
What are the security implications for Google Chrome?

Google has announced the beta test release of its new Web browser, Chrome, and everybody's talking about it. It's time to talk about the implications this new browser may have for Web browsing security.


The appearance of the Google Chrome browser has caused quite a stir. Everybody's talking about it, including a number of writers right here at TechRepublic. Most of what caught my attention was the security implications, of course:

  1. The multiprocess model of operation for browser tabs allows far greater partitioning of resources (see Google's talk about "sandboxing", for instance). If handled well, this may mean the end of cross-site scripting, many types of denial of service attacks on browsers, and certain types of buffer overflow attacks. Google rightly touts the shared-nothing approach to tab concurrency -- and Google knows quite a bit about the benefits of shared-nothing architectures.
  2. The limited permissions and privilege separation model Google describes in its comic book about Chrome is a significant improvement over what other modern Web browsers use. Part of the reason for this is surely because such a model is easier to implement when each tab runs in its own process, but there's nothing I've seen to suggest other browser developers could not have taken an approach to partitioning plug-ins and scripting the way Google says Chrome will do so.
  3. Some express concern over whether Google might collect data from users through Chrome, the same way it does with its various Web services such as Gmail. This seems extremely unlikely, however, considering Chrome is 100% open source software -- especially once it becomes available for open source OSes and gets included in their software management systems, because at that point our upstream software binary providers (the package and port managers for those OSes) will not be Google.
  4. On the other hand, Chrome represents a lot of new code. Sure, there are parts of it that are simply picked up whole from other open source projects (like the WebKit core of the application), and have thus been substantially stress-tested and secured, but there's a lot of new code involved as well.
  5. V8, Chrome's new JavaScript virtual machine, is of particular interest as new code -- because it is a whole new implementation of JavaScript. JavaScript is, when sloppily used, one of the most problematic sources of security issues in most browsers (discounting issues specific to individual browsers such as ActiveX controls).
  6. On the gripping hand, V8 provides an excellent opportunity for new architectural security to be employed in the implementation of a browser's scripting support.
  7. The fact that all the new code in Chrome is open source software that seems specifically designed to be reused in other open source development projects means that sussing out any security issues in the new code and fixing them may happen at record speed.
  8. As a brand new browser, Chrome lacks a lot of the third-party software support enjoyed by other browsers. Some of that third-party support could include security benefits, such as Perspectives and other encryption-related extensions to basic functionality.
  9. I can't comment very thoroughly at this time on how well saved passwords are handled by Google Chrome, but it's something that will definitely bear watching. Initial observations include the fact that Chrome "only displays one at a time when you ask it to, instead of all at once like FF" -- to quote fellow TechRepublic writer Sterling Camden, of IT Consulting.
  10. Chrome's "Incognito" browsing mode seems well designed, and -- coupled with the strong data partitioning implied by its multiprocess tabbed browsing model -- should offer significant benefits over the major combatants already involved in the browser wars in terms of secure browsing capabilities.

For a long time, I have thought about eventually writing my own Web browser. Since before Firefox 2.0 was released, I have been increasingly of the opinion there simply aren't any modern Web browsers that are actually good -- only some that are less awful than others. Some people complain that Google chose to create a new browser rather than contribute development to an existing open source browser like Firefox, but (like Google) I believe the changes needed to make a significantly better browser at this point involve changes so fundamental that they basically require starting over from scratch.

Probably the biggest change from the standard browser design model I had in mind appears to be the biggest that Google Chrome uses as well: multiprocess concurrency design. I've since come to think that perhaps the benefits I wanted from such a model could be accomplished with a multithreaded model, and people are already noticing the process overhead that contributes to a fairly significant memory footprint for Chrome -- overhead that I would have sought to avoid by going with a multithreaded model instead of a multiprocess model. On the other hand, the development difficulty of achieving some of these benefits, especially the security benefits, is notably greater using a multithreading model rather than a multiprocess model.
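The isolation argument above, as an added example in C (not Chrome's code and not from the original article): each hypothetical "tab" runs in a forked child that first gives up the ability to open files, so a tab that scribbles over memory or crashes cannot touch the parent's state. A POSIX system is assumed, and names such as `launch_tab` and `session_cookie` are assumptions made for illustration.

```c
/* Added illustration, not Chrome's code: one hypothetical "tab" per process. */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum tab_behaviour { TAB_OK, TAB_CORRUPTS_MEMORY, TAB_CRASHES, TAB_OPENS_FILE };

/* State owned by the parent ("browser") process; constructed sample value. */
static char session_cookie[] = "browser-owned-state";

/* Child side: the untrusted "renderer". Never returns. */
static void run_tab(enum tab_behaviour b)
{
    /* Reduce privilege before handling content: no new file descriptors. */
    struct rlimit no_files = { 0, 0 };
    if (setrlimit(RLIMIT_NOFILE, &no_files) != 0)
        _exit(3);
    switch (b) {
    case TAB_CORRUPTS_MEMORY:   /* overwrites only this process's copy */
        memset(session_cookie, 'X', sizeof session_cookie - 1);
        _exit(0);
    case TAB_CRASHES:           /* dies with SIGABRT */
        abort();
    case TAB_OPENS_FILE:        /* exit 0 means the open was refused */
        _exit(open("/etc/passwd", O_RDONLY) < 0 ? 0 : 1);
    default:
        _exit(0);
    }
}

/* Parent side: exit status of the tab, -signal if it was killed,
   -1000 if the process could not be started or reaped. */
int launch_tab(enum tab_behaviour b)
{
    int status;
    pid_t pid;
    fflush(NULL);               /* do not duplicate buffered output in the child */
    pid = fork();
    if (pid < 0) return -1000;
    if (pid == 0) run_tab(b);
    if (waitpid(pid, &status, 0) < 0) return -1000;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int cookie_intact(void) { return strcmp(session_cookie, "browser-owned-state") == 0; }

int main(void)
{
    printf("corrupting tab -> %d, cookie intact: %d\n",
           launch_tab(TAB_CORRUPTS_MEMORY), cookie_intact());
    printf("crashing tab   -> %d (negative = killed by signal)\n", launch_tab(TAB_CRASHES));
    printf("file-opening tab -> %d (0 = open refused)\n", launch_tab(TAB_OPENS_FILE));
    return 0;
}
```

With threads instead of processes, the `memset` would land in memory shared with the parent and the `abort()` would take the whole program down, which is the extra development difficulty the paragraph refers to.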

All in all, it's the multiprocess browsing model of Chrome that most interests me, and I will be watching as Chrome develops to see just how well it works out in the long run. I have high hopes that, before much longer, I may be able to replace my least-bad browser with one that is actually good.

. . . or at least less bad.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

25 comments
Jaqui

I went and googled google chrome and saw a news item that they have already released a security update for it. Then I went and checked out the source code. [ svn repo, anonymous read / co access enabled on purpose ] 1.7 GigaBytes for the SOURCE CODE? that just screams bloatware. bad google, bad google. I haven't looked at chrome itself, google screwed up and don't have it available for my operating systems. It's too bad they didn't think about it, and pick a cross platform widget set for their C/C++ coded browser. After all, using CodeBlocks ide to use wxwidgets, have ONE code base that builds on all platforms seems such a simple concept that they should have been able to grasp it easily.

bsauer

The one thing that may keep a lot of corporations from buying into Chrome, is the statement in the EULA that Google had the right to use any information that passes through. Not an exact quote but very ominous. Working in the Financial Services industry there is no way we could ever adopt any technology that uses or has used that kind of language in a disclaimer of any kind. Our information is way too sensitive and having passed the EULA past our legal team we have now placed in policy that Chrome is never to be loaded onto any corporate computers. If this does not happen in Chrome then the Google legal advisors really need to watch closely the language used in its disclaimers. As you can see people do read the EULAs and they can prevent businesses from adopting what may be good products.

Sterling chip Camden

... that with the critical eye of the entire Internet focused on them, Google would have made a serious investment of their brain trust into the security of this beast. Time will tell.

Lademastrj

I have two points to tell you, first, tying any software to a specific IDE is the recipe for disaster, because these things are compiled in compiler farms, that don't have the IDE, in fact they didn't even have a gui to run the IDE. Second, wxWidgets uses an LGPL alike license, which would add to the increased amount of license spaghetti that is google chrome, so no thank you. To the final point, even if you use a specific IDE for developing your own domestic programs, don't try to scale what you do, to large software that gets downloaded by many people, and is changed by even more people, it will just not work. Besides, google chrome code is more clean than mozilla and their gecko, with all of its XPCOM components, that make nothing more than providing cross platform and plugin support, Chrome does that for much less.

LyleTaylor

I thought I heard on the radio that that was actually a mistake (copy and paste error?) and that it has since been removed from the EULA. Haven't checked to verify, though. Might be worth checking it again.

apotheon

The author of the analysis at that URL is obviously not as knowledgeable as he thinks. For instance, his comments about JavaScript being "slower than code running in the OS" doesn't even make sense, his inability to grasp how Web applications work and the fact they're becoming more ubiquitous, and the point he misses about how (aside from potential JavaScript issues, which will probably be non-issues once the beta version becomes a little more mature) nobody really has to worry about compatibility with a new browser because Chrome uses the same rendering engine as the Safari browser, all adds up to big flashing red warning signs about the author's low levels of knowledge of the subject matter. I was lazy, and picked those three examples out of a two-paragraph segment of the screed on that page. I could have gone on at great length detailing minor issues from throughout the entire document, but figured three was a good number to make my point. Aside from not knowing what he's talking about, he's also ascribing intent to things said in the "comic" that are not evident. I'm not usually very impressed by straw man fallacies. The commentary about memory usage indicates the author doesn't know about memory fragmentation issues in Firefox (for instance). You don't need a memory leak, per se, to consume more memory with a single-process browser than with a process per tab browser after long use. The crap about starting a separate browser instance misses the point -- and uses much more RAM than having separate processes for each tab would use, thus exacerbating the problem the author brings up rather than fixing it as he suggests. The comparison with the Windows Explorer GUI manager is obvious poppycock. A lot of the things that are described as being "exactly" like they are in IE 8 or Opera are not [b]exactly[/b] the same.
In particular, based on what I've read, Chrome's sandboxing model is significantly different from that of any other browser that supports sandbox-like behavior, and the privilege separation model seems like a much stricter approach than any other browser uses as well. Insinuating that IE in particular actually accomplishes the kind of privilege separation Chrome offers is a sign of either blatant deception or mind-boggling ignorance for someone writing about the subject like this. The author's tendency to apologize for the security and stability gaffes of other software developers and distributors is almost amusing -- for instance, the highly contrived apology for the fact that Flash does pretty much everything wrong based on some half-baked excuse about memory consumption (which -- if that's really the reason -- is pathetic, since Flash does a piss-poor job of keeping resource consumption within the realm of reasonability under the conditions suggested). The one really interesting thing the author brought up was the bit about browsing history being used to populate the default start page, and how inconvenient that could be if you're prone to visiting porn sites or something equally embarrassing -- particularly if you do so at work. I'm a little confused by the fact the author seems to expect that Google shouldn't have tried to cast itself, and its new browser, in a positive light. What's wrong with talking yourself up? It's not like Google lied about anything, and the magnitude of any potential misunderstandings has been blown way the heck out of proportion in this screed. There will surely be people who exaggerate what Google has said about its Chrome browser for a while to come yet. Some of them will use those exaggerations to fuel their own pro-Google biases, of course. Others will use them to attack Google, setting up straw men to knock down at their leisure, just as this guy did. That, in short, is my impression of what the guy wrote.

apotheon

Google already has an opportunity to show us how interested it is in such an investment: [url=http://www.us-cert.gov/current/index.html#google_chrome_vulnerability]there's already a Chrome vulnerability[/url] listed by US-CERT. It's easily worked around, and wouldn't really affect me since I always enable the option in my browsers of choice to prompt me for a download location anyway, but still -- it's something that needs to be fixed, and we'll see how quickly and well Google fixes it.

apotheon

It took Google all of two days after initial release of Chrome to announce the error and change the license. Wizards of the Coast could learn a thing or two from Google, re licensing.

apotheon

Most, if not all, of Google's original code in Chrome is subject to the terms of the BSD license -- not the GPL. Thank goodness.

Neon Samurai

That's a nice summary of the process related command switches. I expect we'll see more detailed coverage like this now that the knee jerk reactionary articles are getting out of the way.

Neon Samurai

I was curious to hear a point of view from a security and programming background. So far, that site seems to have one "Chrome is the end of humanity" article followed by two or three more positive articles. I'm still on the fence with this one myself. For now, I'm just reading what comes out about the new browser until it's out of beta or at least into Google's ongoing beta. I'm also waiting to hear more details about what/if any data collection is done beyond the standard server side log of IP, URL and queries. If Google keeps it a clean browser as is likely with the source available for review then I can't see how another choice can be bad for the end user.

Sterling chip Camden

Like you, I always prompt for download location. It was one of the first things I changed. People should really be careful about what they're clicking, anyway. I hope they'll just change the default config to ask for download location instead of adding an annoying "Are you sure?" -- unless they provide an option to suppress it.

apotheon

Firefox isn't GPLed, either -- it uses the MPL (mostly) instead, which isn't much better than the GPL, if it's any better at all (it's arguable either way, really). One of the things I like about Chrome is its licensing, which fits well with the licensing on Google's other open source software releases: all of them I've noticed so far use [url=http://copyfree.org][b]Copyfree[/b][/url] licenses. Chrome isn't 100% BSD License, of course; it incorporates some bits and pieces of LGPL (because of WebCore -- part of WebKit) and either MPL or GPL (Firefox) code. All of the original code in Chrome is distributed under the terms of the BSD License, though, so it's a huge step in the right direction. For that reason, if I find in the long run that on purely technical and usability criteria the decision between Chrome and Firefox is a toss-up, I'm going with Chrome. . . . but it's going to be a while before we get to that point, I'm sure. Chrome isn't even available on my favored "desktop" platform yet, and there are some issues that need to be worked out before I'd use Chrome as my primary browser even if it was available for FreeBSD.

Neon Samurai

I'd read that the source was available and took the leap of laziness to not confirm which license it was under. A couple of current projects have kept me from dropping it on a VM to look at so it's all just what I've skimmed out of articles so far. BSD license is even more open ended though. It would definitely get forked right quick if they tried to funnel all viewing statistics back to the google databases.

Sterling chip Camden

... I'm impressed. But I expect to be even more impressed by the follow-on releases, backed by the significant push of Google. Maybe I'm over-optimistic, but I don't think that the big GOOG is taking this class for an audit.

Neon Samurai

Either, Chrome turns out to be the second coming of HTML and the end user wins. Or, Chrome at least causes the other browsers to compete harder through quality and innovation, and the end user wins. Reality will be some place in between though. We'll see how fast the distributions pick it up. I think it will soon be time to look at the betas on a few VM but I haven't yet had reason to rush in just because it's a new program. I must be getting old, it used to be because a program was new that I had to check it out.

apotheon

Chrome shows a lot of promise. How well it fulfills that promise determines how things will turn out. Worst case scenario: it fails to fulfill that promise, but it might shake things up a bit for projects like Firefox, Opera, and Safari. Best case scenario: it fulfills all its promise and more. We get a really, truly excellent browser for the first time in many years. It'll probably land somewhere in the middle, of course, but I rather suspect it will at minimum spur some more interesting work into developing more secure architectures for other browsers.

santeewelding

One meaning has it that, when it rains and you are frustrated about it, understand rain and see to frustration.

apotheon

I'm only half serious. My comment was my frustration speaking. I can sometimes become frustrated with the way people are [b]willfully ignorant[/b] of things that are, in fact, important to them -- whether they know it or not. It is the willful ignorance of people who don't want to ever have to think about things like security that leads to high volumes of spam and prevalence of malicious mobile code on the Internet, after all. edit: If they were at least willing to think about security enough to realize they should seek the aid of someone who isn't completely ignorant or incompetent, the Internet would be a much safer place for everyone.

istoptofly

It never stops being funny to me that some people in IT seem to completely overlook the fact that most people are not computer savvy, and browsing the web and checking email without any problems qualify as a good computer day for them. These basic settings, to us, do need to be default and then leave the adjustments of 'advanced' settings to the other 25% of us 'geeks'.

Sterling chip Camden

... can barely figure out how to navigate to GMail and Chippendales Las Vegas, and doesn't worry about much else.

apotheon

I'd say the "no need for 'are you sure'" should be the default, actually. I find it difficult to understand how someone could be other than willfully ignorant and still fail to check out the most basic configuration options of an application that has such potential for affecting the security of their computers. As such, I find it difficult to have much sympathy for people who don't end up with a secure system because they never bothered to, y'know, see if stuff is configured to suit their style of computer use securely.