Adding Chrome to Browser Configuration category

[agpt8]

Hey there,

Its really nice that the module adds many platform level security policies to edge for security and privacy. While Edge covers majority of the use cases and is compatible with majority of the websites out there, there are still some which requires Chrome for their entire or atleast some part of their websites. Currently, I have manually added some platform level policies in registry but having this built in the module would be really appreciated.

And as Chrome still has a strong foot hold on the browser market and majority of the people still using it, applying equivalent or all applicable policies to it at platform level along side Edge would go a long way in ensuring device and user data security.

In enterprise setting as well (or atleast what I saw in my org) is the IT would configure policies for both Edge and Chrome to cover 99% user base in the org. People naturally gravitates towards Chrome out of habit so I believe covering Chrome under Edge Browser Category (a name change to just "Browser Category" would be nice as well) would cover a much larger user base.

Making the Browser category generalised is a better option imo. Detecting what browsers are installed and giving a choice to the user for each browser would take this to the next level!! (EU users would remove Edge use other browsers, the choice would come in handy here and getting other browsers covered (atleast chrome for now) would make the script work for a lot more use cases.)

Chrome and Edge both have similar release cadence and both provide group policy objects for both stable and pre release builds.
https://chromeenterprise.google/download/#managepolicy-downloads
https://chromeenterprise.google/download/?modal-id=download-chrome#management-download

What are your thoughts on this?

[HotCakeX]

Hi,
Which websites specifically need Chrome and don't work in Edge? 🤔
(need answer to that before I can reply to the rest)

[agpt8]

Many websites (or parts of them) like some grad school websites (I am applying to them so I had to switch for some to chrome) where some of there modal elements or some subdomains that requires students to record and upload a video as part of applications;
Many Indian Government websites, including their subdomains, account related user flows does not work on any other browser that Chrome or Firefox.

[HotCakeX]

Do you have links to them? I wanna see what the dev tools console says about them, because Edge and Chrome use the same engine, there shouldn't be any compatibility issues.

I haven't run into any website like that in the past 4+ years that I've been using Edge.

[agpt8]

Some examples are:
https://www.esic.in/EmployeePortal/login.aspx/EmployeePortal/login.aspx
https://www.irctc.co.in//
https://contents.irctc.co.in/en/bookEticket.html)/en/bookEticket.html
https://retail.onlinesbi.sbi/retail/login.htm

While these straight up gives the following error:

If I manage to get them working by removing the ciphers configured for edge and under the tls category, they still dont work correctly (or many times parts of them glitches out) when logged in as an employee (in the first example) or as a user.

These are just some examples, there are many other gov websites that does not work correctly on edge but works fine on chrome (yes I checked by disabling content blockers, removing the edge policies)

[HotCakeX]

Thank you, please give me some time to go over them and i'll reply with more details

[HotCakeX]

@agpt8

Sorry for the late reply, had to complete my PR first.

So, some of the websites you gave me have a common problem, they don't work with strict MIME checking in the modern browsers.

This is an old security feature and even Firefox prevents those websites from loading properly.

Just like Edge

This one works fine though in Edge

So does this one

The new Edge browser uses industry standard browser engine, same one used by many other browsers. If a security feature is enabled in Edge it's most likely enabled in Chrome as well. I haven't seen any problem that is only related to Edge and not other browsers such as Chrome or Firefox.

Chrome does have the most userbase, that's true, at least for now, but that doesn't mean we should boost it, actually the opposite should happen. Google's aggressive and often false advertisement to make people think Chrome is better than Edge is probably a reason for their high user base too. These tactics obviously shouldn't be rewarded.

EU users have the option to remove Edge from the OS but doing that is their own decision, not a good one though.

IT departments in many enterprises make lots of mistakes and bad decisions which result in financial and data loss, happens a lot, that's how they get compromised.

End users with unmanaged workstations/client PCs cannot use all of the policies available for Edge because of security reasons.

If you visit this page: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies

and search for Applies to a profile that is signed in with a Microsoft account: No

You will see all of the policies that are not applicable to unmanaged PCs. at the moment they are 299 vs 277 policies

This is one of the reasons why the Harden Windows Security module uses registry keys instead of Group policies.

The security baselines for Edge include policies that cannot be used unless a PC is managed by Intune or a domain controller.

Another reason is that the Edge security baseline group policies include some policies that make no sense to be used by the module, such as a policy that disallows all of the browser extensions, that'd definitely make everyone instantly unhappy.

There are of course privacy implications related to use of Google products too.

In conclusion, any website compatibility in Edge will manifest itself in Chrome as well because they share the same engine. Firefox can't fall behind if it wants to stay a relatively secure browser. Apple's Safari is usually the strictest one from what I've seen.

Users of unmanaged PCs such as home users should continue using Edge only, keep their attack surface low by not installing duplicate 3rd party stuff such as browsers.

Users of unmanaged PCs can't do much, if their IT admin in the company they work at designated Chrome as their only browser then that's what they're stuck with and it's out of the scope of the module to change that, because the module can't provide policies to be applied to Chrome browsers in managed PCs, the Admin is somebody else.

Also, I can personally support Edge, constantly validate all of the policies i add, all of the exploit mitigations i add to make sure things work smoothly. Can't do the same for Chrome or other browsers since I don't use them.

[agpt8]

Understandable! Thank you for your consideration.

[HotCakeX]

Of course, thank you too for bringing it up!