Google workspace threatening to block Firefox access(tales.fromprod.com) |
Google workspace threatening to block Firefox access(tales.fromprod.com) |
Some IT departments just see a “more secure” checkbox and will always check it, even if it doesn’t make sense holistically- sometimes compliance incentivises (or forces) this behaviour.
A common example is forcing intune/device enrolment for mobile devices (including ipads)- but not for the infinitely less secure laptops: because no such endpoint enforcement checkbox exists
Those are real, practical reasons. Not just "if I do this I get to check another box".
Yes. I know. It's a pain that when you cannot do what you want to do. But it's not your laptop. It's the company's. Supporting more browsers to the same standard that I just described would take engineering resources, of which I do not have an infinite supply. And the priority goes to keeping the company secure.
If course the reverse can also be argued, for example that Firefox supports proper adblocking.
Of course Google is going to suggest using Chrome, if they detect that the browser might be out of date.
What? Are you serious? An organization has EVERY right to enforce whatever controls they deem appropriate for their environment. Period.
Other way to look at it is, the company is paying for everything, and they get to make decisions based on what suits their security needs.
https://knowledge.workspace.google.com/admin/security/create...
The Org admin can put all sorts of restrictions on who can do what based on the client device setup.
1. Make it ridiculously easy to install hardware vendor keys and register it with OS of choice. (like a standardized dialog box in UEFI and a standardized/regulated IPMI-like interface)
2. Allow for only measured boot on those devices.
3. Provided facility to verify signatures.
Do this on consumer and enterprise laptops and desktops alike and all of these weird set of conditions just go out of play and replaced by something much much simpler.
can you put a restriction to ban Chrome and force Firefox then?
Want to check for DBSC? Enjoy not knowing whether the browser vendor decided to just roll a simple software implementation.
Nothing good comes from browser detection over feature detection anyways. It's time to do away with user-agents and other overt identifying markers, and if we're still not in a better place, aggressively start stubbing features.
* to some degree they still are. Firefox still ships with an user-agent override list for certain websites that have outdated user-agent sniffing for feature detection (and other fixes in about:compat).
At the end of the day user-preference is what dictates which browser is used and how it is configured. Developers will have to deal with what users choose to do on their end.
You can only patronize people for so long before they look for a way around silly restrictions. Trying to keep someone safe by putting up walls, whether the threat is real or imaginary, is pointless when it is in the user's power to trivially defeat those walls - and when extension and browser developers are going to line up to sell them demolition tools (see ad blocking).
Advice is going to go much further than roadblocks, long term.
As we all know we can even pay 10x more for items and get next to no raise in our wages, but because it was done slowly in an "official" and "professional" manner, most folks didn't even complain, they just screamed into the giant pillow we call "the internet".
Corporations of the 2020s love the internet's digital pillow and its magical crowd-quieting capabilities. If only the ancient roman empire had invented the internet they would be ruling the entire planet by now and we could watch gladiators on youtube :P provided we don't stand out too much (then we would be said gladiators)
edit: This title is just incredibly misleading. OP seems to have made a mistake here in thinking that this is something that Google has done when it's just that their corporate IT/ Sec team now enforces using Chrome.
Do your homework before yelling "Fire!".
It will only accelerate moves towards location of data, self-hosting, etc. The technologies to make this possible are much easier than they ever have been.
And good fucking luck getting the FTC to follow monopoly law.
Monopolies aren't a prerequisite for antitrust action, they're the failure state when you should have acted sooner.
You can make Firefox pass CAA if you want. You take the Chrome "SecureConnect Reporting" (Context-Aware Access) plugin, port it to Firefox with some light changes, and you can report whatever you want to CAA.
But who outside of Google is running exclusively ChromeOS? My impression from looking at the JS part is that it's mostly obfuscation, with the possible exception of ChromeOS.
I feel like the secure connect client being closed source would have been an effective deterrent 5 years ago, but these days everyone's throwing LLMs at everything. So an attack that would have taken effort doesn't present nearly as much of a barrier anymore. At least as long as there remain some platforms that don't enforce full attestation...
They've kneecapped ad-blockers, when ad networks are perhaps one of the biggest causes of malware installs/page hijacking/other unwanted behaviour. I'm not sure how you can consider Chrome remotely secure in this light.
I find this incredibly amusing, and at a different point in my life I'd already be gone.
When you outsource IT, there are many, many misaligned incentives.
But really, we have a couple of million enterprise end-users, some of which surely using Edge. If we as much as move a button without telling them about it three months in advance, it's the end of the world. In 10 years time, no customer has raised it.
Sure, which is why you should lock down the laptop. Blocking Firefox in Google Workspace seems like entirely the wrong layer for this.
Being forced to use various tools for compliance is frustrating, doubly so if it helps create a stronger monopoly position, because a monopoly position creates stagnation, which makes worse products.
But those worse products are forced on users, even when better ones start to come about.
This is the crux of my issue, Microsoft is the king of this behaviour, and they are using this a lot which is squeezing the metaphorical testicles of almost all companies in Europe.
The issue presented doesn’t seem to be “an up to date browser check” it seems to be a “is it latest chrome” check, which is a very different thing.
If the organization is indeed enabling a specific check for Chrome that seems a little over the top but they're the ones supporting their users and if they want to make their life easier by only dealing with one browser that's their decision to make. It's like saying that everyone has to use Windows, or a specific line of laptops, or any other standardization to simplify the support workload.
I don’t see why I should give affordances of good will to Google here.
They’re not stupid, they know that this is an effective lever to further cement full-fat chrome as the default browser for the internet.
Why did you even compare it to IE6, out of the curiosity?
I just don't think that matters much. CAA is policy enforcement, it is not a full MDM solution, nor is it antimalware.
I think Chromebooks are pretty common in school settings
When Microsoft did this with Windows, AD, and Internet Explore, it was deemed a breach of anti-trust laws. The question is whether such laws apply to Google given they don’t have a monopoly in the identity services domain.
If you’d asked me 5 years ago, I’d have said “no way”, but recent judgements with Apple and their App Store lead me to think there is still hope. Regardless of how remote that might be.
I absolutely see many problems with this and you really ought to as well.
Two different companies can partner together and release features in both of the company's interests.
Your corporate serfdom is not in question, but I disagree with that notion too.
There is zero problem here guys.
Can you elaborate on why you think that Firefox is inherently insecure in some way for accessing Google workspaces?
> It's a paid product, they are actually allowed to do this.
If that were the only metric, then no monopoly would ever be broken up for any reason (which I guess is the way regulation seems to work nowadays, but at least in theory it's supposed to be possible for it to happen sometimes). The idea that using market pressure from one product a company sells to squeeze out competition in another is totally fine as long as the first product is paid is not a premise I agree with.
The browser is where basically all your work happens, especially as a Workspace customer—think about how much of your work is done in the browser. That makes it a huge, attractive attack surface. And attackers don't even need a browser vulnerability; they can just convince an employee to install a malicious browser extension, and suddenly they can steal passwords, watch everything you do, and hijack your sessions on other sites.
So security teams need visibility into what's happening in the browser. Google does a decent—not great—job of providing this through Managed Chrome: centralized logs, control over which extensions can be installed, even alerts when someone reuses their Workspace password elsewhere.
Firefox, Safari, and most others don't offer these business controls, which means a security team allowing them is flying blind. And a blind security team is gonna have a bad time… mmmkay.
On support: someone mentioned using Firefox to verify their app works across browsers—god's work, truly. But not every vendor does that, so IT ends up fielding "this site just isn't working" tickets that turn out to be browser compatibility issues. Fewer supported browsers means a smaller surface to support and a better experience all around.
This can't be enforced where you're not using your corporate identity. A Dropbox account on your personal email is still accessible from any browser.
Allowing users running who knows what version of Firefox (or any "non-validated"/unmanaged browser, not necessarily just Firefox) browser running who knows what extensions can be pretty unsafe. There are lots of malicious extensions out there that are stupid simple to install.
In the Workspace world, Chrome can be configured and enforced to have certain kinds of settings applied. Only allowing certain extensions. Ensure certain version ranges. That sort of thing.
If you don't want your user to run whatever version with whatever extension you can do that.
Of course, so far the only workable model for web browsers is having a giant megacorp fund their development and maintenance. Which is a huge issue, and we will do basically nothing about it.
(Don't get me wrong. I have high hopes for Ladybird and even Servo, but they may come too late if effectively-proprietary features force most users to stick to Chrome anyways.)
But if either side is close to a monopoly, both cannot be part of the same company, even if that means breaking an existing company up.