Sep 3
Security

First, let me preface this by saying I don't trust Google at all. Their entire business model is based on violating my privacy, and for a security and privacy person who wears more tinfoil than most, this irks me. Google irks me to the extent that I have a separate Firefox profile just for the odd Google thing I may do, and I use Scroogle to deliberately anonymise my searches with the big eye. Why the rest of the world gets up in arms about warrantless wire-tapping by AT&T, but not about explicit tapping of an arguably more important and sensitive medium, confuses me. Imagine if your telco said they would give you a free phone line, but in exchange they would monitor all your calls and periodically have a telemarketer phone with offers you may be interested in. Beyond the irritation, the privacy outrage may even get the EFF's attention.

So, last night I downloaded and ran Chrome. It provided me with a browser, it loaded stuff, yay. It didn't do anything I can't already do, and it didn't do anything better. Sure, it was a bit snappier, but if I ran the Mozilla Gecko engine embedded in a Gtk widget I would get a pretty snappy browser too. Comparing Chrome to a fully featured browser isn't an apples-to-apples comparison.

So why is everyone so excited about it? One geek friend, Tham, is over the moon with it, and exuberantly exclaimed his love for it earlier today. I'm not sure why; I think it may be the hype combined with the fact that Google is good at this web stuff and people have high expectations.

Next I had a look at some of the settings to see what sort of privacy invasion was going on. The first thing I noticed was that it provides no way to authorise specific cookies, something even lynx manages and which is certainly indicative of Google dev thinking. Blocking all cookies isn't particularly practical either, and blocking third-party cookies doesn't stop large service providers setting a lifetime cookie and correlating all your actions. It also provides the 'tell me if this is a bad site' option, which can be a bit invasive if each site kicks off a new request to Google, but so does Firefox and they aren't evil. Finally, it does leave a 'GoogleUpdate' service running full time and starting at each boot, which seems completely unnecessary. I really haven't done an in-depth look into these, but the principle of "don't let someone you distrust run resident software on your machine" kicks in here.

As for this 'separate process per tab' stuff, I'm not convinced it buys you much. It doesn't protect you against most web attacks like XSS, CSRF, browser bugs, Flash bugs etc. It may provide some temporary protection against cache and history snooping attacks, but only until someone figures out how to break into Chrome's management layer. It may provide some stability, but this isn't by default; there's already a PoC which purportedly crashes the whole browser. Finally, this may lead to performance problems from the process overhead for each tab, but we'll have to wait and see when it's a real browser. It's okay though, it has new features and re-implementations of stuff that will make sure none of the old vulnerabilities work; now there will just be lots of new ones. Let's hope their security response on Chrome doesn't provide content for another of RSnake's talks.

This is clearly Google's go at making the web a platform and controlling it. The press talks about the next browser war; they're wrong, this isn't a browser war, it's a platform war. Don't buy Office (or use LiveOffice), use Google Docs; don't buy Outlook and Exchange, use Gmail and the appliance (coming soon?). On many devices, the operating system is becoming less relevant. My Wii only became useful as more than a gaming console when it got Opera, and I now use it as a media centre via TVersity's Flash interface. The LG phones are essentially Flash interfaces with a web browser for any heavy lifting. Android may very well turn into the shell which exposes Chrome.

This will be interesting to watch, and I'll periodically check in on the development. But until Google stops being evil, Firefox stops being awesome and an actual browser appears, I'm happy to leave it well alone.

Updated: spelling

Posted by Dominic White

Last modified on 2008-09-08 21:23

9 Comments

  1. mh says:

    Considering that Firefox made >$150 million from Google over the past few years, I'm surprised that you haven't made the swap to WebKit/Opera/Konqueror yet :>

  2. Dominic White says:

    I know you put that smiley in, but I'm going to respond as if you were raising a serious point, because I get the feeling there is a kernel of a real point floating there ;)

    I have no problem with people making money. I particularly don't have a problem with people giving money to projects I think rock. And I certainly don't think Firefox==Google because of it.

    My problem is that I don't trust Google's apps to provide me a service without invading my privacy. That's not the same as saying they are inherently evil and all their employees eat babies.

  3. mh says:

    Yeah, I'm just trolling. I have a relatively healthy distrust of Google [but I'm pretty sure I'll give Chrome a spin for a while before dissing it], mainly because they managed to put together a comic strip that included the words Biba and no write down.

  4. Proofreader says:

    It's "principle" and "separate". By the way, you're incorrect about one-process-per-tab not buying you much. It allows for almost-perfect isolation of each tab, which is an excellent foundation on which to build a robust security system. By the way, two of the attacks you mention (XSS and CSRF) can only be fixed on the server; the client can mitigate against them, but is under no responsibility to do so. The other two attacks ("browser-bugs" and "Flash bugs"), well, actually, one-process-per-tab *does* protect you against the former and leaves the latter up to the manufacturer to fix, which is appropriate.

    I still don't get why you're up in arms about Google's privacy invasion. Yes, they take my "personal" data and use it to serve up better ads to me. They haven't sold it to telemarketers or anything, and I'm OK with that. My bank does worse things with my data, and I trust them with my money, don't I?

  5. Dominic White says:

    Thanks for the proofread, spelling is fixed now.

    You know how everyone always responds to security arguments with "but it's not a panacea (NAP)"? That's what I am going to do. Process separation will buy some security, but at the cost of other things. Additionally, I believe this benefit will erode over time (in a faster way than most controls do) because people will learn to target Chrome's management layer. I have no problem with an existing control, but as it and speed seemed to be the two benefits most heavily lauded, I thought it appropriate to analyse the message.

    Onto the next point, client side attacks (XSS, CSRF, Flash etc.). I absolutely agree with you, and you with me on this one. However, this clarification wasn't made anywhere, and certainly client-side sploits are a large part of "internet security". My mother should know that Chrome may provide some protection against a small class of bugs and leave her open to a larger set that the browser can do little to protect. Although, Dave Ross seems to be trying with XSSFilter.

    On the other hand, with browser bugs you are taking too specific a view. Look at some of the vulns posted already, such as the arbitrary file download. This is a browser bug, and the tab separation does nothing to stop it. NAP

    Onto privacy invasion, you're on a clear slippery slope; just because I give my info to some people doesn't mean I should give it to all or any. I would argue an even stronger case, that you should limit who you give your info to as much as possible. Additionally, people explicitly collecting lots of info about you should be treated with extra caution. You being au fait with people knowing your data is merely because you haven't read enough conspiracy theories. Yahoo has explicitly handed search data over to the Chinese gov, and those people were 'detained'. If I CSRF you with a few searches of "I love Tibet" to google.cn, that may even get you on a few 'watch lists'. Don't think .gov's are above that sort of stuff either.

  6. Roofpleader says:

    On the security benefit of one-process-per-tab, I think that we can agree to disagree. You see it going in one direction; I would argue that if they architect it properly, it'll be as difficult to break out of as a secured VM. Time will tell which of us is correct. Time will also tell us whether your mother, and other users, will learn to distinguish between vulnerabilities that the browser can realistically mitigate against, and vulnerabilities that it can't do much about. I have less hope for that :).

    The more interesting point you've raised is with regard to privacy. Why, exactly, should "people explicitly collecting lots of info about you [...] be treated with extra caution"? Why should I not trust them, when they appear to have done nothing malicious with the information at all? I give them my details for two reasons: firstly, I trust them to exercise reasonable care with my data; and secondly, if my data gets out, I don't think it'll cause me too much inconvenience. If I'm put on a no-fly list, so what? I wasn't intending to leave the country any time soon. My Google-held data is of much less revolutionary value than my openly-expressed opinions. Why should I care about the former?

    You need to tell me that Google won't exercise reasonable care with my data; and that, if my data gets out, it'll be disastrous for me. I don't think that you can do either. In fact, I don't think that you can even make those two claims about your data. So, why not embrace our digital overlords? Resistance is silly, as well as futile.

  7. Dominic White says:

    Ha ha, Yusuf you can never put the troll back in the cage can you :) And you provide such shiny shiny jewels to tempt me into it.

    Right, on the non-troll part:

    * One process per tab - I hate agreeing to disagree. They may architect it properly, but at some level you need a management layer, and if you have enough monkeys in front of a fuzzer they'll find it and break into it (also, they may hack Shakespeare).

    * My mother - no, no, no, *your* mother. But seriously, she doesn't need to distinguish, we do. The message I'll give to her is "Google lied! Run for the hills!", because it doesn't provide much security against a big chunk of the sort of intertube bugs out there contrary to marketing.

    On the troll part (I mostly distinguish this for you dear reader):

    They *appear* to have done nothing malicious; that's part of my discomfort. They don't disclose what they do with my data. I would be very happy (and semi-irrationally be more likely to hand my data over) if they had a Facebook-like privacy tab listing all the things they did with my data and allowing me to allow/block certain actions/correlations, or even just allowing me to delete it all and not play.

    As for disastrous things happening with your data, I think you already bowed out of 'reasonable' territory (when you started commenting, ho ho ho) when you said you don't care about things such as "no-fly lists". Assuming the link was clear, if using a Google service translated to an increased risk of not being able to fly to the US, I think many people (many people != Yusuf) would be uncomfortable.

  8. Truthseeder says:

    According to your reasoning, it's impossible to have secure software. If "Throw enough monkeys in front of a fuzzer" will break anything, I think that you'd be out of a job pretty-darn-quick.

    As for the average user, I think that they need to be told nothing but the truth about Chrome: it's no more or less secure, in the days after its initial release, than any other major browser -- and it's significantly more secure than one of Mozilla's "nightly builds", or one of Microsoft's "Community Technology Previews". Give them a few months, and we'll see what happens. They've already fixed both vulnerabilities that have been widely reported; one of those wasn't an exploitable vulnerability, and the other wasn't a vulnerability in their code (it was a vulnerability in WebKit). Not a bad start.

    Now, on to the privacy aspect. If I'm reading you right, you're saying that they appear to not be malicious, so they must be hiding something ... and you trust Facebook with your data instead, when their terms-of-service say the following:

    "When you post User Content to the Site, you authorize and direct us to make such copies thereof as we deem necessary in order to facilitate the posting and storage of the User Content on the Site. By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content."

    Gosh. Guess I'm stupid for trusting hasn't-done-malicious-things Google, and you're smart for giving much more personally-identifiable and valuable information to I'll-pimp-out-your-data-when-I-want-to Facebook. Oh, well.

    I don't think I'm alone in not caring about no-fly lists. Millions of people never leave the town they were born in, let alone the country or continent. I'm one of those who chooses to stay within my country's borders. If I leave, it's generally on Company business -- and if I'm on a no-fly list and can't board, I don't much care. So, where's the disaster for me?

  9. Dominic White says:

    Well, that's the point; it is impossible to have secure software. They are subject to the same sort of problems that lead to holes as any other browser. If WebKit has a vuln, then so do they. While code does get you some of the way, a skilled security response team with robust processes is really where the differentiator lies. The 'multiple-process-per-tab silver bullet' isn't what it is cracked up to be, and certainly wasn't advertised as just another security control, but rather as a very significant one.

    I agree that Facebook has a significant amount of my data. However, I think there are intelligent middle-ground approaches to privacy. Facebook provides a great service I literally can't get anywhere else. In addition, this service uses only the data I give it for that service, and does not require any additional data. Much of the private information in it is generated in using the application. Additionally, I can limit the info I give it (and we recommend that to many people). Then, on top of that, Facebook provides some of the most robust web security and privacy features of any application. They were one of the first to get anti-CSRF protections right, and their privacy options are out of this world. This has generated far more trust on my side.

    Google, on the other hand, wants to know about everything I do and does so without asking, and these are things that I don't generate in using one of their apps. For example, Google Analytics tracking of the sites you visit, Google Proxy's web visit and search correlation. I need to install NoScript and CookieBlocker to make it stop. Then on top of this, Google's apps aren't the only ones out there; why must I give them my e-mail and calendar when many very decent alternatives exist? I have much more of a choice around my supplier of this functionality. This has generated a large amount of distrust on my side.

    In the end, you have to give some data to some people. The people who limit the data collection to what is reasonably required for their app, tell me what they do with it, provide an option for me to remove it or better yet control which bits of it can be used specifically, are going to be more likely to get my data. That is the middle ground, and what many of my 'knee-jerk-opposition' don't seem to get. I don't think everything Google does is evil, I just don't trust them with my private data, and take steps to limit how much I give them, while still benefiting from the parts of their service I can reasonably use within my limits.

    As for your flying habits, I'll take it that you are discounting yourself from the argument, not rebutting it.
