Davey Winder investigates whether Google Chrome really deserves its reputation for hardened security – and shows how to make the browser even safer
Ask a roomful of people to name the most insecure web browser and hands will quickly shoot up to answer: “Internet Explorer”. Ask people to pick the safest, and “Chrome” will be the answer on the lips of many. But how true is that in reality?
It depends on how you measure safety. The Secunia Vulnerability Review suggests that known browser vulnerabilities increased from 728 in 2013 to 1,035 in 2014, with most rated as critical. Safari had the fewest, followed by Firefox, Internet Explorer and then Chrome. Secunia also took patch status into account: the more users with unpatched vulnerabilities, the less secure the browser. Using this metric, Internet Explorer is easily the safest, followed by Chrome, Safari and Firefox. Rank them by risk exposure (calculated as market share multiplied by unpatched users) and it all changes again, with Firefox at the top, followed by Chrome, Internet Explorer and Safari.
At the last Pwn2Own zero-day hacking contest, Internet Explorer 11 (64-bit with Enhanced Protected Mode enabled) ranked in last place with four vulnerabilities exploited, followed by Mozilla Firefox on three, Apple Safari (64-bit) on two and Google Chrome (64-bit) with just one.
These four different results from just two reports reveal that, while Chrome may be reasonably secure, it’s not bulletproof. Let’s start by looking at what Chrome does well, and then address how you can improve it.
Sandboxed structure
From the moment Chrome launched, Google made security a priority. The internal sandboxing architecture makes things hard, if not impossible, for those who want to exploit a vulnerability. The HTML rendering and JavaScript execution processes also live in the sandbox, adding a strong layer of protection. Chrome also tries to stop you visiting sites that may infect your computer, by warning you if a site is potentially unsafe. The third prong in Chrome’s security trident is automatic browser updates, which are regularly performed in the background to ensure you always have the most recent – and therefore most secure – version.
It’s possible to switch off the warnings, but thankfully this option is in the browser’s Advanced Settings, which will hopefully stop casual tweakers disabling a useful security feature. You will also find the Do Not Track setting here. Despite being the last of the big players to add such a feature, Chrome has caught up and now allows you to disable cross-site user tracking for the purpose of serving adverts. Not all sites respond, but it’s a privacy option worth having – as are the Chrome Incognito and Guest features for removing history and cookies when you finish a session. Guest mode goes furthest, not allowing the user to modify (or even see) the profile of the browser owner.
Extensions can be both a blessing – providing extra features such as the LastPass password manager – and a curse when developers abuse them. They can also inject malware into the browser. Google has attempted to counter this by insisting that all extensions for Windows Chrome users must be hosted in the Chrome Web Store. In the year since the policy was introduced, there has been a 75% drop in support requests for uninstalling unwanted extensions. The same walled-garden approach is now being rolled out for Mac users, and the Windows developer channel is following suit after some malicious software was found to be forcing users to install off-store extensions.
Password problems
Although security should be seen as a process rather than a product, sometimes a product doesn’t help. For example, Chrome can leave your site passwords exposed to anyone who has access to your computer. Of course, you shouldn’t leave your computer unattended and accessible to others, but if you forget to press Windows+L before you go for a coffee break, you don’t want your web browser making site password retrieval as easy as typing chrome://settings/passwords into the address bar. Do that in Chrome and, if you haven’t locked down the client so as not to “offer to save your web passwords”, a list of sites and associated passwords appears. The passwords are initially hidden behind asterisks, but only until you click on the entry and hit the Show button to reveal them.
Unlike in other browsers, these stored passwords are not themselves password-protected. You shouldn’t let ease of use trump security – don’t let Chrome store your logins like this. Instead, install a dedicated password manager such as LastPass, which encrypts your logins and requires a strong master password to access them. Even if someone gets access to your computer, your logins should remain safe if you’ve opted for a secure master password and two-factor authentication. Chrome doesn’t even make it easy to opt out of this insecure password-storage system: the option is tucked away in Advanced Settings, which is at the bottom of the standard Settings screen and requires a further click to access.
Chrome can also synchronise your settings and saved data across multiple devices, opening an obvious security risk – especially when all that’s required to sync your browser data is your Google account password on a new device. Couple this with a user who saves site passwords in Chrome, and the danger is easy to see. Thankfully, it’s also easy to stop. First, follow our advice about not saving site passwords in Chrome. Then add another layer of security by encrypting your synced data with a passphrase that’s stored on your computer and isn’t transmitted to Google. You’ll find this option in the standard settings by clicking the Advanced Sync Settings button and choosing either to encrypt synced passwords or all synced data (go for the latter) with a passphrase of your choice.
If you forget your passphrase, you can reset the sync from your Google Dashboard, which deletes all synced data from the Google servers and disconnects your synced devices. The data on your devices is not wiped, however, so all your bookmarks and preferences will remain for when you re-enable sync with a new passphrase. As yet another layer of security, turn on two-step verification to prevent anyone else signing in from an unknown device, even if they have got your Google account password.
Speaking of passwords, along with the LastPass extension, you should install the Google Password Alert extension. This only protects your Google account password, but as this is used for an increasing number of applications and services, it’s a worthy addition to your arsenal. It uses a secure thumbnail of your Google account password and compares it with thumbnails of your most recent keystrokes in Chrome, alerting you if your password has been entered into a non-Google site and helping thwart phishing attacks. Initially, researchers were able to bypass the system, but Google fixed this and it now works as expected. It still only operates within the browser when JavaScript is enabled and doesn’t protect apps, extensions or incognito tabs unless configured to do so. You can configure this by typing chrome://extensions into the address bar and scrolling down to the Password Alert options. The “allow access to file URLs” tickbox is only of use to web developers.
Hardened browser
Despite the marketing claims, Google Chrome isn’t secure. No web browser is. They all need to be treated with caution and hardened through configuration, extensions and safe browsing practices. Use Chrome as the basis of this browsing ecosystem and you will be off to a good start.
How secure is your Chromebook?
The browser-based Chrome OS negates many of the risks facing the mobile user. Because a Chromebook can’t install software, many pundits say that you won’t be affected by viruses, Java applets or Flash, or malware attachments in email. However, a Chromebook is not 100% secure.
It’s true that software can’t be installed, but web apps can. The Google Chrome Web Store keeps most dodgy apps at bay, but “safe” apps have been known to turn rogue and inject ads into web pages or act as spyware.
Chrome OS performs a verified boot at every startup to ensure the OS hasn’t been tampered with, and if any signs of this are detected (or if there is any corruption), the system repairs itself to a clean state. There’s no Patch Tuesday to worry about or system security upgrades to look out for. Chrome OS automatically updates itself and downloads the necessary files in the background, installing them at your next startup without any user intervention. So, overall, the Chrome OS is pretty secure, but that doesn’t mean you can drop your guard.
It’s pretty easy to further secure your Chromebook with some quick fettling. Mitigate the web app risk by using Guest mode instead of signing in with Google, as this disables installed apps and prevents the installation of others. Guest mode also erases your session data and downloaded files when you log out. Think of it as Incognito on steroids. Talking of privacy issues, if you lose your Chromebook, your files will remain safe thanks to the built-in encryption, as long as your Google account password isn’t compromised. If you wish to sell your Chromebook, use the Settings | Advanced Settings | Powerwash option to reset the device to its defaults and delete all local data.
For the most part, you rely on being online to use your device, so insecure public internet access is a threat. Mitigation is the same as for a £2,000 Windows laptop: use a virtual private network (VPN). However, using a VPN on a Chromebook can appear daunting, as you can’t just install an app. If your VPN provider supports L2TP over IPsec (or OpenVPN with more fiddling), it’s straightforward. Here’s how to install the Hide My Ass (HMA) VPN on a Chromebook.
1 Open your Chromebook Settings screen and select Add Connection, followed by Add Private Network.
2 Enter the chosen IP (from those supplied by your VPN provider) into the Server Hostname space and use any Service Name you wish. Select L2TP/IPSec + Preshared Key from the Provider Type dropdown, then enter the preshared key you have been given. Note that while the username you enter is as you’d expect, in the case of HMA the password is the PPTP password, which you’ll find in your desktop VPN control panel.
3 Click Connect and, if all is well, you will see the chainlinks appear below the signal strength logo, which shows that you’re connected to your VPN.
4 Right-click that logo and, from the Settings screen, select your private network again to reveal a configuration window. From here tick “Automatically connect this network” if you want to use your VPN connection by default, rather than forgetting to enable it while you’re out and about.
5 To delete a VPN go to Settings | Private Networks | Preferred Networks and hover the pointer over the entry you want to delete until the “x” appears.