German Government Endorses Chrome As Most Secure Browser
New submitter beta2 writes "Several articles are noting that the German IT security agency BSI is endorsing Google Chrome browser: 'BSI ticked off Chrome's anti-exploit sandbox technology, which isolates the browser from the operating system and the rest of the computer; its silent update mechanism and Chrome's habit of bundling Adobe Flash, as its reasons for the recommendation. ... BSI also recommended Adobe Reader X — the version of the popular PDF reader that, like Chrome, relies on a sandbox to protect users from exploits — and urged citizens to use Windows' Auto Update feature to keep their PCs abreast of all OS security fixes. To update applications, BSI gave a nod to Secunia's Personal Software Inspector, a free utility that scans a computer for outdated software and points users to appropriate downloads.'"
As an engineer on Chrome security this particular FUD really bothers me. The BSI takes privacy very seriously, and would never make such a recommendation if Chrome did anything like what you suggest. To the contrary, Chrome has an exceptionally responsive privacy team and a very clear and simple privacy policy. It identifies any feature that can exchange data with Google services, and provides clear instructions for opting out. More importantly, the vast majority of features that can exchange any such data are explicitly opt-in.
I haven't read TFA, but the headline says "most secure browser", not most private.
You don't actually know what the BSI is, do you? They're one of the most respected security and privacy organizations in the world.
It would seem to me that "Chrome's habit of bundling Adobe Flash" would be a detriment. But that's just me.
They went on to recommend Adobe Reader X. I agree that PDF readers in a sandbox make a lot of sense, it's just that I have no particular reason to trust Adobe, since it was their doing that made PDFs unsafe in the first place. With Chrome's built-in PDF render engine, I find I seldom have to use the Adobe plugin at all any more. (And when I do, I'm always suspicious).
If Google wanted to do us all a favor they would do with Flash content what they did with PDF documents, and add their own in-browser render engine.
That being said, I do like the sandboxing that Chrome supplies, and Google Chrome is my browser of choice.
Some people don't like keying search terms in the URL bar, and other minor objections that, when investigated, all amount to "it's not Firefox". I've seen some reports of incredibly slow page fetches, which are usually traceable to external things (Chrome likes to use multiple concurrent connections, and swamps some anti-virus packages that operate as a proxy server).
For me, the speed can't be beat on any of the platforms I use (Linux and Windows - various flavors of each). I prefer Google's builds to those in the Chromium Open Source project but both work very well.
Sig Battery depleted. Reverting to safe mode.
You may personally have the expertise to make good security decisions about your browser. However, all empirical evidence shows that the vast majority of users are not capable of that, and are much better served by a browser that manages updates for them.
That said, you can disable automatic updates and perform them manually if you choose. However, I also consider myself capable of making those security decisions, and I still prefer the silent update dramatically over manually updating.
Perhaps not, but the vast majority of users don't care. Many users are not unlike my mother, who constantly clicks "Later" or "Not Now" whenever programs ask to install updates. For this reason, her computer is routinely several months behind the current updates.
Having Chrome auto-update silently and without needing admin rights (as it by default installs itself only for the user that opened the installer, not system-wide) is enormously convenient (and the right choice) for most people.
I use Firefox because it has NoScript and SSLEverywhere, that Chrome doesn't (or doesn't have equivalent functionality); thus making Firefox more secure for my usage patterns.
you're wrong
BSI is 100% right for citing Chrome bundling flash as a reason for recommendation
when adobe pushes a security update, chrome automatically pushes a browser update. and if the user leaves the browser running for days, chrome starts politely reminding them they have to close and reopen the browser. this is as good as you can do to make sure flash is as up-to-date as possible
it is not the most ideal model of security, period. it is simply best-of-the-pack security model. and so it deserves a recommendation for that practice from BSI
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I, for one, am grateful for the Chrome browser because it works as a very effective sandbox for everything Google. Ever since Google decided to track me through Google+ +1 buttons added to every page I browse, I've had to remove google.com from my whitelist. I've also switched to Bing as my primary search engine in Firefox, and I have to say, I don't mind getting Xbox Live! points for searches I do.
The features that bother me in Chrome include the very coarse scroll bar, which requires me to manually scroll down when reading longer articles instead of just using my touchpad. I have yet to figure out how the search bar/address bar is supposed to function (the awesome bar and search bar in FF is the best I've come across). Last I checked, Chrome equivalents of NoScript do not truly block scripts because they allow them to load briefly before stopping them, giving probably enough time to identify the computer or even run an exploit. I also haven't found a cookie manager like Cookie Monster. I regularly see ads in YouTube videos even with AdBlock installed, most especially in embedded videos (I have no memory of ever seeing ads in YouTube in FF).
At this point, for me, Chrome is not very private and a bigger PITA to use than FF. I don't care what the Germans claim.
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
I don't see innuendo or unsubstantiated accusations as adding anything to the conversation. But I do think it's useful to address the technical portion of your claim.
If I hit a 404, Chrome phones home with the URI I was trying to reach. And what do you do with that data, I wonder?
I think you undermine the legitimacy of your question by trying to manufacture some evil ulterior motive here. The simple fact is that people often mistype URLs (or clip portions when pasting them), so it's helpful when the correct URL can be easily determined. And if you read through the privacy policy I linked above, you'll see that it very clearly describes what occurs in this scenario:
In order to offer suggestions of alternative or similar webpages, the browser sends Google the URL of the page you're trying to reach whenever the web address does not resolve or a connection cannot be made. Information is logged and anonymized in the same manner as Google web searches. Any parameters in the URL are removed before the URL is sent. The logs are used to ensure and improve the quality of the feature.
So, the submission of the URL is no different than if you'd stripped the parameters and pasted the URL into Google from an anonymous incognito window. If you're uncomfortable with that, then the same link provides instructions for disabling the feature.
Even easier, just download Chromium. No Flash, no auto-updating, no phone-home, fully open source. Complaining about these things in Chrome when its completely open-source counterpart Chromium is available as a free download (binary or source) seems pretty stupid to me.