Google Chrome's security

Discussion in 'other security issues & news' started by gkweb, Aug 13, 2009.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    After having read various articles and forums, I couldn't find the information I was looking at about Google Chrome 2 security details, and how it stands against IE Protected Mode. I finally found the following article :

    http://www.infoworld.com/t/applications/test-center-how-secure-google-chrome-443

    To sume it up, Google Chrome :
    - starts with an "untrusted" SID
    - rendering processes run with a low-integrity level on Vista
    - runs with DEP enabled
    - runs with ASLR enabled on Vista
    - cannot "access/read" higher integrity processes on Vista

    Google Chromes runs in a better "Protected Mode" than IE, has DEP and ASLR enabled. These points are rarely pointed out.

    However there is also drawbacks that have been discussed so many times : privacy concerns, poor password management (no master password), forced updates, no "NoScript" like options, basic cookie management, etc... To add a quick note, Firefox 3.5 also runs with DEP and ASLR enabled, but not with a low-integrity level (no protected mode).

    In the end I'm not for, or against this browser, I just find these details interesting. Sorry if it has been posted and that I missed it.

    Regards,
    gkweb.
     
  2. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    AFAIK Firefox has never supported ASLR. Since when did this change?
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, A research of Stanford university (PDF is not accessible anymore, they must have protected their servers :) showed that this dual layer policy management approach even prevented against known exploits of the software components used by Chrome (f.i.Webkit).

    GkWeb thanks for the extract, :thumb:

    Use Iron in stead of Chrome, see https://www.wilderssecurity.com/showthread.php?t=250518
     
    Last edited: Aug 14, 2009
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I don't know since when, just a current observation (see attachement).
    I doubt process explorer would return erroneous results.

    @Kees
    I've read about Iron, but didn't bother yet to try it, but I'm going to right now ;)

    Regards,
    gkweb.
     

    Attached Files:

    • aslr.jpg
      aslr.jpg
      File size:
      39.8 KB
      Views:
      721
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I only wish Chrome/Iron had NoScript and better cookie management options.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Chrome has no need for NoScript, it's sandboxed.......
     
  7. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I like blocking google analytics.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Attached Files:

    Last edited: Aug 15, 2009
  9. Sportscubs1272

    Sportscubs1272 Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    340
    So Iron uses the beta 3 version of Chrome? Do you have to go to their website to get an updated version?
     
  10. tlu

    tlu Guest

    o_O Please elaborate how a sandbox would protect against, e.g., XSS.
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I have no idea, I just assumed a sandboxed browser was safe from most exploits touching critical parts of the system....
     
  12. tlu

    tlu Guest

    Threats like XSS have nothing to do with "touching critical parts of the system" ;)
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep, I see, thanks. I guess the main threat would be phishing and things of that nature then....
     
  14. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Google probably has something of their own to guard against scripting exploits (although someone has mentioned to me that NoScript is being released as an add-on for Chrome, so who knows). I would imagine they could well create some scripting control themselves and cut out the third party ability to hinder Googles own advert service.

    XSS exploits are rampant right now so I can't see them leaving this security hole open for too long.

    source
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I just use Chrome and nothing else in Win, frankly, in 15 years online, I've never encountered any issues or problems with any browser. In Linux I use Firefox, but of course that's a different situation altogether.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, not the sandbox but Chrome's bulld-in translation of Javascript to native machine language. The reason for changing high level un assembled interpretation code into native machine language only provides little performance advantage (since code still has to be intepretated into binaries), but it has the following advantage

    1. The interpretation can be boxed in the overall architecture, therefore providing stronger control on the communication with the JavaScript interpretator to the functional controller and the sandbox.

    2. Having your own interpretator means that you own the conversion to executable code. This means that Chrome can imply limitations (only a subset of script commands) or choose alternative (more secure) implementations of the script conversion. (is comparable effect of the active-X trick bits filter of f.i. Spybot S&D).

    3) The sandbox contains the webpages so client side XSS attacks to allow remote code execution on the clients PC will be paralysed by the Sandbox.

    Not surprisingly the reported XSS vulnabilities of Chrome are therefore reported on execption handling (return error) or interfacing with other web services like PDF/FLASH, or when started from f.i. Internet Explorer. All in all it does a great job in regard to XSS exploits.

    My opinion
    ==> Opera 9.5+, IE8+ (not in IE7 compatability mode) and Chrome are pretty decent browsers when it comes to XSS protection, FF is from a software architects point of view a mess, but on the other side offers the most granularity of control through plug-ins (to close the holes :)

    ==> XSS /Phising/ Cookie info exploits counter measures
    a) always check the URL for phising
    b) check the webshops reputation
    c) use preferably:
    - (best) a debit card which uses a secured puplic private encryption key to validate the transaction or
    - (second best) to pay through a secured safe banking service when your country's pay/transaction service is based on credit cards,
    - NEVER use your credit card directly for web based transactions (it has the same risk as giving your credit card to a restaurant in a shabby neighbourhood, the guy walks away and five minutes later hands over the push print slip to sign, they could have cracked your card with some smart electronics in three minutes time while you phisically handed over the credit card and it was out of your sight)
     
    Last edited: Aug 16, 2009
  17. tlu

    tlu Guest

    Would you care to provide evidence for this statement?
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I got the opinion, just read their release calendar history, plus the way they deal with plug-ins, issues they had following latest OS-hardware developments/features. Call it circumstancial evidence.

    Personally I do not like that developers have to be told what the role of CSS, JavaScript, XUL, C++ and XPCOm is, while these the code can be "inter mingled". This lowers the threshold to use or build add-ons for, but I am old school, you should not allow to use JavaScript for tasks which are more suited for C++. bad luck, just become a professional developer or design and plan the application (and assign parts/modules to developers with different skills) before you start scribbling code.

    I have no access (not bothered to try really) to the source code/software documentation, neither did I tried to reverse engineer it. so I can not give you black on white evidence. Therefore I wrote the "My Opinion" above this statement in bold, to express that it is not FACTUAL information, but an OPINION.

    When I am wrong please tell me

    Cheers Kees
     
    Last edited: Aug 17, 2009
  19. wrongway67

    wrongway67 Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    45
    At present the plug-ins (Flash, Java…) cannot be “sandboxed” by Chrome; they run with the same privileges of the user. Attached you can see the browser’s processes when launched by an Administrator in XP.
     

    Attached Files:

  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, but Java is something different than JavaScript, JavaScript is executed withing the per tab process as far as I understand it. Again inform me when I am wrong about it.

    For those who want to run Iron without JavaScript, just create a shortcur

    with this in the target

    "C:\Program Files\SRWare Iron\iron.exe" -incognito -disable-javascript

    (run incognito and JavaScript disabled)
     
  21. tlu

    tlu Guest

    I don't know if you're wrong. I'm just saying that without presenting any evidence - particularly how everything you said is specifically related to XSS protection - your statement is rather bold to put it mildly.

    FYI: If you read through http://ha.ckers.org/ you'll find that its author Robert Hansen (aka RSnake), who is one of the most respected authorities if it comes to internet/browser security and one of the authors of XSS Attacks: Cross Site Scripting Exploits and Defense, uses Firefox as his browser. I'm sure he wouldn't do this if he regarded FF as less safe compared to other browsers.
     
  22. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
  23. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    That's what the --safe-plugins switch is for.
     
  24. wrongway67

    wrongway67 Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    45
    Thanks
    It works without any problem
    As they say... "Live and Learn" :)
     
  25. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Why would you need to reverse engineer code that is FLOSS? Essentially, you're saying FF has messy code without having examined the code? Moreover, it appears you don't even know it is FLOSS.
     
Loading...
Thread Status:
Not open for further replies.