Skip to main content

Google uncloaks Chrome's top security goals

Chrome's privacy controls.



Google's Chrome security team unveiled yesterday its guiding principles on how they build a safer browser.
The manifesto declares seven key guidelines for Chrome security. The first one, "Don't get in the way," both echoes Google's unofficial motto, "Don't be evil," and reflects what many Windows security vendors have learned the hard way about keeping people safe. If security negatively affects performance, users will look to alternatives. For a browser which has built its user base on speed, sluggish response times have the potential to wreak great havoc.
"It's great to see invisibility and automatic background updates as the first principal. Good security is transparent and inescapable," said Chris Wysopal, chief technology officer at Veracode. "The less security decisions that involve the user the better. Every security decision made by the user is a chance that something with be postponed or forgotten or worse, an opportunity for social engineering."
Privacy is not mentioned in the list of principles, and that may raise the hackles of some security experts. "I think Google's approach to privacy is a little bit different than others," said Jeremiah Grossman, WhiteHat Security's chief technology officer. "They make the assumption that you trust them, but if you don't trust them then you have to separate the two. You can't protect your data that's on Google, from Google, because it's contrary to their business model."
(Credit: Google)
Google does have a site dedicated to explaining privacy in Chrome, and it does have acompany-wide privacy policy that applies to Chrome. However, there isn't a company policy statement on Chrome privacy like the new security manifesto.
A Google representative told me that the Chrome security team works in close conjunction with Google's overall security team, as well as the Chrome team itself. "We protect users by embedding security deeply into our culture, as well as our process for designing and developing products. This relentless focus on security often benefits the web more broadly as well, either through our own action or through others who adopt similar approaches," the representative said.
The need for speed has found its way into Chrome security, and the representative pointed to regular release note updates as evidence of this. "We've demonstrated that we will shine a light on security topics that are relevant to our users, even when most companies wouldn't," he said, with tough benchmarks set for response time and how long systems are left unpatched.
Of course, Google is hardly the only company to take this approach. Mozilla also regularly publishes security update release notes, and Microsoft has become so regular at publishing security updates to Internet Explorer and its other software that Patch Tuesday has become lingua franca in the computer security world.
Microsoft recently touted a decade of security achievements, and it's practically universally accepted that the company learned some tough lessons in the past 10 years.
Not surprisingly, Microsoft's current policies of a company-wide approach to security echo Google's similar stance with Chrome. Chrome's third core principle states that security is a "team responsibility," which was explained to me as meaning that browser security concerns go beyond the realm of just the Chrome security team to include Google's general security group and the general Chrome group. While this may sound obvious to some, cross-department communication has had an impact on the browser's development, said the Google representative.
"Engaging the security community makes Google part of the security community. More technology companies should take this approach. They have set up a cooperative and non-adversarial posture. Microsoft pioneered this approach, but Google has taken it a step further with their bug bounties," said Wysopal.
Google has said that the quality of the bug reports has helped it fix vulnerabilities much faster. The company has paid out more than $200,000 for Chrome and Chromium-related security bugs found by bug hunters. The open-source progenitor of Chrome, Chromium was around for a year before Google debuted Chrome.
While likely familiar to many who keep tabs on browser security, the principles document stands as a place where Google can point to its achievements in the field as well as its goals. Some of the Chrome features referenced in the document include the mention of anti-exploit technologies such as JIT hardening along with Google-sourced innovations like the Safe Browsing API. The "Make the Web safer for everyone" section notes numerous public security standards like public key pinningSPDY, and Native Client.
Grossman concluded that despite some concerns about Chrome, that the project has been a boon for the Web. "I think they're doing a lot more right than wrong when it comes to browser speed and security," he said.
Correction 4:41 p.m. PTThis story originally misstated the amount of money rewarded to bug hunters working on Chrome and Chromium. The correct sum is more than $200,000. Update 4:45 p.m. PTThe story has been updated with a link to Google's company-wide privacy policy, which it says also applies to Chrome.

Comments

Popular posts from this blog

ITC: Motorola does not violate Apple patents

The U.S. International Trade Commission ruled that  Motorola's Droid smartphones do not violate three Apple patents , dealing a blow to Apple's legal offensive against the Android  smartphone ecosystem.                              The ruling is preliminary and needs to be approved by the ITC's full six-member commission. An Apple spokeswoman declined to comment. In a press release, general counsel Scott Offer declared Motorola "pleased" with the ITC's decision . Apple originally lodged its ITC complaint against Motorola in October 2010, alongside two lawsuits. In its complaints, Apple alleges that Motorola's Droid,  Droid 2 , Droid X, and a handful of other smartphones and related software violated several of its patents. Apple's complaint followed  one from Motorola  that claimed Apple was violating 18 of its patents with its smartphones and other mobile devices. Related stories App...

HTC Sensation XE

HTC Sensation XE is latest Android multimedia smartphone with Beats Audio system and Powered by Dual core 1.5 GHz ARM CPU @ premium price. HTC Sensation XE Mobile Features: Android Operating System 2.3.4 (Gingerbread) Custom made Beats headsets for extraordinary sound Faster performance in Multi-tasking and web browsing Aluminum unibody construction 4.3 inch expansive qHD display Full HD camcorder with stereo sound HTC Sensation XE Android Phone Technical Specifications: Asia HSPA/WCDMA 2100 MHz Download up to 14.4 Mbps, Upload up to 5.76 Mbps GSM/GPRS/EDGE 4.3” inch (540 x 960 Pixels) Multi-touch screen Dual Core 1.5 GHz Processor 768 MB RAM + 1GB Memory + 32GB Micro SD Card Support 8MP Camera with Dual LED Flash + Full HD VIdeo Wi-Fi + GPS + Bluetooth FM Radio 3.5 mm stereo audio jack + micro-USB 2.0 1730 mAh Li-Ion Battery Talk time up to 7.4 hours Standby time up to 22.5 days Dimensions: 126.1×65.4×11.3 mm Weight: 151 gms HTC Sensation XE Price in India : App...

RV 400 electric bike

R evolt RV 400 is an electric street bike available in India at a starting price of Rs. 1,02,129. It is available in 2 variants in India and 3 colours with top variant price starting from Rs. 1,16,776. Revolt RV 400 generates 3000 Watt power from its motor. With both front and rear disc brakes, Revolt RV 400 comes up with combined braking system of both wheels and with attractive looks. IT  is the country’s first AI-enabled electric motorcycle with the design on the lines of street naked motorcycles. Variant Price RV 400 Premium ₹ 1,02,129 80-150 Km, 85 Kmph, 108 kg, 4.5 Hrs RV 400 Standard ₹ 1,16,776 80-150 Km, 85 Kmph, 108 kg, 4.5 Hrs Above mentioned prices are Avg. Ex-showroom. RV 400 key highlights Riding Range 80-150 Km Top Speed 85 Kmph Kerb Weight 108 kg Battery charging time 4.5 Hrs Rated Power 3000 W Seat Height 814 mm