
Google uncloaks Chrome's top security goals

[Image: Chrome's privacy controls.]

Google's Chrome security team unveiled yesterday its guiding principles on how they build a safer browser.
The manifesto declares seven key guidelines for Chrome security. The first one, "Don't get in the way," both echoes Google's unofficial motto, "Don't be evil," and reflects what many Windows security vendors have learned the hard way about keeping people safe: if security noticeably hurts performance, users will look for alternatives. For a browser that has built its user base on speed, sluggish response times could do serious damage.
"It's great to see invisibility and automatic background updates as the first principle. Good security is transparent and inescapable," said Chris Wysopal, chief technology officer at Veracode. "The fewer security decisions that involve the user the better. Every security decision made by the user is a chance that something will be postponed or forgotten or, worse, an opportunity for social engineering."
Privacy is not mentioned in the list of principles, and that may raise the hackles of some security experts. "I think Google's approach to privacy is a little bit different than others," said Jeremiah Grossman, WhiteHat Security's chief technology officer. "They make the assumption that you trust them, but if you don't trust them then you have to separate the two. You can't protect your data that's on Google, from Google, because it's contrary to their business model."
Google does have a site dedicated to explaining privacy in Chrome, and it does have a company-wide privacy policy that applies to Chrome. However, there isn't a company policy statement on Chrome privacy comparable to the new security manifesto.
A Google representative told me that the Chrome security team works in close conjunction with Google's overall security team, as well as the Chrome team itself. "We protect users by embedding security deeply into our culture, as well as our process for designing and developing products. This relentless focus on security often benefits the web more broadly as well, either through our own action or through others who adopt similar approaches," the representative said.
The need for speed has found its way into Chrome security as well, and the representative pointed to the regular security notes published with each release as evidence of this, along with tough internal benchmarks for response time and for how long known issues are left unpatched. "We've demonstrated that we will shine a light on security topics that are relevant to our users, even when most companies wouldn't," he said.
Of course, Google is hardly the only company to take this approach. Mozilla also regularly publishes security release notes, and Microsoft has become so regular at publishing security updates for Internet Explorer and its other software that "Patch Tuesday" has become part of the lingua franca of the computer security world.
Microsoft recently touted a decade of security achievements, and it's practically universally accepted that the company learned some tough lessons in the past 10 years.
Not surprisingly, Microsoft's current policies of a company-wide approach to security echo Google's similar stance with Chrome. Chrome's third core principle states that security is a "team responsibility," which was explained to me as meaning that browser security concerns go beyond the realm of just the Chrome security team to include Google's general security group and the general Chrome group. While this may sound obvious to some, cross-department communication has had an impact on the browser's development, said the Google representative.
"Engaging the security community makes Google part of the security community. More technology companies should take this approach. They have set up a cooperative and non-adversarial posture. Microsoft pioneered this approach, but Google has taken it a step further with their bug bounties," said Wysopal.
Google has said that the quality of the bug reports has helped it fix vulnerabilities much faster. The company has paid out more than $200,000 for Chrome- and Chromium-related security bugs found by bug hunters. Chromium, the open-source progenitor of Chrome, was around for a year before Google debuted Chrome.
While likely familiar to many who keep tabs on browser security, the principles document stands as a place where Google can point to its achievements in the field as well as its goals. Among the Chrome features the document references are anti-exploit technologies such as JIT hardening and Google-sourced innovations such as the Safe Browsing API. The "Make the Web safer for everyone" section cites several publicly specified technologies, including public key pinning, SPDY, and Native Client.
Grossman concluded that, despite some concerns about Chrome, the project has been a boon for the Web. "I think they're doing a lot more right than wrong when it comes to browser speed and security," he said.
Correction, 4:41 p.m. PT: This story originally misstated the amount of money rewarded to bug hunters working on Chrome and Chromium. The correct sum is more than $200,000.
Update, 4:45 p.m. PT: The story has been updated with a link to Google's company-wide privacy policy, which it says also applies to Chrome.
