bgc
2 hours ago
This is not a Google-wide thing… this is from Google’s Context-Aware Access product, which is configurable in Google Workspace environments. OP should direct their ire at their corporate IT or infosec team.
dijit
2 hours ago
It shouldn’t be an option.
Some IT departments just see a “more secure” checkbox and will always check it, even if it doesn’t make sense holistically; sometimes compliance incentivises (or forces) this behaviour.
A common example is forcing Intune/device enrolment for mobile devices (including iPads), but not for the infinitely less secure laptops, because no such endpoint enforcement checkbox exists.
ktm5j
an hour ago
It's their organization. They are allowed to make decisions about what software their employees use. I'm a die-hard Mozilla fan, but I don't find this unreasonable.
cmeacham98
an hour ago
The problem is Google appears to label this as a security feature. I'm fine with the feature existing, but it should say something like "require Chrome" or "block Firefox", not "require a secure browser (wink wink, we actually mean Chrome)".
insanitybit
an hour ago
The wording here is bad, but basically CAA supports non-browser-specific policy and, in some cases, browser-specific policy (GSuite offers a "Managed Chrome" policy). Firefox users can leverage much of the non-browser-specific policy; they obviously cannot be a part of the "Managed Chrome" offering.
saghm
a minute ago
There's no contradiction here; it's totally possible for a company to make a feature configurable so that it doesn't block their competitors but also intentionally design and market it in a way that's misleading in ways that will lead to their competitors getting blocked. When we're talking about a company as large as Google and a product with as much market share as Chrome, I don't think it's that crazy to think that things like this add up to encouraging even more hegemony, and when that happens to align perfectly with the incentives of the company making said product decisions, I also don't think it's crazy to think it's unlikely to be a coincidence.
jchw
38 minutes ago
Note that making lock-in features like this effectively proprietary to the Chrome browser is only possible because of the fact that it's the same company making Google Workspace and Google Chrome.
I absolutely see many problems with this and you really ought to as well.
dijit
an hour ago
Google and Microsoft shouldn’t be giving levers that bake you more into their ecosystem regardless.
Your corporate serfdom is not in question, but I disagree with that notion too.
ktm5j
31 minutes ago
It's a paid product; they are actually allowed to do this. Google is obviously going to focus on security testing with their own browser. It's understandable that organizations want to require Chrome for their employees to access their workspace in the interest of security, but it's not the default.
There is zero problem here guys.
lern_too_spel
43 minutes ago
If a corporation with my data allowed access to its internal tools using any browser running any arbitrary and possibly compromised third party extensions, that's a data leak and class action lawsuit waiting to happen.
wslh
an hour ago
I would say it's common to find dark patterns that involve ambiguity like the one we are discussing here. We can't know for sure, but Google can increase the probability of users being in their ecosystem.
Doohickey-d
28 minutes ago
Well, it could also be argued that Chrome _is_ more secure, for example because it uses app-bound encryption via the Windows DPAPI system for cookies, so that it at least tries to protect cookies from malicious applications running on the device. Firefox does not do this: https://security.stackexchange.com/questions/279629/are-cook...
Of course the reverse can also be argued, for example that Firefox supports proper adblocking.
farbklang
42 minutes ago
Well, it does make sense. If an organisation that contracts me has to choose between a) BYOD, but restricting downloads etc. and enforcing export control directly in the browser, which I happily take, vs. b) getting a Windows laptop that is locked down and being forced to work with that.
insanitybit
an hour ago
CAA is one of the most powerful security features you can enable in an org. You can manage browser extensions, device password policy, encryption, configuration, cookie attestation, etc.
tux3
30 minutes ago
CAA is completely based on trust; it's not one of the most powerful security features. It's completely voluntary reporting by the browser, and any attacker who cares can just lie without issues.
You can make Firefox pass CAA if you want. You take the Chrome "SecureConnect Reporting" (Context-Aware Access) plugin, port it to Firefox with some light changes, and you can report whatever you want to CAA.
insanitybit
21 minutes ago
That's not entirely true. For example, on ChromeOS CAA is hardware backed. But obviously CAA is not intended to be our entire MDM solution, an attacker in a position to spoof your entire browser can bypass some of the policies on some operating systems. Similarly, attackers in that same position can bypass TLS. An attacker who owns the kernel can bypass much of your MDM. An attacker who owns the hardware can bypass just about anything.
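As an added illustration of the distinction tux3 and insanitybit draw above between self-reported posture and a report bound to an enrolled key (this is not code from the thread, from Google, or from any CAA client), here is a small Python sketch of an access gateway running two checks side by side: one that believes whatever the client says about itself, and one that accepts a report only if it verifies under a key provisioned at enrollment. The enrollment table, the per-device key, the claim names and the report format are all constructed assumptions; an HMAC secret stands in for a hardware-held attestation key so the example runs with the standard library alone.

```python
"""Added example: self-reported device posture vs. key-bound posture.

Everything here is constructed for illustration; it is not Google's CAA
protocol. An HMAC secret stands in for a device-bound attestation key.
"""
import hashlib
import hmac
import json

# Policy the gateway enforces: every listed claim must match.
REQUIRED_POSTURE = {"os_encrypted": True, "screen_lock": True, "browser_managed": True}

# Constructed enrollment table: device_id -> key provisioned out of band.
# In a real deployment this would be the public half of a device-bound keypair.
ENROLLED_DEVICE_KEYS = {
    "device-0001": b"constructed-enrollment-secret-0001",
}

HONEST_CLAIMS = {"os_encrypted": True, "screen_lock": True, "browser_managed": True}


def canonical(claims: dict) -> bytes:
    """Serialize claims deterministically so client and gateway MAC the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_report(device_id: str, claims: dict, device_key: bytes) -> dict:
    """Build a report the way an enrolled client would: claims plus a MAC over them."""
    payload = canonical({"device_id": device_id, **claims})
    mac = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    return {"device_id": device_id, "claims": claims, "mac": mac}


def posture_ok(claims: dict) -> bool:
    """Compare reported claims against the required posture."""
    return all(claims.get(k) == v for k, v in REQUIRED_POSTURE.items())


def evaluate_self_reported(report: dict) -> bool:
    """Trust-based check: the client's own description of itself is believed as-is."""
    return posture_ok(report["claims"])


def evaluate_attested(report: dict) -> bool:
    """Key-bound check: claims count only if the MAC verifies under the enrolled key."""
    key = ENROLLED_DEVICE_KEYS.get(report["device_id"])
    if key is None:
        return False  # unknown device: nothing to verify against
    payload = canonical({"device_id": report["device_id"], **report["claims"]})
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["mac"]):
        return False  # claims altered, or produced without the enrolled key
    return posture_ok(report["claims"])


def make_sample_reports() -> dict:
    """Constructed inputs: a genuine report, a report fabricated by a client that
    holds no enrolled key, and a genuine report whose claims were edited after signing."""
    key = ENROLLED_DEVICE_KEYS["device-0001"]
    genuine = sign_report("device-0001", dict(HONEST_CLAIMS), key)
    fabricated = {"device_id": "device-0001", "claims": dict(HONEST_CLAIMS), "mac": "00" * 32}
    tampered = sign_report("device-0001", {**HONEST_CLAIMS, "screen_lock": False}, key)
    tampered["claims"]["screen_lock"] = True  # edited after signing; MAC no longer matches
    return {"genuine": genuine, "fabricated": fabricated, "tampered": tampered}


def run_demo() -> dict:
    """Return (self_reported_result, attested_result) for each sample report."""
    return {
        name: (evaluate_self_reported(r), evaluate_attested(r))
        for name, r in make_sample_reports().items()
    }


if __name__ == "__main__":
    for name, (self_reported, attested) in run_demo().items():
        print(f"{name:11s} self-reported={self_reported!s:5s} attested={attested}")
```

The self-reported path passes all three reports, because it has no way to tell a truthful client from one that simply asserts a compliant posture; the key-bound path rejects the fabricated and tampered reports. The caveat that matters for the ChromeOS point above: key binding only raises the bar when the signing key is held by a component user-level software on the device cannot drive at will (a TPM or secure element). A key held by an ordinary extension or helper process can sign any claims that process is fed, which reduces the check back to self-report.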
tux3
6 minutes ago
I haven't dug into the native helper to see how much it checks, I can believe that ChromeOS does full remote attestation. If it's anything like Android Play Integrity, there's not a lot of flexibility without hardware exploits.
But who outside of Google is running exclusively ChromeOS? My impression from looking at the JS part is that it's mostly obfuscation, with the possible exception of ChromeOS.
I feel like the secure connect client being closed source would have been an effective deterrent 5 years ago, but these days everyone's throwing LLMs at everything. So an attack that would have taken effort doesn't present nearly as much of a barrier anymore. At least as long as there remain some platforms that don't enforce full attestation...
tadfisher
9 minutes ago
Understand that, in this conversation, your use of "attacker" is referring to "end user of the hardware". Which might be part of the Chrome team's definition, or might not, but gosh it would be nice to cater to the folks who are using the dang computer.
insanitybit
2 minutes ago
We're talking about a device managed by a corporation. I have no idea what your point is.
SoftTalker
2 hours ago
Using a maintained and up-to-date browser is a reasonable requirement for an IT department (should be for anyone really). Would you suggest they should be allowing IE6 just because a user might prefer it?
Of course Google is going to suggest using Chrome, if they detect that the browser might be out of date.
dijit
2 hours ago
Is the implication that Firefox is not maintained or?
The issue presented doesn’t seem to be “an up to date browser check” it seems to be a “is it latest chrome” check, which is a very different thing.
SoftTalker
2 hours ago
We don't know. The author doesn't mention how current the Firefox browser is/was.
If the organization is indeed enabling a specific check for Chrome that seems a little over the top but they're the ones supporting their users and if they want to make their life easier by only dealing with one browser that's their decision to make. It's like saying that everyone has to use Windows, or a specific line of laptops, or any other standardization to simplify the support workload.
rpdillon
an hour ago
> This was for a Google Workspace Business Plus account and workspace, from an up to date browser and OS.
kolinko
an hour ago
Not a little over the top, it is anticompetitive behavior.
SpicyLemonZest
2 hours ago
It's not clear to me that Context-Aware Access is as configurable as you're implying. At a glance, the docs seem to suggest that Chrome is the only browser you can force standardization on, which IMO does push this towards being Google's fault.
insanitybit
2 minutes ago
That's correct, there is no way to say "only allow Firefox" in CAA because the attestations are either browser-agnostic or Chrome-specific (as part of the managed Chrome offering that GSuite supports).
michaelmrose
an hour ago
It's not a little over the top, it's an antitrust issue and clearly and obviously wrong.
ibejoeb
43 minutes ago
No, not at all. The implication is that the organization is dictating the software that employees are to use. There's nothing unusual about this.
jstummbillig
an hour ago
If we are meant to believe that this is a Chrome-invasion-move, it's the least effective lever of all times. Most of the time the more plausible explanations are just the likely ones.
dijit
an hour ago
You’d probably say something different if it were Microsoft.
I don’t see why I should give affordances of good will to Google here.
They’re not stupid; they know that this is an effective lever to further cement full-fat Chrome as the default browser for the internet.
SoftTalker
an hour ago
Chrome was created because Google felt that the IE monopoly was hindering the advancement of web standards and improved browser capabilities. I suppose you could argue that was a different Google at a different time, but at one point they did feel that browser diversity was a good thing.
sandeepkd
18 minutes ago
It's a normal choice, given a checkbox on a page which advertises that checking it would make your security posture safer. The IT person is safeguarding their own job.
The other way to look at it is that the company is paying for everything, and they get to make decisions based on what suits their security needs.