Ian Hardenburgh looks at how Google has shored up security for its Chrome browser. What sets it apart from other browsers?
Secretary of State Hillary Clinton recently announced at a town hall meeting that the U.S. Department of State has already installed the Chrome browser on the majority of its employee PCs (see Google Enterprise blog post here). Moreover, she suggested that this might amount to around 100,000 department computers around the world. Considering that the State Department's activities involve highly sensitive government information, some of which is directed quite regularly to extremely covert agencies like the CIA, FBI, and Department of Homeland Security, this can be regarded as a mammoth achievement for Google and its cross-platform web browser, not just in regards to widespread adoption, but mostly in terms of enterprise security.
Probably the biggest flaw to Chrome security to date is the flaw that is not in and of itself Chrome. Since its security relies upon the operating system it runs on, this can affect how it translates certain processes, opening up the possibility that some threats can bypass any weakness in the underlying OS security architecture. This especially goes for old file systems, like Windows FAT32, certain devices like USB-based storage ones, as well as for systems with highly customized registry keys and configured files that may sidestep access checks. Therefore, one might be led to believe that the better the Chrome-dependent OS security system is, the more secure Chrome itself is. Furthermore, this might also lead one to assume that the most secure operating system for Chrome is the Chrome OS, as mounted on all Chromebooks.
I wouldn't expect anyone to believe that Hillary Clinton, or the bulk of the entire Department of State, are your resident experts on Chrome security, nor network and Internet security for that matter. However, with the great lengths that Google has gone through to make Chrome and its Google Apps cloud service as pre-set and user-friendly as possible, its security model has to measure up. The advantage is that much of the security work is being done on Google's end (as explained above, with its list of malicious sites, and Google's incessant web crawling and blacklist auto-updating technology). And as more desktop operating systems are to be provisioned in the cloud, one can only expect security to become even that much more reliable, making last-resort process-sandboxing a moot point.
- Google has created a rather informative comic book to address the topic of sandboxing, amongst other Chrome related ones. Don't be fooled by the childlike approach toward Chrome edification; Chrome is definitely not child's play.
- If you're looking for a more advanced (perhaps more adult) paper on how Google crawls for malware, you might want to try reading "The Ghost In The Browser Analysis of Web-based Malware," written by a number of software engineers and security experts at Google.
- If you're looking for an in-depth understanding as to the inner workings of some of Google latest security features, check this Chromium Blog post out.
What are your thoughts on the security of the Chrome browser? Is it better than most?