Chrome extensions: Potential cracks in the armor?

Chrome became my Web browser of choice, after learning contestants at this year's Pwn2Own felt it was too difficult to exploit. Yet, bad guys don't have to abide by the same rules.

-------------------------------------------------------------------------------------

Chrome is one of the most secure Web browsers right "out of the box" due to sandboxing. Understanding that, cybercriminals are turning to a different attack vector, aftermarket extensions.

The dilemma

Chrome is relatively new, but its list of available extensions is growing rapidly. That's good, yet creates a problem. How do you vet each extension, making sure it meets the development team's requirements? This gives the bad guys a possible in. They can exploit buggy extensions or create malicious extensions.

Vulnerable extensions

Let's see what Google does to protect users from being exploited through buggy extensions. Google based its extension system on a methodology proposed by the EECS Department at the University of California, Berkeley, in the paper Protecting Browsers from Extension Vulnerabilities. The abstract of the paper sheds light on the problem:

"Browser extensions are remarkably popular, with one in three Firefox users running at least one extension. Although well-intentioned, extension developers are often not security experts and write buggy code that can be exploited by malicious web-site operators.

We propose a new browser-extension system that improves security by using least privilege, privilege separation, and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability."

  • Least privilege: Google achieves this by requiring every extension to have a manifest that declares the privileges it needs; those are the only privileges the extension gets.
  • Privilege separation: Google divides privileges between what it calls background pages and content scripts. As the name suggests, background pages have no contact with Web pages, so they can hold the most privileges, whereas content scripts deal directly with Web pages and have limited privileges. This creates a condition where attackers would not be able to obtain privileges or escalate existing privileges.
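
The manifest-declared privileges and the content-script/background split described above can be checked statically before an extension is installed. The following is an added example, not code from this article, Google or the Berkeley paper: the SENSITIVE_APIS list, the finding levels and both sample manifests are constructed assumptions. It goes slightly beyond the article by also reading the "host_permissions" key that later manifest versions use.

```javascript
// Added example: static audit of a Chrome extension manifest.
// SENSITIVE_APIS and the finding levels are this example's own policy, not Google's.
const SENSITIVE_APIS = new Set([
  'tabs', 'cookies', 'history', 'webRequest', 'debugger', 'management', 'nativeMessaging',
]);

// A Chrome match pattern is <scheme>://<host>/<path>; a host of "*" means any site.
function isBroadPattern(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\/.*$/.exec(pattern);
  return m !== null && m[2] === '*';
}

function looksLikeHostPattern(entry) {
  return entry === '<all_urls>' || entry.includes('://');
}

function auditManifest(jsonText) {
  let manifest;
  try {
    manifest = JSON.parse(jsonText);
  } catch (err) {
    throw new Error('manifest is not valid JSON: ' + err.message);
  }
  if (manifest === null || typeof manifest !== 'object' || Array.isArray(manifest)) {
    throw new Error('manifest must be a JSON object');
  }
  const strings = (v) => (Array.isArray(v) ? v.filter((x) => typeof x === 'string') : []);

  // Older manifests mix API names and host patterns in "permissions";
  // newer ones list hosts separately under "host_permissions".
  const declared = strings(manifest.permissions);
  const apis = declared.filter((p) => !looksLikeHostPattern(p));
  const hosts = declared.filter(looksLikeHostPattern).concat(strings(manifest.host_permissions));

  const findings = [];
  const broadHosts = hosts.filter(isBroadPattern);
  if (broadHosts.length > 0) {
    findings.push({ level: 'high', msg: 'host access to every site: ' + broadHosts.join(', ') });
  }
  const sensitive = apis.filter((p) => SENSITIVE_APIS.has(p));
  if (sensitive.length > 0) {
    findings.push({ level: 'medium', msg: 'sensitive APIs requested: ' + sensitive.join(', ') });
  }

  // Content scripts are the component that touches page content, so the sites
  // they are injected into define how much hostile input the extension sees.
  const scripts = Array.isArray(manifest.content_scripts) ? manifest.content_scripts : [];
  const broadScripts = scripts.filter((cs) => cs && strings(cs.matches).some(isBroadPattern));
  if (broadScripts.length > 0) {
    findings.push({
      level: 'medium',
      msg: broadScripts.length + ' content script(s) injected into every site',
    });
  }

  // Privilege separation only helps if the privileged side distrusts the exposed side.
  const hasBackground = 'background_page' in manifest || 'background' in manifest;
  if (hasBackground && broadScripts.length > 0 && (sensitive.length > 0 || broadHosts.length > 0)) {
    findings.push({
      level: 'review',
      msg: 'privileged background component coexists with content scripts on every site; ' +
        'review the messages it accepts from them',
    });
  }
  return { apis, hosts, findings };
}

// Constructed sample manifests (not real extensions).
const NARROW = JSON.stringify({
  name: 'Example price checker (constructed)',
  version: '1.0',
  permissions: ['https://shop.example.com/*'],
  content_scripts: [{ matches: ['https://shop.example.com/*'], js: ['check.js'] }],
});
const BROAD = JSON.stringify({
  name: 'Example toolbar (constructed)',
  version: '1.0',
  background_page: 'background.html',
  permissions: ['tabs', 'cookies', 'http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
});

for (const [label, text] of [['narrow', NARROW], ['broad', BROAD]]) {
  const report = auditManifest(text);
  console.log(label, report.findings.map((f) => f.level + ': ' + f.msg));
}
```
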

Malicious extensions

Malicious extensions are harder to defend against, because they are intentional attacks. Google would prefer that users only install extensions that are found in their gallery. Google checks the extensions and rates them. Their logic is that malicious extensions should have a low reputation. Once Google notices that, the extension is removed.

Obviously, Google would rather not have extensions from other sources installed in Chrome. If they are, Google advises using the same precaution as when installing any executable code.

Sandboxing

Earlier, I mentioned that the Chrome Web browser uses sandboxing. That alone makes Chrome formidable. In an interview after last year's Pwn2Own competition, well-known security researcher Charlie Miller had this to say about Chrome:

"There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things, you can't execute on the heap, the OS protections in Windows and the Sandbox."

Needless to say, Chrome was not exploited at this year's Pwn2Own contest.

Lots of processes

One thing I immediately noticed about Chrome is that it opens all sorts of processes:

After the shock, I found out it's by design. Google uses multi-process architecture. That means extensions, the browser kernel, and web content are all in separate sandboxed processes. Google has its own task manager, allowing you to easily understand what resources are being used by what process:

Having each process in a sandbox creates a condition where a malicious Web site cannot compromise a vulnerable extension, and a malicious extension cannot subvert the browser kernel.

So what's left?

It appears that Google is doing all they can to create secure conditions for Web browsing. Sadly, when that happens, the bad guys usually revert to social engineering and that is the case with Chrome extensions. There are several posts online referring to a circulating email that offers recipients a cool extension for opening email.

Sure, it's a con, installing a trojan instead. So, we still need to be careful out there.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

41 comments
LeonBA

Just FYI: the UC in California is spelled Berkeley, with that "e" in the middle. (The place in Michigan, though, is spelled without it, as Berkley.)

eatmyshred24

One reason I use Chrome is for the Sandbox method to security, yet I think that as it becomes more popular more and more malicious hackers will find a way in. Yet what confuses me is the prevalence of Trojan attacks. Are people seriously so stupid as to download these E-Mail attachments/Links from E-Mails? People complain about the security of the Windows platform, yet I have not been infected in years (even whilst browsing dodgy sites). Admittedly Avast Pro is a great AV program, but it seems to me that the majority of infections are through people's own stupidity.. "Download this awesome app- (unknown sender)".. "Ok that sounds like a great idea, all I need to do is hand over my credit card details and the codes to every program I own".. Idiots

Ocie3

but its "task manager" does control, thus can limit, the access to host resources which each process that it launches will have. The description in the Google Chromium blog (http://blog.chromium.org/2008/09/multi-process-architecture.html) reminds me of descriptions of how Unix operating systems enforce privilege limitations, access rights, and process separation. Traditional sandboxing such as that effected by Ronen Tzur's Sandboxie creates, for example, an image of the file system in the "sandbox". All file creation, reading, writing and/or deletion that are effected by a sandboxed process occur in the sandbox, and not in the file system outside of the sandbox. In that context, the user can instruct Sandboxie to "recover" files which are present in the sandbox. Doing that will, for example, replace a file that is outside of the sandbox with a copy of the same file that has been altered inside of the sandbox, or add a new file that was created in the sandbox (e.g. by downloading it from another computer) to the system outside of the sandbox. But anything that the user does not choose to "recover" remains in the sandbox. If and when the sandbox is deleted, anything that is remaining in it is eliminated. Since I run Firefox, Thunderbird, iPodder and any other application that accesses the Internet in a Sandboxie sandbox, I doubt that malware which exploits a vulnerability in an add-on will be able to interact with the actual host. Sandboxie will intercept its attempts to do that and confine its activities to the sandbox. It is worth noting that Sandboxie, by default, drops the user's administrative privileges (if they have any) with respect to each process that is running in a sandbox. So I am not "running as admin" in that context. It isn't clear whether Google Chrome "drops" a user's administrative privileges while they are running Chrome. That could be very awkward if the user switches to running another program that needs admin privileges.
I have encountered that while using Sandboxie, but the incident has since proven to be unusual. Ordinarily, when I switch to an application that is running outside of a sandbox, my admin privileges are restored. For example, Firefox will download a software installation file, which is stored in the sandbox. If I run the installation in the sandbox, the only changes that occur will be confined to the sandbox (which has its own mini copy of the Registry, too). The software will not actually be installed unless I recover the file from the sandbox. Then I can run it outside of the sandbox with my admin privileges restored if I want to install the software. As far as I can determine, Google Chrome does nothing like what Sandboxie does, at all. In fact, it could be interesting to run Google Chrome in a Sandboxie sandbox. :-) :-) The key to Chrome is its "task manager", which launches and controls the respective processes: (1) one for itself as the browser, (2) one or more for web site page rendering, (3) one or more for web apps such as GMail, and (4) one or more for plug-in or extension execution. All interactions with the host from the various processes must pass through the browser process itself. As the writer disclosed and discussed in the blog article, there are some limitations to using the multi-process architecture. Hmm ... I wonder whether I can use Scroogle as the interface for access to the Google search engine. :-) By the way, a reader posted a comment on that blog article, stating that Internet Explorer 8 beta was the first browser to use a multi-process architecture, though its implementation differs from the way it is implemented in Google Chrome.

andrewgauger

As a web developer I am constantly running into issues with "after market" extensions that are built to supplement Firefox. Often times, I have to handle Firefox's debug tools re-submitting a form, or other nuances that are unexpected. I have used Chrome for a year now, and was not surprised that no one took it on at Pwn2Own. As a fellow Chrome user, I hope that the extensions don't become a turn-off as they did for me. Extensions remain the very reason I migrated from Firefox to Chrome.

zwayne

Ironic that a so-called secure browser has no master password for site passwords. Until they fix this glaring oversight - and believe me, people have been complaining for a long time but to no avail - I'll stick with Firefox.

cbader

Been using Chrome with a couple of security related extensions (Flash block, AdBlock) for about a year and loving it. Once I started using it, it pulled me away from Opera real quick.

Jack Flash

Very good review Michael... I was aware of the multi threading feature in Chrome, but not to its security related aspects... And as said in my subject - major problems are also an open invite for new services and startups...such as a service that validates browser extensions... Yours, Jack. IT Professional - You are not alone any more Join the party here http://itprofessional-mastermind.com/blog

Michael Kassner

I think so, it uses sandbox technology by default. Learn how that helps fight malicious browser extensions.

Ocie3

often the biggest security vulnerability is the person who is using the computer, irrespective of the software. You may recall that when Google's system was hacked, allegedly from mainland China, the intrusion started when someone at Google responded to a spearphishing e-mail. Social engineering is not as reliable as a process executing on a computer, but often it is the approach that works the best, and it may be the only method that can be used. Personally, I don't know whether "trojans" in e-mails or in other contexts have become the predominant method for invading a computer with malware. It seems to me that JavaScript rendered by a browser which is not running "sandboxed" remains the biggest threat with regard to acquiring malware on our computers, despite the popularity of Firefox NoScript and AdBlock. Then again, last week Malwarebytes' Anti-Malware found 14 executables, in C:\Windows on my computer, which it identified as a worm. Worms are designed to propagate from an infected computer to other computers via a network. No web site or user interaction is required, just some way to make a connection to the target computer -- a connection that allows the worm to pass through a firewall. Worms are one reason that firewalls and other "network intrusion protection systems" were invented. So it is reasonable to suppose that both the firewall and the NIPS feature of the AV that was running at the time failed to stop the worm from propagating to my computer. By the way, as I explained in my post here on the subject, Google Chrome does NOT use sandboxing and people who keep repeating the unfounded allegation that it does are, at best, just passing on Google's questionable use of the term. It remains to be seen whether Chrome offers either the known security of a properly developed sandboxing system or the advantages of a virtual machine. Saying that it does either one will not make it so.
The way that Chrome is designed does seem to have some security advantages, if the actual coding takes advantage of those features which are in the design per se. It is interesting reading: http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html (from Michael's article, perchance you overlooked it). Unfortunately, the blogger does describe what Chrome does as "sandboxing" by defining sandboxing in a very general and, IMO, misleading way: "In a nutshell, a sandbox is security mechanism used to run an application in a restricted environment. ...." Hey! By that "nutshell" definition, the Windows OS creates a "sandbox" for each process that it runs. Indeed, when the blogger proceeds to describe the design of Chrome and how it works, it seems to have the characteristics of an operating system -- with its "task manager", process isolation, and privilege separation features -- instead of the attributes of any sandbox system of which I have been apprised. As far as I can determine, Chrome does not create any "sandbox" anywhere. But no doubt Google and its employees would like everyone to consider what they don't know -- Chrome -- as having the security of something which they do know, sandboxing. In that respect, the use of the term "sandboxing" to describe what Google Chrome does is purely propaganda.

Ocie3

Uninstall all of the extensions and disable all of the plug-ins, and you will have Firefox in its native state. It was designed to be used, and useful, without any add-ons at all. Being cautious, I ran it for a long time before I began adding plug-ins and extensions. In that respect, I was more concerned as to whether an add-on would malfunction or adversely affect Firefox than whether they would introduce security vulnerabilities. (My, how times have changed!) It has been a long time since, but the experience of running Firefox without any add-ons was not at all unlike running Chrome without them today. Without the add-ons, I would surmise that Firefox has very few, if any, significant security vulnerabilities that have not already been found and rectified. It is worth remembering that Google patched Chrome not that long ago to eliminate several security vulnerabilities. However, all security vulnerabilities that arise in using the Internet are not found in using software such as web browsers or e-mail clients. Vulnerabilities have been found in the DNS system and even with the SSL/TLS protocols. The Firefox Perspectives extension was developed to respond to DNS vulnerabilities, and there is an SSL Blacklist extension that identifies servers which still have a certain SSL/TLS vulnerability. AFAIK, Google does not have any add-ons to deal with those. Google Chrome cannot do anything about the vulnerabilities in the Internet itself, except perhaps if someone can develop an add-on such as Perspectives, or that functionality is added to the Chrome executable(s). Personally, I am inclined to take the security offered by Firefox NoScript over Chrome's JavaScript rendering engine. NoScript has many more features than just protection against JavaScript malcode. Exactly what the security features of Chrome are in comparison is not readily discerned, even if you can read the source code which Google makes available.

Neon Samurai

Use a proper credential manager like Keepass.

Michael Kassner

Can you clarify your comment, please? That said, Firefox lasted about 3 hours in this year's Pwn2Own. So, I guess, I don't see your point, unless it is related to features. Chrome certainly needs help there.

Michael Kassner

Just wait, I have a 10 thing post coming with all sorts of security extensions.

Michael Kassner

Actually the ability to sandbox each process is the critical bit. Most other browsers do not have that feature.

grax

I didn't like Opera for a variety of reasons. I won't use I.E. for well documented security reasons. So I use Firefox, with a very few add-ons that I find useful, because it seems to be more secure and it's cross-platform (increasingly important because I plan to migrate to Ubuntu with the release of LL). Your article has prompted me to download and try Chrome. Install was a doddle. Everything transferred from FF and I was up and running in seconds. First impression is that it's faster even on my rubbish connection. Unless I can find replacements for the Add-ons that I do use I will, eventually stick with Firefox. Thanks, as ever, for a useful article.

Michael Kassner

I can just as well say that your definition of sandboxing is incorrect.

SkyNET32

Free, and they have extensions for chrome and firefox. Great little password manager. Most of my passwords for my logins are 64 alphanumeric and special characters long. :D

saghaulor

What the person is referring to is the fact that most browsers now offer to remember your login credentials, and that Firefox has a master password feature that when used the master password must be entered before you can unlock all your saved passwords. Honestly though, I think this is more so a physical security issue. Which we all know, if your computer has been physically compromised, kiss any and all security goodbye. It may be the case that when a browser has been hijacked, they can then get to your saved passwords, but I don't know much about that stuff. But then again, if your browser can't be hacked to begin with, what's the worry about a lack of a one password to rule them all feature? Other than if someone has physical access to your computer. Please see above response. My $0.02.

cbader

Always interested in new extensions that increase security. Was a bit bummed that Perspectives hasn't been ported over yet. I emailed their team and they said Chrome didn't expose the needed APIs but they were going to try to work with Google on it, so hopefully sometime in the near future...

Neon Samurai

The one thing I've run into is space limitations. That one row to the right of the URL field fills up quick.

Ocie3

I don't recall at the moment how I discovered Sandboxie, but I do believe that I had been using it for several months before I began frequenting Tech Republic's IT Security blog. Your remarks about Sandboxie's usability have merit, and you probably have much more experience with its shortcomings than I have found. So far, I run Firefox, Thunderbird, I.E. 8, and iPodder sandboxed, and if I keep Chrome installed, I would run it sandboxed, too. (I'm considering whether to use Pegasus Mail instead of Thunderbird.) IIRC, I haven't encountered any problems with using the USB HP Deskjet D1420 printer while Firefox and Thunderbird are sandboxed, but the printer is not a network device. Some day I might make it a network device, so that someone who has a laptop can connect wirelessly via the router for Internet access, and also to use the printer. However, maybe that project would be best left for Windows 7 instead of patchy old Windows XP. More to the point, I suspect that you are likely to encounter an obstacle(s) to accessing a networked printer with a Chrome process, such as one that is rendering a web site page. For example, suppose you want to print a receipt for a purchase from a web merchant. Chrome has the rendering process totally locked-down, so it cannot use the host's resources, whether also a resource via a LAN, except by asking the browser process to effect the job. Will it work? (I don't know, yet.) But perhaps I digress. What I have tried to communicate is that Chrome's design and methods appear interesting and worth exploring, but I doubt that they are or will become the Silver Bullet that wins our war with the criminals. The Google developers are quite clear in their remarks that they believe Chrome is not likely to be "all that you need". If you are running Chrome to effect online banking, can the ZeuS trojan still capture your credentials, and use them to transfer funds from the bank account to their "money mules"??
Remember that both tzuk and the Google developers declare that their software cannot protect you if your computer is already infected with malware. So, the question is whether either Sandboxie and/or Chrome can stop the ZeuS Banking Trojan from being installed on your computer when it has not been. If I may say so, it is easy to over-promote Chrome because of the use of "sandboxing", especially since it is still in development and largely untested in actual deployment. When it has as many customary users as Firefox has, then maybe we can begin to see whether Chrome can live up to its promise. Which is also to say: if Sandboxie sandboxing cannot be the universal solution, neither is Chrome "sandboxing" likely to become one, if only because, at present, its security model is implemented in just one application, namely, the Chrome browser. As you know, Microsoft's Kernel Patchguard will not allow a kernel-mode driver on 64-bit Intel hardware (I'm not sure about AMD, maybe I should pay a visit). So Ronen Tzur has, until recently, declined to develop a version of Sandboxie for 64-bit systems. However, I have a hunch that tzuk might be planning to adopt Google Chrome's use of native Windows OS security features to create a general purpose sandboxing system for 64-bit computers. It should be simple to apply them to each application that runs sandboxed, lock them down completely, and require them to obtain access to host resources with Sandboxie Control's supervision and constraints. Basically, Sandboxie Control assumes the role of the "browser" in the multi-process model, which in many respects is what it does now (look at it with Sysinternals Process Explorer and you will see). It is not clear as to how much of Chrome is open source (at least the web page rendering engine), and how much is proprietary.
Still I would assume that tzuk could develop his own implementations for using the native Windows OS security features, even if Google is granted a software patent(s) on its methods. Google almost certainly cannot stop anyone from using the native security features of the Windows OS that they use for Chrome. In fact, IIRC, Google encourages it and even solicits "contributions of code". Ah, would that I had the money and the time.

Ocie3

You know that "the devil is in the details", and I have only read Google's equivalent of a programmer's "executive summary". :-) Since I've installed Google and started using it, I've had to ask: What good is a "secure" browser that is not particularly usable or useful for what I want to do with it?? Security aside, Chrome has many deficiencies in its user interface. I can barely read the text that it displays with the tiny point-size that it uses, and which hardly anyone has been able to change. The standard Windows window controls (minimize, maximize, close) are also tiny, which means that using them becomes a conscious effort instead of a thoughtless reflex. Google seems intent on cramming as much "information" as they can into the area where Chrome displays web pages. Using Ctrl+ to increase legibility gets old really fast. The irony is that such tiny text is almost always surrounded by vast areas of empty space. Images tend to be small with wide borders of whitespace. The Chrome options pertaining to text are simple and, as far as I can determine, useless. (Like Firefox, the user can specify a "serif" font that is actually sans-serif.) Google also apparently believes that their unmonitored and unmoderated "user self-support forum" is the way to go, and that "voting" by the users as to whether an answer was useful is how to evaluate them. That has its merits, but I guess Google fails to realize that the responses which get the most votes are the ones which say "I'm sick and tired of messing around with Chrome, and I'm going back to Firefox 3.5.x." What that boils down to from Google is, "If you don't worship the ground we walk on, then go to some other church instead." That said, it seems that what is left of my life is a long farewell.

Michael Kassner

Before any debate, definition of the topic should be the first order of business. That said, I have no problem with Sandboxie, I believe that I introduced you to it. Yet, it is cumbersome to use and many applications do not work correctly. I submit that if Chrome gains sufficient market share, the general security level of all users will increase due to decreased number of infected computers. That is more important, than whether Google's definition of sandboxing agrees with yours. Also, people such as yourself who are knowledgeable need to view security from a different perspective. People with your interest are a huge minority. Most users aren't interested, they just want it to work. Think about the American business person trying to get something printed using the hotel's networked printer and Sandboxie will not allow it. What will they do, you know. Now think about the system admins that have to keep hundreds, if not thousands of users working efficiently. Chrome versus Sandboxie is not even a choice in many cases. IE comes automatically, so it's the browser used. Next best scenario, Chrome is simple to install and users can adapt easily. You can not say that about Sandboxie. It goes back to why users will ignore security advice. We as security types need to step outside our ivory towers. I can say that having just returned from a business trip to Europe. Once again experiencing all the pitfalls of security versus usability.

santeewelding

After all that, I am still left wondering how it is that you see how you are in the scheme of the world. I don't wish to see you circling some drain of minutia like this. You have far, far more to offer, don't you?

Ocie3

Before I posted any comments on this topic, I read at least two of the Google Chromium blog articles, and other references in Michael's article. Since then, I have re-read them and read two more, one of which I don't recall seeing in the article when I read it, and another which is referenced in one or more of the Google Chromium blog article(s): Chrome's Multiprocess Architecture: http://blog.chromium.org/2008/09/multi-process-architecture.html The "Google Chrome Sandbox": http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html The Chromium Projects "Sandbox" article: http://dev.chromium.org/developers/design-documents/sandbox The "Sandbox FAQ": http://dev.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ It is clear that Google Chrome is not designed to create any "sandbox", in which a process executes, by using the designs and methods which have been used previously, such as those that have been used by Ronen Tzur's Sandboxie. The primary method of Sandboxie is using a kernel-mode driver to intercept and filter all API calls to the Windows OS by processes which are running in a Sandboxie sandbox. Such a "sandbox" consists of the contents of a C:\Sandbox subdirectory, on the primary HDD of the computer which is executing the Sandboxie software. Essentially, while the browser and/or e-mail client run "in a sandbox", Sandboxie requires any malware that enters the system via the sandboxed program(s) to store its output, and the results of actions such as changing the Registry, in the sandbox -- instead of in the host's file system "outside of the sandbox". In contrast, Google's Chrome cleverly uses three or four features of the Windows OS security scheme to deny access to the host computer system's resources by any process which Chrome's "task manager" launches (with the exception, currently, of plug-ins).
This is especially important with regard to running Chrome's HTML rendering engine for web site pages in a sub-process which it spawns for the purpose. Access is implicitly denied entirely "by default", but a process can request and gain access to a resource via the primary process, which is the Chrome browser itself. That is how, for example, a user can download a file from a web site or from an FTP server. The file will not, however, be stored in a "sandbox" on the HDD as it would be if Chrome is running sandboxed by Sandboxie. So the question arises: can a web site take the initiative and, for example, download and install an executable file on a user's computer "silently in the background without the user's knowledge or participation" as it can do with Microsoft's .NET Framework "Click Once technology"?? Which is to say, Google Chrome relies on security features of the Windows OS which will probably remain the same, but may be changed, by Microsoft in future versions of Windows. If you want another example of their usage, just fully enable the features of Vista User Account Control. :-) Aside from that, whether Google's methods constitute "sandboxing", I would still say that they don't, even if they accomplish the same objectives, because using the term "sandbox" to characterize their system is misleading. Then again, it is not easy to think of an alternative, but surely Google's marketing department could do it. Last, but not least, given the caveats that Google discloses in its articles, it seems to me that it would be wise to run Chrome in a Sandboxie sandbox, if you really want the security of a sandbox! -- such as it may be. For one, Google admits that there may be "undocumented" ways to bypass the security check that ordinarily occurs when a process makes any given Windows API call. Sandboxie has its own caveats.
For example, it might not be able to protect a computer system from malicious activity or further intrusion if malware is already installed and running while Sandboxie executes. Google says the same thing with regard to Chrome's security, and neither Chrome nor Sandboxie can guarantee preventing malware from exploiting a vulnerability in the Windows OS. Succinctly, whether the OS is secure is, ultimately, the foundation of any and all security for any computer system. That is perhaps even more essential for Google Chrome as it is for Sandboxie. OS X or Linux, anyone?

Ocie3

Forget, for a moment, about our current and pressing need for security from the criminals who are using the Internet for their profit. AFAIK, the first "sandboxing" programs were developed to create an environment for testing the operation, input and output, of one or more applications that were in the course of development (in "alpha testing"). That is, we wanted to see what one or more programs would do "in a sandbox" in which they were allowed to create, alter and delete files, before we loaded and ran them "live" on the actual, real system. Doing that was especially useful when input was in "real time", i.e., while the program(s) that processed it were running, and producing their output in "real time", too. Real time was in contrast to batch processing, although really rapid execution of a batch-processing system can be practically indistinguishable from real-time interaction. As with Ronen Tzur's Sandboxie, the primary emphasis was creating a parallel file system on-the-fly within the "sandbox", if only because the focus of most applications was processing the data input from reading one or more files, and writing the output to one or more files. So the essential objective of sandboxing was, and is, to prevent an "untested" application from making actual alterations to the data space of the computer on which it is running. Some sandboxing systems were created to test alterations to systems software such as the file system itself. Sandboxing for software such as hardware drivers and network routers led to developing Virtual Machines, which adds simulating access to the system's hardware to that of simulating access to its file system(s) on storage media. VMs originated, if I recall correctly, in academia during the early days of "computer science". (Albeit, some private VM research might have been done, by IBM in particular).
Of course, sandboxing began in the mainframe era, and it has continued to this day while the hardware and its capabilities, and perhaps the programming languages, have changed. But sandboxing's apparent usage has also changed, insofar as it has been adopted for security purposes. The "untested application" in that context might be malware, or it might be an innocuous program which could have a serious incompatibility with the system on which it is executing. All things considered, from the description offered by the Google blogger, I would not call what Chrome does "sandboxing", if only because Chrome apparently does not isolate its processes from the file system of the computer on which they execute. When a user decides to download a .PDF or a software installer, where does Chrome store the file? (I know where Sandboxie stores it!) The blogger's "nutshell" definition seems, at best, to be made-up on-the-fly as a convenient metaphor for what Google hopes to achieve with its "new browser security model". Otherwise, it appears to misrepresent what Chrome does, or does not do, in the course of its operation. Please note that I am not saying that the (actual) Chrome security model is flawed, just that Chrome doesn't launch any subprocess in a "sandbox". On the face of it, the Chrome model as it has been otherwise described appears to have merit and might prove to be more secure than others such as Firefox, Safari and Opera. Although I would add Internet Explorer to those, the claim has been made that I.E. 8 uses a multi-process structure, although it is different from the one that Google has adopted for Chrome. According to the WXP News released April 28, 2010, Google released seven (?) Chrome patches for security vulnerabilities in the past ten days. So I guess that their "sandbox" has more "leaks" than they originally thought.

Michael Kassner

I would not be using Chrome if LastPass was not available. I tried RoboForm, and LastPass, in my world, is much better.

saghaulor

I'm sure you gathered from the tone of my previous post that I don't believe all the hullabaloo hype about master passwords being a security feature. Opponents of Chrome/Chromium like to talk about how insecure it is, and how featureless it is. Steve Gibson dedicated a whole podcast to it on his Security Now show. While I agree that Chrome could be a little finer grained with its current features as it relates to cookies and scripting, I think the master password stuff is silly. If your browser and OS are compromised then it seems to me cracking the master password is trivial. As I said before, it seems to me the worry about master passwords is for physical access. That's understandable, however, pretending like one knows something about security and then commenting in a way that demonstrates one doesn't clearly understand security and attack vectors belies one's ignorance. And as I said previously, if the browser can't be compromised to begin with, who cares about master passwords. Moreover, if one is worried about their computer being compromised in another fashion, and thereby compromising the saved passwords, well, I can understand that. However, the issue is then with the security of the offending exploited software, and not with Chrome, because as we said before, once the blackhat has access, cracking a master password is trivial.

PS. Obviously none of my tirade was directed at you, Mr. Kassner, as you clearly understand the situation.

Ocie3

If the only place to put icons for add-ons is on that single bar, then Google apparently intends to make installing a significant number of them impossible. At least while an extension is running, Chrome has to create a separate process for it, but the "task manager" is currently limited to a total of twenty processes. When you consider that, ideally, each web page is rendered in a separate process, and that each "web app" such as GMail also has a separate process, and one process is always required for the browser itself, then there is not a lot of room left for multiple add-ons. Everyone wants the Flash Player plug-in, at least, and whether it is Adobe Reader or Foxit Reader, that is at least a plug-in and sometimes an extension, too. So, the 20 processes become 19 that can be used without having the same process either (a) render more than one page from one or more web sites, or (b) run more than one web app, or (c) run more than one plug-in or extension. It doesn't take many add-ons and web site pages opened on multiple tabs before the Chrome "task manager" processes start doing multiple tasks. And realize that all communication with the host computer (i.e., the one running Chrome) must pass through the process in which the browser is executing.

Add-ons do make Firefox slower and I have become very picky as to which ones I use. It seems to me that they will really be a drag on Google Chrome.

By the way, for whatever reason, Chrome is installed in my Windows XP account profile and not in C:\Program Files, as the shortcuts disclose: "C:\Documents and Settings\UserAccount\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" Go figure.

Ocie3

Google Chrome, but so much more experienced with Firefox. Security aside -- if security is indeed provided by Chrome -- what else has it got?? I've installed it and looked it over, and so far I'm not particularly impressed. This is not the first time that I've examined Chrome, but I don't remember enough of the first time to compare it to this one. The UI looks like a bright fourth grade kid designed it on a chalkboard. You need good eyesight to see the UI controls such as the (X) that closes a window, and the confident manual dexterity to place the mouse cursor on them and push the appropriate button. Obviously, Google is designing for youth, not the adult population.

Certainly, I will admit that I have some concerns about dealing with Google. For a start, Google seems to me to have become a giant with an ambivalent and uncertain attitude toward privacy. The firewall keeps telling me that Google Installer wants to phone home at least once every two hours or so. Actually, it appears that regardless of whether I am running Chrome, "Google Updater" has been installed on my computer as a service that loads every time the system boots. Who does Google think they are, Microsoft? By installing Chrome, did I give Google license to keep a detailed log of all of my Internet activity, if not also other activity on my computer??

Notice that Google does not provide or sell Chrome as a computer program with the customary EULA. Instead, our use of Chrome is governed by "Terms of Service". They are apparently written with the perspective that Google is providing a service -- not a computer program -- for which they can, in our legal tradition, more easily dictate the terms. The document begins: "These Terms of Service apply to the executable code version of Google Chrome. Source code for Google Chrome is available free of charge under open source software license agreements at http://code.google.com/chromium/terms.html." (April 12, 2010, version of the TOS) Does "the executable code version" imply that there is some other "version" of Chrome? Where would we find it?

Google Chrome has the customary browser UI (simplified), but its design and operation are quite like an operating system that is, in usage, a particular kind of "Windows app". It is a very specialized operating system, and not one that operates a General Purpose Computer, such as the microcomputer that I am using as I write these comments. To put it another way, Google Chrome is the prototype "web app" which, if it served as an interface between a computer qua hardware, and the applications and utility programs that were executed by it on that hardware, then it would be considered an "operating system". Perhaps we should call it a "web operating system for web apps" which has a browser front-end, just as Microsoft's browser is the embedded UI for the Windows OS (according to Bill Gates). And Microsoft should rename Windows XP to Apatchy Operating System. ;-)

With regard to Information Technology, Google is the heir apparent to Microsoft. Microsoft destroyed the IBM hegemony* in mainframe computing by making it feasible to use microcomputers as tools instead of toys. Google is destroying Microsoft's microcomputer hegemony* by moving computing into the Cloud with "web apps" and SaaS. Certainly, the end-users will always possess (if not own) the hardware, be it desktop, laptop, or pocket/purse. But who develops and vends its operating system and the applications that work with it will become less important over time, as operating systems multiply among the growing plethora of computing platforms, beginning with the Blackberry, Palm, iPhone, Android and their brethren. Nonetheless, it seems that Google is still searching for a firm foundation for its enterprise in The Cloud of the lawless frontier of the Internet, while Microsoft plays out its fading role as it looks for a new act.

The only constant is change.

* http://en.wikipedia.org/wiki/Hegemony

Neon Samurai

I didn't notice it until answering Michael's post last evening, but there is a slider for the URL field's length. To include my selected plugins, I'd be reducing it down to nearly nothing though. I must be missing something or maybe someone else has done a plugin already (not been high enough on my list to go looking yet).

Ocie3

Odd that Google would underestimate the popularity of add-ons (plug-ins and extensions). With Firefox, it is possible to have a Menu Bar, Navigation Toolbar and Bookmark Toolbar. I refrain from putting anything on the Menu Bar that is not a menu, but I have customized the other two quite extensively.

Neon Samurai

OK.. so I grabbed Chrome and went on my plugin shopping spree. Plugins which have icons mostly appear to the right of the URL field at the top. A few present icons within the URL.. some present data along the bottom. Currently, I have 14 plugin icons showing between the, now shortened, URL field and the two menu icons to the furthest right. For this though, I still had to disable several plugins to make the more desirable ones visible. Otherwise, several get pushed out of view. For plugins that present information through the icon like the HTML validator; keep them visible. For plugin icons which are an activation only like the website screenshot plugin; is there another plugin that can contain them all into a "plugins" menu that would expand down like the page icon and wrench? With Firefox, many plugins place themselves into the tools and similar menus. It's messy to have them all mashed around like that but a nice clean "plugins" icon menu in Chrome could be a very clean way of doing it.

Michael Kassner

You lost me, but I am slow and old. Can you explain what you mean?
