Chrome security – calm down.
I answered a post on SEW and thought it was useful information for the blog as well, so I’ve added to it. It was a thread about how Chrome has security flaws and whether people should be using it, basically.
Last week, the German federal office for information security advised against the use of Google Chrome. The official apparently said that the fact that it was released as a beta was problematic and it was risky for one vendor to have all of this data. It seems that the German official wasn’t quoted completely accurately. It seems strange that Chrome should be targeted because of its beta release when IE is often in beta, as are many other browsers. As for Google having too much information, well, no one ever complained about Microsoft before.
In fact, Matt Cutts says people don’t seem to know that Chrome doesn’t send information about your surfing habits to Google, but Microsoft’s IE8 beta 2 will send Microsoft information if the “suggested sites” feature is enabled.
Chrome is a beta, so there are always going to be some issues, and other browsers have security flaws as well. In fact, Chrome has some good security features that other browsers don’t, like site blacklists. There is also a privacy mode (incognito), a dialogue box where you can clear data, and the rendering engine runs in a sandbox (if something bad is running in one tab, only that tab is affected and not the whole browser).
The vulnerabilities to date include the flaw from the Safari WebKit, some Java bugs (OK, one of which is severe), and a DoS (denial of service) vulnerability.
Google did hire Michal Zalewski in July though, so he’s probably helping out with the Chrome product.
I don’t blame people for waiting for it to come out of beta, but that might take quite a long time. In the meantime, other browsers have been used happily for years along with their security flaws. Firefox 3.0, as recently as June, was found to have some problems, for example.
IBM’s X-Force report was released in July 2008. It says that 94 percent of all browser-related online exploits have happened within 24 hours of official vulnerability disclosure (“Zero-day” exploits). Browser plug-ins are the favorite hacker weapon (how many Firefox plug-ins do you have?) as 78% of all hacks during the early part of 2008 happened this way. The report says that automated toolkits, obfuscation and unpatched browsers are the primary hacking route at the moment. It also says “Although the most exploited Web browser vulnerabilities are one to two years old, the availability of public proof-of-concept and exploit code is speeding the integration of more contemporary exploits into toolkits.” Automated SQL injection attacks are also on the up.
This report was released before Chrome was even around, so it’s safe to say that many of us have been using insecure browsers. I understand about being cautious, but it’s not fair to call Chrome an unsafe browser when others are not necessarily any better.