Secretary of State Hillary Clinton recently announced at a town hall meeting that the U.S. Department of State has already installed the Chrome browser on the majority of its employee PCs (see Google Enterprise blog post here). Moreover, she suggested that this might amount to around 100,000 department computers around the world.  Considering that the State Department’s activities involve highly sensitive government information, some of which is directed quite regularly to extremely covert agencies like the CIA, FBI, and Department of Homeland Security, this can be regarded as a mammoth achievement for Google and its cross-platform web browser, not just in regards to widespread adoption, but mostly in terms of enterprise security.

Google touts Chrome’s safe browsing through its HTML rendering and JavaScript execution sandboxing, as well as its auto-update technology. The two core features combine to help protect users against malicious sites, or more specifically, phishing and malware attacks. The main concept behind sandboxing concerns encapsulating processes initiated by a website in a restricted sense or environment, preventing files from being written to a PC’s hard drive, or a HTML/JavaScript redirect from occurring in the current and/or any new browser tab. Sandboxed sites suspected of phishing or presenting malware are then displayed to the user innately within the browser as warning pages. Supplementary to sandboxing, Google is also constantly phishing/malware websites, by crawling URLs, testing them for malicious activity, and submitting those that fail these tests to a blacklist of sorts, for Chrome browsers everywhere to reference. In fact, upon startup of one’s computer, Chrome will download an updated list of Google’s suspected malicious websites to the hard drive it’s installed upon, and every half-hour thereafter. The only caveat to all this is that the phishing and malware protection setting must be enabled (see this help page for instructions on how to check this).

Probably the biggest flaw to Chrome security to date is the flaw that is not in and of itself Chrome. Since its security relies upon the operating system it runs on, this can affect how it translates certain processes, opening up the possibility that some threats can bypass any weakness in the underlying OS security architecture. This especially goes for old file systems, like Windows FAT32, certain devices like USB-based storage ones, as well as for systems with highly customized registry keys and configured files that may sidestep access checks. Therefore, one might be led to believe that the better the Chrome-dependent OS security system is, the more secure Chrome itself is. Furthermore, this might also lead one to assume that the most secure operating system for Chrome is the Chrome OS, as mounted on all Chromebooks.

I wouldn’t expect anyone to believe that Hillary Clinton, or the bulk of the entire Department of State, are your resident experts on Chrome security, nor network and Internet security for that matter. However, with the great lengths that Google has gone through to make Chrome and its Google Apps cloud service as pre-set and user-friendly as possible, its security model has to measure up. The advantage is that much of the security work is being done on Google’s end (as explained above, with its list of malicious sites, and Google’s incessant web crawling and blacklist auto-updating technology). And as more desktop operating systems are to be provisioned in the cloud, one can only expect security to become even that much more reliable, making last-resort process-sandboxing a moot point.

  • Google has created a rather informative comic book to address the topic of sandboxing, amongst other Chrome related ones. Don’t be fooled by the childlike approach toward Chrome edification; Chrome is definitely not child’s play.
  • If you’re looking for a more advanced (perhaps more adult) paper on how Google crawls for malware, you might want to try reading “The Ghost In The Browser Analysis of Web-based Malware,” written by a number of software engineers and security experts at Google.
  • If you’re looking for an in-depth understanding as to the inner workings of some of Google latest security features, check this Chromium Blog post out.

What are your thoughts on the security of the Chrome browser? Is it better than most?