 and IE7. Microsoft could have solved the problem if they had implemented an IE6 compatibility mode in the newer browsers, but that never happened and they’ve left Google to provide a solution.
Of course, Microsoft had to say something and they are unlikely to be complimentary about a Google product. Quoting security concerns is a cheap tactic; adding any plugin undoubtedly imposes a security risk. However, Microsoft should have removed their BHO system if those risks were anything other than negligible.
Come on Microsoft — stop wasting time berating Google and inadvertently giving more free publicity to Chrome Frame. Provide your own innovative solutions to encourage IE upgrades rather than letting competitors do it for you!
Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.