Google shares Chrome browser security principles

Summary: Google provides a useful document that helps users understand what's under the Chrome browser's hood, especially as it relates to keeping hackers at bay.

TOPICS: Security, Browser, Google

Earlier this week, I declared Google Chrome the most secure browser available today based on its sandbox, auto-update mechanism and the speed with which the Google Security Team patches vulnerabilities.

I received a lot of e-mail feedback questioning that claim, so today I'm happy to see Google sharing its Chrome security principles, a very useful document that helps users understand what's under the browser's hood, especially as it relates to keeping hackers at bay.

Some key highlights:

  • Defense in depth: Our goal in designing Chrome’s security architecture was to layer defenses, and avoid single points of failure. Chrome’s sandbox architecture represents one of the most effective parts of this strategy, but it’s far from the only piece. We also employ the best available anti-exploit technologies—including ASLR, DEP, JIT hardening, and SafeSEH—along with custom technologies like Safe Browsing, out-of-date plugin blocking, silent auto-update, and verified boot on Chrome OS. And we continue to work towards advancing the state of the art with research into areas like per-origin sandboxing and control flow integrity.
  • Transparency: We do not downplay security impact or bury vulnerabilities with silent fixes, because doing so serves users poorly. Instead, we provide users and administrators with the information they need to accurately assess risk. We publicly document our security handling process, and we disclose all vulnerabilities fixed in Chrome and its dependencies—whether discovered internally or externally. Whenever possible, we list all fixed security issues in our release notes, and make the underlying details public as soon as other affected projects have an adequate amount of time to respond. When we do not control the disclosure timeline for a security issue and cannot list it at the time of release, we make the details of the issue public as soon as disclosure occurs.
  • Community engagement: No software is perfect, and security bugs slip through even the best development and review processes. That’s why we’re grateful for the work of the independent security research community in helping us find and fix vulnerabilities. In response, we do our best to acknowledge and reward their contributions by ensuring proper attribution, paying out bounties, and sponsoring security conferences. We leverage the community to even greater extent where we can, by hiring members directly onto our team and contracting with industry leading, independent security consultancies.

Computer users should always seek to reduce their attack surface, and in-depth knowledge of under-the-hood security features can help with these decisions.

  • But it's spyware....

    How can spyware be considered secure?
    • RE: Google shares Chrome browser security principles

      Use Chromium then. Start by examining its fully open source code to rule out that there's spyware. Do you use Firefox? OK, then do the same there. Next, look through Windows source code and prove to yourself that Windows isn't spying on you. Do you use IE? Look through its source code. Oh wait, can't do either. Ok, *now* I agree with you. MS spyware is not secure.
      • RE: Google shares Chrome browser security principles

        You are quite right. I principally use Firefox because of the many add-ons, but also use Chromium which is FOSS.

        But techblogger is also right. All Google apps and services are designed to be secure from others so only Google can spy on you. But can you blame Google? That is their business model. No spying, no revenue.
      • RE: Google shares Chrome browser security principles

        Google can spy on you

        You have supporting links to what you claim?
      • RE: Google can spy on you

        @daikon Due to past privacy violations, Google has submitted to 20 years of monitoring by the U.S. FTC:

        "Google to be monitored by Feds for privacy for 20 years"

        If you trust the U.S. FDA to look out for your interests (as opposed to corporate interests) with food and drugs, then you will similarly trust the FTC to watch over Google's privacy practices. And if you don't, well ...
        Rabid Howler Monkey
  • RE: Google shares Chrome browser security principles

    Oh that's irony, Google sharing security.
    Loverock Davidson-
  • Google's principles can also get distortedly creepy

    "We know where you are. We know where you've been. We can more or less know what you're thinking about ... Google policy is to get right up to the creepy line and not cross it."

    ~ Google CEO Eric Schmidt, October 1, 2010 [interview]

    *Obligatory Google disclaimer: Don't be evil*
  • RE: Google shares Chrome browser security principles

    But doesn't IE always surpass it in the detection of malicious downloads, with its SmartScreen filter technology? Just that alone is a big downfall for Chrome because most of the malicious stuff that comes from the internet requires downloading a malicious file, usually through social engineering tricks, and most of such stuff is blocked by IE.

    Conclusion: IE is the most secure browser out there but I don't need that much protection (common sense and AVG IS covers all that) and all I want is a slim, fast and extendible browser and that's what Chrome has got :)
    • IE is probably just as secure as chrome, if not more secure

      @MrElectrifyer But, like you, I prefer Chrome...IE is annoying to use.
      • No. You're both wrong. Chrome is more secure than IE9.

        Chrome's blacklisting might not be as good as Microsoft's, but it ships with both Flash Player and PDF Reader plug-ins that are both sandboxed and transparently updated. (While IE9 does sandbox Flash Player, it does not transparently update Flash Player like Chrome does.) And, seriously, blacklisting web sites (just like blacklisting malware using AV sigs) is *always* a step or two behind the miscreants.

        In addition, Chrome blocks Java-enabled web sites from loading if the Java plug-in (read JRE) is out-of-date. And neither Chrome nor IE9 sandbox Java.

        This is why I run Firefox/NoScript sandboxed on my Windows and Linux systems using either a 3rd party sandbox or OS-supplied sandbox. All plug-ins, including Java, are sandboxed. However, I will admit to having applied some elbow grease to further Firefox's default security.

        Out-of-the-box, both Chrome and IE9 are more secure than plain vanilla Firefox.
        Rabid Howler Monkey
    • RE: Google shares Chrome browser security principles


      No, that's not necessarily the case... as the title of this section indicates: Zero Day. A socially engineered piece of malware typically isn't classified as a zero day exploit. However, compromised web sites are, and most zero day malware does not require user interaction in order to be installed. And IE is the only browser that allows (via known SIDs) direct kernel access.
  • RE: Google shares Chrome browser security principles

    Thank you for sharing. I send this address to Avant Browser developer's mail. I think they should care more about security principles.
  • RE: Google shares Chrome browser security principles

    Google products are not even worth discussing...they are not better than pirates and thieves...