Wednesday, December 17, 2008

Google Chrome Security Stuff

Chrome is pretty impressive. My first impression is: boy, this is fast. I'm told that it has the fastest JavaScript engine in the West, and that's easy to believe.

But that's not the point of this post - Chrome's security makes an impression, in all sorts of ways. Like when you visit a secure web site (https://....), and the SSL certificate is not valid. You see something unmistakable in the address bar. Google puts the "https" in red, with a line through it. Pretty easy to see something's wrong.

It also puts a yellow triangle "Information" symbol at the end of the URL. Click it, and it gives you good info about the web site. If the Certificate is questionable, it tells you. It also tells you what strength your encryption is.

The "You have never visited this site before today" message is more important than it may seem. If someone is faking a site you regularly go to, this would let you know that something is amiss.

Porn Incognito mode anonymizes your session - no browsing history, no cookies, no saved passwords, etc. This seems at best marginally useful from a security perspective; a Chrome browser in this mode on a public computer might keep slightly less session information than a different browser. But anyone who wants to track your browsing has many ways to do it (monitoring DNS lookups, for example).

I like the software architecture a lot - this is maybe the most interesting bit for me. Each tab is its own process, so data in one tab is not shared with other tabs.

This is more important than it may sound. If I'm online at my bank, and also online on YouTube, any malware embedded in the YouTube Flash video will have extra work to do to get to my banking session. Not that this is impossible - expect a whole set of critical security updates for Chrome, just like for any application. However, the security architecture is pretty clearly a step forward. In theory, it's the best we've seen in a browser so far.

