This is not a Google-wide thing… this is from Google’s Context-Aware Access product, which is configurable in Google Workspace environments. OP should direct their ire at their corporate IT or infosec team.
Some IT departments just see a “more secure” checkbox and will always check it, even if it doesn’t make sense holistically- sometimes compliance incentivises (or forces) this behaviour.
A common example is forcing intune/device enrolment for mobile devices (including ipads)- but not for the infinitely less secure laptops: because no such endpoint enforcement checkbox exists
It's their organization. They are allowed to make decisions about what software their employees use. I'm a die-hard Mozilla fan, but I don't find this unreasonable.
The problem is Google appears to label this as a security feature. I'm fine with the feature existing, but it should say something like "require Chrome" or "block Firefox" not "require a secure browser (wink wink we actually mean Chrome)"
It is a security feature. In a corporate environment, you generally don't want users installing their own software. If it's a remote access thing from a personal device, you still generally want to be able to establish some kind of baseline. I don't like Chrome - not even a little bit - but I will admit that they have a pretty damn good security track record. I'd rather my remote users be on there than some crusty Firefox installation with 40 extensions. Organizations have the right to make these decisions when they are the ones that own the data. For example, when I was still in that world, we required personal phones to be encrypted to access corporate email. This was when a lot of people would still walk around with devices without a pin. People complained, but it was non-negotiable.
The wording here is bad, but basically CAA supports non browser specific policy and, in some cases, browser specific policy (GSuite offers a "Managed Chrome" policy). Firefox users can leverage much of the non browser specific policy, they obviously can not be a part of the "Managed Chrome" offering.
There's no contradiction here; it's totally possible for a company to make a feature configurable so that it doesn't block their competitors but also intentionally design and market it in a way that's misleading in ways that will lead to their competitors getting blocked. When we're talking about a company as large as Google and a product with as much market share as Chrome, I don't think it's that crazy to think that things like this add up to encouraging even more hegemony, and when that happens to align perfectly with the incentives of the company making said product decisions, I also don't think it's crazy to think it's unlikely to be a coincidence.
If the argument is that Google has built a product that encourages use of Google products, of course. The question is whether that's some sort of trickery or odd or bad. "Google offers Managed Chrome as a service" hardly seems controversial to me.
Google offering managed chrome as a service is a completely sensible thing. The problem is that they are nearly a browser monopoly, and making Google Workspace work in such a way with Google Chrome feels to me like anti-competitive practices. If we didn't have one giant megacorp that did both things, it would be different.
Of course, so far the only workable model for web browsers is having a giant megacorp fund their development and maintenance. Which is a huge issue, and we will do basically nothing about it.
(Don't get me wrong. I have high hopes for Ladybird and even Servo, but they may come too late if effectively-proprietary features force most users to stick to Chrome anyways.)
Note that making lock-in features like this effectively proprietary to the Chrome browser is only possible because of the fact that it's the same company making Google Workspace and Google Chrome.
I absolutely see many problems with this and you really ought to as well.
It's a paid product, they are actually allowed to do this. Google is obviously going to focus on security testing with their own browser. It's understandable that organizations want to require chrome for their employees to access their workspace in the interest of security, but it's not the default.
> It's understandable that organizations want to require chrome for their employees to access their workspace in the interest of security, but it's not the default.
Can you elaborate on why you think that Firefox is inherently insecure in some way for accessing Google workspaces?
> It's a paid product, they are actually allowed to do this.
If that were the only metric, then no monopoly would ever be broken up for any reason (which I guess is the way regulation seems to work nowadays, but at least in theory it's supposed to be possible for it to happen sometimes). The idea that using market pressure from one product a company sells to squeeze out competition in another is totally fine as long as the first product is paid is not a premise I agree with.
I don’t think anyone is saying Firefox is inherently bad. What I’m reading, and what I believe, is Google just has a better product for secure enterprise browsing because of the controls they offer
The browser is where basically all your work happens, especially as a Workspace customer—think about how much of your work is done in the browser. That makes it a huge, attractive attack surface. And attackers don't even need a browser vulnerability; they can just convince an employee to install a malicious browser extension, and suddenly they can steal passwords, watch everything you do, and hijack your sessions on other sites.
So security teams need visibility into what's happening in the browser. Google does a decent—not great—job of providing this through Managed Chrome: centralized logs, control over which extensions can be installed, even alerts when someone reuses their Workspace password elsewhere.
Firefox, Safari, and most others don't offer these business controls, which means a security team allowing them is flying blind. And a blind security team is gonna have a bad time… mmmkay.
On support: someone mentioned using Firefox to verify their app works across browsers—god's work, truly. But not every vendor does that, so IT ends up fielding "this site just isn't working" tickets that turn out to be browser compatibility issues. Fewer supported browsers means a smaller surface to support and a better experience all around.
This can't be enforced where you're not using your corporate identity. A Dropbox account on your personal email is still accessible from any browser.
> Can you elaborate on why you think that Firefox is inherently insecure in some way for accessing Google workspaces?
Allowing users running who knows what version of Firefox (or any "non-validated"/unmanaged browser, not necessarily just Firefox) browser running who knows what extensions can be pretty unsafe. There are lots of malicious extensions out there that are stupid simple to install.
In the Workspace world, Chrome can be configured and enforced to have certain kinds of settings applied. Only allowing certain extensions. Ensure certain version ranges. That sort of thing.
If a corporation with my data allowed access to its internal tools using any browser running any arbitrary and possibly compromised third party extensions, that's a data leak and class action lawsuit waiting to happen.
I would say it's common to find dark patterns that involves ambiguity like the discussion we are having here. We can't know for sure but Google can increase the probability of being on their ecosystem.
Well, it could als also be argued that Chrome _is_ more secure, for example because it uses app-bound encryption using Windows DPAPI system, for cookies, so that it at least tries to protect cookies from malicious applications running on the device. Firefox does not do this: https://security.stackexchange.com/questions/279629/are-cook...
If course the reverse can also be argued, for example that Firefox supports proper adblocking.
CAA is one of the most powerful security features you can enable in an org. You can manage browser extensions, device password policy, encryption, configuration, cookie attestation, etc.
CAA is completely based on trust, it's not one of the most powerful security feature. It's completely voluntary reporting by the browser, and any attacker who cares can just lie without issues.
You can make Firefox pass CAA if you want. You take the Chrome "SecureConnect Reporting" (Context-Aware Access) plugin, port it to Firefox with some light changes, and you can report whatever you want to CAA.
That's not entirely true. For example, on ChromeOS CAA is hardware backed. But obviously CAA is not intended to be our entire MDM solution, an attacker in a position to spoof your entire browser can bypass some of the policies on some operating systems. Similarly, attackers in that same position can bypass TLS. An attacker who owns the kernel can bypass much of your MDM. An attacker who owns the hardware can bypass just about anything.
I haven't dug into the native helper to see how much it checks, I can believe that ChromeOS does full remote attestation. If it's anything like Android Play Integrity, there's not a lot of flexibility without hardware exploits.
But who outside of Google is running exclusively ChromeOS?
My impression from looking at the JS part is that it's mostly obfuscation, with the possible exception of ChromeOS.
I feel like the secure connect client being closed source would have been an effective deterrent 5 years ago, but these days everyone's throwing LLMs at everything. So an attack that would have taken effort doesn't present nearly as much of a barrier anymore. At least as long as there remain some platforms that don't enforce full attestation...
My point was that CAA's threat model is flexible based on your requirements. If your requirement is "an attacker with the ability to make arbitrary network requests from the host can not pretend to be Chrome", CAA does not work unless you have OS/Hardware support (which ChromeOS provides).
I just don't think that matters much. CAA is policy enforcement, it is not a full MDM solution, nor is it antimalware.
Understand that, in this conversation, your use of "attacker" is referring to "end user of the hardware". Which might be part of the Chrome team's definition, or might not, but gosh it would be nice to cater to the folks who are using the dang computer.
Well - it does make sense. If an organisation that contracts me has to chose between a) BYOD - but restrict downloads, etc, enforce export control, directly in the browser - I happily take that, vs getting a Windows laptop that is locked down and forced to work with that.
Using a maintained and up-to-date browser is a reasonable requirement for an IT department (should be for anyone really). Would you suggest they should be allowing IE6 just because a user might prefer it?
Of course Google is going to suggest using Chrome, if they detect that the browser might be out of date.
We don't know. The author doesn't mention how current the Firefox browser is/was.
If the organization is indeed enabling a specific check for Chrome that seems a little over the top but they're the ones supporting their users and if they want to make their life easier by only dealing with one browser that's their decision to make. It's like saying that everyone has to use Windows, or a specific line of laptops, or any other standardization to simplify the support workload.
It's not clear to me that Context-Aware Access is as configurable as you're implying. At a glance, the docs seem to suggest that Chrome is the only browser you can force standardization on, which IMO does push this towards being Google's fault.
That's correct, there is no way to say "only allow Firefox" in CAA because the attestations are either browser agnostic or chrome specific (as part of the managed Chrome offering that GSuite supports).
If we are meant to believe that this is a Chrome-invasion-move, it's the least effective lever of all times. Most of the time the more plausible explanations are just the likely ones.
Chrome was created because Google felt that the IE monopoly was hindering the advancement of web standards and improved browser capabilities. I suppose you could argue that was a different Google at a different time, but at one point they did feel that browser diversity was a good thing.
I mean, they claimed to be for browser diversity when it was not them on top lol. Underdogs want the race to tighten up, 85% market leaders want to stay out in front.
Its a normal choice, given a checkbox on page which advertises that checking it would make your security posture more safe. The IT person is safeguarding their own job.
Other way to look at it is, the company is paying for everything, and they get to make decisions based on what suits their security needs.
Unrelated to this news, but this is so rudimentary, when the correct solution instead is:
1. Make it ridiculously easy to install hardware vendor keys and register it with OS of choice. (like a standardized dialog box in UEFI and a standardized/regulated IPMI-like interface)
2. Allow for only measured boot on those devices.
3. Provided facility to verify signatures.
Do this on consumer and enterprise laptops and desktops alike and all of these weird set of conditions just go out of play and replaced by something much much simpler.
It appears website developers desperately want to return to a world where browsers actively pretend to be another browser*.
Want to check for DBSC? Enjoy not knowing whether the browser vendor decided to just roll a simple software implementation.
Nothing good comes from browser detection over feature detection anyways. It's time to do away with user-agents and other overt identifying markers, and if we're still not in a better place, aggressively start stubbing features.
* to some degree they still are. Firefox still ships with an user-agent override list for certain websites that have outdated user-agent sniffing for feature detection (and other fixes in about:compat).
And yet, claiming support for a feature doesn't tell all. Different implementations can have subtle differences. Knowing the browser and version can allow a client to survive that.
Yes, that is the price developers will have to pay. Development will be harder, but users are going to prefer somewhat broken sites over being outright refused entry.
At the end of the day user-preference is what dictates which browser is used and how it is configured. Developers will have to deal with what users choose to do on their end.
You can only patronize people for so long before they look for a way around silly restrictions. Trying to keep someone safe by putting up walls, whether the threat is real or imaginary, is pointless when it is in the user's power to trivially defeat those walls - and when extension and browser developers are going to line up to sell them demolition tools (see ad blocking).
Advice is going to go much further than roadblocks, long term.
It states something about "your organisation's security requirements", do they document what requirements cause this rejection page? Some kind if changed default perhaps?
No, this is easily the biggest flaw in CAA - there is no way to discover which policy broke your access. I have reported this to Google multiple times, even sent this directly to a Google SecEng (a well known one) to route internally. The issue persists and makes configuring CAA extremely painful and error prone.
They wont stop it. They will just slow down a bit if people get ruffled. That's how alphabet has handled everything else. They learned that if they can make changes slowly enough, they can do whatever the hell they want to.
As we all know we can even pay 10x more for items and get next to no raise in our wages, but because it was done slowly in an "official" and "professional" manner, most folks didn't even complain, they just screamed into the giant pillow we call "the internet".
Corporations of the 2020s love the internet's digital pillow and its magical crowd-quieting capabilities. If only the ancient roman empire had invented the internet they would be ruling the entire planet by now and we could watch gladiators on youtube :P provided we don't stand out too much (then we would be said gladiators)
At least you got a heads-up. Few months back GCP "Agent Studio - Build" failed compiling the code in sandbox with a vague error message. Spent weeks troubleshooting, spoke to google engineers and reps, sending code, step by steps, screenshots. No one had a clue, until I switched from Firefox to Chrome out of desperation and it worked without a hitch.
Not defending it, but given that they use the word "secure" three times in two sentences, I'm wondering if it's shown to browsers that don't support DBSC. Google has been really pushing/overselling this as a magical solution to cookie theft.
Is it possible for a non-google browser to be said to meaningfully support this given that implementing the features wouldn't necessarily accomplish anything insofar as it wouldn't let you past the google only security gate and would represent a moving target in any case.
Sounds like you have a device policy configured and you should talk to your internal IT/Security team?
edit: This title is just incredibly misleading. OP seems to have made a mistake here in thinking that this is something that Google has done when it's just that their corporate IT/ Sec team now enforces using Chrome.
Reading the news of EU countries leaving American cloud providers for local cloud solutions including mobile office, it's surprising to see Google doing this.
It will only accelerate moves towards location of data, self-hosting, etc. The technologies to make this possible are much easier than they ever have been.
I use Google as a secondary search and as of roughly last week it gives me a captcha every time I try to do a search. That had never been the case before.
I browse over Tor for most things and most sites give me a captcha or just simply fail to load these days. I just close the window and move on to something else.
That one has been a well-known thing for a decade if not more; it's not just Google, half the Internet will start throwing captchas or denying access once you connect via a VPN (specifically "VPN" as in one of the services you pay to avoid location-based discrimination of media streaming platforms).
I am seeing it a lot more lately with uBlock Origin. I've used DDG for search for a while now, but the last few times I've tried Google I got a captcha within a couple of queries if not immediately.
Some IT departments just see a “more secure” checkbox and will always check it, even if it doesn’t make sense holistically- sometimes compliance incentivises (or forces) this behaviour.
A common example is forcing intune/device enrolment for mobile devices (including ipads)- but not for the infinitely less secure laptops: because no such endpoint enforcement checkbox exists
Of course, so far the only workable model for web browsers is having a giant megacorp fund their development and maintenance. Which is a huge issue, and we will do basically nothing about it.
(Don't get me wrong. I have high hopes for Ladybird and even Servo, but they may come too late if effectively-proprietary features force most users to stick to Chrome anyways.)
I absolutely see many problems with this and you really ought to as well.
Two different companies can partner together and release features in both of the company's interests.
Your corporate serfdom is not in question, but I disagree with that notion too.
There is zero problem here guys.
Can you elaborate on why you think that Firefox is inherently insecure in some way for accessing Google workspaces?
> It's a paid product, they are actually allowed to do this.
If that were the only metric, then no monopoly would ever be broken up for any reason (which I guess is the way regulation seems to work nowadays, but at least in theory it's supposed to be possible for it to happen sometimes). The idea that using market pressure from one product a company sells to squeeze out competition in another is totally fine as long as the first product is paid is not a premise I agree with.
The browser is where basically all your work happens, especially as a Workspace customer—think about how much of your work is done in the browser. That makes it a huge, attractive attack surface. And attackers don't even need a browser vulnerability; they can just convince an employee to install a malicious browser extension, and suddenly they can steal passwords, watch everything you do, and hijack your sessions on other sites.
So security teams need visibility into what's happening in the browser. Google does a decent—not great—job of providing this through Managed Chrome: centralized logs, control over which extensions can be installed, even alerts when someone reuses their Workspace password elsewhere.
Firefox, Safari, and most others don't offer these business controls, which means a security team allowing them is flying blind. And a blind security team is gonna have a bad time… mmmkay.
On support: someone mentioned using Firefox to verify their app works across browsers—god's work, truly. But not every vendor does that, so IT ends up fielding "this site just isn't working" tickets that turn out to be browser compatibility issues. Fewer supported browsers means a smaller surface to support and a better experience all around.
This can't be enforced where you're not using your corporate identity. A Dropbox account on your personal email is still accessible from any browser.
Allowing users running who knows what version of Firefox (or any "non-validated"/unmanaged browser, not necessarily just Firefox) browser running who knows what extensions can be pretty unsafe. There are lots of malicious extensions out there that are stupid simple to install.
In the Workspace world, Chrome can be configured and enforced to have certain kinds of settings applied. Only allowing certain extensions. Ensure certain version ranges. That sort of thing.
If course the reverse can also be argued, for example that Firefox supports proper adblocking.
You can make Firefox pass CAA if you want. You take the Chrome "SecureConnect Reporting" (Context-Aware Access) plugin, port it to Firefox with some light changes, and you can report whatever you want to CAA.
But who outside of Google is running exclusively ChromeOS? My impression from looking at the JS part is that it's mostly obfuscation, with the possible exception of ChromeOS.
I feel like the secure connect client being closed source would have been an effective deterrent 5 years ago, but these days everyone's throwing LLMs at everything. So an attack that would have taken effort doesn't present nearly as much of a barrier anymore. At least as long as there remain some platforms that don't enforce full attestation...
I just don't think that matters much. CAA is policy enforcement, it is not a full MDM solution, nor is it antimalware.
I think Chromebooks are pretty common in school settings
Of course Google is going to suggest using Chrome, if they detect that the browser might be out of date.
The issue presented doesn’t seem to be “an up to date browser check” it seems to be a “is it latest chrome” check, which is a very different thing.
If the organization is indeed enabling a specific check for Chrome that seems a little over the top but they're the ones supporting their users and if they want to make their life easier by only dealing with one browser that's their decision to make. It's like saying that everyone has to use Windows, or a specific line of laptops, or any other standardization to simplify the support workload.
I don’t see why I should give affordances of good will to Google here.
They’re not stupid, they know that this is an effective lever to further cement full-fat chrome as the default browser for the internet.
Why did you even compare it to IE6, out of the curiosity?
Other way to look at it is, the company is paying for everything, and they get to make decisions based on what suits their security needs.
https://knowledge.workspace.google.com/admin/security/create...
The Org admin can put all sorts of restrictions on who can do what based on the client device setup.
1. Make it ridiculously easy to install hardware vendor keys and register it with OS of choice. (like a standardized dialog box in UEFI and a standardized/regulated IPMI-like interface)
2. Allow for only measured boot on those devices.
3. Provided facility to verify signatures.
Do this on consumer and enterprise laptops and desktops alike and all of these weird set of conditions just go out of play and replaced by something much much simpler.
Want to check for DBSC? Enjoy not knowing whether the browser vendor decided to just roll a simple software implementation.
Nothing good comes from browser detection over feature detection anyways. It's time to do away with user-agents and other overt identifying markers, and if we're still not in a better place, aggressively start stubbing features.
* to some degree they still are. Firefox still ships with an user-agent override list for certain websites that have outdated user-agent sniffing for feature detection (and other fixes in about:compat).
At the end of the day user-preference is what dictates which browser is used and how it is configured. Developers will have to deal with what users choose to do on their end.
You can only patronize people for so long before they look for a way around silly restrictions. Trying to keep someone safe by putting up walls, whether the threat is real or imaginary, is pointless when it is in the user's power to trivially defeat those walls - and when extension and browser developers are going to line up to sell them demolition tools (see ad blocking).
Advice is going to go much further than roadblocks, long term.
As we all know we can even pay 10x more for items and get next to no raise in our wages, but because it was done slowly in an "official" and "professional" manner, most folks didn't even complain, they just screamed into the giant pillow we call "the internet".
Corporations of the 2020s love the internet's digital pillow and its magical crowd-quieting capabilities. If only the ancient roman empire had invented the internet they would be ruling the entire planet by now and we could watch gladiators on youtube :P provided we don't stand out too much (then we would be said gladiators)
edit: This title is just incredibly misleading. OP seems to have made a mistake here in thinking that this is something that Google has done when it's just that their corporate IT/ Sec team now enforces using Chrome.
Monopolies aren't a prerequisite for antitrust action, they're the failure state when you should have acted sooner.
It will only accelerate moves towards location of data, self-hosting, etc. The technologies to make this possible are much easier than they ever have been.
And good fucking luck getting the FTC to follow monopoly law.