Only one day before its intended beta release, details of an inaugural Google Open Source browser named Chrome leaked to the general public. Such secrets are almost never kept in their entirety anymore.
Hats off to Google for what must be a comprehensive internal data leakage policy. Its ability to successfully keep this news out of the public eye until its worldwide debut demonstrates the company’s legitimate interest in security, but whether this interest sufficiently extends to Chrome remains to be seen.
Chrome beta surfaced globally at its launch on 3 September. It was marketed as a browser that is simple but powerful, with security an added benefit. At first glance, it’s obvious Google built Chrome with security in mind.
“Security typically tends to work in multiple levels,” said Sundar Pichai, VP product management at Google, via webcast during the Sydney launch. “That’s the way we’ve approached security.”
Chrome uses tabbed browsing, and in Google’s version each tab has an individual process with sandbox capabilities that restrict privileges for third-party apps (not plug-ins yet).
Additionally, Chrome uses a blacklist that alerts users to ‘bad’ sites and has an ‘incognito’ mode for private browsing.
“It looks like they have designed it from the ground up with some sound security. All the processes have their own memory space, each tab runs in its own secure sandbox and that’s a good thing,” said David Kaplan, head security architect at Australian-based security company Earthwave.
“It’s not unique, as Internet Explorer 8 is doing something similar; however, they had to decide that before they wrote a line of code and that speaks volumes,” he said.
On paper, security experts quickly warmed up to Chrome and Google’s focus on security. Even when researchers disclosed a vulnerability in Chrome’s WebKit framework one day after its launch, not all were ready to throw in the towel.
“Chrome is going to suffer from the weaker software it uses but its layered security is going to help it deal with that sort of thing,” said Kaplan.
Naturally, not all experts were convinced.
Randy Abrams, director of Technical Education at ESET, was concerned that a company, especially Google, used code from a base that has significant known vulnerabilities.
“They’ll fix it, but to me it’s a pretty sloppy oversight to have even let that go to beta with such an obvious and well-known vulnerability,” said Abrams, who gave some fitting advice about sandboxing.
“It’s really good if a user understands what the technology means. If people don’t understand that a sandbox is really best used as a one-shot environment (empty out that sandbox before you go to something important), it will not work.”
Google is keen to share Chrome’s Open Source code with the user and vendor community, with the aim of improving the overall functionality of the ‘window to the web’.
“However, it’s important that users are aware that a browser, any browser, is not going to keep them safe. One, it’s not the job of a browser and two, it’s not possible for a browser alone to do,” said Abrams.
Safe browsing with Google Chrome?
By Negar Salek on Oct 3, 2008 7:00AM