Slashdot Mirror
German Government Endorses Chrome As Most Secure Browser
New submitter beta2 writes "Several articles are noting that the German IT security agency BSI is endorsing Google Chrome browser: 'BSI ticked off Chrome's anti-exploit sandbox technology, which isolates the browser from the operating system and the rest of the computer; its silent update mechanism and Chrome's habit of bundling Adobe Flash, as its reasons for the recommendation. ... BSI also recommended Adobe Reader X — the version of the popular PDF reader that, like Chrome, relies on a sandbox to protect users from exploits — and urged citizens to use Windows' Auto Update feature to keep their PCs abreast of all OS security fixes. To update applications, BSI gave a nod to Secunia's Personal Software Inspector, a free utility that scan a computer for outdated software and point users to appropriate downloads.'"
As an engineer on Chrome security this particular FUD really bothers me. The BSI takes privacy very seriously, and would never make such a recommendation if Chrome did anything like what you suggest. To the contrary, Chrome has an exceptionally responsive privacy team and a very clear and simple privacy policy. It identifies any feature that can exchange data with Google services, and provides clear instructions for opting out. More importantly, the vast majority of features that can exchange any such data are explicitly opt-in.
I haven't read TFA, but headline says "most secure browser", not most private.
You don't actually know what the BSI is, do you? They're one of the most respected security and privacy organizations in the world.
Back in the day they started out as an offshoot of the BND (if you want a good laugh dig deeper into the story of how that one came to be and why it shouldn't be trusted) but nowadays they usually serve as a mouthpiece for damage control if some government branch has screwed up again (e.g., electronic identity card).
And if they're not too busy they use some of their idle time to find discover new ways to make themselves look like idiots (e.g., the recent "DNS OK" story).
I don't see innuendo or unsubstantiated accusations as adding anything to the conversation. But I do think it's useful to address the technical portion of your claim.
If I hit a 404, Chrome phones home with the URI I was trying to reach. And what do you do with that data, I wonder?
I think you undermine the legitimacy of your question by trying to manufacture some evil ulterior motive here. The simple fact is that people often mistype URLs (or clip portions when pasting them), so it's helpful when the correct URL can be easily determined. And if you read through the privacy policy I linked above, you'll see that it very clearly describes what occurs in this scenario:
In order to offer suggestions of alternative or similar webpages, the browser sends Google the URL of the page you're trying to reach whenever the web address does not resolve or a connection cannot be made. Information is logged and anonymized in the same manner as Google web searches. Any parameters in the URL are removed before the URL is sent. The logs are used to ensure and improve the quality of the feature.
So, the submission of the URL is no different than if you'd stripped the parameters and pasted the URL into Google from an anonymous incognito window. If you're uncomfortable with that, then the same link provides instructions for disabling the feature.
Even easier, just download Chromium. No Flash, no auto-updating, no phone-home, fully open source. Complaining about these things in Chrome when its completely open-source counterpart Chromium is available as a free download (binary or source) seems pretty stupid to me.