Ch
October 12, 2008
After lots of speculation, Google has been working on a browser (for a number of years). All very cool and slickly done, from the comic-book user-guide to the "look" of the browser to the long piece in Wired all coinciding with the release.
Usually, I like competition, especially in the technology marketplace – the more people offering products/technology, (generally) the better those things have to be to survive and gain users – modern day Darwinism. However, in this case I’m quite opposed to another browser out there for various reasons.
I didn’t know this proverb until Jeremiah shared it, but it makes sense…
"There is a proverb that illustrates the way to quickly determine whether or not someone is sane. The individual is shown a river flowing into a pond. He is given a bucket and asked to drain the pond. If he walks to the stream to dam the inflow into the pond he will be considered sane. If, instead, he decides to empty the pond with his bucket without first stopping the in-flow then he would be considered insane."
If I can use the analogy, what we have here in Google Chrome is adding more water into the pond we are trying to drain. The water, if you want to follow the analogy, is the vulnerabilities in web browsers, badly written or just plain malicious websites that users are trying to protect themselves from (often via plug-ins), and the usual issues with web development we all have when trying to get a site to "just work" simply with all the current versions of browsers that are already out there. With Internet Explorer and Firefox slugging it out, Safari and Opera distant runners-up, we were sort of, slowly, gaining ground on addressing the issues. Between IE and FF, lots of good security work was being done making these browsers more resilient and we were getting a good handle on the overall problem. An additional browser, with what one expects to be a growing market share just because "it’s Google", puts a hole in the dam and water is filling up the pond again.
I understand the monopoly argument, and buy why it’s not always such a good thing, but there are exceptions. Office/Word is one exception – the ubiquity of Microsoft Word, either the product itself, or that many other bits of software can read its file format, is good – I can send a document to someone and know with a very high probability that they can do something with it. With two (plus change) browsers out there, we know what "issues" each have and ways to mitigate/work around them. Granted, Chrome is based on a common and open-source rendering engine (same one used in Safari), but it’s another platform that a site or security issues need to be tested on.
So that’s one point. The other point is that it seems that all the mistakes that other browser vendors have been through haven’t been learnt in the development of Chrome. In the first few weeks, numerous vulnerabilities were reported (which should be listed here, but I don’t see a "security" tag, so this list will have to suffice), many of which have been previous issues with IE/FF. I think this is common with Google, as IMHO they still have a "start up" mindset instead of one of a mature software company where the quality of what they put out really matters. Thankfully, I’m not the first to say this – David LeBlanc says pretty much the same, RSnake takes it further. Rushing to market is one thing, but it’s totally different when you make more work for people (and potentially the web a more dangerous place to those not expecting it).
The flip side is that it’s "beta software", and releasing it now exposes it to the world so we can tear into it, finding the bugs/issues/vulnerabilities, and the software gets better. That’s good – it’s a common way of releasing software. However, track records need to speak for themselves where almost half of all Google products are (still) in beta. Until something becomes a full product (and often even-numbered versions – apparently it works for films as well) they shouldn’t be considered "fit for everyday use".
The main reason for these problems though is I feel an underlying reason that many people forget about Google – they aren’t a software company, but an advertising company – pretty much all of the money they make is via pushing out ads, which has very little relevance to the quality of their software. That’s not to say that the guys writing and testing the software there really don’t care – I know that they do after being invited up to do a talk – but it has very little relevance to the bottom line. Just ask Microsoft on how even the perception of a buggy/bloated bit of software can affect them – it slows down sales and adoption. Microsoft’s money is made off software (and predominantly just a few titles) so they have to be good at that. I can’t help feeling that in Google’s case their software is a side distraction – a stepping stone to another goal. As long as people are still hitting their search engine and embedding ads with AdSense, I fear the worst kind of "good enough" software development, as evidenced to some degree by the continued "beta" status.
I really try to like Google, and have even toyed with joining them a few times – the people there are really smart, some of the most friendly guys in the industry, and they have huge reach with interesting problems to address. I also think that the web is the operating platform of the future, and therefore all the software/technology they are developing is the way to go. With Chrome they have architected security principles into the system which will I’m sure pay off later, and it’s clearly a technology base for future things. When it comes down to it though their objective is gathering information from as many different places as they can and using it for their main business purpose – pushing ads. Finding things in the EULA (even if by mistake), and a potential prospect to use the browser to access even more of the web (although the toolbar does much the same job), doesn’t make me feel all that comfortable and instead has me reaching for my tin-foil hat.
Perhaps I’m being way too harsh here (Matt Cutts gives his take here), but I feel that this is a step backwards for web security (in the short-term at least) more than anything else.


