The Trouble(s) With Google Chrome’s Security

By  |  Monday, October 6, 2008 at 11:20 am

It’s been more than a month since Google Chrome first hit our desktops. The blogosphere is still pondering its features and performance and making predictions about Google’s future in the browser business, but amid all the commentary about Google’s latest venture very few have taken the time to examine the new browser’s security. Browser-based attacks, from phishing and cross-site scripting to plug-in exploits and other techniques, should give even the most tech-savvy among us pause when choosing which browser to make the workhorse of our daily online activities. A significant number of users have already chosen Chrome, but the security measures Google has implemented in it are subpar for a modern browser.

There are many simple steps Chrome could take to further protect its users. To be fair, many of the complaints I have could also be directed at Firefox, Internet Explorer, or Safari, so I’ve broken things down into a feature-by-feature comparison.

Password Management
Every browser offers to save form information, including passwords, for quick logins to websites, and each protects that sensitive data to a different degree. Firefox stores passwords in its profile directory and offers to encrypt them under a master password, shielding them from other users of the computer. Safari on OS X stores them in the system-wide Keychain, which ties them to your OS X account’s login password. Internet Explorer does not offer a master password for web passwords, but it stores the data in a registry key with tightly limited permissions, encrypted under your Windows account credentials, so only code running as that user while it is logged in can read it.

Chrome’s take is to encrypt your saved passwords on the hard drive with a key tied to your operating-system login (on Windows this is the DPAPI facility), but it offers no way to protect them from prying eyes once you are logged in. If I walked by a computer with Chrome installed, I would only need to click Show password in the Options dialog to see that poor user’s login passwords. That is the caveat with every OS-account scheme above: it protects the password file against someone who copies it off the disk or logs in as a different user, not against anyone who reaches an unlocked session, whether by walking up to it or by running malware as that user. In fairness, Firefox is also guilty here to an extent, since it doesn’t prompt you to set a master password by default, and without one the key that decrypts the passwords sits in the profile right next to them. The shame is that a master password is a simple feature that would make a world of difference for anyone who leaves their computer on when they leave the room.

Separation of Address and Search
Like password saving, every browser now has a dedicated search box for Google, Yahoo, and other engines. A recent refinement, enabled by default only in Firefox, has the box suggest popular queries as you type. Chrome instead turns the entire address bar, where you normally enter plain URLs, into a giant search box it calls the OmniBox. As in IE 8 and Firefox 3, typing into the bar searches your history and bookmarks by URL and page title, but it also acts as an auto-suggesting search box.

This is an interesting design that works well, but one not-so-obvious consequence is that for the suggestions to work, every single character you type in the OmniBox is sent to the default search provider (Google, unless you change it), whether or not you intend it to be a search. Even if you are just trying to reach a site by plainly typing its URL, that information leaves your machine keystroke by keystroke, and anyone watching the network sees it too if the suggestion requests travel unencrypted. The privacy-conscious should keep this in mind; Chrome’s options do let you switch the suggestion service off, at the cost of the suggestions themselves.

Third-Party Cookies
The ability of cookies to store information has added incredible convenience to our Internet lives, but flaws in cookie handling have been a thorn in the side of security researchers since Netscape created the technology years ago. One major problem with cookies from the privacy and security perspective is the notion of third-party cookies. Any site whose content is embedded in a page, even if it’s not the site you’re actually visiting, can read and write its own cookies in your browser. For example, if I go to any site with ads, the ad providers can leave cookies behind in addition to the primary site’s cookies.

This is not a big deal on its own, but massive online ad providers such as DoubleClick, which serves ads for countless sites (and happens to be owned by Google), can read their cookie on every site you visit that carries their ads, letting them correlate your browsing across all of those sites. Not a very comfortable situation.

Thankfully, as it stands today, Firefox, Internet Explorer, and Safari all have the native ability to block third-party cookies, but only one, Safari, enables that protection by default. Google Chrome also lets you block third-party cookies, although the feature is turned off by default, as it is in Firefox and IE.

And Chrome’s implementation is not as strict as it should be. Renowned security expert Steve Gibson did a full analysis of its security on a recent episode of the Security Now! podcast and found a cookie-handling flaw known as “cross-context leakage.” Basically, Chrome blocks the setting of third-party cookies, but not the sending of cookies that already exist. So if clicking a link quickly routes me through an advertiser’s URL on the way to the site (as depicted below), the advertiser is the first party for that hop and can set its cookie; on every later page that embeds its ads, Chrome still sends that cookie back, and the advertiser can track my behavior in a limited fashion.

Gibson attributes this flaw to Chrome’s reliance on the WebKit rendering engine, but I still hold Google at fault for an unnecessary hole in Chrome’s cookie policy.
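The following is an added example, not part of the original post and not Chrome’s own code, that models the set-versus-send distinction behind the leak described above in a small Node.js cookie jar. The hostnames (ads.example, news.example, shop.example) are made up, and “third party” is decided by comparing a crude registrable domain, standing in for the public-suffix logic a real browser uses.

```javascript
// Added example: why blocking only the *setting* of third-party cookies
// still lets an advertiser track the user across sites.

// Crude eTLD+1 for the made-up hostnames used here (no public suffix list).
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// A request is third-party when its host does not belong to the site shown
// in the address bar (the top-level document).
function isThirdParty(topLevelHost, requestHost) {
  return registrableDomain(topLevelHost) !== registrableDomain(requestHost);
}

class CookieJar {
  // policy: { blockThirdPartySet: bool, blockThirdPartySend: bool }
  constructor(policy) {
    this.policy = policy;
    this.cookies = new Map(); // requestHost -> Map(name -> value)
  }

  // Handle a Set-Cookie header in a response from requestHost while the
  // address bar shows topLevelHost. Returns whether the cookie was stored.
  setCookie(topLevelHost, requestHost, name, value) {
    if (this.policy.blockThirdPartySet && isThirdParty(topLevelHost, requestHost)) return false;
    if (!this.cookies.has(requestHost)) this.cookies.set(requestHost, new Map());
    this.cookies.get(requestHost).set(name, value);
    return true;
  }

  // Cookies attached to a request to requestHost made from a page on topLevelHost.
  cookiesForRequest(topLevelHost, requestHost) {
    if (this.policy.blockThirdPartySend && isThirdParty(topLevelHost, requestHost)) return {};
    return Object.fromEntries(this.cookies.get(requestHost) || []);
  }
}

// The scenario from the text: the user clicks a link and is bounced through
// the ad network's redirect URL (a top-level navigation, so the ad network is
// first-party for that instant), then later loads that network's ads on
// unrelated sites.
function trackingScenario(policy) {
  const jar = new CookieJar(policy);
  // 1. Redirect hop through ads.example: first-party context, so the cookie lands.
  const setDuringRedirect = jar.setCookie('ads.example', 'ads.example', 'uid', '12345');
  // 2. Ad embedded on a news site: third-party context. This is the case the
  //    "block third-party cookies" switch is expected to stop.
  const setAsThirdParty = jar.setCookie('news.example', 'ads.example', 'uid', '67890');
  // 3. Same ad network embedded on a shop: is the redirect-planted uid sent along?
  const sent = jar.cookiesForRequest('shop.example', 'ads.example');
  return { setDuringRedirect, setAsThirdParty, tracked: sent.uid === '12345' };
}

// Block set only (the behaviour described for Chrome) versus block set and send.
function runScenarios() {
  return {
    setOnly: trackingScenario({ blockThirdPartySet: true, blockThirdPartySend: false }),
    full: trackingScenario({ blockThirdPartySet: true, blockThirdPartySend: true }),
  };
}

console.log(runScenarios());
```

Under the set-only policy the direct third-party Set-Cookie is refused, yet the cookie planted during the redirect is still sent from shop.example, so tracking works; under the set-and-send policy the same cookie is held back and the ad network sees nothing it can correlate.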

Selective JavaScript Controls

In every browser, JavaScript execution remains the largest single source of security problems. As fancy Web 2.0 services find their way into almost every area of our online lives, JavaScript becomes increasingly important, yet as attackers use cross-site scripting (XSS), code-execution vulnerabilities in the script engine and plug-ins, and other techniques to do their dirty work, strict JavaScript controls become more and more necessary. Security-conscious Firefox users will immediately think of the NoScript add-on as the best implementation of such controls: it blocks third-party scripts and plug-ins by default, filters XSS attempts, and more. Even Internet Explorer and Safari can at least turn JavaScript off, and IE can do so selectively through its security zones. Chrome, however, offers no way to turn JavaScript off at all.

I know that most people don’t think about JavaScript most of the time, and that Chrome has been praised for its impressive JavaScript engine since day one. But I can’t see myself using Chrome as an everyday browser until it can turn JavaScript off. The rapidly growing number of JavaScript attacks includes ones served by innocent sites that have suffered a mass SQL injection: the attacker plants a script tag in the site’s database content, and every visitor’s browser then fetches and runs the attacker’s code without the afflicted site’s knowledge.

You might also argue that Chrome is really a platform for Web applications, and not just a browser, so JavaScript is absolutely essential. I agree, but I don’t accept that as an excuse for the browser’s complete lack of controls. I’d even be satisfied by a NoScript-like add-on for Chrome that users would have to download separately.

Now For the Good News
After all my harping about Chrome’s small but significant security flaws, I should leave you with some things that do excite me about its security model. Like Firefox and Internet Explorer, Chrome checks the URLs you visit against a regularly updated list of known phishing and malware sites and warns you before you land on one. Furthermore, the Google team has implemented some simply awesome sandboxing: the renderer process that parses pages and runs JavaScript is started with a heavily restricted token (on Windows), so even if a page exploits a bug in it, the compromised process cannot write to your files or registry or reach other processes without first escaping the sandbox. Immune is too strong a word, since the browser process and the operating system remain within reach of a second bug, but it raises the cost of an attack considerably. You can see explanations of this system here and here. In truth, I like these protections so much that I would love to see them implemented not only in Chrome but in every other browser out there.

Ultimately, I do think that Chrome has some amazing new technology in it, and that it will push forward the capabilities of standard browsers. I’m hoping the rumors of Google integrating a Firefox-like add-on framework for Chrome are true, so that these and any other foreseeable security problems can be swept away by talented independent developers. But in light of all that’s great about Chrome, I’m even more disappointed about its security flaws. Here’s hoping Google fixes them soon–this browser is, after all, still a beta.

Note: Thanks to Steve Gibson, mentioned above, whose work in investigating the security of Google Chrome was the inspiration for this post.


6 Comments For This Post

  1. Dean Says:

    Re XSS, have you looked at the cross-site scripting filter in IE8?

  2. Rose Mutiso Says:

    Great article! Security issues are often ignored in the hype of new technologies, thanks for redirecting our attention to the important stuff.

  3. David A. Sampayo Says:

    @Dean – No, I have not. I am glad to hear that IE is implementing such a protection, though. Security advances are always great news, even though I don’t use IE on a regular basis. Judging from the URL of your name, I assume you work on the IE team?

    @Rose – Thanks for the thought. Chrome is going to be great in, say, 6 months, but not until they fix these basic things.

  4. rowanrook Says:

    Good points. It is for these reasons and also lack of Adblock that I finally uninstalled Chrome today. Oh, one more reason you left out: Google Updater. I don’t like it. It’s a sneaky program and I even uninstalled the Google Toolbar for IE just to get rid of it. I never use IE anyway 🙂

  5. Jim Long Says:

    I’m a computer illiterate who should have waited and not downloaded Chrome yesterday!! I got frustrated and uninstalled it and went back to IE and they got sarcastic: “Was it something we said?” Then this morning I discovered someone had hacked into my PC and deleted files. Boy, they sure get sore when you uninstall.

  6. Olga Says:

    Password protect your Firefox and Chrome profiles and nobody but you will have access to it. I'm using Rohos Mini, knowing all the security holes in Chrome – http://www.rohos.com/2010/12/how-to-password-prot
