Improving Google Chrome

Google Chrome is a fact. It is a nice and slick looking browser. It is open source and it has some nice security features. However, these security features strive to protect the user from attacks which try to takeover your browser and operating system. As I explained here, because nowadays most of the data is located on the Web, it makes sense to have built-in security features to prevent the various forms of information leaks, XSS, CSRF, etc. attacks as well.

So let’s start with the things which are easy to fix, such as leaking session identifiers while being on untrusted network. This can be fixed so easily yet we don’t have that as a built in feature. Here is my suggestion:

Let’s have another Chrome Mode which is called Encrypted Mode -> New encrypted window Ctrl + Shift + E. Once inside this window, HTTPS is forced on all requests. No exceptions! This feature should be derived from the incognito mode, which means that private data wont be saved as well.

This is a nice simple feature which can be easily implemented with minimum programming overhead. So what do you think?

Comments

Ryan Patterson responds:

Sure, it is a great idea, and it’d be easy to do in Firefox via an extension. But it doesn’t protect you from either XSS attacks or CSRFs.

pdp responds:

yep, correct. the anti XSS and CSRF features should be global to all browser modes.

Julian A. Rodriguez responds:

yeah it’s a very nice idea but the browser honestly sucks, they need first fix all the simple bugs and bofs in the software; your idea it’s a good begin, btw “big company, bad software” I don’t want to say that about google but something it’s wrong here

Clefty responds:

I think privacy is very important. I didn’t realize there was that problem with leaking session identifiers. Do you think google will be fixing this soon (especially since you say it’s a quick and easy fix)? That’s one thing I’d like fixed before I fully commit to google chrome.

NurBo responds:

Yeah the Google Chrome browser is a great piece of work but they still have a few big bugs to fix. And I also don’t like how the browser itself doesn’t support flash games and videos that we’ll. But its the beta version :)

Erlend responds:

I like the idea of having an encrypted mode. One of the things that puzzles me about Chrome, is that even though the tabs run as different processes, session cookies are still shared between the tabs. If they were not shared, that might make XSRF harder, because the sessions were not available when visiting a malicious site in another tab.

FilipM responds:

@ Erlend:
I understand your concern, but if session cookies (and sessions in general) aren’t shared between tabs, there would be no possibility for child-sessions or childprocesses communicating with the parent. Although I’m not fund of the use of childprocesses, somethimes they come in handy. Lots of webapps would have to be rewritten, even the encrypted onces.

Hubert responds:

Reasonable idea but I doubt they would ever implement it since it will break many (most) websites.

radi responds:

“Let�s have another Chrome Mode which is called Encrypted Mode -> New encrypted window Ctrl + Shift + E. Once inside this window, HTTPS is forced on all requests. No exceptions!”

Can you elaborate a bit more, please? Would this mean that use of HTTPS would be mandated by the browser as opposed to by the web app?

GNUCITIZEN Products

Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.

Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.

Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.

Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.

Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.

Visit the GNUCITIZEN Network for a complete listing of all GNUCITIZEN initiatives, products and partnering organizations.

GNUCITIZEN

Navigation