Improving Google Chrome
Google Chrome is a fact. It is a nice, slick-looking browser. It is open source and it has some nice security features. However, these security features strive to protect the user from attacks that try to take over the browser and operating system. As I explained here, because most data nowadays is located on the Web, it makes sense to also have built-in security features that prevent the various forms of information leaks, XSS, CSRF and similar attacks.
So let’s start with the things which are easy to fix, such as leaking session identifiers while on an untrusted network. This can be fixed so easily, yet we don’t have it as a built-in feature. Here is my suggestion:
This is a nice, simple feature which can be easily implemented with minimal programming overhead. So what do you think?
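
As an added example (not part of the original post and not Chrome code), the suggested mode, an "Encrypted Mode" window in which HTTPS is forced on all requests, can be sketched as a request policy and compared with a normal window for session-cookie exposure. All function names and sample cookies are constructed for illustration, and cookie domain/path matching is assumed to have already succeeded.

```javascript
// Added example: policy for a hypothetical HTTPS-only ("encrypted mode") window.
// Every name and sample value here is constructed for illustration.

// Parse one Set-Cookie header value into { name, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const secure = attrs.some((a) => a.toLowerCase() === "secure");
  return { name, secure };
}

// Decide what the window does with a request URL: allow, upgrade or block.
function encryptedModeDecision(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { action: "block", url: null }; // unparseable: fail closed
  }
  if (url.protocol === "https:" || url.protocol === "wss:") {
    return { action: "allow", url: url.href };
  }
  if (url.protocol === "http:" || url.protocol === "ws:") {
    // Rewrite to the TLS scheme; if the server has no TLS the load simply fails.
    url.protocol = url.protocol === "http:" ? "https:" : "wss:";
    return { action: "upgrade", url: url.href };
  }
  return { action: "block", url: null }; // e.g. ftp: has no TLS rewrite here
}

// Names of cookies that would cross the network in cleartext for this request.
// Cookies without the Secure attribute are attached to plain-HTTP requests.
function cleartextCookies(rawUrl, setCookieHeaders, encryptedMode) {
  const finalUrl = encryptedMode ? encryptedModeDecision(rawUrl).url : rawUrl;
  if (finalUrl === null || !/^(http|ws):/i.test(finalUrl)) return [];
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.secure)
    .map((c) => c.name);
}

// Constructed sample: a session cookie that was set without Secure.
const SAMPLE_COOKIES = ["SID=abc123; Path=/; HttpOnly", "prefs=dark; Secure"];

console.log(cleartextCookies("http://example.com/inbox", SAMPLE_COOKIES, false));
console.log(cleartextCookies("http://example.com/inbox", SAMPLE_COOKIES, true));
```

In the normal window the `SID` cookie travels unencrypted on the `http://` request; in the HTTPS-only window the same request is rewritten before any cookie is attached, so nothing is exposed to the local network.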

Comments
Sure, it is a great idea, and it’d be easy to do in Firefox via an extension. But it doesn’t protect you from either XSS attacks or CSRFs.
Yep, correct. The anti-XSS and CSRF features should be global to all browser modes.
Yeah, it’s a very nice idea but the browser honestly sucks; they first need to fix all the simple bugs and bofs in the software. Your idea is a good beginning. Btw, “big company, bad software”: I don’t want to say that about Google, but something is wrong here.
I think privacy is very important. I didn’t realize there was that problem with leaking session identifiers. Do you think google will be fixing this soon (especially since you say it’s a quick and easy fix)? That’s one thing I’d like fixed before I fully commit to google chrome.
Yeah, the Google Chrome browser is a great piece of work but they still have a few big bugs to fix. And I also don’t like how the browser itself doesn’t support flash games and videos that well. But it’s the beta version :)
I like the idea of having an encrypted mode. One of the things that puzzles me about Chrome, is that even though the tabs run as different processes, session cookies are still shared between the tabs. If they were not shared, that might make XSRF harder, because the sessions were not available when visiting a malicious site in another tab.
@ Erlend:
I understand your concern, but if session cookies (and sessions in general) aren’t shared between tabs, there would be no possibility for child sessions or child processes communicating with the parent. Although I’m not fond of the use of child processes, sometimes they come in handy. Lots of webapps would have to be rewritten, even the encrypted ones.
Reasonable idea but I doubt they would ever implement it since it will break many (most) websites.
“Let’s have another Chrome Mode which is called Encrypted Mode -> New encrypted window Ctrl + Shift + E. Once inside this window, HTTPS is forced on all requests. No exceptions!”
Can you elaborate a bit more, please? Would this mean that use of HTTPS would be mandated by the browser as opposed to by the web app?