SuperSite Blog

Ok, so did anyone pick up that Google took the same Page/Tools 2-menu system that IE7 has?

I should note that the minimal menu system is the way most browsers should be.  It's also one of the reasons why I take a pass over Firefox and Opera (except Opera Mobile on my new HTC Touch Diamond EV-DO, which also *doesn't* have menus).  Menus are so passé in a web browser.  Kudos for Google for blatantly copying Microsoft's good ideas.

There must be something about developing a browser on top of the WebKit engine that requires you to violate basic Windows UI conventions.

When it was just Safari, I figured it was Apple but note that Chrome doesn't even do the Title Bar correctly.

>>I’ve been testing Chrome for about a week, trying out all its features, and using it side by side with Microsoft’s latest iteration of IE, which came out just last week.

My verdict: Chrome is a smart, innovative browser that, in many common scenarios, will make using the Web faster, easier and less frustrating. But this first version—which is just a beta, or test, release—is rough around the edges and lacks some common browser features Google plans to add later. These omissions include a way to manage bookmarks, a command for emailing links and pages directly from the browser, and even a progress bar to show how much of a Web page has loaded.<<

ptech.allthingsd.com/.../first-test-of-googles-new-browser

Installing in C:\Users\[user name]\AppData\Local\Google\Chrome\Application rather than in C:\Program Files\Google\Chrome has two VERY SERIOUS issues

1) Program Files has specific security restrictions to make sure that applications can't be overwritten without administrator permission.

2) Installing an app in a specific User folder means it either isn't available for other users or they have to install a separate copy in each user folder tree.

Either of these is a total violation of how Applications are supposed to be installed and show a complete lack of understanding of Windows or Security.

Just plain bad.

I had problems running it along side Symantec's Endpoint Security suite.

It started working when I uninstalled Endpoint.

"It started working when I uninstalled Endpoint."

AHAHAHAHAHA!

Ay to go Google!  Still in beta, and already classified as spyware!

Good job, rookies!  *big thumbs up*  ;)

I apologize in advance if you view this as OT.  But we're talking about browsers and their future, and it seems that thats what MS is looking at too:

>>"Consuming twice as much RAM as Firefox and saturating the CPU with nearly six times as many execution threads, Microsoft's latest beta release of Internet Explorer 8 is in fact more demanding on your PC than Windows XP itself, research firm Devil Mountain Software found in performance tests. According to the firm, which operates a community-based testing network, IE8 Beta 2 consumed 380MB of RAM and spawned 171 concurrent threads during a multi-tab browsing test of popular Web destinations. ***InfoWorld's Randall Kennedy speculates that Microsoft may be designing IE8 for the multicore future.***<<

tech.slashdot.org/.../1418252.shtml

Oh, and when I said "a complete lack of understanding of Windows" I didn't just mean Vista.

Installing applications to the Program Files (or equivalent named) tree has been part of the guidelines since at least 1994.

I'm really thinking that there's some hidden license requirement in WebKit that mandates doing stupid things that violate basic behavior of the OS.

Installing a high security risk app tree inside the data folders. Absolutely unbelievable. Just absolutely f'ing unbelievable.

Maybe Microsoft needs to have the Windows Mojave demo guy go out to Google so they'd at least have SEEN Vista.

Ocean.

Total process isolation is VERY expensive in RAM.

IE8 is doing a limited process isolation tuned to decrease the RAM cost that an unlimited process isolation model entails. It's described in the IE Team Blog.

Chrome, which does totally UNLIMITED spawining of new processes ought to be much, much worse for the same test. (Hence my warning yesterday)

Yes, because Mike is much smarter than any team of engineers.

Any team of engineers? No.

This team of engineers? Apparently.

What arrogance.  What hubris.

Can't say I'm surprised...

There are a lot of good reasons to install in the user home directory, the main one being it doesn't require admin permissions.

If an app wants to install in Program Files, it needs full UAC admin permissions - which means it can completely hose your system.  Why should I give some random app I want to try permissions to install device drivers, spyware, keyloggers, and anything else it wants?

"Everything goes in Program Files" were the guidelines in 1994.  They're completely out of date now, and Microsoft seriously needs to update their guidelines and installer standards.

Definitely apps should be *able* to be installed to Program Files, so they can be locked down... but the difference between "All Users" and "Just Me" should be meaningful, and the standard should be *not* to give random internet apps full permissions to hose your system.

Ocean what do you expect? The guy probably sits down and tells his kids and grand kids "Use anything but Microsoft and Satan will come and rape you while you sleep".

is "thingy123" on some kind of hallucinogenic drugs?

thingy

The whole reason for requiring app install to be separate from app data (hence the appdata folder where Google dumped their app) is that Applications are supposed to be protected. Period. That's why Program Files is protected by UAC and permissions. (And, yes, the installer needs to run as an admin which is one of the few times to run a process as admin. That's pretty much the main reason for administrator accounts. It does NOT mean the app itself runs in the context of the installer. When you run the app, it runs in your security context.)

There is NO good reason for installing an application in any other tree. There are lots of BAD reasons.

As for the guidelines from 1994, they've been updated many times. But putting apps in the tree designed for apps is one that's even more important now than it was then and has more benefits to both the user and the vendor now than it did then.

Seriously. Google not only blew this but did so in such an amateurish way that I wonder what else they screwed up. This looks like they couldn't be bothered to read how to do a decent setup app and dumped Chrome where it was easiest for them and damn the consequences.

Ocean,

My knowing something you don't isn't hubris or arrogance. It's just knowledge.

This is windows programing 101 stuff. Anybody who has written an app for Windows in the last few years would know where apps are supposed to be installed. In fact, most Windows users know that much. Apparently you don't.

Attacking the person who teaches you something you don't know is rather sad.

>>Anybody who has written an app for Windows in the last few years would know where apps are supposed to be installed.<<

I suspect they knew...and I also suspect they didn't care.  

Oh wow...this browser lets you adjust the size of the text input area...FF doesn't do that....does IE?

"I suspect they knew...and I also suspect they didn't care."

As I said, they dumped Chrome where it was easiest for them and damn the consequences.

I honestly don't know if this choice was out of ignorance, laziness, or incompetence but it's such a monumentally bad decision I can't see any other options.

Thanks, Mike, for pointing out the Chrome mal-installation.

I won't run Chrome until Google fixes it.  (I have IE 8 beta 2 and Netscape 3.0.1 on my Vista laptop, and IE 8 beta 2 on the alternate boot installation on my iMac--with Netscape to come when I get a round tuit--I don't have a huge need for other browsers.)

Text box size adjustment.  Found in Safari (at least on Mac) as of Safari 3.  It is really, really handy.  Doesn't work in Safari on some text boxes (like the single-line ones for Name and URL just above where I'm typing).  Probably because they are, well, single line.

"Text box size adjustment.  Found in Safari (at least on Mac) as of Safari 3.  "

That would make sense since they use the same layout engine.

Chrome is (or will be, for those slower to jump in) one more reason not to run Safari on Windows.  But there were plenty of reasons already.

>>I won't run Chrome until Google fixes it.  <<

When did Google announce that this was a bug.  Lets wait on their input...

>>Chrome is (or will be, for those slower to jump in) one more reason not to run Safari on Windows. <<

Agreed.  

Ocean, the install location feels wrong to me, thanks to Mike's explanation.  (I have no direct knowledge of the subject matter, as I have zero interest in developing for Windows.)  

Since these are my machines, I'll act on that feeling, without caring whether Google thinks it's a bug or not.

@Mike

Saying "Applications are supposed to be protected. Period." does not make it so.

It's all just a matter of perspective.

Web applications?  They're not "protected."  ClickOnce applications?  They're not "protected."  Silverlight / Flash / Adobe AIR applications?  Not "protected."

I hope you don't like trying out random shareware or open source applications, because every time you say "Continue" to the UAC prompt (or run it with Admin permissions in XP), you're giving that installer permission to do whatever it wants to your system, including replacing files for any other applications on your system .... It doesn't matter if the application itself runs in a secure context if the installer put a backdoor and keylogger service on your system when it had full control.

(And it doesn't even have to be malware... who else has been annoyed by iTunes installing a multitude of drivers and services when all they wanted to do was listen to music?)

As for the risk of Chrome.exe getting replaced or corrupted by a malicious application since its not in "Program Files" - any app with the permissions to replace "Chrome.exe" already has the permissions to do whatever damage it wants.  Corrupting "Chrome.exe" isn't necessary.

Ideally, Microsoft should provide multiple levels of UAC, including the concept of a user-based protected Program Files folder.  But given the current constraints, I'd rather install every app to the user profile directory than give every app installer complete access to my system.

In any case, the reason for the choice of installation location is pretty obvious:  They want corporate users to be able to install it without requiring permission from IT, and they're guessing the IT departments are too lazy to properly secure their systems from unauthorized executables.  It's a way out for all those people stuck with IE6 by their outdated IT departments.

I am blown away by Chrome's performance.  Chrome's display of history is easily more usable than any other browser.  Paging a page is innovative.  So far I like it a lot.  

I still prefer Firefox's RSS handling.  

IE is still the only browser I can properly copy a table and paste it into Excel.

I have to agree with johnbaxter on this one. When I read that bit of information about the Chrome installation, it definitely raised the "This is damn peculiar... Yellow Alert" warning. (Yes, I just referenced Star Trek II.)

When something feels wrong, after doing enough experience doing installs, then you have to trust that judgement.

As for blatently copying, Apple, Microsoft, and now Google all follow the same mantra as Pablo Picasso. "Good artist copy, Great artist steal."

Frankly, there's enough theft and copying between the companies to make a GTA game. A very geek version of GTA.

I meant to say Chrome's page search is innovative.

Thingy

That may be the most clueless defense I've seen on here and that's saying a lot.

NO application should be installed by a user level account. Period. Modifying the system (like adding or removing applications) should ONLY be done with an Administrator level account. That's security 101 stuff.

The applets you talk about that run in a browser window run inside both the context of the browser (User mode) or in a sandbox. They are NOT modifications to the system.

Installing an application in a non-protected data space is flat out brain dead. Period.

No good reason. (And, no, getting around admins is not a good reason nor would this work if the admins have a clue)

As for the Windows should have more granularlity of security, do some homework. Windows has the most granular security system of any operating system out there both with the ACL control, the additional evidence based granularity of .NET and the option of the extra granularity of COM+.

See, there are some advantages of a modern OS that doesn't measure security by a triplet of octal digits.

techboy2000

I'll say I'm impressed by Chrome's History. My copy has entries for two days in July and one in June and I didn't install it until today!

(Yes, it's a beta.)

>>Installing an application in a non-protected data space is flat out brain dead. Period. <<

Says the man who'll say anything to dent a non-MS project.

EDIT:  Update at 11:20AM -->  He's doing it again!

Ocean

Wow. You really don't have a clue about computers, do you?

I know you rely on the reputation you've developed for knowledge of systems programming  to bash anyone who criticizes MS.

You don't look for the right tool, you assume that if it isn't from MS then it just ain't right.

Well I am so far impressed...

Thou the logo reminds me greatly of the Simon game from Milton Bradly....

Screenshot here:

www.burzycki.org/.../untitled1.jpg

mikegalos,

Windows LiveMesh also installs in AppData so there is some precedent.  

The Chrome browser seems very nicely coded - however I do agree that the browser should have as much protection as possible so it is an interesting installation choice.  We'll have to see how this works out for them - I'm sure there are plenty of folks looking for vulnerabilities in the browser now (especially as it is based on WebKit).

martin woodward

The Live Mesh Program Files install in:

C:\Program Files\Live Mesh

The Live Mesh App Data get stored in:

C:\Users\[username]\AppData\Local\Microsoft\Live Mesh

Which is just what it's supposed to do.

(There is also a bin directory in there but it's not the main Live Mesh executables but just service front ends since the main MOE runs as a system service.)

hmm, curious, I can't scroll up using my trackpad in chrome, although it still works everywhere else.

strange.

I have been testing out Chrome and i love it!

As a web developer myself i have noticed that Chrome has great developer tools, right click any element on a website and click inspect element. You get a very advanced code view with the bonus of being able to check its loading times and size.

You even get a task manager telling you how much memory each tab is using :D

For more discussion about the Chrome setup and installation process see this post over on the Joy of Setup blog,

www.joyofsetup.com/.../google-chrome-setup

I tried it out last night.  Still not convinced about the browser itself, but it is a great first beta and operates quite fast.

However, outside of thingy's delusion rantings, installing an application where they did is just wrong and it is the first app that I've seen do this.  Perhaps they were going for a poor mans protected mode experience, but this is not the way to to do it.  I'll be uninstalling it until this is fixed.

>>mikegalos@msn.com said:

techboy2000

I'll say I'm impressed by Chrome's History. My copy has entries for two days in July and one in June and I didn't install it until today!

(Yes, it's a beta.)>>

You do realize that it imported that data and so those entries are "valid" in the sense that they came from your previous browser?

<<johnbaxter said:

Text box size adjustment.  Found in Safari (at least on Mac) as of Safari 3.  It is really, really handy.  Doesn't work in Safari on some text boxes (like the single-line ones for Name and URL just above where I'm typing).  Probably because they are, well, single line.>>

Yes - in html forms a text box is a different type of element from an input line and thus the reason you can't edit the size of the input using WebKit.

"In any case, the reason for the choice of installation location is pretty obvious:  They want corporate users to be able to install it without requiring permission from IT, and they're guessing the IT departments are too lazy to properly secure their systems from unauthorized executables.  It's a way out for all those people stuck with IE6 by their outdated IT departments."

You really have no idea how corporate IT works, now do you?

Martin.Woodwards blog post said:

>>   4. Google Chrome is a per-user application. It even installs in the per-user LocalAppDataFolder. (The included Google Gears is marked as "UAC compliant.")

That Google Chrome is a per-user app is amazing.

--

That Google took the extra effort to limit themselves to the capabilities of a per-user app says a lot about their desire to have:

   * a low-impact setup

   * and absolutely no barriers to entry.

I wonder if it’s the start of a trend…<<

Start of a trend?  

deepfry

Re the wierd "History" entries: I wondered if it was importing the history but, as anyone here can tell you, I've been on the Internet a more than 4 days in the last several months...

(My guess is that it is an attempt to import but that it doesn't quite have it working - as I said, it is in beta)

Anyone else notice how Chrome's EULA allows Google to exploit anything you do in Chrome? How nice of them...

I think Mike's right about the dangers, although I suspect Google will have fixed this by the time it's out of Beta, they just want as many people to try out the beta as possible.

The danger of having your browser in the users datadata folder is that if some malicious software did manage to run on your system it could replace chrome.exe with it's own evil version* without the user realising. It couldn't do that to Firefox or IE because they are in the Program Files directory and would have to show a UAC prompt to do anything to them.

* As Chrome is open source it would be trivial to add a keylogger, or steal passwords for banking websites.

Compact...here's a bit about the EULA:

>>The wording on Chrome's TOS is very similar to the TOS of Google Docs, which caused a similar outcry in Aug 07. At the time a Google Docs rep replied in our comments: "As we state in our terms of service, we don't claim ownership or control over your content in Google Docs & Spreadsheets, whether you're using it as an individual or through Google Apps. Read in its entirety, the sentence from our terms of service excerpted in the blog ensures that, for documents you expressly choose to share with others, we have the proper license to display those documents to the selected users and format documents properly for different displays. To be clear, Google will not use your documents beyond the scope that you and you alone control. Your fantasy football spreadsheets are not going to end up shared with the world unless you want them to be."<<

www.readwriteweb.com/.../does_google_have_rights_to_all.php

"Anyone else notice how Chrome's EULA allows Google to exploit anything you do in Chrome? How nice of them..."

Does that also mean that any user data in the same folder tree also belongs to them?  According to many privacy advocates that have reviewed the legalities of Google's notoriously vague privacy policy, "any content on a system attached to a Google service belongs to Google".  Say "bye-bye" to privacy and IP (that's intellectual property).

You honestly didn't expect any different from Google though, did you?

So wheres the outrage over the install location?

http://techmeme.com/

C'mon Ocean.  You really believe that from the people that openly stole content for their own book search?

What does the book search disagreement have to do with a legal license?

Thats a slur, and a nasty one.

Ocean and Thingy -

The installation path issue that is being discussed here, is a security risk. For you to argue otherwise tells me that you have never supported a secure environment. To write it of as follows is really stating htat Google not only wants to get at your personal information, but also at corporate data. You do realize, that at many medium to large organizations, security, along with other areas of risk management is a top priority, don't you? Places like healthcare institutions, financial institutions, insurance companies...

"In any case, the reason for the choice of installation location is pretty obvious:  They want corporate users to be able to install it without requiring permission from IT, and they're guessing the IT departments are too lazy to properly secure their systems from unauthorized executables.  It's a way out for all those people stuck with IE6 by their outdated IT departments."

--tayme

Thus the question:  Why isn't it getting larger play across the internet?  Why hasn't MS pointed it out?

I have no trouble believing it...the question is one of confirmation.  Lots of people here are awfully partisan...

Pauls writeup is up (is that 5 Mike?) :

windowsitpro.com/.../googles-browser-created-out-of-fear-of-microsoft.html

I might note that Paul is putting words in Googles mouth (as Mike and as MS seek to do):

>>But a big part of the thrust behind Chrome is to formalize the notion that Web applications are as capable and "real" as traditional desktop applications.<<

Where did they say that?  Because they didn't.  Be very wary whenever a partisan writer starts off with the words: "implicitly admitted".  

"I have no trouble believing it...the question is one of confirmation.  Lots of people here are awfully partisan..."

Well I can also confirm it.  You could install it yourself and see and end the confirmation.  Likewise, in XP, it installed it in Documents and Settings.

That it's a huge big security hole...not that it installs there.

I have played with Chrome for a little bit but the one glaring snafu for me at least is when I use the scroll wheel on my mouse it scrolls way too much per notch.  Is there a way to control that?  I have my mouse settings set to 3 lines per notch and all of my other programs behave good.

betsig...see here:

episteme.arstechnica.com/.../3

Look toward the end of the page...

"That it's a huge big security hole"

Well it didn't require a UAC prompt and totally circumvents the protections of the Program Files folder.  As an IT admin, this is a huge problem.

Running it through Looking Glass, we see key files not protected by NX, although they are doing pretty good with ASLR.  Neither is the Chrome.exe file digitally signed. Hopefully these problems will be fixed soon.

Ars Technica (a writer at) says Google (a person at) told them the EULA will be fixed.

Perhaps this fresh incident will convince Google that it's cheaper to have the lawyers work out a special EULA ahead of time when appropriate rather than to use the cookie cutter one and pay the lawyers extra to fix it under time pressure.  (In this case, Google has had 2 years to think about a EULA for a web browser, and this is not one of the "20 percent of your time" projects--clearly there is a process problem at Google.)

 --John (who, just to be clear, would very much like to see this browser succeed, but annoying IT departments doesn't help with success in business environments and flaky EULAs don't help with success anywhere)

Mike, if you look at the premature history this way, it's scary:  Those June and July items are in the history because Google knew you were thinking about those URLs while logged into one of their services.

Not that I believe that:  if Google could do that, their ad revenue would look like petty cash beside the mind reading revenue.

So much for Chrome's process isolation means that a crash can only take down that pane (and give you the sad tab display)

ZDNet is reporting blogs.zdnet.com/security that a proof of concept DoS attack is already out that takes down the entire Chrome system of tabs and windows just by visiting a bad site in one tab.

"When a user is made to visit a malicious link, which has an undefined handler followed by a ’special’ character, the chrome crashes with a Google Chrome message window “Whoa! Google Chrome has crashed. Restart now?”. "

>>Shrug<<

You expected perfection on day 2?  

Ocean

The whole point of their architecture is to make that impossible. Apparently despite the massive overhead of running a separate instance in a separate process for each tab, they don't isolate the tabs the way they said.

It's likely an architecture bug and not a code bug and since it's precisely that architecture that they tout as their big advantage (despite the costs) this might be a major issue.

I thought the point of the architecture was to provide a more stable *surfing* element...not to proof it against directed attacks.  

I personally don't think it's possible to harden a browser to the point where any and every pointed attack will fail...without damaging the browsing experience.

>>despite the massive overhead<<

Not all users have found that to be the case.

Am I the only one missing the fact that this is beta?

Security wise, busted from day one. Why would Google use an older unpatched version of Apple's WebKit? I guess they don't believe in true QA at Google...

Dude1313, others have noticed the beta tag.  Chrome seems to "beta" farther back into unreadiness than even Google usually does.  (By necessity, I speak from reading others' postings.  Not installed here (likely not this year).)

Actually I've found the beta for Chrome to be much more stable and functional than the first Safari for Windows beta....not that that is saying much though. :)

Mike you are right in that there are likely more items in your history from your other browsers, I was just pointing out where those entries likely came from - in that Chrome didn't just make them up or have a timestamping glitch.

And for the record, I will agree with those who have said that putting the app into the users' data directory is not the way to go. I'm not against per-user apps, but the executables should be stored in the proper programs folder with all the other programs, just allow separate user information to be stored in the data directory. If I'm backing up my user data, I don't want to be backing up program files (that won't run if all I do is restore them to the data folder on another computer).

Silverlight on Msnbc does not work on IE8.  I can't believe they would release a beta where Silverlight did not work.

I've always been a bit of a Microsoft fanboy but Google keeps turning up the heat.  Chrome is exciting.

Perhaps it was all of the anti-trust baloney that killed Microsoft's aggressive style.

techboy2000

You're right to not believe that Silverlight doesn't work on IE8 because it worked fine in beta 1 and it works fine in beta 2.