by omh 2401 days ago
Google have made many attempts to sell Google services, and Chrome in particular[1], as professional software that businesses can rely on.

I've been at conferences where senior Google staff went to great lengths to present the benefits of switching to Chrome.

> The experiments are not exactly a secret program and have existed for a while

I've been responsible for managing Chrome in a professional environment for several years and looked in detail at many Chrome management settings. I was not aware of the experiments. They don't seem to be mentioned in the Chrome Enterprise documentation or policies.

> Both can be disabled

How can we disable them? This is on my to-do list for today, so would genuinely appreciate your help!

[1] https://cloud.google.com/chrome-enterprise/


Whoa, I just set out to find the way to disable them. I thought it was possible, but I seem to have confused that with Firefox. Firefox calls it "studies", and you can easily opt out of them in the browser's options.

Chrome (and Chromium) calls the feature "field trials" and there doesn't really seem to be a way to opt out. I'm seriously baffled by the audacity of Google here.

Seems as if the only way to actually get rid of them is to modify the Chromium codebase and compile it yourself.

It might be worth investigating whether there is some kind of host name that could be nullified on the network, of the server that the trials are loaded from.

Sorry for that misinformation, I clearly have to update my original rant.

No no no. This is an isolated incident. Developers at Google are absolute Wunderkinds that know everything better than the stupid users out there, and never make any mistakes. Except this one time. So don't worry, just leave those field trials enabled, it won't happen again.

Reminds me - they still don’t allow developers to disable chrome auto-fill which renders typeahead/autocomplete functionality useless since the chrome auto fill covers up the typeahead dropdowns. https://news.ycombinator.com/item?id=21238375

The reliability of Chrome is completely astonishing - why do you want to rip the team a new one for making one honest mistake?

Any enterprise that didn't have mitigations in place cannot legitimately complain about what is probably the most reliable piece of software they use (adjusted for some complexity metric).

Chrome is a generally great piece of software and I admire many of the things that Google are doing with it.

The frustration here is that Google are operating outside the way we're all used to for software updates. If we update the software, we know to expect problems. So we can test it and (crucially) roll back.

If Google make changes outside of that then it becomes far more difficult to manage.

Yeah, the fact that Google rolled up a fix in less than two days really shows how good their software engineering is.

I am sure that those multi-million-dollar enterprises affected by this issue have other software so reliable that this was the only time they lost millions on a software issue /s.

> I'm seriously baffled by the audacity of Google here

Join the club!

> It might be worth investigating whether there is some kind of host name that could be nullified on the network, of the server that the trials are loaded from.

It looks like they're downloaded from https://clients4.google.com/chrome-variations/seed

Blocking the entire hostname would cause problems with other features of Chrome. But I think blocking the particular URL would need SSL interception which isn't very appealing.

Digging in the code also brought up that URL, and it appears as if the entire feature was disabled if Chromium is built without the "Google Chrome branding" flag (and can then be reenabled by specifying a seed URL yourself via command line). Hence one might get by with building from unmodified Chromium source.

But the options to disable it on official prebuilt Chrome appear to be grim indeed. SSL interception might not even work at all, as I guess Google uses certificate pinning.

Amusingly Chromium shows up in my list of things to disable in the Google security checks results.

> But I think blocking the particular URL would need SSL interception which isn't very appealing.

SSL interception is very appealing in a corporate environment. Thanks for sharing this, I've raised it with the guys who run the proxies here to investigate if we can / should drop this.

Is just patching the url in the binary an option?

I found this Chromium bug report, which seems to be the epicenter of all the debate and also the source of the citations from the linked article:

https://bugs.chromium.org/p/chromium/issues/detail?id=102483...

It is well worth a read! There are lots of complaints from what seem to be business users of the free version, but also a few by customers of the Chrome Enterprise subscription with managed installations, and they also appear to be affected by this issue and are demanding an option to disable the trials. From that I conclude that it can be considered safe that the trials also affect paying customers, and it does indeed seem as if they also have no option to disable them, at least currently (my personal guess is this is going to change, for sure at least for the paying customers, hopefully for everyone).

Paying customers should have an option to disable it, however unpaid customers should either roll out their own solution or deal with the consequences of running a business with free, uncontrolled software.