How are YOU hardening Chrome?

Just what the title says, what are your settings and how are you hardening Google Chrome?

 

I am not.

 

After install I do the this changes in advanced settings:

I disable:
-enable auto-fill...
-offer to save passwords...
-offer to translate pages...

I enable:
-send a 'Do-Not-Track' request...

I also instal Adblock Plus and run Chrome under Sandboxie's supervision.

 

Other than what's in my signature: click-to-play, Do-Not-Track, and Google Account sync.

 

I always do this :

Themes : -hxxp://www.chrome-themes.info/downloads/AfterDark.crx-

Rules.

 

i wished you could clean all data on exit like Firefox but you can't have everything i guess.

 

Actually, you can: http://www.howtogeek.com/137681/how-to-automatically-clear-private-data-when-you-close-your-browser/

Another way is to start Chrome in Incognito mode by default.

 

Disable Java
Do not save passwords
Install WOT and TrafficLight
Disable web service for navigation
Disable prediction service to complete searches
Disable autofill
Disable background apps running when Chrome is closed
Added ZenMate and VTchromizer

 

Apparmored
on Linux Chrome utilizes the Seccomp-BPF sandbox
HTTP Switchboard extension
https everywhere extension
Using only the PPAPI (pepper) flash
built-in pdf reader disabled
Selected domains whitelisted

 

wat0114, while I agree with your other points I wonder about that one. Isn't the built-in sandboxed PDF reader more secure that an unsandboxed one (even if apparmored)?

 

You're probably right and I've wondered, too, if this step is necessary. I've been going on the premise that it's better to first download the pdf file rather than it launching automatically through the browser's built-in reader. Maybe just using Chrome's reader is a more secure approach than using a 3rd party program to open it after it's downloaded?

 

chrome://flags > Disable hyperlink auditing > Enable

 

That's what I think. Although I'm running my PDF reader (Okular as I'm using KDE) in an AppArmor profile, I think that the (double) sandbox in Chrome + AppArmor is more secure than AppArmor alone. Having said that, each solution is certainly safe enough - we're probably discussing rather theoretical attack scenarios

 

Good enough! I've re-enabled the built-in reader. This also makes things more convenient. Thanks

 

i don't want to install Click and Clean as it has access to all data on the computer.

Incognito mode seems to not play nice with script blockers and other similar addons.

 

the built in pdf reader is horribly unusable in a business environment as it lacks some of the most basic features needed...what are good/safe alternatives for a built in pdf reader that has features, is safe and no nagware

 

Hmmm.

Apparmor profile with no abstractions - limits down to ownership of libraries. I've removed some of the w's from the profile, as the browser no longer needs them - such as to preferences.

Hardened chroots (for its sandbox), BPF randomization, and other grsec patches relevant to Chrome

PDF.js for PDF reader

HTTP Switchboard, strict mode, 'other'/'plugin'/'frame' blacklisted. Only images whitelisted.

Anything more would likely be overkill. I suppose I could run Chrome as another user, very limited one at that, but I dislike the usability hit that I'd have and I'm very confident that Chrome is not going to be the easiest place to attack on my system (Pidgin is far easier).

 

Running Chrome within Sandboxie (+ restrictions) is good enough for me.

 

On Windows 7, Chrome's cache folder (well actually all sub folders of local/) is set to no execute via Icacls. Other than that, it's the usual stuff, EMET, SRP, Adblock+, auto-update, Javascript disabled.

Linux - No particular hardening. Only Adblock+, disabled javascript.

 

I had used that, too, for a while but went back to the built-in PDF reader. Why?

I'm using the following settings:

1. Plugins globally allowed in HTTP Switchboard
2. Click-to-play selected in the Chrome settings
3. In chrome://plugins the "Always allowed" checkbox is selected for Chrome PDF Viewer (CTP makes no sense here, IMHO, as I have to click a PDF document anyhow in order to open it).

With this "strategy" I can open PDF documents with one click even if javascript is not allowed on that site. That's not possible with PDF.js. And with CTP flash (and other plugins) are still blocked. That's safe enough for me.

 

I like the PDF.js approach - it keeps the attack surface quite small, all of it is handled in the Javascript renderer. With the plugin there's a lot more native code and it's less vetted than the renderer.

For PDF.js all I have to do is allow Javascript, which I'm OK with.

 

In Opera 18 (chromium based so the extensions are compatible) I use Adblock Plus, Ghostery and HTTPS Everywhere.

 

I switched over to chrome on the conviction of others that Chrome is very secure. I quite like the freedom of 'no sandboxie' so far.

 

Great tip. Have implemented it.

 

Just the usual things most people here will do, and using HTTP Switchboard extension.