A Closer Look At Chromium and Browser Security

GhostX9 writes "Tom's Hardware's continuing series on computing security has an interview with Adam Barth and Collin Jackson, members of Stanford University's Web Security Group and members of the team that developed Chromium, the open-source core behind Google Chrome. The interview goes into detail regarding the sandboxing approach unique to Chromium, comparisons between the browser and its competition, and web security in general."

  • Re:Good (Score:5, Informative)

    by mhousser ( 1359089 ) on Friday April 17, 2009 @10:42PM (#27623177)
    I love the interface! What I don't love, however, are the millions of ads that I forgot existed. I'll move to Chrome the minute it supports plugins and AdBlocker is ported to it.

    Chrome's plugin API will be finished later this year.
  • Re:Good (Score:5, Informative)

    by Anonymous Coward on Friday April 17, 2009 @10:52PM (#27623227)

    It supports greasemonkey scripts if you append --enable-user-scripts to its shortcut. And there's a script for it that works exactly like adblock.

  • Re:Good (Score:4, Informative)

    by cryptoluddite ( 658517 ) on Friday April 17, 2009 @11:01PM (#27623283)

    Chromifox [mozilla.org] makes firefox look a lot like Chrome. Chrome is a nice toy, but its UI is pretty lacking when you want to do something like maximize screen space on a 1024x600 screen.

  • Re:Good (Score:3, Informative)

    by i.of.the.storm ( 907783 ) on Friday April 17, 2009 @11:14PM (#27623341) Homepage
    There is actually something handy called AdSweep [adsweep.org] that works with Chrome, but it's not regex based like Adblockplus so it seems to only work on sites that are built into it. It's better than nothing, I guess, but there are still about 300 other things that Firefox does for me that Chrome is far from doing, and a lot of them hinge on a good extension platform. I just don't think it can get better than XUL/js for extension writing.
  • Re:Good (Score:3, Informative)

    by cbrocious ( 764766 ) on Saturday April 18, 2009 @01:04AM (#27623839) Homepage
    If you use Privoxy [privoxy.org], the majority of those ads will go away, and you can do custom filtering for fun and profit easily.
  • by Anonymous Coward on Saturday April 18, 2009 @01:19AM (#27623901)

    The current dev branch of chrome just added support for adjusting thumbnails of new pages.

  • Re:Good (Score:3, Informative)

    by coryking ( 104614 ) * on Saturday April 18, 2009 @02:08AM (#27624095) Homepage Journal

    UI is the easy part.

    Yeah, right. If the UI was the easy part, why do almost all UIs suck?

    skinning

    If you think skins are gonna fix a UI, I've got news for you. Having the ability to add girls sitting on the hoods of cars wearing tightly clad bikinis does not make a good UI.

  • Re:Good (Score:2, Informative)

    by voidphoenix ( 710468 ) on Saturday April 18, 2009 @02:10AM (#27624101)

    Gmail is also great. Simple, secure, and uncluttered. Create an app icon and add it to the start menu, and you have a very simple email solution. The only problem I have though is their grouping of threads, which is unnecessary. That should be a lab feature if any. And why can't they just add folders? Who cares which is better. Some people just want folders, not labels, and if it's so easy to give it to them, denying it is selfish. Just give it up, and give people what they want!

    Labels can work _exactly_ like folders if that's all you want. The main difference is that a message can be in more than one "folder" if you need it to be.

  • by Anonymous Coward on Saturday April 18, 2009 @05:10AM (#27624757)

    I am sorry but that's incorrect. Firefox uses a local database of suspicious URLs that is updated every 30 min. URLs are never sent to Google, Google sends suspicious URLs to Firefox.

    The functionality you describe was optional in older versions of Firefox (to eliminate the max 30 min. delay for ultra paranoid people) but was removed on request of Google because it caused them too much load.

  • Re:Sandboxing lie... (Score:2, Informative)

    by downix ( 84795 ) on Saturday April 18, 2009 @07:32AM (#27625475) Homepage

    Have you read the article, where he discusses IE7, IE8, Firefox and Safari's own sandboxing techniques for comparison to Chrome's?

  • Re:Good (Score:1, Informative)

    by Anonymous Coward on Saturday April 18, 2009 @08:11AM (#27625655)

    Chrome's superior safety comes from the independence between tabs:

    - Each tab is a separate process (i.e. no memory sharing with other tabs)
    - Each tab runs its own copy of JavaScript

    The process-per-tab design also has the major advantage that if one web site is slow or hanging it won't affect the other tabs at all as it does in most other browsers where the whole browser can lock up while a slow page is loading.

  • Re:Good (Score:4, Informative)

    by asdf7890 ( 1518587 ) on Saturday April 18, 2009 @09:52AM (#27626197)

    OK, let's hear it: why is user scripting a security hole?

    With early versions of GreaseMonkey, the way the user scripts were applied to pages would allow the page to affect easily the GM in ways that could lead to cross-site attack vectors.

    That is why GM had a fairly complete redesign around the middle of 2005, removing the issue(s) that affected all scripts, but individual scripts can still be vulnerable depending on their design - hence you should be careful not to let a script apply globally for security reasons as well as efficiency ones. For a decent description of the problems with earlier GM versions and problems that you can still create for yourself in the latest versions, this article [oreillynet.com] does a decent job.

    The other major problem with user scripting is using scripts from other sources without performing an exhaustive code review first. How do you know that the script you have just enabled isn't subject to one of the flaws? How do you know it isn't intentionally malicious? There have been several cases of this in the past, hence the warning message before you add a script to GM in recent versions and the warning message that appeared on userscripts.org for some time (as malicious scripts were found in their archive).

    Like many things, user scripting isn't a problem if both programmers and users are educated, careful and care. There lies the problem.

    I use GM myself, with scripts of my own devising or those from elsewhere that I have sufficiently reviewed, but I would not recommend it (or equivalents) to the general populace as they do not need any further ways to dig themselves into a malware-riddled hole.
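
Added example, not part of the comment above and not Greasemonkey's own code: a review aid that reads a userscript's metadata header and flags `@include` rules broad enough to apply the script globally, the scope problem the comment warns about. The probe URLs, the sample header and all function names are constructed for illustration, and the default for a missing `@include` is stated as an assumption.

```javascript
// Constructed probe URLs on unrelated hosts (reserved example/test names).
const PROBES = ['http://bank.example/login', 'https://mail.example.org/inbox', 'http://intranet.test/'];

// Constructed sample header: one site-specific rule and one catch-all rule.
const SAMPLE = [
  '// ==UserScript==',
  '// @name     Constructed sample',
  '// @include  http://www.example.com/forum/*',
  '// @include  http://*/*',
  '// ==/UserScript==',
].join('\n');

// Pull @name and @include rules out of the "// ==UserScript==" header.
function parseMetadata(source) {
  const meta = { name: null, include: [] };
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '// ==UserScript==') { inBlock = true; continue; }
    if (line === '// ==/UserScript==') break;
    const m = inBlock && /^\/\/\s*@(\S+)\s+(.+)$/.exec(line);
    if (!m) continue;
    if (m[1] === 'name') meta.name = m[2].trim();
    if (m[1] === 'include') meta.include.push(m[2].trim());
  }
  // Assumption: a script with no @include is treated as "@include *".
  if (meta.include.length === 0) meta.include.push('*');
  return meta;
}

// Turn a glob rule ("*" = any run of characters) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// A rule is global if it matches probe URLs on two or more unrelated hosts.
function isGlobalRule(rule) {
  const re = globToRegExp(rule);
  const hosts = new Set(PROBES.filter((u) => re.test(u)).map((u) => new URL(u).host));
  return hosts.size >= 2;
}

// Report which @include rules would inject the script into unrelated sites.
function auditUserscript(source) {
  const meta = parseMetadata(source);
  const globalRules = meta.include.filter(isGlobalRule);
  return { name: meta.name, globalRules, appliesGlobally: globalRules.length > 0 };
}
console.log(auditUserscript(SAMPLE));
```

Only `*` glob rules are evaluated; a scope check like this narrows what needs reading but does not replace reviewing the script body.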

  • by Ian Alexander ( 997430 ) on Saturday April 18, 2009 @02:23PM (#27628543)
    http://www.srware.net/en/software_srware_iron_download.php [srware.net]

    It's the last two download links. Good luck compiling it on F10 since it looks like a Windows app...
