How Secure Is Google Chrome?

[Saint_Michael 3]

I don't know why I didn't think about it or rather why not too many people where talking about it, but alas the topic title says it all. So as I reading the article I would have to admit the way Google set up the security for Chrome, but I am no programming/security expert but there could be a flaw with how it is set up as well. The only flaw that I could see that could be a potential danger are in fact two, first no admin privileges in order to install and that googleupdate.exe process, but how man news reports you know of that someone successfully tapped into google servers or their corporate office?

Like I said, the security set up to Chrome is quite good, but alas maybe in this big block of text you might find something google might have missed, or maybe not.

The security model Chrome follows is excellent. Chrome separates the main browser program, called the browser kernel, from the rendering processes, which are based upon the open source WebKit engine, also used by Apple's Safari. The browser kernel starts with all privileges removed, the null SID (a security identifier in Windows Vista that denotes the user as untrusted), and multiple "restrict" and "deny" SIDs enabled. On Windows Vista, Chrome runs as a medium-integrity process.
[Tomorrow: "How secure is Mozilla Firefox?" For more on browser security and protection against Web-borne threats, see Security Adviser and "Test Center: Browser security tools versus the evil Web." ]

Every Web site is given its own separate rendering process, memory space, global data structures, access token, tab, URL bar, desktop, and so forth. Currently, Chrome will open as many as 20 separate processes, one for each Web site, and start sharing processes between Web sites after that. Rendering processes are highly restricted as to what they can and can't do. On Windows Vista, Chrome's rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista's mandatory integrity controls more securely than Microsoft does. For one, Chrome attempts to prevent low-integrity browser processes from reading high-integrity resources, which is not normally prevented. (By default, Vista prevents lower to higher modifications, but not reads.)

Both the browser kernel and rendering processes run with DEP (Data Execution Prevention) and ASLR (Address Space Layout Representation) enabled, and with virtualization disabled. Any supplementary browser add-ons are run in a separate, medium-integrity (or higher-integrity) process. This screen image shows the various browser processes and their security settings, as enumerated by Process Explorer on Windows Vista. Chrome even has its own Task Manager and internal page to show memory and CPU statistics. With respect to the base security model, Chrome is leading the pack. It's beautiful.

Even then it would seem everyone's favorite firefox feature, the add-on won't be coming any time soon and after reading all that up top it is quite understandable. As all of the security will either be nulled out or the add-on would maybe do something to the broswer itself.

Google has also washed its hands of responsibility for the security of add-ons. Reviewers are very mixed on this approach. While it is true that browser vendors should not be ultimately held responsible for others' add-ons and applications, Chrome offers no add-on management. You cannot easily determine which add-ons will render particular content, nor easily disable them.
Many users are perturbed by the treatment of their own saved passwords. Chrome allows the current user to reveal the saved log-on names and passwords in plaintext with a few clicks of the mouse. This is convenient for the user -- and for anyone else who wants to learn all of the user's passwords and finds the computer left unattended for a few seconds. Internet Explorer doesn't allow this at all, and Firefox and Opera at least have the ability to assign another password to protect the saved passwords. On the Password Manager Evaluator testing Web site, Chrome scored the worst among all of the browsers I've tested (including Firefox, Internet Explorer, Opera, and Safari), passing only 4 of 21 tests.

Of course, that is quite disturbing about the passwords though and I didn't even know that could be done and I don't think there is any documentation stating that little fact either. Luckily I don't use chrome that often to store my logins and what not. Even though, someone would have to be familiar about it, but now everyone should be aware of it now. However, though it would seem as though when Chrome first came out they made rookie mistakes with the Buffer Overflows and after working with Mozilla for a few years they would have learned about them in someway. Now the question is, does Chrome have Merit as being a safe browser or does it simplicity have it ready for some fun by the criminal underground?

SOURCE

https://www.yahoo.com/tech/

[galexcd 0]

This is quite interesting. I never expected google to add add-ons to chrome, it just didn't seem like them to take their beautiful light browser and allow users to bloat it up with add-ons and toolbars. Interesting that it stores all the passwords in plain text, I don't think I'll have it remember my saved passwords if it ever comes to Mac or Linux and I start using it.

[Echo_of_thunder 1]

Myself I never trust any add ons for anything for that very reason. But yea and I shouldnt but I have to agree with S_M on this. Kinda makes me think of Google in General.

[abhigyan 0]

I don't know too much about its security issues but I don't have vary positive feedback for this browser although it looks like firefox and although it is beta but i expected more from google.

[galexcd 0]

[...] it is beta but i expected more from google.

I'd have to agree with you there. I was really hoping this would be something more than just a web browser. I was hoping it was an interface to interact with some of google's well-known web applications, and at the very least interface with your google account and have built in functionality that would allow the user to sync their bookmarks with google bookmarks, perhaps add a gmail/google calendar notifier in there... etc. But no. It is just a stable and secure (and after reading this thread perhaps not as secure as we may think) web browser no different than if some other software developer would have made it.