Wednesday, February 3, 2010

Chrome's security model

Over the past few months I've been migrating away from Firefox and toward Chrome because I've grown bored of trying to figure out which tab is eating my CPU. I frequently keep a dozen or two tabs open because why not? It's not like a multi-gigahertz CPU and a dedicated graphics chip should have any trouble keeping a dozen or even a hundred web pages up to date, especially if I'm only looking at one of them.

Bill Gates or someone once said that if cars had progressed like computers they would run near light speed and get a zillion miles per gallon. An interesting statement coming from someone on the software side; to factor in software and complete the analogy you'd have the supercar dragging an asteroid behind it and its drive wheels wrapped in several alternating layers of duct tape and gauze.

But I digress.

I mean, I'm all for writing to a nice abstract garbage-collected virtual machine in a type-safe more-or-less high-level language with lots of support for encapsulation and other OO goodness, and I accept that in the real world that means accepting a performance hit. But does making programmability available to the at large really have to mean an all-too-typical script can suck the rest of the world into its vortex?

Sorry, digressing again.

Of course, in a couple of years the hardware will be faster, leaving the world temporarily in search of a way to squander the newly-minted extra cycles. But only temporarily ...

OK, OK, what was I going to say about Chrome and security?

Chrome, like other browsers, will remember passwords for you, a very handy feature. Unlike other browsers, it does not support a "master password" that you would have to type in before using or viewing these saved passwords. Google is quite adamant on this point. Has been for years.

Google's position is that they do encrypt the passwords as they're saved on disk. If you're using Chrome and someone steals your laptop, they're not going to be able to view your passwords unless they can log in as you. If you use your screen lock feature, that means any time you step away from your computer, your password file is protected just like everything else on your account.

Their further assertion is that adding a master password feature to the browser would only provide the appearance of further security. The saved passwords on disk are no more or less protected than before. Conversely, if you give your browser the master password and don't lock your screen, someone could then grab your laptop and log into any account of yours they liked.

On the other side, pretty much anyone who switches over to Chrome will notice that not only is there no master password, but the saved passwords panel in the options actually makes it easier to view saved passwords. This certainly looks like a gaping security hole at first blush. In particular, there's no indication that any encryption is going on, anywhere. Purely as a point of user interaction, having to type a password gives the impression, correct or not, that something secure is happening behind the scenes.

After digging through all this, a couple of finer points came out:
  • On Windows, Chrome uses Windows' built-in encryption which is based on the currently logged-in user's credentials. Why reinvent the wheel? This is the security technology you're already trusting.
  • On Linux, and as far as I can tell on Mac OS as well, the encryption is stubbed out. There really isn't any encryption going on at all.
So, don't trust Chrome to keep passwords safe on Linux or Mac OS unless you're encrypting your disks wholesale. If not, anyone who steals your laptop can just mount the disk and read through ~/.config/google-chrome/Default/Web Data.

On Windows, your Chrome passwords are as safe as your account. If you don't have a password on your Windows account, you effectively don't have encrypted passwords. If your company knows the password for your account, they also know any passwords Chrome has saved. If you exit Chrome and hand your laptop over to your roommate's friend from out of town, you've handed them your saved passwords as well (they just have to restart Chrome).

From a strictly technical, by-the-book security standpoint, Google is right. But I'm still with the hordes of other users on this one. If you put locks on your house doors, you might still want to have a locked drawer on your desk, or a safe embedded in the concrete floor of the garage. Passwords to bank accounts and such are sensitive enough that it makes sense to raise the bar for them, if only slightly.

Yes, someone could still install a keylogger and yes, exiting Chrome or otherwise making it forget the master password is not much different from locking the screen and yes, the plaintext passwords will find themselves in RAM for at least small windows of time and yes, you probably should have a separate guest account for out-of-town friends of roommates. Be that as it may, Google can try to educate the world in the finer points of security models and attack surfaces, or it can give people what they want and pick up more market share from Firefox.

Frankly, I'm surprised they've held out this long.

1 comment:

David Hull said...

Note to self: much of this could have been written today, some not