Malware

U.S. State Department switches to Chrome browser: Is it secure enough for you?

Ian Hardenburgh looks at how Google has shored up security for its Chrome browser. What sets it apart from other browsers?

Secretary of State Hillary Clinton recently announced at a town hall meeting that the U.S. Department of State has already installed the Chrome browser on the majority of its employee PCs (see Google Enterprise blog post here). Moreover, she suggested that this might amount to around 100,000 department computers around the world.  Considering that the State Department's activities involve highly sensitive government information, some of which is directed quite regularly to extremely covert agencies like the CIA, FBI, and Department of Homeland Security, this can be regarded as a mammoth achievement for Google and its cross-platform web browser, not just in regards to widespread adoption, but mostly in terms of enterprise security.

Google touts Chrome's safe browsing through its HTML rendering and JavaScript execution sandboxing, as well as its auto-update technology. The two core features combine to help protect users against malicious sites, or more specifically, phishing and malware attacks. The main concept behind sandboxing concerns encapsulating processes initiated by a website in a restricted sense or environment, preventing files from being written to a PC's hard drive, or a HTML/JavaScript redirect from occurring in the current and/or any new browser tab. Sandboxed sites suspected of phishing or presenting malware are then displayed to the user innately within the browser as warning pages. Supplementary to sandboxing, Google is also constantly phishing/malware websites, by crawling URLs, testing them for malicious activity, and submitting those that fail these tests to a blacklist of sorts, for Chrome browsers everywhere to reference. In fact, upon startup of one's computer, Chrome will download an updated list of Google's suspected malicious websites to the hard drive it's installed upon, and every half-hour thereafter. The only caveat to all this is that the phishing and malware protection setting must be enabled (see this help page for instructions on how to check this).

Probably the biggest flaw to Chrome security to date is the flaw that is not in and of itself Chrome. Since its security relies upon the operating system it runs on, this can affect how it translates certain processes, opening up the possibility that some threats can bypass any weakness in the underlying OS security architecture. This especially goes for old file systems, like Windows FAT32, certain devices like USB-based storage ones, as well as for systems with highly customized registry keys and configured files that may sidestep access checks. Therefore, one might be led to believe that the better the Chrome-dependent OS security system is, the more secure Chrome itself is. Furthermore, this might also lead one to assume that the most secure operating system for Chrome is the Chrome OS, as mounted on all Chromebooks.

I wouldn't expect anyone to believe that Hillary Clinton, or the bulk of the entire Department of State, are your resident experts on Chrome security, nor network and Internet security for that matter. However, with the great lengths that Google has gone through to make Chrome and its Google Apps cloud service as pre-set and user-friendly as possible, its security model has to measure up. The advantage is that much of the security work is being done on Google's end (as explained above, with its list of malicious sites, and Google's incessant web crawling and blacklist auto-updating technology). And as more desktop operating systems are to be provisioned in the cloud, one can only expect security to become even that much more reliable, making last-resort process-sandboxing a moot point.

  • Google has created a rather informative comic book to address the topic of sandboxing, amongst other Chrome related ones. Don't be fooled by the childlike approach toward Chrome edification; Chrome is definitely not child's play.
  • If you're looking for a more advanced (perhaps more adult) paper on how Google crawls for malware, you might want to try reading "The Ghost In The Browser Analysis of Web-based Malware," written by a number of software engineers and security experts at Google.
  • If you're looking for an in-depth understanding as to the inner workings of some of Google latest security features, check this Chromium Blog post out.

What are your thoughts on the security of the Chrome browser? Is it better than most?

About

Ian is a manager of business intelligence/analytics for a small cap NYSE traded energy company. He also freelance writes about business and technology, as well as consults SMBs upon Internet marketing strategy.

9 comments
c1951
c1951

Google Chrome Is just a bonus to there network for speed, They have The Software/ Hardware/ Virtual/ And Expert IT knowledge for a SOLID NETWORK. Personally i dont like Chrome because of there privacy policy. And i dont know how many times ive got the famous google virus just searching threw some pics. IE9 i got tons of java exploits and rouge Anti Virus thrown at me. But I can HONESTLY say Never had an issue with FIREFOX!!! PLUS Im an open sources type a guy.

Michael Kassner
Michael Kassner

The State Department is on a highly secure MPLS-style network that has major-league ingress and egress filtering. Plus they are probably using advanced -- meaning not available to us -- VPN technology to harden access to that network. So, more than likely Chrome will do just fine.

Gisabun
Gisabun

The state department will have fun updating Google every couple of weeks. Every time NIST releases it's Email newsletter on vulnerable software, Google's Chrome browser is always in the with a dozen or so vulnerabilities. That is an unsecure browser. Recently Google released an update to the browser a day after a group was awarded for hacking the browser. So what kind of testing does Google do to verify if it fixes the vulnerability and not open anything else? What do they have there? One guy fixing any bugs that come in and then tests it on his own? [This would be typical for some shareware author - but Google?]. I'm not saying the other browsers are better [well maybe!] but I'd rather have a browser that takes a few milliseconds longer to generate a page than an unsecure browser like Chrome.

Jeromied
Jeromied

Have had excellent results with FF10 ESR and compatible with existing FF add-ons. Tested a few phishers and malicious sites, blocked everyone of them, on and off a proxy- Does it make sense that the most widely used website, most widely scrutinized site wouldn't be attacked the most? Would the same be true of its browser?

Gisabun
Gisabun

The rogue anti-virus software can come from any browser. If you are getting them and/or the "google virus" maybe your anti-virus isn't strong enough. Firefox is generally quite secure. Unfortunately unstable.

jetsethi
jetsethi

But what makes Chrome so insecure? There is no such thing as a totally secure environment. But covering 99.999% of issues is much better than 99.9%

Pete6677
Pete6677

Would it be better to use IE with its numerous exploits? There's no such thing as a browser that is guaranteed to always be safe, but Chrome is one of the better choices.

Gisabun
Gisabun

Who has 99.999% secured browser? [see my previous reply to Pete6677] Part of the protection is not just a secured browser but a secured environment. Is there proper firewalls in place? Intrusion detection? Can your firewalls withstand a DoS?

Gisabun
Gisabun

Like? Go to an independent web site [NIST for example]. Count how many exploits Chrome has had in the last year. Compare against IE, Safari, Firefox and others. You'll be surprised what you will find out. And how come you didn't comment that Google released an update after the Pawn2Own contest. What kind of testing did they do - if any - in one day?

Editor's Picks