Some businesses and their Chrome-using customers are furious at Google's crackdown on Chrome extensions that had been hosted outside of the Chrome Web Store.
Their ire stems from Google's forced disabling of extensions that shipped with paid software that have yet to be replaced, effectively hamstringing those services. Games, financial software, third-party Windows security suites, and productivity tools are among those affected. Some of the people who develop and use the extensions have registered their complaints on Google's product forums.
The change "makes it much harder to build tools to make Chrome a better citizen in the enterprise," said Gary Schare, former Microsoft employee and CEO of Browsium, a company that helps businesses manage multiple browser installations.
"Anyone running an older version of my extension on an unmanaged system just got broken, and there's not a thing I can do about it," he said. His company has been a major advocate for replacing Internet Explorer with Chrome in businesses.
From Google's point of view, it's kneecapping the biggest problem on Chrome for Windows.
Google announced the plan to allow Chrome for Windows to only install extensions from the Chrome Web Store last November, citing security problems on Windows as the impetus for the change. Chrome engineering director Erik Kay wrote at the time that "bad actors" had figured out how to bypass Chrome's security measures, and were able to install malicious extensions on Windows computers. Not only did they often replace the New Tab page or override browser settings without permission, both major complaints, but Kay said that malicious, third-party extensions were the top complaint about Chrome.
After giving developers half a year to migrate their extensions to the store, Google began to implement the restriction at the end of May. The change affects Chrome Stable and Chrome Beta, the two most widely used versions of Chrome.
Complaints are numerous, and judging by the 42 pages of angst in Google's own product forums, voluminous. They can be summarized as general outrage at being told what to install on their computer, and specific frustration with not being able to use an extension that was part of a program they paid for.
The problem for developers is not only an issue of updating the extension to comply by Chrome Web Store rules. Google recommends that the new versions of extensions be tested in either the Chrome developer channel or Chrome Canary, rougher builds of the browser than Chrome Stable or Chrome Beta, which most people use. Testing an early build of an extension on an early build of a browser is no guarantee that the extension will work when the browser finally ships.
Another part of the problem is that while Google has exempted some non-Web Store enterprise extensions from the ban-hammer, they must be managed by Microsoft's domain-joined computers technology and group policy. That leaves extensions that have been written for personal use high and dry, unless the developer switches to a different version of Chrome.
However, not everybody is upset with the change. JD Sherry, vice president of technology and solutions at security firm Trend Micro, said that even though the change caused some problems for Trend Micro users, he was glad Google made the leap.
"This approach is brilliant, and I think it's a wonderful step in the right direction with browser security," he said. It's "critical and important" that Google protect Chrome users against "Java-based attacks and third-party extension attacks," Sherry said.
A Google spokesperson told CNET, "We're working with the top developers affected by this change."
That's not enough to mollify Browsium's Schare. "Microsoft used to make mistakes like this," he said, "but learned a long time ago not to."
It's possible that some Windows users will abandon Chrome for competitors like Firefox, Opera, or Chromium, the open-source browser that Chrome is based on. People can also switch Chrome channels to a less stable, more experimental version. But at least with extensions, Chrome may have crossed the thin, harsh line that separates security and usability.