A Closer Look At Chromium and Browser Security
GhostX9 writes "Tom's Hardware's continuing series on computing security has an interview with Adam Barth and Collin Jackson, members of Stanford University's Web Security Group and members of the team that developed Chromium, the open-source core behind Google Chrome. The interview goes into detail regarding the sandboxing approach unique to Chromium, comparisons between the browser and its competition, and web security in general."
Good (Score:4, Insightful)
These are all great ideas, and I hope Firefox and/or MSIE pick up on them, simply because I can't stand the Chrome UI.
Sorry, but that thing just isn't what a browser is supposed to be.
The underlying technology can be the greatest ever, but if the interface sucks, well, I won't use it.
Re:Good (Score:5, Informative)
Re:Good (Score:5, Informative)
It supports greasemonkey scripts if you append --enable-user-scripts to its shortcut. And there's a script for it that works exactly like adblock.
Re: (Score:2)
It supports greasemonkey scripts if you append --enable-user-scripts to its shortcut.
And now you have two problems.
Re: (Score:1)
Yeah, but neither one is as bad as herpes.
Re: (Score:1, Insightful)
Re: (Score:2)
So you're just going to open a huge security hole in the process? You shouldn't have to sacrifice!
OK, let's hear it: why is user scripting a security hole?
Re:Good (Score:4, Informative)
OK, let's hear it: why is user scripting a security hole?
With early versions of GreaseMonkey, the way the user scripts were applied to pages would allow the page to affect easily the GM in ways that could lead to cross-site attack vectors.
That is why GM had a fairly complete redesign around the middle of 2005, removing the issue(s) that affected all scripts, but individual scripts can still be vulnerable depending on their design - hence you should be careful not to let a script apply globally for security reasons as well as efficiency ones. For a decent description of the problems with earlier GM versions and problems that you can still create for yourself in the latest versions, this article [oreillynet.com] does a decent job.
The other major problem with user scripting is using scripts from other sources without performing an exhaustive code review first. How do you know that the script you have just enabled isn't subject to one of the flaws? How do you know it isn't intentionally malicious? There have been several cases of this in the past, hence the warning message before you add a script to GM in recent versions and the warning message that appeared on userscripts.org for some time (as malicious scripts were found in their archive).
Like many things, user scripting isn't a problem if both programmers and users are educated, careful and care. There lies the problem.
I use GM myself, with scripts of my own devising or those from elsewhere that I have sufficiently reviewed, but I would not recommend it (or equivalents) to the general populace as they do not need any further ways to dig themselves into a malware riddled hole.
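The advice in the comment above about not letting a user script apply globally can be checked mechanically before a script is installed. The following is an added example, not part of the original comment or of Greasemonkey: it reads a script's metadata block and flags `@include` glob patterns whose host part is effectively a wildcard. The function names and sample scripts are constructed, and the breadth test is a heuristic.

```javascript
// Added example (Node.js). Function names and sample scripts are constructed.

// Collect "// @key value" lines between the ==UserScript== markers.
function parseMetadata(source) {
  const meta = Object.create(null);
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '// ==UserScript==') { inBlock = true; continue; }
    if (line === '// ==/UserScript==') break;
    if (!inBlock) continue;
    const m = /^\/\/\s*@(\S+)\s*(.*)$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2].trim());
  }
  return meta;
}

// Heuristic for glob patterns: a host that contains '*' and has fewer than
// two wildcard-free labels ("*", "*.com") is treated as matching any site.
function isBroad(pattern) {
  const rest = pattern.includes('://') ? pattern.split('://')[1] : pattern;
  const host = rest.split('/')[0];
  if (!host.includes('*')) return false; // fully literal host
  const literal = host.split('.').filter(l => l && !l.includes('*'));
  return literal.length < 2;
}

// Greasemonkey assumes "@include *" when a script declares no @include,
// so a missing rule is reported as global scope.
function auditScope(source) {
  const meta = parseMetadata(source);
  const includes = meta.include ? meta.include : ['*'];
  return {
    name: (meta.name || ['(unnamed)'])[0],
    defaulted: !meta.include,
    broad: includes.filter(isBroad),
    scoped: includes.filter(p => !isBroad(p)),
  };
}

const header = lines => ['// ==UserScript==', ...lines, '// ==/UserScript==',
                         'document.title = "patched";'].join('\n');

const SAMPLE_GLOBAL = header([
  '// @name      Everywhere helper',
  '// @include   *',
  '// @include   http://*.com/*',
  '// @include   http://forum.example.invalid/*',
]);
const SAMPLE_SCOPED = header([
  '// @name      Forum tweaks',
  '// @include   http://*.example.invalid/thread/*',
  '// @exclude   http://*.example.invalid/thread/admin/*',
]);
const SAMPLE_NO_INCLUDE = header(['// @name      No scope declared']);

for (const s of [SAMPLE_GLOBAL, SAMPLE_SCOPED, SAMPLE_NO_INCLUDE]) {
  const r = auditScope(s);
  const verdict = r.broad.length ? 'REVIEW: runs on any site via ' + r.broad.join(', ')
                                 : 'scoped to ' + r.scoped.join(', ');
  console.log(r.name + ': ' + verdict + (r.defaulted ? ' (no @include given)' : ''));
}
```

A flagged script is not necessarily malicious; it is one whose code runs against every page the browser loads and so deserves the closest review.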
Re: (Score:2, Insightful)
As to Adblock, yeah, wow, there are a lot of ads out there I didn't even know existed! Using OpenDNS I manage to block most of them just by domain through their blacklist service, though. It's not perfect, but better than nothing for now!
Re: (Score:1, Interesting)
There are 2 features of chrome that have annoyed me to the point of recently switching back to Firefox.
1. When you scroll it scrolls like half a page at a time, rather than 3 lines at a time like every other browser. There is a setting in windows for how many lines an app should scroll when you scroll the mouse - why doesn't chrome follow this?
2. Also have you noticed that when you close chrome, any downloads get cancelled and there's no way to resume them without restarting the download. And the only way
Adblock for Chrome -- Use SRWare Iron "Chrome" (Score:5, Interesting)
SRWare Iron is Chrome compiled without all the Google spyware crap and it has adblock built in.
I LOVE IT! Firefox (all versions) is sooooo slow compared to Chrome/Iron.
http://www.srware.net/en/software_srware_iron.php [srware.net]
Re: (Score:1, Insightful)
I just used that, went to the Slashdot Home page and began scrolling up and down, which made my computer lag. CPU usage spiked heaps.
It's a good idea, and I hope they can improve it, but for now, it's not as good.
So alas I will continue to run both Chrome (for gmail and gcal) and FireFox (for everything else).
Re: (Score:1)
I just used that, went to the Slashdot Home page and began scrolling up and down, which made my computer lag. CPU usage spiked heaps.
It's a good idea, and I hope they can improve it, but for now, it's not as good.
So alas I will continue to run both Chrome (for gmail and gcal) and FireFox (for everything else).
Weird, works perfectly for me.
Re: (Score:1)
Re:Adblock for Chrome -- Use SRWare Iron "Chrome" (Score:4, Interesting)
So what about its adblock, the thing doesn't render pages correctly. From what I can tell it is a badly compiled version of chrome.
When they get it right, then I might think about using it... uninstall time.
Re: (Score:3, Interesting)
So what about its adblock, the thing doesn't render pages correctly. From what I can tell it is a badly compiled version of chrome.
When they get it right, then I might think about using it... uninstall time.
I get some weird font smoothing occasionally on Slashdot, otherwise works perfectly for me. It's so blazing fast when I go back to Firefox I am shocked how agonizingly slow the browser is to render pages...
Re: (Score:2)
Re: (Score:1)
Using the 3.1b3 firefox. Pages are instantly rendered in Chrome, Firefox takes forever. I see this on multiple computers.
Javascript performance doesn't matter, it's the engine rendering speed that is the differentiator.
Re: (Score:2)
Re: (Score:3, Insightful)
SRWare Iron is Chrome compiled without all the Google spyware crap and it has adblock built in.
Unfortunately, they don't have a download in RPM or source form, so I can't install it on my Fedora Core 10 laptop.
Without *nix support, Chrome(ium) is a non-starter.
Re: (Score:3, Informative)
It's the last two download links. Good luck compiling it on F10 since it looks like a Windows app...
Re: (Score:3, Interesting)
Thanks for the link man. I'm sick of firefox cause of its slowness, but I was also getting sick of Chrome, so this should be a good alternative.
Does anyone have the following problems I have with Chrome?
(1) It freezes up continually, and when it does freeze up, it affects the entire computer.
(2) When accidentally clicking on a PDF link the entire thing crashes, and computer freezes up.
I love chrome cause of its speed, but goddamn. The amount of restarts of my computer I've had with it I'm seriously looking for another browser (NOT firefox).
Are you using Adobe Acrobat for PDFs? That's likely your problem and not the browser.
Uninstall that crap and use Foxit PDF Reader instead.
Re: (Score:1)
Re:Good (Score:4, Informative)
Chromifox [mozilla.org] makes firefox look a lot like Chrome. Chrome is a nice toy, but its UI is pretty lacking when you want to do something like maximize screen space on a 1024x600 screen.
Re: (Score:2)
F11.
It works on Chrome's Dev branch, which any self-respecting slashdotter would use to provide useful feedback to the developers of Chrome.
Re: (Score:3)
In firefox I can go full screen, but still keep the URL bar, so I know what site I'm on. I can get a menu bar by pressing Alt once. I can put the NoScript button on the URL bar. I can even put a button to toggle fullscreen, since it's often easier to trackpad to a button than find F11 on a small non-backlit keyboard. Or firefox can drop down this UI when the cursor is at the top.
Chrome can do none of these things, even in the current beta version. The UI in many ways is restrictive and lacks many nicet
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
Maybe instead of complaining about a browser that displays ads, you might want to stop visiting websites that have intrusive and overwhelming ads.
I use Slashdot and Chrome and don't see any ads because I'm a subscriber, but even if I wasn't, the low number of ads here is one reason I like it.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
I love the interface! What I don't love, however, are the millions of ads that I forgot existed. I'll move to Chrome the minute it supports plugins and AdBlocker is ported to it. Chrome's plugin API will be finished later this year.
Just use privoxy http://www.privoxy.org/ [privoxy.org] Works great and you can configure it quite easily to block just what you want blocked. It will do the same for IE if for some strange reason you want to use that POS.
Re: (Score:1)
Um... this is an opinion that many other people definitely do not share. I for one love the ability to focus on the web content, rather than the mess of toolbars to be found on other browsers.
Re: (Score:2, Insightful)
The underlying technology can be the greatest ever, but if the interface sucks, well, I won't use it.
That describes in a nutshell why OS/2 never caught on big.
Re: (Score:3)
Insightful? The OS/2 interface was extremely consistent and extremely configurable. e.g. make a template for a file which contains certain context menu options. etc...
Re: (Score:2, Interesting)
Re: (Score:2)
bad OS/2 Warp interface (Score:2)
Yea, OS/2 Warp [os2bbs.com] never came near to matching Windows 95 [google.com] in GUI functionality.
Re: (Score:3, Informative)
Yeah, right. If the UI was the easy part, why do almost all UI's suck?
If you think skins are gonna fix a UI, I've got news for you. Having the ability to add girls sitting on the hoods of cars wearing tightly clad bikinis does not make a good UI.
Re: (Score:2)
Skinning seems to hurt performance, a lot...
Take any app where skinning was added later, and compare the old and new versions side by side... windows media player is a good example since it would leave the old unskinnable version installed when you installed the skinnable version 7, on a machine in those days (p3/600) i had a bunch of video files which would play fine in the old player, and skip when using the new one.
Re: (Score:2)
I agree the interface is lacking, but that is why I can whole heartedly recommend it to all my novice friends and family. It is secure, it is simple, and it does exactly what people who know little about computers want to do - get online and go to a specific web site.
Gmail is also great. Simple, secure, and uncluttered. Create an app icon and add it to the start menu, and you have a very simple email solution. The only problem I have though is their grouping of threads, which is unnecessary. That should be
Re: (Score:2, Informative)
Gmail is also great. Simple, secure, and uncluttered. Create an app icon and add it to the start menu, and you have a very simple email solution. The only problem I have though is their grouping of threads, which is unnecessary. That should be a lab feature if any. And why can't they just add folders? Who cares which is better. Some people just want folders, not labels, and if it's so easy to give it to them, denying it is selfish. Just give it up, and give people what they want!
Labels can work _exactly_ like folders if that's all you want. The main difference is that a message can be in more than one "folder" if you need it to be.
Re: (Score:2)
Right. Except such explaining and adjusting is precisely what is inconvenient to someone who already learned how to use folders over a long period of time, and isn't very competent with computers.
Labels can work _exactly_ like folders if that's all you want. The main difference is that a message can be in more than one "folder" if you need it to be.
You might be surprised at how hard this sentence is for some people to comprehend.
Re: (Score:2)
Labels can work _exactly_ like folders if that's all you want.
You can use labels in GMail to create subfolders? How do you do that?
Re: (Score:1)
when the preferences can set fonts that override the fonts specified in the page (which firefox can do) then i will be happy with chrome. fucked if i'm going to look at some dipshit's site in Times...
Re:Good (Score:4, Interesting)
Re: (Score:2)
openbox --replace &
:p
Re: (Score:1)
Use ReplayOnTop instead (Vista only?)
Re: (Score:2)
Re: (Score:1, Interesting)
For the majority of browser security as of late, JavaScript seems to be the culprit of causing malware to even professional IT people due to browsing habits and such. Chrome will and had made this far worse by not allowing a user to pick web scripts to run. I use Firefox with NoScript addon, which gives options to enable JavaScript individually on page or by an icon that reveals all sites with scripts. Since this has eliminated virtually all browser vulnerabilities (except for user stupidity), I dislike all
Re: (Score:2)
And the google updater (alongside the apple updater, adobe updater, and whatever else updater) you have running only exist to get around a flaw in windows - the lack of a consistent package management system such as apt. If you install enough apps with updaters on windows they will eventually bog your system down real badly, and start using your bandwidth when you least expect it.
Re: (Score:2)
That's a very interesting point - I'm not sure that apt is the right model, but why am I not updating all of my commercial software through the add/remove programs UI? Or perhaps instead through Microsoft Update, since I go there every second Tuesday anyhow. Microsoft has clearly found a way to patch arbitrary apps, as most MS products now update through Microsoft Update.
Re: (Score:2)
I read Playing in the sandbox - page and I really don't see what is so great in there compared to IE on Vista. Same NTFS Access Control Lists are used as any other Windows application. And I'm not 100% sure about this, but doesn't Chrome run on user privileges when IE (on Vista) uses more restricted privileges?
My understanding is that you can't totally sandbox browser unless you do it on kernel level like FreeBSD jail does. And even then browser must be able to access user files if user wants to upload some
Re: (Score:3, Interesting)
I used to run a browser in a chroot on linux, partly because i had a 64bit system but needed some 32bit plugins (java, flash) and partly for the security benefit...
In terms of user files, you simply leave them in the sandbox, the host system can access the sandbox but the sandbox can't access the host which is how it should be.
Re: (Score:2)
Hi. Thanks for the reply. I'm not really familiar with sandboxing technology and your reply cleared things up a bit.
But still if we go back to Windows (I don't know much about *nix OSes) even if you are running in the sandbox, you would be able to use Win32 API, right? Now if you are running browser with user credentials, like Chrome/Chromium does, you are able to access plenty of stuff through Win32 API. This, of course, would need a sophisticated attack but in theory I think it is possible. Now even if you a
Re: (Score:2)
Re: (Score:1, Informative)
Chrome's superior safety comes from the independence between tabs :
- Each tab is a separate process (i.e no memory sharing with other tabs)
- Each tab runs its own copy of JavaScript
The process-per-tab design also has the major advantage that if one web site is slow or hanging it won't affect the other tabs at all as it does in most other browsers where the whole browser can lock up while a slow page is loading.
Re: (Score:2)
Firefox won't pick up on those ideas in the foreseeable future, perhaps never. I hope you enjoy your IE experience!
(for the record, I think the Chrome UI is excellent. Nothing superfluous, and rather pleasant to look at)
Google Main Page Says To Use Chrome Only In IE (Score:5, Interesting)
Re:Google Main Page Says To Use Chrome Only In IE (Score:5, Insightful)
Perhaps. My guess is they have logic like the following:
If you use Firefox, you probably already have heard about Chrome, and have decided not to switch. If you use IE, you probably have no idea that other browsers even exist, but you may know and like Google, so would be willing to give this Chrome thing a try.
Re:Google Main Page Says To Use Chrome Only In IE (Score:5, Funny)
Or maybe they just wrote the page such that standards-compliant browsers won't show the advert.
Re: (Score:2)
That would be good marketing though...
As only the people with crappy browsers like IE would have their experiences improved by switching, while those with browsers that follow the rules probably already have satisfied users who would be meh about leaping from one cloud to another.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2, Insightful)
Of course they are!
Firefox has the "Tell me if the site I'm visiting is a suspected attack site" option checked by default. (Tools --> Options --> Security) This option sends every site one visits to Google for verification, so Google is already getting a complete history of each site visited for FF users. [IE sends this information to Microsoft.]
Thus, Google has more incentive to switch an IE user to Chrome than a FF user.
Re:Google Main Page Says To Use Chrome Only In IE (Score:5, Informative)
I am sorry but that's incorrect. Firefox uses a local database of suspicious URLs that is updated every 30 min. URLs are never sent to Google, Google sends suspicious URLs to Firefox.
The functionality you describe was optional in older versions of Firefox (to eliminate the max 30 min. delay for ultra paranoid people) but was removed on request of Google because it caused them too much load.
Re: (Score:1)
Re: (Score:2)
It's interesting that they are attacking IE8 and not just IE6 & 7. They had good technical arguments for attacking IE6. IE7 somewhat, but almost none for IE8. This brings them 1 step closer to getting into monopolist problems with Chrome - they can hardly go to town claiming Microsoft is pushing IE unfairly on Windows when they themselves are cross-fertilizing their own browser from their search business.
Re: (Score:2, Interesting)
IE8 may be a significant improvement from 7, but it is still massively behind other browsers... It has no SVG support, its javascript engine is still massively behind the other browsers (javascript is very important for google) and its css support while a big improvement is still behind other browsers...
Also, doesn't IE8 require you to insert a non standard tag into your site in order to make it attempt to follow standards?
Re: (Score:2)
IE is a browser controlled by a company that competes with google's profitable business areas, and is used by that competitor to drive traffic to its services which compete with google...
Firefox is not a competitor, google make no money from chrome, they just want users to be running a browser that defaults to google, which firefox also does. I imagine they also want users to be running standards compliant browsers, as it makes life much easier for them to write apps for them.
Re: (Score:2)
It's because IE users don't know any better. Firefox users are not going to switch to something else, at least not easily.
Re: (Score:1)
Re: (Score:2)
To be honest I have noticed a slowdown when launching firefox, I only reboot once a month so I wasn't sure if I was just imagining it.
Re: (Score:2)
> Is google singling out IE users?
Firefox defaults to google's search, IE doesn't (at least until the OEM gets paid).
Not so good. Time to make gooder. (Score:4, Insightful)
I like Chrome's Home Page web thumbprints.
I dislike that I cannot control these. For example right now, I have two timesonline.uk up. Permanently it seems. The "tool" icon does not allow Home Page editing. It should.
So,
A. If anyone out there can enlighten me on how to adjust Home Page icons. Go ahead.
B. If not Chrome developers, are you listening? Add web page adjustments to the Home Page. Pretty please?
Thanks
Re: (Score:2, Informative)
The current dev branch of chrome just added support for adjusting thumbnails of new pages.
Re: (Score:2)
Thanks, I hope it grows out of dev branch soon.
I use winxp on my eeepc for chrome (Score:1)
Re: (Score:1)
Hopefully this Summer we'll see a stable release of Google Chrome for Mac OS X and GNU/Linux
Sandboxing lie... (Score:1)
Re: (Score:2, Informative)
Have you read the article, where he discusses IE7, IE8, Firefox and Safari's own sandboxing techniques for comparison to Chrome's?
portable chrome (Score:2)
Re: (Score:2)
At the install stages it tries to go online and install 'stuff', which is strange for a portable app
Re: (Score:1)
3. Run "IronPortable.exe". It will download the latest version of Iron from SRWare and install Flash from your computer!
Ummm.... pretty sure it's just updating itself.
Unique? (Score:2)
What's unique about the sandboxing in Chrome. Doesn't IE8 do the same?
Is Google Chrome really good? (Score:1)