Safe browsing with Google Chrome?

Only one day before its intended beta release, details of Google's inaugural open source browser, named Chrome, leaked to the general public. Such secrets are almost never kept in their entirety anymore, especially when the project has had a development phase of more than two years.

Hats off to Google for what must be a comprehensive internal data leakage policy. Its ability to successfully keep this news out of the public eye until its worldwide debut demonstrates the company’s legitimate interest in security, but whether this interest sufficiently extends to Chrome remains to be seen.

Chrome beta officially surfaced globally at its launch on 3 September. Simple but powerful were its selling points, with security an added benefit. At first glance, it’s obvious Google built Chrome with security in mind.

“Security typically tends to work in multiple levels,” said Sundar Pichai, VP product management at Google via webcast during the Sydney launch. “That’s the way we’ve approached security in Chrome.”

Specifically, Chrome has adopted tabbed browsing, but in its version Google runs each tab as an individual process with sandbox capabilities. It restricts privileges for third-party apps (not plug-ins yet), incorporates a blacklist that alerts users to ‘bad’ sites and offers an ‘incognito’ mode for private browsing.

“It looks like they have designed it from the ground up with some sound security. All the processes have their own memory space, each tab runs in its own secure sandbox and that’s a good thing.

“It’s not unique, as Internet Explorer 8 is doing something similar, however, they had to decide that before they wrote a line of code and that speaks volumes,” said David Kaplan, head security architect at Australian-based security company, Earthwave.

On paper, security experts quickly warmed up to Chrome and Google’s focus on security. Even when researchers disclosed a vulnerability in Chrome’s WebKit framework one day after its launch, not all were ready to throw in the towel.

“Chrome is going to suffer from the weaker software [WebKit] it uses but its layered security is going to help it deal with that sort of thing,” said Kaplan.

Naturally, not all experts were convinced. Randy Abrams, director of Technical Education at ESET, said: “You’ve got to be concerned when a company is using code from a base that has significant vulnerabilities. They’ll fix it, but to me it’s a pretty sloppy oversight to have even let that go to beta with such an obvious and well-known vulnerability.” Abrams also gave some fitting advice around sandboxing.

“It’s really good if a user understands what the technology means. If people don’t understand that a sandbox is really best used as a one-shot environment: empty out that sandbox, before you go to something important, it will not work.”

Google is keen to share Chrome’s open source code with the user and vendor community, with the aim of improving the overall functionality of the ‘window to the web’.

“However, it’s important that users are aware that a browser, any browser is not going to keep them safe. One, it’s not the job of a browser and two, it’s not possible for a browser alone to do,” said Abrams.