520 points kevinyew | 20 comments
1. viraptor ◴[] No.45126730[source]
It was nice knowing them.

> less than 10% of organizations have adopted a secure browser

Yes Gartner, let's invent a "secure enterprise browser", because there's too much interoperability on the web - there's definitely some business on splitting that up. I'm sure Atlassian people love that idea.

replies(7): >>45126787 #>>45126877 #>>45127050 #>>45127082 #>>45127246 #>>45127792 #>>45127972 #
2. jgalt212 ◴[] No.45126787[source]
> less than 10% of organizations have adopted a secure browser

That's the value prop (along with better application interop+) of the Here browser.

+ I do think the File System API did somewhat mitigate this value prop.

https://developer.mozilla.org/en-US/docs/Web/API/File_System...

replies(3): >>45126844 #>>45126915 #>>45128733 #
3. JumpCrisscross ◴[] No.45126844[source]
Also these guys [1].

[1] https://www.island.io

4. kube-system ◴[] No.45126877[source]
> let's invent a "secure enterprise browser", because there's too much interoperability on the web

Enterprise browsers are an existing category, and even Google offers an enterprise version of Chrome.

The idea of an enterprise browser is that all of the interoperability that has been built has been between the desktop and web servers. Most desktop browsers don't have many features that allow an organization to manage them, beyond managed policies which honestly aren't that great. For the most part, standard desktop browsers are a big hole in both inbound and outbound security.

replies(1): >>45127656 #
5. viraptor ◴[] No.45126915[source]
I'm not sure we need a new browser for that. Between corporate proxies filtering content and the ability to disable JIT by policy, you get 99% there with security. Add some containers for zero trust / auto-sso and we'd be there... There's really no reason to make a new browser.

It could be a few options away on Firefox for example if people cared about the "secure" part more than the "enterprise sales" part.
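
Added example, not part of the comment above or of the thread: one way to check that a managed browser policy actually enforces the two controls that comment names (JIT disabled by policy, traffic pinned to a corporate proxy). It assumes Chrome's enterprise policy names (DefaultJavaScriptJitSetting, JavaScriptJitAllowedForSites, ProxySettings and the older flat ProxyMode/ProxyServer/ProxyPacUrl keys); the function name audit_policy and the sample values are constructed for illustration.

```python
import json

# Constructed sample of a Chrome managed-policy file (on Linux these live
# under /etc/opt/chrome/policies/managed/). Values are illustrative only.
SAMPLE_POLICY = json.loads("""
{
  "DefaultJavaScriptJitSetting": 2,
  "JavaScriptJitAllowedForSites": ["[*.]legacy-intranet.example"],
  "ProxySettings": {"ProxyMode": "fixed_servers",
                    "ProxyServer": "proxy.corp.example:3128"}
}
""")

def audit_policy(policy):
    """Return findings for the two controls: JIT off, proxy enforced."""
    findings = []

    # DefaultJavaScriptJitSetting: 1 = JIT allowed, 2 = JIT blocked.
    if policy.get("DefaultJavaScriptJitSetting") != 2:
        findings.append("JIT is not disabled by default")
    # Per-site exceptions re-enable JIT; a wildcard undoes the default.
    for pattern in policy.get("JavaScriptJitAllowedForSites", []):
        if pattern.strip() == "*":
            findings.append("JIT exception covers all sites: " + pattern)

    # Proxy may be set via the ProxySettings dict or the older flat keys.
    proxy = policy.get("ProxySettings") or {
        "ProxyMode": policy.get("ProxyMode"),
        "ProxyServer": policy.get("ProxyServer"),
        "ProxyPacUrl": policy.get("ProxyPacUrl"),
    }
    mode = proxy.get("ProxyMode")
    if mode == "fixed_servers":
        if not proxy.get("ProxyServer"):
            findings.append("fixed_servers mode without ProxyServer")
    elif mode == "pac_script":
        if not proxy.get("ProxyPacUrl"):
            findings.append("pac_script mode without ProxyPacUrl")
    else:
        # direct, auto_detect, system or unset: not pinned to the proxy
        findings.append("proxy not enforced (ProxyMode=%r)" % mode)
    return findings

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY) or "policy enforces both controls")
```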

6. ghm2199 ◴[] No.45127050[source]
What's a good source to read about designing enterprise browsers? I imagine this would become a tradeoff between breath functionality (API) vs the kind of threat vectors they face. But like what are the objectives and goals that help make these decisions?
replies(2): >>45127091 #>>45127187 #
7. zerkten ◴[] No.45127082[source]
Secure browsers want interoperability and for there to be zero objections on those grounds. Companies want to offer a standard web browser, but they need to harden deployments for specific threats. You can see articles like https://aka.ms/EdgeSecurityWhitepaper/Docs for Edge which describe the extra layers of security you can apply while still using the same browser.

Atlassian would want integration with their backend products to increase lock-in and provide a place where their products are centered. IT control how products are presented to end users in organizations that matter (in terms of sales volume.) Establishing visibility and driving engagement is hard if the Atlassian tools are a niche and they want to attack SharePoint or other products. Being able to more efficiently use the tools the company has bought is attractive (even if not a reality.)

Making their browser incompatible is a bad outcome for them because it's an IT choice to adopt their browser. This carries visibility and risk for IT who could be embarrassed. Any backlash carries over to other Atlassian products or affects renewals.

replies(1): >>45127163 #
8. its-summertime ◴[] No.45127091[source]
Can it, when clicking a given link, hand off to a remote desktop session that is running Windows XP and Internet Explorer because some random part of your intranet hasn't been updated in 20 years? If yes, then it's an enterprise browser.
9. viraptor ◴[] No.45127163[source]
> Companies want to offer a standard web browser,

I don't believe that in the long term. If Atlassian creates an enterprise-managed browser they can charge for, there will be a big incentive to making their suite work better in that browser only. Or JIRA/Confluence features will be released using APIs only available there. It will be their EEE.

If they really cared about actual security, they'd optimise their services enough to use them with JIT disabled. And maybe push the industry to do the same. And publish some SSO auth standard that integrates with the browser.

> Any backlash carries over to other Atlassian products

Atlassian doesn't care about users and what they think. If they did, markdown textboxes would still be there and JIRA wouldn't be a slow abomination. But they sell to businesses, not users. So instead of fixed issues or QoL improvements, I get an AI button.

replies(1): >>45128646 #
10. chrisweekly ◴[] No.45127187[source]
breath functionality?
11. ActionHank ◴[] No.45127246[source]
Remember when most organizations only supported IE for their websites, then in some orgs it later became a requirement for working with legacy webapps.

A secure browser was never a concern.

replies(1): >>45128999 #
12. jnwatson ◴[] No.45127656[source]
Enterprise Chrome is just regular Chrome with remote policy enforcement. It isn't a different browser.
replies(2): >>45127912 #>>45130053 #
13. ebiester ◴[] No.45127792[source]
It's already invented - someone else mentioned Here and Island. It allowed us to onboard contractors without giving them computers because we could control a lot. It's an interesting idea on the business side and I'd say a good risk for Atlassian even though it won't be good for their current users.

Think about putting your business VPN and security controls in the browser. And if you can put your connection to AI and start building a productive workflow around it, that's an interesting proposition. It doesn't change interoperability on the web; it's a controlled client for the business use case.

This is being marketed to an entirely different group.

14. kube-system ◴[] No.45127912{3}[source]
From an engineering perspective, most browsers are "pretty much just Chrome(ium)", but that's not what I'm talking about here. The delivery mechanism isn't really relevant from a product perspective. It is a different product with a different price and different features.

Also, my point was just to say that there's a market for something like this. Chrome Enterprise is not even really that competitive of a product in the space.

For the most part, default Chrome and Firefox are designed primarily for B2C use cases.

15. superkuh ◴[] No.45127972[source]
It wouldn't be the worst event of that type or even unprecedented. HTTP/3 is not even TCP and barely HTTP anymore. HTTP/3, QUIC, was openwashed through the IETF by google/ms/apple and can't even connect to a website unless that website gets continuing approval from a third party corporation for existing (a CA TLS cert, no self signed, no plain text). It is "secure enterprise HTTP" with every one of its architectural and implementation choices being driven by the needs and use cases of for-profit enterprises. It is a fairly crap protocol for human persons and the web and sites as we know it.
16. thewebguyd ◴[] No.45128646{3}[source]
> there will be a big incentive to making their suite work better in that browser only. Or JIRA/Confluence features will be released using APIs only available there. It will be their EEE.

That just sounds like going back to making thick clients/desktop apps vs. web with extra steps. They might as well make their own native Jira app instead of making an entire web browser and breaking their web app to only work in their new browser.

17. thewebguyd ◴[] No.45128733[source]
I haven't heard of Here browser until now, but looking at the website I guess I don't understand what the point is?

For Windows shops, Edge is already an "enterprise browser." I can control literally every aspect of it via MDM policies or Group Policy for the on-prem AD folks. If using EntraID, SSO is already included, and you can go as far as whitelisting sites as well. I can set custom tab groups, pinned tabs, etc all with policy.

Even on non-managed/BYOD devices, once signed in to the work account Edge can be managed the same way via MAM policies. I can even force documents and links from other "work" apps to open in the managed Edge profile.

The only thing Here seems to offer that I couldn't configure Edge to do is the split-pane view in their "Supertabs" but Edge does have the sidebar, that I can configure to be pinned with Teams, Outlook, Copilot, etc.

18. mrkramer ◴[] No.45128999[source]
> A secure browser was never a concern.

Because the majority of malware, if not all, was written for PCs. Nowadays most malware still targets PCs, but attacks targeting web users are now more prevalent. Attackers attack through compromised websites or phishing websites using social engineering techniques or exploit kits[0]. Websites are the dominant attack surface, not web browsers, because it is hard to find 0-day exploits and usually they are found and used by state-sponsored attackers. Chrome is still the most secure browser because it has enormous market share and everybody is attacking it, both whitehat and blackhat actors, so the Chrome team is constantly fixing and patching Chrome.

[0] https://en.wikipedia.org/wiki/Exploit_kit

replies(1): >>45138366 #
19. stackskipton ◴[] No.45130053{3}[source]
Which is what Enterprises need. They don't need their own version of Chrome, they need the ability to make changes to it like force Proxy, insert MiTM certs and various other Enterprise stuff.
20. ActionHank ◴[] No.45138366{3}[source]
I would wager that if you asked corporations which was more important, knowing what their staff are doing online during work hours vs ensuring that their browser is hardened, they would choose to spy on their employees.

My point is this is coded language to give corporations an excuse to have another foothold on their employees' data.