[ArnoVW]

While this is true, allow me to give another POV. I run corporate security and internal IT for a 100 person SaaS. I "nudge" our users towards Chrome. Why? Because I can manage Chrome using the config infrastructure provided by Google. Because Google has more resources to secure their browser. Because my observability and DLP stuff works with Chrome and not with Firefox. And I'm probably still missing out on a bunch of things.

Those are real, practical reasons. Not just "if I do this I get to check another box".

Yes. I know. It's a pain that when you cannot do what you want to do. But it's not your laptop. It's the company's. Supporting more browsers to the same standard that I just described would take engineering resources, of which I do not have an infinite supply. And the priority goes to keeping the company secure.

[lol768]

> Because Google has more resources to secure their browser

They've kneecapped ad-blockers, when ad networks are perhaps one of the biggest causes of malware installs/page hijacking/other unwanted behaviour. I'm not sure how you can consider Chrome remotely secure in this light.

[flir]

My org (or rather, the org they pay to run their IT) blocked browser plugins with a security justification.

I find this incredibly amusing, and at a different point in my life I'd already be gone.

When you outsource IT, there are many, many misaligned incentives.

[remus]

> I find this incredibly amusing, and at a different point in my life I'd already be gone.

How so? Bad actors buying existing extensions with large user bases then publishing a new version which does bad stuff is a pretty common pattern. It certainy seems like a reasonable concern for a corp IT department.

[michaelt]

99% of security experts I know use ad blockers.

When there are unpatched browser vulnerabilities, attackers will use ad networks to inject attack code into reputable-but-ad-laden websites. And even when there aren't unpatched vulnerabilities out there, many ad networks will happily accept scam ads, ads that trick people into downloading malware, fake download buttons and suchlike.

[nazgul17]

Not GP, but I think the point was that no extensions => no ad blockers => major malware vehicle unlockable, short of disabling JS

[DANmode]

They didn’t take a decade plus to implement per-domain process isolation, for starters…

[mbac32768]

This is the correct answer. Having your users run multiple browsers by default (instead of with whitelisted exceptions) is now multiple attack surfaces the org has to manage.

[dijit]

while valid points, my company uses Microsoft products and they are pretty abysmal in whatever domain they have products in. Edge for example being one of the weaker browser options. (though better than it was in the IE era).

Being forced to use various tools for compliance is frustrating, doubly so if it helps create a stronger monopoly position, because a monopoly position creates stagnation, which makes worse products.

But those worse products are forced on users, even when better ones start to come about.

This is the crux of my issue, Microsoft is the king of this behaviour, and they are using this a lot which is squeezing the metaphorical testicles of almost all companies in Europe.

[chinathrow]

If you run a SaaS, large parts of your orgs should be on all major browsers regularly.

[ArnoVW]

I have a handful of endpoints, used by staff that represent a low level of risk, that use Firefox for that precise reason.

But really, we have a couple of million enterprise end-users, some of which surely using Edge. If we as much as move a button without telling them about it three months in advance, it's the end of the world. In 10 years time, no customer has raised it.

[DANmode]

Edge: Chromium with Google Chrome-like data collection, but with data going to Microsoft instead.

[verall]

Do people get pwned by anything besides spearphishing or ads nowadays? I think ad->phish or targeted phish emails is the only shady thing I've been exposed to in like 10 years

[NewJazz]

It's a pain that when you cannot do what you want to do. But it's not your laptop. It's the company's.

But it is my craft, and to be limited to what tools I can use in my craft can decrease the value of my work, and in doing so decrease the company's productivity.

[Arainach]

Let's say you earn a million dollars a year (most of us earn far less). At quite a few companies, a 50% decrease in your productivity (and changing browsers is nowhere near that) would cost the company significantly less than dealing with the fallout of any of the following:

* A user intentionally leaking sensitive documents outside the corporate network

* A user installing an infected browser extension that gives attackers access to corporate resources

* A user accessing malware or ransomware which infects corporate resources.

That's on top of the cost of having the IT department having to debug issues among users with bespoke tool sets which can often interact in unintuitive ways.

There are many stupid ways that companies "optimize" costs that cost them more in the end. Standardizing the browser and extension set for data loss protection is not one of them.

[makeitdouble]

This feels like the whole IE6 dance coming back.

People know how it ended, but don't seem to remember how it started, which is a shame.

[Wowfunhappy]

> But it's not your laptop. It's the company's.

Sure, which is why you should lock down the laptop. Blocking Firefox in Google Workspace seems like entirely the wrong layer for this.

[LtWorf]

Google has the resources to do it, but do they actually do it? By the looks of it I'd say "no".

See the whole thing with libxml2 for example, or how they started boringssl to "fix" the issues with openssl, but they run it as an internal project you cannot depend on.

[PunchyHamster]

having soon-to-be-nonfunctional adblocking will be far more dangerous to org than any extra security those options might provide