WhiteHat Security's open-source Aviator browser has become the focus of a security spat between the company and Google engineers.
On Thursday, WhiteHat Security released its privacy-centric Aviator browser to the open-source community. Available for both Windows and Mac users, the browser is billed as "the Web's most secure and private browser," as the "big browsers" are not doing enough to protect users' sensitive information.
However, within hours of the release, Google security engineers publicly revealed a number of dangerous vulnerabilities that contest WhiteHat Security's claims. The spin-off browser, which is built on Chromium code, was found to have a severe remote code execution vulnerability as well as a number of other bugs.
In a blog post dated 9 Jan, Google Chrome security employee Justin Schuh said, "You probably shouldn't be using the WhiteHat Aviator browser if you're concerned about security and privacy." The engineer went on to say that the Aviator browser's branding and superficial changes "seriously complicates the process of tracking upstream security fixes" and that the browser is far behind Chrome in patched security flaws, and therefore ships with dozens of publicly disclosed vulnerabilities that Chrome has already patched.
"Had these branding changes been made more carefully, this simply wouldn't be a problem and Aviator would be able to pull upstream changes and benefit from the security work being done by the Chromium Project," Schuh says.
The blog post also appears intended to outline how difficult it is to provide a secure web browser, stating that the Google Chrome security team has 30 members of staff, that the Chrome privacy team has another dozen or so, and that none are ever short of work.
The engineer lists a number of bugs and flaws in Aviator's code, and asserts that the bulk of Aviator's enhancements can already be achieved through the Disconnect extension for Chrome and some default setting tweaks.
WhiteHat Security quickly responded to the Google engineer, saying that the firm "never claimed to be as fast as Google at releasing updates" and that it would be next to impossible for the small company -- especially in comparison to behemoth Google -- to compete in this manner. However, WhiteHat Security admitted that there are bugs in the browser's code and said that, while Aviator is not as "elegant" as Chrome, bugs can be fixed.
WhiteHat Security also shook its head at Schuh's belief that changing some settings and using Disconnect will create the same security system that Aviator offers, instead claiming that the company has made changes in Aviator that are "beyond configuration."
The company commented:
"The core issue in all of this is that we set out to create a browser that would provide security and privacy settings by default. We believe that we made very good strides in that effort and when issues around those settings were brought to our attention, we actively made changes, something that Google has been unwilling to do."
Schuh later responded to the company's blog post, saying that its comments didn't clarify a number of the security points originally made. He commented:
"Even if they fixed all the vulnerabilities they added, I don't see how they could ever keep this up to date against disclosed vulnerabilities already fixed in the stable version of Chrome."
Schuh criticized WhiteHat Security's proclamations of Aviator being the most secure browser available online, as well as the firm's abdication of responsibility for making such "sweeping and inaccurate claims." The Google security employee also said the behavior of WhiteHat Security "is the kind of thing [that] just gives open source a bad name."