Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Closer Look At Chromium and Browser Security

Posted by Soulskill on from the such-as-it-is dept.

GhostX9 writes "Tom's Hardware's continuing series on computing security has an interview with Adam Barth and Collin Jackson, members of Stanford University's Web Security Group and members of the team that developed Chromium, the open-source core behind Google Chrome. The interview goes into detail regarding the sandboxing approach unique to Chromium, comparisons between the browser and its competition, and web security in general."

9 of 109 comments (clear)

  1. Good by maz2331 · · Score: 4, Insightful

    These are all great ideas, and I hope Firefox and/or MSIE pick up on them, simply because I can't stand the Chrome UI.

    Sorry, but that thing just isn't what a browser is supposed to be.

    The uhderlying technology can be the greatest ever, but if the interface sucks, well, I won't use it.

    1. Re:Good by mhousser · · Score: 5, Informative

      I love the interface! What I don't love, however, are the millions of ads that I forgot existed. I'll move to Chrome the minute it supports plugins and AdBlocker is ported to it. Chrome's plugin API will be finished later this year.

    2. Re:Good by Anonymous Coward · · Score: 5, Informative

      It supports greasemonkey scripts if you append --enable-user-scripts to its shortcut. And theres a script for it that works exactly like adblock.

    3. Re:Good by asdf7890 · · Score: 4, Informative

      OK, let's here it: why is user scripting a security hole?

      With early versions of GreaseMonkey, the way the user scripts were applied to pages would allow the page to affect easily the GM in ways that could lead to cross-site attack vectors.

      That is why GM had a fairly complete redesign around the middle of 2005, remove the issue(s) that affected all scripts, but individual scripts can still be vulnerable depending on their design - hence you should be careful not to let a script apply globally for security reasons as well as efficiency ones. For a decent description of the problems with earlier GM versions and problems that you can still create for yourself in the latest versions, this article does a decent job.

      The other major problem with user scripting is using scripts from other sources without performing an exhaustive code review first. How do you know that the script you have just enabled isn't subject to one of the flaws? How do you know it isn't intentionally malicious? There have been several cases of this in the past, hence the warning message before you add a script to GM in recent versions and the warning message that appeared on userscipts.org for some time (as malicious scripts were found in their archive).

      Like many things, user scripting isn't a problem if both programmers and users are educated, careful and care. There lies the problem.

      I use GM myself, with scripts of my own devising or those from elsewhere that I have sufficiently reviewed, but I would not recommend it (or equivalents) to the general populous as they do not need any further ways to dig themselves into a malware riddled hole.

  2. Adblock for Chrome -- Use SwWare Iron "Chrome" by blahbooboo · · Score: 5, Interesting

    Srware Iron is Chrome compiled without all the Google spyware crap and it has adblock built in.

    I LOVE IT! Firefox (all versions) is sooooo slow compared to Chrome/Iron.

    http://www.srware.net/en/software_srware_iron.php

  3. Google Main Page Says To Use Chrome Only In IE by Anonymous Coward · · Score: 5, Interesting

    When I go to the main google page in IE 8, it has this huge icon telling me to use Chrome in the top right corner. When I go there in FF, its not there. Is google singling out IE users?

    1. Re:Google Main Page Says To Use Chrome Only In IE by Tacvek · · Score: 5, Insightful

      Perhaps. My guess is they have logic like the following:

      If you use Firefox, you probably already have heard about Chrome, and have decided not to switch. If you use IE, you probably have no idea that other browsers even exist, but you may know and like Google, so would be willing to give this Chrome thing a try.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    2. Re:Google Main Page Says To Use Chrome Only In IE by Anonymous Coward · · Score: 5, Funny

      Or maybe they just wrote the page such that standards-compliant browsers won't show the advert.

    3. Re:Google Main Page Says To Use Chrome Only In IE by Anonymous Coward · · Score: 5, Informative

      I am sorry but that's incorrect. Firefox uses a local database of suspicious URLs that is updated every 30 min. URLs are never send to Google, Google sends suspicious URLs to Firefox.

      The functionality you describe was optional in older versions of Firefox (to eliminate the max 30 min. delay for ultra paranoid people) but was removed on request of Google because it caused them too much load.