Friday, February 20, 2009

bling_bling_browser



Bling,
Bling for your Web Browser








Bling, Bling for Your Web Browser










Google
Chrome Security Issues: Style vs. Safety



By


Philena
Rush






Introduction
to Scripting and Database with Lab


DeVry:
Comp230 Security Research Paper


February 20, 2009






Table of
Figures



Figure 1 Tech Terms Searched Dec.
08 2


Figure 2 Task Manager: Local
Processing Example 5


Figure 3 Error Image in Vista &
Google Chrome 6












Table of Contents



Table of Figures i


Introduction 1


Web browser
Security Issues 2


Updates and
Patches 3


Cross Site
Scripting (XSS) 4


No browser is perfect 6


Password
Security 7


Future Problems 7


Third party
extensions 8


Conclusions 9


References 10





















Introduction






Google Chrome is
Google’s newest application that was build for streamlining
complex web applications for simplicity, safety, and speed. (Google)
I've been experimenting with Google Chrome for almost 4 months now,
and love the speed. But does this speed cause security risks? This
paper will explore the many features of Google Chrome and discuss
these new trends of web development. These comparisons will also
examine common security issues and how Google Chrome handles them.











Web browser Security Issues


 


Many users have
experience malicious software some time or another. Usually after
losing important data, or having your computer completely locked down
due to a pop-up ad to...”How I made $10,000 in 10 days!"
and next thing you know, your browser and computer is rendered
useless. Brett Burney from the Legal Tech newsletter agrees,
stating: “We've
all been warned that simply visiting a Web site can immediately
compromise the security of our computer -- along with the
confidential data that it stores
.”

(Burney, 2009) The default
settings for web browsers are Javascript enable. The problem with
malicious scripts is browsers cannot tell the difference between
scripts generated by the website versus scripts generated by users,
for example, comments on a blog or a forum. Google Chrome has been a
popular topic and search team recently posted in eWeek, (Figure 1)


Figure
1
Tech Terms Searched
Dec. 08




Note:
From eWeek "In Search Of…" eWeek (2009),
volume 26 (1), p. 13-13.


 


Updates and Patches


 


With new patches and
versions to address these security issues, our web browsers need to
be consistently updated. Not long ago, updates needed to be done
manually, or you had to create your own script to check for updates.
But many programs come with auto-updates build in the application.
Another
interesting concept is Chrome's virtual JavaScript machine, called
V8. Google's Chromium team built its own virtual environment for all
JavaScript execution
.”
(Grimes, 2009) The Chief Information Officer’s community
and website has written numerous articles and white papers about the
Google chrome because of its innovative team up with Chromium.
(Chromium) Since Chromium has come up with their
own virtual Javascript machine, this minimizes the risk of malicious
scripts being executed.


Cross Site Scripting
(XSS)


 


When you surf a
site, a common attack is cross site scripting. JavaScripts are
scripts for the user interface to extract information about user's
activity from browser cookies and the information is used for related
links, content or events. You get an email notification from a social
network like Myspace and Facebook, and you click on the link and it
looks just like the site. Unfortunately, you may not notice the URL
of the network is slightly different or extremely long compared to
your regular reference link to check messages. Once you enter
personal information on these “phishing” sites, malicious
script now has your login information, and if it's a financial
company like Paypal, they can begin using your account information to
make thousands of dollars worth of purchases in less than 60 seconds.


 


 


Google came up with
a different solution called the sandbox. The new IE browser 8 beta
version, also has similar capacities. (Fierce, 2009)
Sylvain from the Google Chrome Browser website explains the sandbox
as follows: “If
an attacker is able to exploit the browser in a way that lets him run
arbitrary code on the machine, the sandbox would help prevent this
code from causing damage to the system. The sandbox would also help
prevent this exploit from modifying and even reading your files or
any information on the system

(Sylvain, 2008)


 


In other words, the
sandbox is like a separator for website processes. If you go to your
Task Manager (Figure 2), you can click on the processes tab, look at
each application you have running on your computer, and how much
memory the processes are using. What Google chrome does differently
is separating all of these processes in their own sandbox, like the
URL bar, tabs, access tokens, plugins, etc. Then Chrome will share
the common processes between websites which will increase the browser
speed and add extra security.


Figure
2
Task Manager: Local
Processing Example



The more javascript
on a website, the more local processing is required to load the page.
That's why many dynamic websites that have javascript takes longer
to load.


 





This will prevent an
attacker from going any further than the original application its
hiding under. Because according to Google chrome, it's already in
its own sandbox. Once I do have a process go down, I have the
familiar image of a dead puzzle piece on my Vista (Figure 3), but
only for that tab. Other tabs that are open within the browser are
not affected, while with other browsers, the whole application could
freeze up.


.


Figure
3
Error Image in Vista &
Google Chrome



 


No browser is perfect


 


But even with the
sandbox, Google Chrome doesn't have robust security options. And I'm
use to my Firefox adblocker, which increases the speed of firefox
browser by blocking scripts. Chrome does not give you the option to
disable Javascript like other browsers. The primary reason Google
doesn't condone disabling scripts is because that is their primary
source of revenue, Google Adsense and Adwords. While looking at
YouTube videos of my favorite computer geeks, I found a comment about
this issue, and it was suggested to use privoxy. Privoxy is a web
proxy that acts as my adblocker for Google Chrome. I was very happy
it works with Google Chrome, because now the speed is increased even
more with the sandbox. Now you can compare the two browsers with an
adblocker on both of them, and Google chrome still comes out on top.
Even without additional plug-ins. (JunkBusters)
Sites
you visit during a private session generally won't be able to access
cookies, history, or other browser data created or saved before you
entered the session”
(Larkin,
2008)

p. 50


 Incognito mode
is a feature of Google Chrome that offers these features as many
other web browsers. I would definitely use the Incognito mode in
public access terminals. For example, I'm surfing the web at my
local public library, and using IE to check my emails and check my
social network status. Usually, I'm asked if I would like to "save
my password" of course, I always check, “Not now”,
or “never”. But if I was in a private session, I don't
have to worry about this issue. Larkins in the PC World article,
also realize that private web sessions can be considered misleading
because an average user may see this feature as an added security
stating: “Just keep in mind that they're not a panacea, and
that they're for secrecy, not additional safety”
(Larkin, 2008) p.50. The security this may add is for a
multi-users network to prevent seeing each other private information,
especially if users use the same computer like home networks. You
may also install Google Chrome without requiring Administrator-level
access. (Metz, 2008)


Password Security


 


You can't protect
the password manager like other browsers.
“Chrome allows the current user to reveal
the saved log-on names and passwords in plaintext with a few clicks
of the mouse”
(Grimes,
2009)
.
At first, I thought this feature was very cool, especially when using
another browser and you may forget a password, or need to have text
file for passwords. Hopefully, Google will see this oversight and
let users secure their passwords. This may be overconfidence on
Google's security features. But this doesn't prevent someone copying
your info once you walk away from the computer.


 


Future Problems


 


There are many sites
I cannot access with Google Chrome. An example, of course, is the
DevryU website. There are other know issues that the Google support
(Team) knows about. Here are some of their
security flaws:



  • Google Chrome
    does not support SSL client authentication


  • Does
    not support the embedding of
    ActiveX
    controls (I can't use Microsoft Outlook module for Igoogle in
    chrome)


  • Google Chrome
    doesn't work with NTLM authentication



Third party extensions


Google is starting
registration for developers to create extensions for Google Chrome.
Since Google used Chromium, they have strict guidelines for
extensions. “Extension components will typically be
implemented using web technologies like HTML, JavaScript and CSS with
a few extra extension APIs that we design. Extensions will run in
their own origin, separate from any web content, and will run in
their own process”. (Chromium) Some of
their requirements for security include:




  • It must not be possible for third-party code to get access to
    privileged APIs because of the extension system.


  • Extensions
    should be given only the privileges they require, not everything by
    default.


  • Extensions
    should run in sandboxed processes so that if they are compromised,
    they can't access the local machine.


  • It
    should be trivial for authors to support secure auto-updates for
    extensions.



  • We must be able to blacklist extensions across all Chromium
    installations.



Conclusions






Google Chrome a
great browser for social networking and streaming media. But without
added security features, and expansions of utilities with 3rd-party
development, the Google chrome browser still needs a lot of work, as
its recent development for Mac’s OS and Linux, are recent
releases, it is not recommended to make it your default browser until
you know what you’re doing. Remember, Google Chrome is still in
beta, and it may take months, or even years, for a stable release.
Incognito mode is recommended with multi-user workstations and shared
computers. Finally, I recommend a proxy should be used “Under
the Hood” of Chrome’s browser management settings to
prevent malicious scripting activities.











References


Burney, B. (2009,
February 10). Can Google Chrome Power Your Browser? Retrieved
February 10, 2009, from Legal Tech Newsletter:
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202428125776&pos=ataglance


Chromium. (n.d.).
Extensions. Retrieved February 15, 2009, from Chromium
Development Documentation:
http://dev.chromium.org/developers/design-documents/extensions


eWeek. (2009). In
Search Of... eWeek , 26 (1), 13-13. From Database ESBCO
# 36025648


Fierce, D. (2009,
January 27). Internet Explorer 8 RC1 Released. Retrieved
February 10, 2009, from Efluxmedia:
http://www.efluxmedia.com/news_Internet_Explorer_8_RC1_Released_33967.html


Google. (n.d.). Google
Chrome
. Retrieved February 15, 2008, from Google:
http://www.google.com/chrome


Grimes, R. A. (2009,
January 26). How Secure is Google Chrome? Retrieved February
10, 2009, from CIO:
http://www.cio.com/article/477895/How_Secure_is_Google_Chrome_


JunkBusters, I.
(n.d.). Privoxy. Retrieved December 2008, from Privoxy:
http://www.privoxy.org


Larkin, E. (2008,
December). How Private--or Secure--Is So-Called Private Browsing? PC
World
, 26 (12), pp. 50-50. From Database ESBCO #
35200700


Metz, R. (2008,
September 5). Google's Chrome Browser Prompts Privacy Concerns.
Retrieved February 10, 2009, from Associated Press:
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202425790725


Sylvain, N. (2008, 10
2). A new approach to browser security: the Google Chrome Sandbox.
Retrieved February 10, 2009, from Google Chrome Browser:
http://google-chrome-browser.com/new-approach-browser-security-google-chrome-sandbox


Team, G. C. (n.d.).
Known Issues. Retrieved February 10, 2009, from Google Chrome
Help:
http://www.google.com/support/chrome/bin/static.py?page=known_issues.cs















No comments: