How are YOU hardening Chrome?

Discussion in 'other software & services' started by CrusherW9, Dec 25, 2013.

Thread Status:
Not open for further replies.
  1. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    516
    Location:
    United States
    Just what the title says, what are your settings and how are you hardening Google Chrome?
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I am not. :D
     
  3. tomazyk

    tomazyk Guest

    After install I do these changes in advanced settings:

    I disable:
    -enable auto-fill...
    -offer to save passwords...
    -offer to translate pages...

    I enable:
    -send a 'Do-Not-Track' request...

    I also install Adblock Plus and run Chrome under Sandboxie's supervision.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Other than what's in my signature: click-to-play, Do-Not-Track, and Google Account sync.
     
  5. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    536
    Location:
    Europa
    I always do this :

    Themes : -hxxp://www.chrome-themes.info/downloads/AfterDark.crx-

    Rules.
     

  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I wished you could clean all data on exit like Firefox, but you can't have everything, I guess.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Disable Java
    Do not save passwords
    Install WOT and TrafficLight
    Disable web service for navigation
    Disable prediction service to complete searches
    Disable autofill
    Disable background apps running when Chrome is closed
    Added ZenMate and VTchromizer
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Apparmored
    On Linux, Chrome utilizes the Seccomp-BPF sandbox
    HTTP Switchboard extension
    HTTPS Everywhere extension
    Using only the PPAPI (Pepper) Flash
    Built-in PDF reader disabled
    Selected domains whitelisted
     
    Last edited: Dec 26, 2013
  10. tlu

    tlu Guest

    wat0114, while I agree with your other points I wonder about that one. Isn't the built-in sandboxed PDF reader more secure than an unsandboxed one (even if apparmored)?
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    You're probably right and I've wondered, too, if this step is necessary. I've been going on the premise that it's better to first download the pdf file rather than it launching automatically through the browser's built-in reader. Maybe just using Chrome's reader is a more secure approach than using a 3rd party program to open it after it's downloaded?
     
  12. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    238
    Location:
    Neo Tokyo
    chrome://flags > Disable hyperlink auditing > Enable
     
  13. tlu

    tlu Guest

    That's what I think. Although I'm running my PDF reader (Okular as I'm using KDE) in an AppArmor profile, I think that the (double) sandbox in Chrome + AppArmor is more secure than AppArmor alone. Having said that, each solution is certainly safe enough - we're probably discussing rather theoretical attack scenarios ;)
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Good enough! I've re-enabled the built-in reader. This also makes things more convenient. Thanks :)
     
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
  16. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    The built-in PDF reader is horribly unusable in a business environment as it lacks some of the most basic features needed... What are good/safe alternatives for a built-in PDF reader that has features, is safe and has no nagware?
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Hmmm.

    AppArmor profile with no abstractions - limits down to ownership of libraries. I've removed some of the w's from the profile, as the browser no longer needs them - such as to preferences.

    Hardened chroots (for its sandbox), BPF randomization, and other grsec patches relevant to Chrome

    PDF.js for PDF reader

    HTTP Switchboard, strict mode, 'other'/'plugin'/'frame' blacklisted. Only images whitelisted.

    Anything more would likely be overkill. I suppose I could run Chrome as another user, very limited one at that, but I dislike the usability hit that I'd have and I'm very confident that Chrome is not going to be the easiest place to attack on my system (Pidgin is far easier).
     
    Last edited: Dec 26, 2013
  18. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Running Chrome within Sandboxie (+ restrictions) is good enough for me.
     
  19. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    On Windows 7, Chrome's cache folder (well actually all sub folders of local/) is set to no execute via Icacls. Other than that, it's the usual stuff, EMET, SRP, Adblock+, auto-update, Javascript disabled.

    Linux - No particular hardening. Only Adblock+, disabled javascript.
     
  20. tlu

    tlu Guest

    I had used that, too, for a while but went back to the built-in PDF reader. Why?

    I'm using the following settings:

    1. Plugins globally allowed in HTTP Switchboard
    2. Click-to-play selected in the Chrome settings
    3. In chrome://plugins the "Always allowed" checkbox is selected for Chrome PDF Viewer (CTP makes no sense here, IMHO, as I have to click a PDF document anyhow in order to open it).

    With this "strategy" I can open PDF documents with one click even if javascript is not allowed on that site. That's not possible with PDF.js. And with CTP flash (and other plugins) are still blocked. That's safe enough for me.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I like the PDF.js approach - it keeps the attack surface quite small, all of it is handled in the Javascript renderer. With the plugin there's a lot more native code and it's less vetted than the renderer.

    For PDF.js all I have to do is allow Javascript, which I'm OK with.
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    In Opera 18 (chromium based so the extensions are compatible) I use Adblock Plus, Ghostery and HTTPS Everywhere.
     
  23. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    I switched over to chrome on the conviction of others that Chrome is very secure. I quite like the freedom of 'no sandboxie' so far.
     
  24. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Great tip. Have implemented it.
     
  25. guest

    guest Guest

    Just the usual things most people here will do, and using HTTP Switchboard extension.
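
Several posts above list the same handful of Chrome settings (auto-fill, password saving, translate, Do-Not-Track, the navigation and prediction web services, hyperlink auditing). The following is an added example, not part of the thread: a read-only audit of a profile's `Preferences` JSON against those recommendations. The preference key names and defaults are assumptions based on Chrome builds of that era and differ between versions; the sample profile is constructed.

```python
import json

# (dotted key, Chrome default when the key is absent, value the thread recommends, label)
# Key names and defaults are assumptions for 2013-era Chrome; verify against your build.
CHECKS = [
    ("autofill.enabled", True, False, "disable auto-fill"),
    ("profile.password_manager_enabled", True, False, "do not offer to save passwords"),
    ("translate.enabled", True, False, "do not offer to translate pages"),
    ("enable_do_not_track", False, True, "send a Do-Not-Track request"),
    ("alternate_error_pages.enabled", True, False, "disable web service for navigation"),
    ("search.suggest_enabled", True, False, "disable prediction service"),
    ("enable_a_ping", True, False, "disable hyperlink auditing"),
]
_MISSING = object()

def lookup(prefs, dotted):
    """Walk a dotted key through nested dicts; return _MISSING if any part is absent."""
    node = prefs
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def audit(prefs_text):
    """Return (key, effective value, 'file' or 'default', label) for each deviation."""
    prefs = json.loads(prefs_text)
    findings = []
    for key, default, wanted, label in CHECKS:
        value, origin = lookup(prefs, key), "file"
        if value is _MISSING:
            # Chrome does not write default-valued prefs, so absent means "default".
            value, origin = default, "default"
        if value != wanted:
            findings.append((key, value, origin, label))
    return findings

# Constructed sample: a partly hardened profile (not taken from any post above).
SAMPLE = json.dumps({
    "autofill": {"enabled": False},
    "profile": {"password_manager_enabled": False, "name": "constructed"},
    "translate": {"enabled": True},
    "enable_do_not_track": True,
    "search": {"suggest_enabled": False},
})

if __name__ == "__main__":
    for key, value, origin, label in audit(SAMPLE):
        print(f"{key} = {value!r} (from {origin}): thread suggests '{label}'")
```

A key that is absent from the file is reported with its default, which is why an untouched profile fails every check even though the file mentions none of these settings.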
     