
Wednesday, February 3, 2010

Chrome's security model

Over the past few months I've been migrating away from Firefox and toward Chrome because I've grown bored of trying to figure out which tab is eating my CPU. I frequently keep a dozen or two tabs open because why not? It's not like a multi-gigahertz CPU and a dedicated graphics chip should have any trouble keeping a dozen or even a hundred web pages up to date, especially if I'm only looking at one of them.

Bill Gates or someone once said that if cars had progressed like computers they would run near light speed and get a zillion miles per gallon. An interesting statement coming from someone on the software side; to factor in software and complete the analogy you'd have the supercar dragging an asteroid behind it and its drive wheels wrapped in several alternating layers of duct tape and gauze.

But I digress.

I mean, I'm all for writing to a nice abstract garbage-collected virtual machine in a type-safe more-or-less high-level language with lots of support for encapsulation and other OO goodness, and I accept that in the real world that means accepting a performance hit. But does making programmability available to the web.world at large really have to mean an all-too-typical script can suck the rest of the world into its vortex?

Sorry, digressing again.

Of course, in a couple of years the hardware will be faster, leaving the world temporarily in search of a way to squander the newly-minted extra cycles. But only temporarily ...

OK, OK, what was I going to say about Chrome and security?

Chrome, like other browsers, will remember passwords for you, a very handy feature. Unlike other browsers, it does not support a "master password" that you would have to type in before using or viewing these saved passwords. Google is quite adamant on this point. Has been for years.

Google's position is that they do encrypt the passwords as they're saved on disk. If you're using Chrome and someone steals your laptop, they're not going to be able to view your passwords unless they can log in as you. If you use your screen lock feature, that means any time you step away from your computer, your password file is protected just like everything else on your account.

Their further assertion is that adding a master password feature to the browser would only provide the appearance of further security. The saved passwords on disk are no more or less protected than before. Conversely, if you give your browser the master password and don't lock your screen, someone could then grab your laptop and log into any account of yours they liked.

On the other side, pretty much anyone who switches over to Chrome will notice that not only is there no master password, but the saved passwords panel in the options actually makes it easier to view saved passwords. This certainly looks like a gaping security hole at first blush. In particular, there's no indication that any encryption is going on, anywhere. Purely as a point of user interaction, having to type a password gives the impression, correct or not, that something secure is happening behind the scenes.

After digging through all this, a couple of finer points came out:
  • On Windows, Chrome uses Windows' built-in encryption which is based on the currently logged-in user's credentials. Why reinvent the wheel? This is the security technology you're already trusting.
  • On Linux, and as far as I can tell on Mac OS as well, the encryption is stubbed out. There really isn't any encryption going on at all.
So, don't trust Chrome to keep passwords safe on Linux or Mac OS unless you're encrypting your disks wholesale. If not, anyone who steals your laptop can just mount the disk and read through ~/.config/google-chrome/Default/Web Data.
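One way to check the precondition above, that the disk holding the Chrome profile is encrypted wholesale (an added example, not from the original post or from Chrome). It looks only for dm-crypt/LUKS through Linux sysfs, so filesystem-level encryption such as eCryptfs is not detected; the function names and the `sysfs` parameter are this example's own.

```python
import os

# Chrome's Linux profile directory, as named in the post above.
PROFILE_DIR = os.path.expanduser("~/.config/google-chrome/Default")

def device_of(path):
    """Return 'MAJOR:MINOR' of the block device holding path."""
    dev = os.stat(path).st_dev
    return f"{os.major(dev)}:{os.minor(dev)}"

def on_dmcrypt(dev, sysfs="/sys"):
    """True if dev, or any device stacked beneath it, is a dm-crypt mapping.

    Returns None when sysfs has no entry for dev (btrfs subvolumes, tmpfs,
    network mounts), because then nothing can be concluded.
    """
    node = os.path.join(sysfs, "dev", "block", dev)
    if not os.path.isdir(node):
        return None
    return _walk(os.path.realpath(node), set())

def _walk(node, seen):
    if node in seen:
        return False
    seen.add(node)
    # cryptsetup gives its device-mapper targets a UUID starting "CRYPT-".
    try:
        with open(os.path.join(node, "dm", "uuid")) as fh:
            if fh.read().startswith("CRYPT-"):
                return True
    except OSError:
        pass  # not a device-mapper device
    # LVM volumes and similar layers list the devices under them in slaves/.
    slaves = os.path.join(node, "slaves")
    if os.path.isdir(slaves):
        for name in os.listdir(slaves):
            if _walk(os.path.realpath(os.path.join(slaves, name)), seen):
                return True
    return False

if __name__ == "__main__":
    if os.path.isdir(PROFILE_DIR):
        result = on_dmcrypt(device_of(PROFILE_DIR))
        verdict = {True: "on dm-crypt", False: "NOT on dm-crypt",
                   None: "undetermined"}[result]
        print(f"{PROFILE_DIR}: {verdict}")
    else:
        print(f"{PROFILE_DIR} not found")
```

A result of `False` means a stolen or mounted disk exposes the profile directory as-is; `None` means the check could not map the directory to a block device and says nothing either way.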

On Windows, your Chrome passwords are as safe as your account. If you don't have a password on your Windows account, you effectively don't have encrypted passwords. If your company knows the password for your account, they also know any passwords Chrome has saved. If you exit Chrome and hand your laptop over to your roommate's friend from out of town, you've handed them your saved passwords as well (they just have to restart Chrome).

From a strictly technical, by-the-book security standpoint, Google is right. But I'm still with the hordes of other users on this one. If you put locks on your house doors, you might still want to have a locked drawer on your desk, or a safe embedded in the concrete floor of the garage. Passwords to bank accounts and such are sensitive enough that it makes sense to raise the bar for them, if only slightly.

Yes, someone could still install a keylogger and yes, exiting Chrome or otherwise making it forget the master password is not much different from locking the screen and yes, the plaintext passwords will find themselves in RAM for at least small windows of time and yes, you probably should have a separate guest account for out-of-town friends of roommates. Be that as it may, Google can try to educate the world in the finer points of security models and attack surfaces, or it can give people what they want and pick up more market share from Firefox.

Frankly, I'm surprised they've held out this long.

Tuesday, September 29, 2009

RockMelt deja vu

Writing for The New York Times, Miguel Helft leads a fairly skeptical article on Marc Andreessen's venture RockMelt with "It has been 15 years since Marc Andreessen developed the Netscape Internet browser that introduced millions of people to the Internet." (for a more nuanced picture, more or less consonant with that shorthand, see the Wikipedia article on Mosaic). Helft goes on to opine that "Mr. Andreessen appears to want a rematch" in the browser wars.

Given the current glut of browsers and that Google itself has made only a small dent in the browser market with Chrome [a rather larger dent now --D.H. May 2015], which is shipping code and not half bad by the way, it's only natural to wonder what Andreessen and company expect to accomplish. I could be wrong, as I certainly have been before, but I would expect to see either

Déjà vu I: The RockMelt team sets out to Do Browsers Right This Time. Browsers have become de facto operating systems, complete with the ability of one rogue script to grind the whole thing to a halt, so it's plausible that a redesign from a clean sheet could do better. Every time I've seen this trick tried, little things like release schedules and compatibility with the messy outside world intervene. This is a particular stumbling block for companies in the placeholder home page stage where the world is still young, clean and pretty.

Not that, say, Opera or Chrome or <your favorite browser that I'm forgetting> haven't had some measure of success, just that it's not so clear what our new protagonists are going to come up with that the dozens before them have missed.

Déjà vu II: From what I can glean from the article, RockMelt is not trying to be a general-purpose browser. Andreessen is also on the board of Facebook and RockMelt is explicitly aimed at supporting social networking. This has a number of advantages, particularly the relative lack of competition and the chance to build on a successful existing brand.

But do I really want to use a different browser for socializing than for checking the weather? I'm probably not the right person to ask, since my social networking and my web use hardly intersect, but my personal answer would be "no". My guess is that people will either shrug and continue to use their existing browser for everything, or the new browser will offer more and more plug-ins and apps so it can act just like a regular browser. Which brings us back to item I.

Either way, I can't shake the feeling I've seen this movie before. Didn't AOL used to have its own browser or such?

[In the end, they were bought by Yahoo! in 2013, evidently not such a bad outcome for them --D.H. May 2015]