Tuesday, December 16, 2008

Google Chrome Browser

Since Internet Explorer is a security mess, what about Google's new Chrome browser? I haven't tried it, because it doesn't run on Linux. However, there is one thing I like a lot about it.

Each tab runs as its own process. This is a pretty big deal, from a security perspective. Right now in Netscape and Opera (maybe in the new IE), you have a single process that has multiple browsing tabs. This means that something that corrupts one tab can corrupt them all. A tab can have access to data in another tab. This is an exceptionally bad thing:
  • Tabs run JavaScript.
  • JavaScript is downloaded from web servers.
  • Lots of web servers are vulnerable to SQL injection.
  • This means that Joe Random Hacker can get his code to run in all of your tabs.
If each tab is a separate process, I can have one open to a secure site (like my bank, shudder shudder), and a different one open to Facebook (shudder), and not worry about Facebook poking around my banking tab.
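The difference between the two models, as an added illustration that is not part of the original post and is not Chrome's code: the same stand-in "untrusted script" runs once with every tab in one address space and once with the social tab in its own process. The tab names, `SECRET`, and all function names are constructed for this example, and it relies on `os.fork`, so it assumes a POSIX system.

```python
import json
import os

SECRET = "constructed-bank-session"  # constructed sample value

def untrusted_script(reachable_tabs):
    """Stand-in for script served by a compromised site: report any bank
    session reachable in this address space, then overwrite it."""
    bank = reachable_tabs.setdefault("bank", {})
    seen = bank.get("session")
    bank["session"] = "corrupted"
    return seen

def single_process_browser():
    """Every tab is just an object in one shared address space."""
    tabs = {"bank": {"session": SECRET}, "social": {}}
    seen = untrusted_script(tabs)  # runs "in" the social tab
    return seen, tabs["bank"]["session"]

def process_per_tab_browser():
    """The social tab is its own process; the bank state lives in the parent."""
    tabs = {"social": {}}
    go_r, go_w = os.pipe()    # parent -> child: "bank login is done"
    res_r, res_w = os.pipe()  # child -> parent: what the script could see
    pid = os.fork()
    if pid == 0:  # child: the social tab
        os.read(go_r, 1)  # wait until the bank session exists in the parent
        seen = untrusted_script(tabs)  # reads and writes only the child's memory
        os.write(res_w, json.dumps(seen).encode())
        os._exit(1)  # the tab then dies; nothing else goes down with it
    tabs["bank"] = {"session": SECRET}  # parent: the bank tab logs in
    os.write(go_w, b"g")
    os.close(res_w)
    seen = json.loads(os.read(res_r, 4096).decode())
    os.waitpid(pid, 0)
    for fd in (go_r, go_w, res_r):
        os.close(fd)
    return seen, tabs["bank"]["session"]

if __name__ == "__main__":
    print("one process for all tabs:", single_process_browser())
    print("one process per tab:     ", process_per_tab_browser())
```

The first tuple element is what the script managed to read and the second is what the bank tab still holds afterwards.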

Chrome is now officially version 1.0, which is also interesting. It seems that Google is interested in getting this pre-installed on new computers, and the manufacturers won't ship beta code. Google's taking a run at Microsoft, and a hard run at that.

Alas, this brings us to why I won't run it, even when they get Linux support. The biggest problem that Internet Explorer has is 80% market share. The Bad Guys target it, because that's the easiest way to attack 80% of the market. If Chrome gets, say, 40% of the market, it becomes a target, too.

Use Opera for online financial transactions. It's likely not any more secure, but its low market share will be one of the ways it will protect you.

UPDATE 17 December 2008 10:56: I'm trying Chrome on my laptop at work.  It's interesting - 9 tabs, 11 processes.  I'll let you know how things go.  In the meantime, the "Most Visited" tab has some good security features: notice that my Gmail tab doesn't show any information.
