German Government Endorses Chrome As Most Secure Browser
New submitter beta2 writes "Several articles are noting that the German IT security agency BSI is endorsing Google Chrome browser: 'BSI ticked off Chrome's anti-exploit sandbox technology, which isolates the browser from the operating system and the rest of the computer; its silent update mechanism and Chrome's habit of bundling Adobe Flash, as its reasons for the recommendation. ... BSI also recommended Adobe Reader X — the version of the popular PDF reader that, like Chrome, relies on a sandbox to protect users from exploits — and urged citizens to use Windows' Auto Update feature to keep their PCs abreast of all OS security fixes. To update applications, BSI gave a nod to Secunia's Personal Software Inspector, a free utility that scans a computer for outdated software and points users to appropriate downloads.'"
Never underestimate the capacity of politicos to make decisions and pass legislation based upon a knowledge of the subject at hand poorer than that of a 3 year old. Especially high tech subjects...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
As an engineer on Chrome security this particular FUD really bothers me. The BSI takes privacy very seriously, and would never make such a recommendation if Chrome did anything like what you suggest. To the contrary, Chrome has an exceptionally responsive privacy team and a very clear and simple privacy policy. It identifies any feature that can exchange data with Google services, and provides clear instructions for opting out. More importantly, the vast majority of features that can exchange any such data are explicitly opt-in.
I haven't read TFA, but headline says "most secure browser", not most private.
You don't actually know what the BSI is, do you? They're one of the most respected security and privacy organizations in the world.
It would seem to me that "Chrome's habit of bundling Adobe Flash" would be a detriment. But that's just me.
They went on to recommend Adobe Reader X. I agree that PDF readers in a sandbox make a lot of sense, it's just that I have no particular reason to trust Adobe, since it was their doing that made PDFs unsafe in the first place. With Chrome's built-in PDF render engine, I find I seldom have to use the Adobe plugin at all any more. (And when I do, I'm always suspicious).
If Google wanted to do us all a favor they would do with Flash content what they did with PDF documents, and add their own in-browser render engine.
That being said, I do like the sandboxing that Chrome supplies, and Google Chrome is my browser of choice.
Some people don't like keying search terms in the URL bar, and other minor objections that, when investigated, all amount to "it's not Firefox". I've seen some reports of incredibly slow page fetches, which are usually traceable to external things (Chrome likes to use multiple concurrent connections, and swamps some anti-virus packages that operate as a proxy server).
For me, the speed can't be beat on any of the platforms I use (Linux and Windows - various flavors of each). I prefer Google's builds to those in the Chromium Open Source project but both work very well.
Sig Battery depleted. Reverting to safe mode.
You may personally have the expertise to make good security decisions about your browser. However, all empirical evidence shows that the vast majority of users are not capable of that, and are much better served by a browser that manages updates for them.
That said, you can disable automatic updates and perform them manually if you choose. However, I also consider myself capable of making those security decisions, and I still prefer the silent update dramatically over manually updating.
Perhaps not, but the vast majority of users don't care. Many users are not unlike my mother, who constantly clicks "Later" or "Not Now" whenever programs ask to install updates. For this reason, her computer is routinely several months behind the current updates.
Having Chrome auto-update silently and without needing admin rights (as it by default installs itself only for the user that opened the installer, not system-wide) is enormously convenient (and the right choice) for most people.
I use Firefox because it has NoScript and SSLEverywhere, which Chrome doesn't (or doesn't have equivalent functionality), thus making Firefox more secure for my usage patterns.
It's open source, where the fuck are they going to put the backdoor? If you're really paranoid, compile it yourself after reading the source code over.
How exactly is the GP's comment "FUD" when you yourself admit that Chrome does indeed communicate some information to Google?
Google protecting what? If anything, they invade your privacy every day, even more so since the David Drummond asshole rolled out the new privacy policy!
--
Jordyn Buchanan
My comment had nothing to do with giving Google "credit".
It had to do with BSI's decision to cite Chrome's bundling of Flash as a reason for recommendation.
A true security organization would not make that a reason for a recommendation, rather they would cite it as a detriment, a blemish, (even for Flash in a sandbox given Adobe's history).
As for people wanting Flash, its value is negative in most people's eyes. People hate it more than you know.
It's nothing but an advertising tool to most people. A source of daily irritation when reading almost any web page due to disruptive graphics dancing around while you try to read. Apple dropped Flash both from OS X and iOS, and nobody cared. Even Android users find it mostly an annoyance.
Sig Battery depleted. Reverting to safe mode.
you're wrong
BSI is 100% right for citing Chrome bundling flash as a reason for recommendation
when adobe pushes a security update, chrome automatically pushes a browser update. and if the user leaves the browser running for days, chrome starts politely reminding them they have to close and reopen the browser. this is as good as you can do to make sure flash is as up-to-date as possible
it is not the most ideal model of security, period. it is simply best-of-the-pack security model. and so it deserves a recommendation for that practice from BSI
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Back in the day they started out as an offshoot of the BND (if you want a good laugh dig deeper into the story of how that one came to be and why it shouldn't be trusted) but nowadays they usually serve as a mouthpiece for damage control if some government branch has screwed up again (e.g., electronic identity card).
And if they're not too busy they use some of their idle time to discover new ways to make themselves look like idiots (e.g., the recent "DNS OK" story).
I, for one, am grateful for the Chrome browser because it works as a very effective sandbox for everything Google. Ever since Google decided to track me through Google+ +1 buttons added to every page I browse, I've had to remove google.com from my whitelist. I've also switched to Bing as my primary search engine in Firefox, and I have to say, I don't mind getting Xbox Live! points for searches I do.
The features that bother me in Chrome include the very coarse scroll bar, which requires me to manually scroll down when reading longer articles instead of just using my touchpad. I have yet to figure out how the search bar/address bar is supposed to function (the awesome bar and search bar in FF is best I've come across). Last I checked, Chrome equivalents of NoScript do not truly block scripts because they allow them to load briefly before stopping them, giving probably enough time to identify the computer or even run an exploit. I also haven't found a cookie manager like Cookie Monster. I regularly see ads in YouTube videos even with AdBlock installed, most especially in embedded videos (I have no memory of ever seeing ads in YouTube in FF).
At this point, for me, Chrome is not very private and a bigger PITA to use than FF. I don't care what the Germans claim.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
I don't see innuendo or unsubstantiated accusations as adding anything to the conversation. But I do think it's useful to address the technical portion of your claim.
If I hit a 404, Chrome phones home with the URI I was trying to reach. And what do you do with that data, I wonder?
I think you undermine the legitimacy of your question by trying to manufacture some evil ulterior motive here. The simple fact is that people often mistype URLs (or clip portions when pasting them), so it's helpful when the correct URL can be easily determined. And if you read through the privacy policy I linked above, you'll see that it very clearly describes what occurs in this scenario:
In order to offer suggestions of alternative or similar webpages, the browser sends Google the URL of the page you're trying to reach whenever the web address does not resolve or a connection cannot be made. Information is logged and anonymized in the same manner as Google web searches. Any parameters in the URL are removed before the URL is sent. The logs are used to ensure and improve the quality of the feature.
So, the submission of the URL is no different than if you'd stripped the parameters and pasted the URL into Google from an anonymous incognito window. If you're uncomfortable with that, then the same link provides instructions for disabling the feature.
I don't care what the Germans claim.
- they said something about security:
"Your internet browser is the key component for the use of services on the Web and thus represents the main target for cyber-attacks," said BSI in its published advice. "By using Google Chrome in conjunction with the other measures outlined above, you can significantly reduce the risk of a successful IT attack." ... "This [sandbox] protection is implemented most consistently in Chrome...[and] similar mechanisms in other browsers are currently either weaker or non-existent," explained BSI.
Chrome is not very private
- and this is correct, they said nothing about privacy.
You can't handle the truth.
Even easier, just download Chromium. No Flash, no auto-updating, no phone-home, fully open source. Complaining about these things in Chrome when its completely open-source counterpart Chromium is available as a free download (binary or source) seems pretty stupid to me.
How exactly is the GP's comment "FUD" when you yourself admit that Chrome does indeed communicate some information to Google?
In a default, opt-out fashion, no less.
The BSI has only a supporting role, their recommendations do not have the force of law and don't need to be followed by anybody. They have in the past recommended Firefox as well, if tomorrow there is an exploit found in Chrome, then they'll recommend Firefox or IE again, and might change the recommendation right back when Google rolls out the fix.
From TFA "Germany's cyber security agency today recommended that Windows 7 users run Google's Chrome browser". They didn't write the summary, you can't really blame them for that.
Ever since Google decided to track me through Google+ +1 buttons added to every page I browse, I've had to remove google.com from my whitelist.
How do you reconcile your statement with Google's stated policy on what the +1 button tracks: http://support.google.com/plus/bin/answer.py?hl=en&answer=1319578 ?
I've seen the claim that the +1 button tracks you in a lot of places, and as one of the people responsible for making it not track you [I work for Google], I'd like to understand better why this claim persists. Thanks!
Chrome is not in fact open source. It includes a bunch of open source code but also various closed-source components. Perhaps you confused Chrome and Chromium? They're not the same thing.
If you compile Chrome yourself, you're not using Chrome, of course (and in particular, some features that this particular security evaluation ticks as positives, like the bundled Flash, will be missing).
(There's the side issue that compiling yourself gives you no particular guarantees either if your compiler is in cahoots with the code you're compiling, but for now the chances of that for Chrome are low.)
Since Germany is saying that Google Chrome is the most secure browser, I'd like to bring in a journal I posted the other day, FWIW
http://slashdot.org/journal/277313/journal-unscientific-testing-of-browsers
In the test above Mozilla Firefox gave the best result, Google Chrome came a distant 2nd
And an update to my journal above ----
It's been 100 hours since I started that test and only Mozilla Firefox is still running, with 5 tabs opened.
Google Chrome stopped running some 80 hours after launch.
Muchas Gracias, Señor Edward Snowden !