blog about iron (vs chrome). Note: blog is not that new

I ran across this blog today.
It is more than a year old, but I didn't see it posted here. It comments on (supposedly) srware and iron.

IMO the complaints the blogger makes mostly circle around "what he is providing is unnecessary" and "this person is after money" rather than "this person is not providing what they claim". While the blogger points out that chrome allows you (or is supposed to) to turn off all the tracking or invasive things chrome is supposed to allow, the fact remains, they are still in there, and NOT turned off by default. I guess if you don't trust google to actually turn off all the invasive stuff after you've changed the settings to turn it off, would you trust the rest of the code as well? Once those settings are changed to turn off the invasive stuff, is iron any "safer" than chrome?

I don't run chrome and the blog is more than a year old. Newer versions of chrome may allow you to turn off all the things that may be of privacy concerns. I don't know.

 

Pretty old news, and if I remember right, that RLZ business is gone now. Though, all it ever amounted to was tracking where Chrome was downloaded from, possibly also tracking your search terms in the "Omni-bar"(again, if I remember right). I really don't care if they want to know where I downloaded a free browser from, and I know, Omni-bar or not, a Google search results in your terms being recorded by Google anyway, as most search engines do. Also, all you had to do was switch default search engines and that RLZ tag was gone.

I'm not saying there weren't some unnecessary things about Chrome at that time, but they were hardly "scary", and, after a good amount of bad PR, a lot of that was changed by Google.

Edit: Here are my thoughts regarding the differences as laid out on Irons page:



*Client-ID


Depending on brand and version Chrome creates a unique ID through which a user can be theoretically identified.*

Hardly frightening. You have a unique ID regardless, your IP address.



*Timestamp


Depending on brand and version Chrome remembers up to the second exactly when the software was installed.*


So? What possible invasion of privacy or harm can come from Google knowing when I installed their browser?




*Suggest


Depending on the configuration, each time you put something in the address line,this information is sent to Google to provide suggestions.*

That's a "feature" now, and reviews show it's welcome. Funny how people are, isn't it? They hate something, get used to it, then adore it.




*Alternate Error Pages

Depending on the configuration, if you have typed a false address in the adress bar, this is sent to Google and you get an error message from Google's servers.*


So do a lot of alternate DNS services like OpenDNS. Nobody is complaining about that are they?




*Error Reporting


Depending on the configuration, details about crashes or failures are sent Google's servers.*


IE, Firefox, your own OS, shall I go on?




*RLZ-Tracking


This Chrome-function transmits information in encoded form to Google, for example, when and where Chrome has been downloaded.*

I believe this to be gone now, and, as stated earlier, it's a free browser you can't pirate, and, if downloaded from Google itself, of course they'll know. So, the big deal is?




*Google Updater


Chrome installs a updater, which loads at every Windows in background.*

Completely depends on if you're the manual updater type or would rather let the software update itself. Nothing bad here, simply personal preference.





*URL-Tracker

Calls depending on the configuration five seconds after launch the Google homepage opens in background*

URLs are tracked by just about everything on the internet now. Search engines, previous websites, your own ISP. Does it need to be there? No. Is it avoidable? Yep.

 

The code is open-source. The Iron guys (and everyone else) has full access to the code. If there were some mechanism that allows the browser to compromise privacy, even when the user turns those features off, the Iron people (and others) would have found it by now. So I am skeptical of these conspiracy theories.

 

While I generally agree it's a load of nonsense, and I also agree on the point that this is old/has been discussed before, I'd also like to point out that the argument of open soure being read has also been debated to death, open source =/= being read by everyone.

That being said I've been using dev versions of Chrome since... and never noticed any "privacy" issues. I'm now on v11, I wonder how long it will take SRWare to get there?

 

In the case of Chrome, I can assure you the code has been examined by a lot of people that are not developers of the project. There's a blogger/developer out there that went through the major differences in Chromium and Iron. He examined the source code to illustrate the differences (of which there are few).

And then you have Google offering people thousands of dollars for any exploit, so there's another incentive for code auditing.

 

Good point

 

I know this: reference to the blog has been made in Wilders. I wonder just why it is hard to find.

 

I posted this because I though it might be of interest, not because I have strong feelings one way or the other about chrome or iron. With my original comments and the ones below I am kind of playing devil's advocate. Google, and SRWare for that matter, are profit driven. While that doesn't mean their motives are morally ambiguous, it doesn't mean I have to assume their motives are altruistic either.

I did originally see reference to the blog in another forum, and some of the comments in my original post were sparked but what I read there and may make it look like I'm more biased than I am (in particular a post that asked "why should we trust the blogger").

FWIW, I came across it while doing a search to see if there was any reason I should prefer iron over chrome. I may still stick with firefox.

I know chrome is open source, but I've been in the position before of having to debug or enhance someone else's code. Sometimes trying to decipher what it does can be very difficult, at least it was for me, so putting in unwanted code is hardly out of the question. That is not to say it is the situation here, nor do I think google has done that, but I don't think it is beyond the realm of possibility.

Google has not exactly been a tower of virtue when it comes to guarding peoples privacy, and it took the bad PR about chrome for them to address some of the concerns the public had about features which were of no value to us, but would help them make money. OTOH, Iron's whole reason for existence is to remove code which might compromise your privacy.

All that being said, I certainly don't expect to find any code in chrome meant to subvert security, and by all accounts it looks like the model and code does a pretty good job of maintaining security. I'd MUCH rather use a browser that allowed some tracking of my surfing habits than use one that tried to prevent tracking but had unplugged holes which might compromise my online banking or personal documents, and here I don't mean chrome vs. iron but more chrome/iron vs. any other browser.

I seem to have upset you a little by creating this thread. I apologize for that. I certainly didn't intend to.

 

As is pretty much 99% of companies really.

 

Altruism of the highest order. Would have been more noteworthy if the browser was built from the ground up rather than by tweaking the code of others.

 

Whatever flavor you choose, be aware of this - If certain conditions are met, all of them will be running outside of the sandbox (low integrity level), running with a medium integrity level/high integrity level (standard user account/administrator account, respectively. The latter one, I'm thinking of UAC disabled, otherwise will also run with medium level.)!

Google developers have not been able to reproduce such issue (serious security bug) according to user Kees1958. Kees1958, Sully (the user who actually found such issue, in the first place), one other user I don't recall his/her nickname and I were able to reproduce it.

I personally run Chromium with an explicit low integrity level, which KILLs this issue straight away.

Regarding the privacy issues, you can just disable whatever you believe is a privacy issue. Using SRWare Iron only for such is useless, IMO, as it simply has them disabled, no?