Browser

Google Chrome: The new breed of Web browser

The Chrome development team focused on three things; stability, speed, and security. Chrome is stable and fast, but how do we know if it's secure?

The Chrome development team focused on three things; stability, speed, and security. Chrome is stable and fast, but how do we know if it's secure?

-----------------------------------------------------------------------------------------

Determining if something is secure can be difficult. Fortunately, software has the advantage of testing regimens like the Pwn2Own contest. If the software has any weaknesses, the highly-qualified contestants will find them.

It took reading about this year's contest to convince me that Chrome is secure, and I needed to switch. I also started wondering what sets Chrome apart when it comes to security. After a little digging, I met Ian Fette of the Google Chrome team. He provided the needed insight:

TechRepublic: It's been mentioned numerous times that security was a top priority when designing Chrome. Could you list the top three security concerns of the development team?

Fette: When building Google Chrome, we wanted to design the browser with security in-depth. We know that there isn't a single silver bullet to solve all security problems so we wanted to develop security functionality in all levels of the application. Three areas where we invested a lot of time were:
  • Warn users when they were accessing an unsafe site.
  • Work to keep untrusted code from leaving the browser's sandboxed renderer.
  • Ensure that users always have the latest and most up to date version of the browser in as quick a time as possible.
TechRepublic: Those concerns make sense; could you briefly explain what the development team came up with to overcome each of the concerns? Fette: To warn users that they may be accessing a phishing site or a web site that contains malware, we were able to utilize our Safe Browsing technology, which already powers similar functionality in Google Search, as well as in Firefox and Safari. Safe Browsing warns users through an interstitial page that the site they are about to visit may not be safe.

To prevent untrusted code from leaving the renderer process we implemented what's known as a "sandbox" around the renderer. This added level of security makes it harder for an attacker to exploit code on your computer, because even if they find a vulnerability in the renderer, they still are stuck in the sandbox.

Finally, to ensure users are always up to date with the latest version of the browser, including having the most recent security patches, we developed an automated system that updates the browser in the background without any manual intervention.

In order to meet their goals, the Chrome development team decided to use what is called multi-process architecture.

Multi-process architecture

By design, multi-process architecture splits the browser application into component processes. This way if one fails, the entire browser does not crash. Chrome is divided into the following processes:

  • Browser: This process manages tabs, windows, and "chrome" of the browser. This process also interfaces with the hard drive, network, user input, and display.
  • Renderer: This process is responsible for displaying web pages using HTML, JavaScript, CSS, and images. Renderers are controlled by software called the WebKit rendering engine.
  • Plug-ins: By design, a process is created for each plug-in or extension that is in use.

Now, to some questions about multi-process architecture:

TechRepublic: If I understand correctly, Google was the first to use multi-process architecture for Web browsers. How is Google's implementation different from other web-browser applications? Fette: Google took a novel approach by breaking down the browser into distinct components -- the browser, the renderer, and plug-ins. When we launched, we were the only major browser with this approach, which gave us a number of advantages.

For instance, if a plug-in crashes, the page you are viewing stays visible and remains responsive, it's just the portion of the page being rendered by the plug-in that turns into a "sad" icon.

The policy we set on renderer processes prevents malicious code running in the renderer from doing either reads to or writes from the user's file system (desktop etc), registry, and more. This policy is stricter than other browsers shipping today, and also applies to Windows XP, which still has significant market share.

TechRepublic: I remember being surprised at the number of processes Chrome can have open. Is there a limit to the number of web sites that can be open at the same time? If so what happens after the limit is reached? Fette: We limit the number of processes we will create, not the number of web sites you can open. We do this to achieve optimal performance tradeoffs, based largely on the amount of memory on your system (if you have more memory, we will limit the number of processes at a higher number).

Once you hit the limit on the number of processes, new tabs that you open will share a renderer process with other tabs. So, if you have 20 windows open with 20 tabs each, for a total of 400 tabs, it's possible that each renderer process might be supporting 10 tabs each, as opposed to overloading your computer with 400 different Chrome processes.

Chrome sandbox

Besides stability, multi-process architecture affords another benefit. By design, individual processes are not dependent on each other and can be isolated in what Google calls Chrome sandboxes. The following analogy penned by Esalkin on the Sandboxie forum is a great way to explain sandbox applications to those not familiar with them:

"Think of your PC as a piece of paper. Every program you run writes on the paper. When you run your browser, it writes on the paper about every site you visited. And any malware you come across will usually try to write itself into the paper.

Traditional privacy and anti-malware software try to locate and erase any writings they think you wouldn't want on the paper. Most of the time they get it right. But first, the makers of these solutions must teach the solution what to look for on the paper and how to erase it safely.

On the other hand, a sandbox works like a transparency layer placed over the paper. Programs write on the transparency layer and to them it looks like the real paper. When you delete the sandbox, it's like removing the transparency layer, the real paper is unchanged."

Experts, such as Charlie Miller sees the use of sandboxes as the reason Chrome has not been exploited:

"They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things, you can't execute on the heap, the OS protections in Windows and the sandbox."

How the Chrome sandbox works

Remember the renderers that I mentioned earlier? They are the sandboxed processes in Chrome. Because they are in sandboxes, the only resources renderers (Web page tabs) can use are CPU cycles and memory. Examples of what renderers cannot do, would be write to disk or display their own window. Those tasks are controlled by the browser process.

In order to achieve this, Google Chrome uses the Windows security model based on access tokens. An access token consists of information about the process owner and the privileges the process has. After reading the access token, the operating system then knows what resources that particular process or sandbox can access. Here is Google's explanation:

"Before launching the renderer process we modify its token to remove all privileges and disable all groups. We then convert the token to a restricted token. A restricted token is like a normal token, but the access checks are performed twice, the first time with the normal information in the token, and the second one using a secondary list of groups.

Both access checks have to succeed for the resources to be granted to the process. Google Chrome sets the secondary list of groups to contain only one item, the NULL user. Since this user is never given permissions to any objects, all access checks performed with the access token of the renderer process fail, making this process useless to an attacker."

How this helps

Using sandboxes prevents an attacker from exploiting the Web browser. Malicious code can be run by the sandboxed process, but the malware will not be able to read or modify any files on the computer. I again turned to Ian Fette for help in understanding the details.

TechRepublic: Could you give some real-world examples of what our computers will be protected from by using Chrome sandboxes? Fette: Like many other browsers, we maintain a list of security vulnerabilities that we have fixed. Many of the listed vulnerabilities are mitigated by the sandbox. For instance, we had an integer overflow in our JavaScript engine that, were it not for the sandbox, would allow an attacker to run any arbitrary code on your computer.

Because of the sandbox, the exposure due to this vulnerability was much less. An attacker would not, for instance, have been able to install malware that would persist on your computer after the tab had been closed.

TechRepublic: A colleague wanted me to ask if plug-ins and extensions are sandboxed? Fette: Extensions in Google Chrome are sandboxed, because they operate just like normal Websites and are written using standard Web languages like HTML, JavaScript, and CSS.

Plug-ins are not sandboxed right now, but we are working to bring them into the sandbox. Our recent announcement about integrating Adobe Flash into Google Chrome is a big step towards helping us operate Flash in the sandbox.

TechRepublic: With regards, to Chrome sandboxes, I have read they work differently when using operating systems newer than Windows XP. Could you elaborate on that? Is there a benefit to using the newer OSs? Fette: In Vista and later, extra capabilities are introduced to lock down a process, namely "integrity levels." Chrome applies low integrity on top of the normal restrictions applied by the Chrome sandbox on both XP and Vista.

While this theoretically makes the Vista sandboxing capabilities stronger, we are not aware of any practical attacks against Chrome where this would have made a meaningful difference. However, it does provide another layer of defense, and so we do use the integrity levels on Windows versions where they are available, as a defense-in-depth practice.

Final thoughts

I am no expert when it comes to Web browser design, but Charlie Miller is. If he can't exploit Chrome, that means something. I now have a better idea as to why he can't thanks to Google's Ian Fette. I also want to thank Eitan Bencuya of Google Communications, for connecting me with Ian.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

106 comments
Ocie3
Ocie3

In my experience with Chrome, Google clearly does not want anyone who uses the same computer to run any other browser at all, although they don't interfere with running I.E. for Microsoft Update ([i]e.g.[/i], on Patch Tuesday). But that it is about their only tolerance. For some indiscernible reason, Chrome would always be the default browser after a Windows XP boot from power-on. It did not matter whether Firefox (or I.E.) was the default browser when Windows most recently shut down. So, I thought that Google Updater, which runs as a service, was setting Chrome as the default, because Firefox (as it is configured to do) would always check whether it is the default browser, so it would announce that it was not the default and ask whether to make it the default. However, Firefox continued to do that even after Chrome and Google Updater were uninstalled. Getting it to change proved to be an instructive ordeal. FWIW, Google Chrome installation actions seem to be more directed at Firefox than they are at I.E., although they do affect both. They are also effected without the user's prior knowledge and explicit consent or any forewarning as to what changes will be made to the computer system when it is installed. Perhaps the user is likely to only notice or discover them after they uninstall Chrome, which leaves behind a major mess in the Registry for which Google assumes no responsibility. The abandoned changes make it difficult to continue or to resume using another browser. Google says that Firefox does not initialize various Registry settings when it becomes the default browser, and on the face of it, that does seem to apply to a few (but significant) keys. So, Google recommends making I.E. the default browser after Chrome is uninstalled, then rebooting and running Firefox to make it the default, because they say that I.E. does re-initialize the Registry keys. But if Firefox doesn't initialize them the way that I.E. does (as Google claims), then making I.E. the default first simply makes the values of the keys point to I.E. instead of to Chrome. Getting them to point to Firefox instead is not easy. So, IMHO, there is something else going on but Google protests that it is innocent rather than disclose what it is. Given the evident arrogance of their actions during installation, just about anything but innocence is credible.

zwayne
zwayne

Ever since Chrome was released, users have been begging for a Firefox-style "password protected" password manager. All passwords in Chrome are visible in plain text, a glaring security hole. There has been no official response as to whether they are even considering this. (Or provide a lame response such as "that's not the responsibility of the browser", even though Opera and Firefox users have long benefited from such a feature.) Many people - myself included - refuse to use Chrome until Google corrects this oversight.

rmerchberger
rmerchberger

And I quote: "TechRepublic: If I understand correctly, Google was the first to use multi-process architecture." I'll assume you meant "Google was the first to use multi-process architecture _for a browser_" or similar... or maybe as it's a browser-centric article, that was just assumed all the way thru. I didn't take it that way on first read, but it's not like I've been wrong (or read things funny) before... ;-) As I started my "Internet presence" as a mail/web/news admin nigh on 15 years ago, and quickly switching from Sendmail to qmail early on in that career, I found & reaped the security benefits of a multi-process architecture long ago; I still run qmail on my mail servers and have never been disappointed. One side note: A friend of mine uses Pandora (the Interweb music service) and finds that Chrome uses a *lot* more memory than Firefox - I'm wondering if the multi-process & sandbox approach contributes to that. Like others, I'd like to see an article on the Google-specific data collection issues of Chrome (something that concerns me enough to not use it with certain websites (read: Facebook)), but I do realize that wasn't the scope of this article. Good read! Thanks! "Merch"

shekharghosh7
shekharghosh7

Google Chrome is the fastest Internet Browser till date. It is secured also. One can add many applications to this Browser also. I am using this Browser since one year. I also used Firefox but I did not find it more efficient as compared to Google Chrome. Google has proved to be the Best Worldwide. Thank you Google for providing the Best Browser in the World.

ultima
ultima

The weakest link at this time seems to be Adobe Acrobat/Reader, at least from the malware I'm cleaning up. What good is it to lock the door if you leave the windows open?

jim
jim

Michael, I respectfully refer you to an article from Chad Perrin in today's TR collection: http://blogs.techrepublic.com.com/security/?p=3717&tag=nl.e036. It opens with this: "Google has increasingly become the target of criticism from privacy advocates over the course of the last year, with the first major headline-grabber in that area being CEO Eric Schmidt?s now-infamous statement about privacy: 'If you have something that you don?t want anyone to know, maybe you shouldn?t be doing it in the first place.' " Comments like that from the head of the company seem to indicate the overall attitude of Google's leaders about user privacy & security is alarmingly similar to the arrogantly dismissive behavior we've seen from Facebook.

flood_specialist
flood_specialist

No one is paranoid when it comes to tracking. I would like to ask, "Why didn't Micheal inquire as to the tracking capabilites of Chrome?" I'm sure that will be the title of his next article, right?

mr_m_sween
mr_m_sween

My first run in with chrome occurred due to a user installing it and the application being incompatible with some corporate legacy apps. Firefox was not installed on the machine and Chrome would constantly reassociate itself as the default. Finally I uninstalled Chrome and was left with a hodgepodge of broken files and associations so deep it could only be compared to AOL. In the end I had to completely reinstall Internet Explorer just to regain basic file association for html files. I imagine that the reason current testing doesnt show the same reactions would be patching. I'm very happy that someone else saw this behavior.

Michael Kassner
Michael Kassner

I just tested that and I could have either IE or Firefox be the default after a cold or hot boot.

Michael Kassner
Michael Kassner

I wrote an article about LastPass: http://blogs.techrepublic.com.com/security/?p=3291 You may or may not like it, that is not my point. My point is this: "Siegrist: The biggest risk with built-in password managers is how malware is able to steal passwords directly from your password manager. For those who don?t believe this is possible, try our windows installer and see if it finds stored passwords. If LastPass can find passwords, so can malicious applications. During installation, LastPass imports all found passwords, then cleans all traces off your computer."

Michael Kassner
Michael Kassner

I should have been more clear. You are correct. I was referring to use in Web browsers. Thanks for correcting me. As for memory, I wonder if the total is more or that many more processes are open. It is Google's contention that more processes is stable. If you can find out, please let me know.

Jaqui
Jaqui

no graphical browser will ever be as fast as the text only lynx, links, elinks, or even the gtk wrapped lynx called dillo. they all are slower than molasses in January in comparison. chrome might be he fastest bloated graphical browser, but until it can beat lynx, it's not the fastest browser.

RipVan
RipVan

I thought the article was great, and it brought me closer to giving Google a try. After reading the discussion, there is NO WAY I will use it. Glad I came across the article and discussion, though. Very informative. Great job on both ends.

Michael Kassner
Michael Kassner

Google has an extension called gPDF that opens online PDFs in Google Docs, which eliminates the problem. Adobe Reader is not a plug-in, so I am confused by your statement about plug-ins.

valduboisvert
valduboisvert

Facebook from my perspective brought nothing to the world except alienating the young generation. Google on the other hand is providing some useful services. Not to mention their good quality software products like the one the article is talking, Chrome. However, when it comes to privacy I must agree Google is walking a fine line here. Even though I understand Google business model my personal belief is that they went a little bit too far. But again I consider myself a little paranoid. I do not trust google, I do not share my documents with them, calendar, I use scroogle.net and many other paranoid practices like this that "normal" people don't do.

Craig_B
Craig_B

While I think Google Chrome is one of the most secure browsers as Michael's article points out, I simply do not trust Google. Every single character you type into Chrome is sent back to Google, regardless of clicking or pressing any keys. Everything Google does is designed to track your information so that they can sell it. They keep everything they track for at least 9 months and then they only change the last octet of your ip address and keep that information for a long time.

Michael Kassner
Michael Kassner

This post was about a new way of making a Web browser much more secure. That said, I have written a great deal about how one browser is not really any more private than the next: http://blogs.techrepublic.com.com/security/?p=3118 http://blogs.techrepublic.com.com/security/?p=3080 It is a choice you make. Google has all sorts of posts about their privacy regulations. If they are not to your liking, I understand. I have read that comment by Eric Schmidt. I would suggest listening to the entire recorded conversation with Charlie Rose, before making a final conclusion.

Michael Kassner
Michael Kassner

I was trying to point out that Chrome has built-in sandboxing. Which is huge from a antimalware stand point. Privacy is another issue.

Ocie3
Ocie3

http://www.google.com/support/forum/p/Chrome/label?lid=42d96cb60a89c6ca&hl=en has a long list of messages about problems with either installing or uninstalling Chrome -- some with discoveries and with suggestions, whether from other users or, occasionally, someone who "represents" Google in some way. There are other sections about "crashes" and "web site display problems", etc. in the primary Google Help Forum - Chrome section: http://www.google.com/support/forum/p/Chrome?hl=en You don't have to have a Google account or log-in to read the messages, just if you want to post one. That said, I appreciate your reply! And I'm sorry to hear that Chrome wreaked so much damage. It sounds like a bad bug or two. Aside from that, there are reports similar to my remarks here that are posted in the Install/Uninstall issues topic.

Michael Kassner
Michael Kassner

I would love to pass this type of information onto the Chrome development team. Sadly, since I have not seen this personally, I can't do that without help.

Ocie3
Ocie3

installed and functioning, the difference should not be in the respective versions that you and I were running, but they could be different nonetheless if Google has changed the behavior which I described since I uninstalled Chrome. Does Chrome still ask you to make it the default browser each time that you run it?? At first, Chrome always asked and presented two options. As I recall, one was "Yes" and the other was something like "don't display this dialog again". I don't recall seeing an option to just say "No", but it doesn't matter with regard to this discussion if it did. There was no option to "make Chrome the default browser permanently", but after I decided to choose the second option, Firefox began always finding that it was never the default browser the first time that it launched after a cold boot. For that matter, all I had to do was run Chrome, and if I ran Firefox subsequently, then it would find that it was not the default browser. (Ditto for I.E. in the same circumstances, too). Have you changed to Firefox or I.E. as the default browser after running Chrome as the default browser, then rebooted??

zwayne
zwayne

Bogus response for the following reasons. 1)You are suggesting that the Firefox password manager is not secure because malware can steal passwords?? Sorry, I can easily - and passively - protect against malware. Otherwise I wouldn't do any financial transactions on-line, nor would you. 2) You are implying that NO password manager is just as secure as a password protected one? That's silly. 3) Lastpass (who mentioned it? it is only needed for Chrome because they don't have any security on passwords) cannot find passwords unless you let it. You have to be authenticated to Firefox (if you do have a password protected manager.) Of course, it can easily find the Chrome passwords since there IS not protection! Many users WANT this feature and Google is not listening.

Ocie3
Ocie3

does not mean that the Firefox password manager cannot be [i]made[/i] secure, just that at the present, it isn't secure. Can LastPass read the Firefox password manager file if the disk partition on which they are located is encrypted??

rmerchberger
rmerchberger

My friend's laptop ran XP SP3 with 1G of RAM; and he was always bumping into virtual memory issues when Pandora was running with 8-9 tabs open - I asked him to exit Chrome & start Firefox and open the same windows, and memory usage difference was almost 100Meg lower, and memory utilization didn't grow appreciably with more tabs open. Now, I don't know if Pandora requires a plugin that might be outside Chrome's control, or Google's sandboxed architecture requires them to "reinvent the wheel" instead of using Windows' system calls for streaming media... it's tough to say. Also, this isn't a "Google Bad - Mozilla Good" argument either - each has their good points (altho, for me, AdBlock Plus on Mozilla is tough to live without ;-) ) I'm just saying on limited resource systems, users might need to weigh increased memory utilization vs. higher security. As far as "more processes == more security" that's wholly up to the program[mers]; but when you have a program that has several disparate functions, I think it makes it much easier to audit for security. Back to my (oversimplified) qmail model, there were several programs: qmail-smtpd which only interacted with port 25 & dealt with incoming mail & internal mail routing; qmail-send which dealt with only outgoing mail; qmail-pop3d which dealt only with serving local mail via the POP3 protocol on port 110, etc. A bug in the POP3 daemon could not affect anything that sent mail so couldn't be exploited by spammers, etc. All of these daemons had minimal system rights as well, so could not be exploited to gain root access on a system. =-=-= On my Ubuntu 10.04 64-bit install at home (with 2G RAM) I've opened lots of sites/tabs/windows in Chrome (gone nuts for testing, actually) and never had a resource issue, but I didn't really measure it other than "Still didn't hit swap." I suppose it's also possible that Windows' "individual process environment" may be less efficient than Linux - I really can't say. The last OS I wrote ran on the Motorola 6809 (in Assembly), so this is pure speculation for discussion's sake at this point. I can say this, tho: on that Ubuntu box, Adobe's 64-bit Flash won't run certain apps on Facebook under Firefox (Farkle2 in my case) but Chrome's implementation seems to work fine. However, I don't trust Facebook all that much, and until I know I can secure Chrome (tracking cookies, etc) as well as Firefox, I don't use Facebook on that machine. [[ This is more paranoia towards Facebook than Google, TBH. ]] Maybe it's time to do some more reading up on Chrome - I think I saw a post that it came out of Beta on the Linux platform now... Laterz! "Merch"

Neon Samurai
Neon Samurai

I wish websites degraded gracefully down to base html for Lynx but those who use text browsers are the obscure minority these days. Based on that, old Netscape 2 standalone should blow away current GUI browsers since it's only rendering a little more than Lynx. Actually, I wonder if I have that laying around my archives still.. might be fun to pull out for the web devs at work.

Neon Samurai
Neon Samurai

Both the current production version and Developer preview version are available as portableapps. I wouldn't pollute the registry with a local install outside of my test machine but portableapps shouldn't touch the registry or areas outside of the specific portableapp directory.

Ocie3
Ocie3

does have a plug-in, as I know when I used it in Firefox. When I switched to Foxit Reader, it replaced the Adobe Reader plug-in with one of its own. Adobe Reader and Foxit Reader also have their software installed on the computer, of course, the plug-in is just a .DLL that links their software to Firefox. Adobe Reader and I.E. works the same way, but with an ActiveX control. I still have Adobe Reader attached to I.E. but I seldom use it. Historically, at least, it has always be a challenge to keep it updated.

Michael Kassner
Michael Kassner

Microsoft, Yahoo, and others could be doing the same thing. I am not what the answer is for privacy. I was just trying to point out a great feature that Google has developed successfully.

Ocie3
Ocie3

the result is a dictatorial regime like the one in the now-defunct USSR and the still functioning Peoples Democratic Republic of China. The consequences are the same in technology and in commerce as they are in politics, and much for the same reasons. You cannot dismiss privacy concerns just because Google has "sandboxing" which, if it works, will reduce (but not eliminate) the risk of malware being introduced to a user's computer [i]via[/i] Chrome. Everyone is right to be concerned about swallowing this technological temptation whole. Too many people today don't consider the ramifications of their actions, or even know what they are, with respect to their privacy, personal safety, and their public identity when they do such things as join Facebook or accept "free" services such as Google Mail. But of course, Facebook, among others, began with reasonable and strict privacy safeguards until they could not resist the lure of monetizing the data which has become [i]their property[/i], with the excuse that it would "keep Facebook free" when, in fact, losing one's privacy is the highest cost of them all. Google has already shown the same "evolution" in its Privacy Policy too. But perhaps I digress. Google does things when Chrome is installed which, on the face of it, violate the Sherman Antitrust Act, just as Microsoft did with many of their business tactics to implement Bill Gates's strategy of "Windows Everywhere". It never seemed to occur to Gates and to Microsoft that Windows does not belong "everywhere". Neither does Google nor Chrome. We do not need or want a sole-source browser provider, regardless of their promises, even if they can deliver on them. There are arguably better answers than technology to our need for security. You won't find them on TechRepublic.

Ocie3
Ocie3

Chrome to Firefox or vice-versa, and switch from Chrome to I.E. or vice-versa. Not long after I began using Chrome, it became evident that Chrome would not allow either Firefox or I.E. to [b]remain[/b] the default browser. At first, Chrome always asked whether I wanted it to be the default (when it wasn't), but when I chose the option to stop displaying that query, Chrome evidently decided that it would just be the default browser, regardless.

Michael Kassner
Michael Kassner

But, I did a few months ago and it works fine for me. Seems like you got yet another gremlin.

Ocie3
Ocie3

choice to make Chrome the "permanent" default browser?? IIRC, I did not use that option in the configuration. I only described the query that Chrome presents when it runs and it is not the default. After I chose the option to stop Chrome from asking, the troubles began. You haven't uninstalled Chrome, have you?

Michael Kassner
Michael Kassner

The choice is on the first tab of the options. I was able to switch between FF,IE, and Chrome as default browsers no problem.

Ocie3
Ocie3

is that Google Chrome does not have features that he and others want to have available from the browser that they use, but the Chrome developers are not very receptive to their requests (when they respond at all). They will continue using Firefox because it has those features. Those are the two principal reasons why I stopped using Chrome and uninstalled it. It took me quite a bit of time to find, choose, install and configure an RSS feed extension, then collect the same web pages and blogs to which I have already subscribed with Firefox Live Bookmarks. It could and should have been easier if the feature was available directly from Chrome. I.E. 8 has an excellent page zoom feature that is better than the Firefox extension Image Zoom. But they share the same limitations, which are difficult to overcome. Chrome does not have a native zoom feature, and from what I could learn about their development of one, the scheme sounds screwy and puny because it is something that they don't really see as necessary or desirable. During the whole course, there was a constant assertion of exclusivity by Chrome, which the developers unequivocally wanted to be the default browser if not also the only browser. Michael says that he has not found the same issue, but it isn't clear to me as to why he hasn't. The final issue was that I kept returning to Firefox to do things that I couldn't do as well in Chrome (if at all), but where they have something in common, such as bookmarks, there is no way to synchronize the data which is collected for their respective features. So I sometimes found myself doing something with Chrome, then again with Firefox, or doing something with Firefox then trying to figure out whether and how I could do it with Chrome. Nonetheless, I might install Chrome again in the future and see whether it has matured a bit more.

santeewelding
santeewelding

And employ your considerable argumentative skills, rather, as to why [b]zwayne[/b] comes on so strong over so small a bone of contention. He is either very young and practicing for a Great War, or old, fading, and making some last gasp of relevance.

Ocie3
Ocie3

you should step back and consider: why is Google Chrome such a hard sell??

Michael Kassner
Michael Kassner

Go to the LastPass web site with your supposedly-secure Firefox password manager and see what happens. You may be surprised.

Ocie3
Ocie3

cannot stop the user from downloading a file that contains malware, if the user believes that they will benefit by downloading the file. It is difficult for technology to defeat "social engineering". Another is that Google has pushed patches for many security vulnerabilities at least twice since Chrome was released for public use. We can hope that they can and will find everything before some blackhat cracker does, but you never really know. Chrome can [i]control[/i] access to the host computer's resources, but cannot consistently [i]deny[/i] either web sites or plug-in add-ons access to those resources, or it will soon become a rather lame "user experience". It will not surprise me if webmasters and developers find way(s) to use perfectly good and acceptable "calls" to Chrome Central for access that, in some sequence or combination, will harm the user by damaging or compromising the data and/or executables and/or the OS on their computer. After all, that is exactly how malware developers achieve their aims, deliberately. There are no "evil instructions" in the set which a computer's CPU can execute, just evil in the hearts of those who give the CPU instructions in combinations and sequences that harm others. But such a sequence or combination might not be deliberately harmful, thus malicious. It could simply be a set of instructions that sometimes has unintended and unanticipated consequences. Or it could be one or more instructions that have a "bug" that Chrome does not recognize. Oh well.

Ocie3
Ocie3

or, like the criminals, they prefer the low-hanging fruit. How many of them actually spent much time and effort on Chrome?? Their apparent inattention to Chrome tells me that they probably couldn't find the same flaws that have been historically found in other browsers. That does not at all mean that Chrome does not have any vulnerabilities. It just means that those who want to compromise it must "think outside of the box". Google Chrome is still a relative unknown in many ways, and it is clearly still in development. The design certainly has potential advantages, but whether the implementation is effective, too, remains to be seen.

Michael Kassner
Michael Kassner

I could use the same philosophy and say that Chrome has the potential to get better too. I will reiterate once more. I was trying to point out that at this moment Chrome is more secure as determined through real-world testing by well-known experts that would have decimated Chrome if they could have.

Ocie3
Ocie3

whatever Google's Chrome does is often presented in a way that casts a bad light on Firefox and/or on I.E., without any particular justification for doing that. With respect to the security of the browser itself, there appears to be some justification for it, but not so much with regard to other "features" or the behavior of the software. There is nothing inherently good or advantageous about being the new kid on the Internet. Not that I am a fan of I.E., but as you many know, I.E. 8 also uses a multi-process architecture, and it has the apparent potential to become just as secure (or better) than Chrome. One thing that irritates me is "response" comparisons. I have run Chrome and Firefox respectively, at the same time on the same hardware and with every other aspect the same. There was no difference between their respective "responsiveness" that I could discern. Chrome did not fetch pages any faster than Firefox, using exactly the same DSL connection at the same time of day. Search responses were displayed only marginally faster, because I could not go through Scroogle with Chrome. AFAIK, there is no way to use any other search provider with Chrome, only Google. (Duh! But can you say "Sherman Anti-Trust Act"?) To the extent that Chrome [i]might[/i] have been more "responsive", it was irrelevant. And Chrome was running with only two or three extensions added, in contrast to 24 extensions, 2 installed themes, and 8 plugins with Firefox. Add-ons do reduce Firefox's responsiveness, but there is no requirement that anyone install them. Actually, in my experience, they don't seem to have a material effect until the numbers begin to increase above what I have at present, so I limit extensions, especially, to about 25 at any given time.

Michael Kassner
Michael Kassner

I like your take. Is is not secure now but can be. So does that work for other issues like, kind of seems like you are biased a bit.

Ocie3
Ocie3

does not require a plug-in or an extension when Firefox accesses the web site. I do not recall that I used Pandora with Google Chrome. What Pandora does require is the ability to use "Flash cookies". If I recall correctly, Adobe Shockwave Flash did not run on Chrome while I was using it.

Neon Samurai
Neon Samurai

And that's the reason only us cli geeks care.

santeewelding
santeewelding

Growing old and ossified before your young time...persnickety...complete failure to drag your ass into the whatever century...holding fast to forefathers...uncertain of what comes. Playing with your head.

Jaqui
Jaqui

the text mode browsers are all faster than any graphics enabled browser. and lynx is the fastest of them all, it doesn't render tables, frames, or even parse javascript. as far as video or image content, it ignores it also. the html and text is all it displays.

valduboisvert
valduboisvert

And yes again, Chrome is a very well built piece of software. I think everybody agree about this. It will also get better once they manage to wrap the plugins into the same sandboxing architecture they have right now. But security or very fast running web applications is not everything. Like the trend on this blog can show people are concerned about privacy and this is a deal breaker for many of us. I admire Chrome but if this means to jeopardize my privacy I will have to pass this offer, sorry. I personally hope Chrome will set up a standard and others will follow its steps.

Michael Kassner
Michael Kassner

I agree privacy is security, but security can be dealt with on its own. How Google treats privacy is an entirely different topic. I was wanting to inform the members that Google has a feature that is not available on other browsers(to my knowledge) and it is a valuable one as Chrome is the only web browser to not be exploited as of this writing.

Editor's Picks