Google Chrome

It is true what many of you have heard. Google is releasing their own browser. Google Chrome, as they call it, is based on WebKit rendering engine and introduces some novel approaches to interacting with web technologies. I must say, it is very exciting to see all of this happening.

What makes Google Chrome different is its architecture. The browser is no longer single-threaded process. Each tab is actually a separate process with own memspace. I am not sure if we are talking about threads or actual program instances but what is more important is that when you close a tab, you are virtually terminating the process. At least, this is what Google says.

This seams to have some interesting implications on the security of the browser. If you corrupt the tab's memspace then you will crash only that particular process. The browser and all other tabs should continue working just fine like nothing ever has happened. This approach has its own advantages and disadvantages. The advantages are obvious: the user experience is intact. The disadvantages are that pwning might get easier. It is very early to me to say more on this topic because I haven't seen Google Chrome in action, but I have the slight suspicion that there will be some security consequences as a result of this security model.

Google Chrome also implements a new privacy feature. I think they call it incognito or something. Basically if you browser while being in "incognito" mode, nothing ever gets logged. I think that this is a cool feature and I believe that the IE8 team is working on something similar.

Another interesting feature which I need to mention is that popups are not blocked but they open in a minimized window. If you want to see them you just drag the popup icon and there you go. Again, this is very interesting but I can already see how this may be abused. For example, it will make a huge difference if the rendering engine has already processed the content of the popup even if it is minimized. If this is the case, then this feature could turn into a very handy mechanism of hiding malicious activities. For example, if during the attack, the page flickers or the attacker is rendering too many corrupted media files, then certainly, hiding it behind a minimized popup will be a great way of avoiding detection by casual observation. Of course these are pure speculations.

Google Chrome also provides sandboxing functionalities. Apparently each process is sandboxed but I have no details how was that implemented. So taking over a process may not result into an immediate pwnage but it will certainly give the attackers some advantage. I am very interested to learn how this sandboxing mechanism is implemented for the various operating systems if the browser is cross-platformed of course, which I believe is the case.

If everything is implemented correctly, which I hardly doubt (I am a sceptic by heart), then Google Chrome may turn into a very nice technology I may consider using it in the near future. However, none of these security features interest me as much as those that allow me to prevent poorly coded web applications leaking my details over unencrypted channels. Or even features which will prevent certain types of CSRF and XSS attacks. I've said it before! Most of my data does not reside on my computer any more. Of course this philosophy had some bad side effects on me, but my point is that the data is on the Web and therefore I am concerned how my browser protects me when it comes down to Web related bugs. I believe that Google Chrome lacks mostly that and if Google decide to implement any of recommendations then in my eyes, I will certainly have a winner in the upcoming browser wars.

Archived Comments

Browser War

So is it the Third Browser War or the Second Browser War? Which is it? I read a few days ago in this blog gameshogun.ws that its Browser War 2 (under the feature tab)

just me

Grammar mistake? You said: If you corrupt the tab's memspace then you will cache only that particular process You probably mean: If you corrupt the tab's memspace then you will crash only that particular process

pdp

thanks, all fixed now!

Geoffrey Lee

What is less-secure about a security model that isolates each tab in its own process?

pdp

who said it is less secure? though, you have to admit that now the browser game has totally changed. I marely speculate on what I think might be a problem but only time will tell. therefore, you cannot say it is more secure either.

Ian Macfarlane

Interesting that they've gone with WebKit rather than Gecko - reportedly it was on the recommendations of the Android developers. WebKit is LGPL (so effectively LGPL/GPL) whereas Mozilla is MPL/LGPL/GPL. That makes Gecko-to-Webkit code contributions possible, but not WebKit-to-Gecko. Makes you wonder if Mozilla will ever drop the MPL and switch just to the (L)GPL - if they want to take advantage of this new code (such as the V8 JavaScript VM) they'll have to.

Aris

Although you have to admit that the built-in anti-phishing and anti-malware protections seem interesting at first, and definitely promising. And for the moment being, they affect a much larger part of the Internet population than do XSS and CSRF (being mostly targeted to a single person and not to a group o people). The thing is, all we can do for the moment is speculate, not having any executables to run and test.

Aditya

The browser is a good concept, but a little shaky. Some of the fonts rendered are not clear, making it unusable. The rest of the sites which load fine look good. The browser seems fast, and it a sure firefox killer. http://www.techielife.com/google-chrome-initial-review-and-comments/browsers/aditya/2008-09-02/

Corey Creed

The real reason they are doing this was actually admitted during the Q&A today. I quote: “Our hope is that by adding our voice, more users will realize there is a choice.” In other words, “We don’t care if they use Firefox or Google Chrome. We just don’t want them to use IE”

google chrome

http://www.certbible.org/googlechromewinnersand-losers/

media buff

i'm willing to try it out just to see if it works more efficiently than FireFox... if it's faster than Firefox, has tabs and isn't IE, then i'll use it

Google Chrome

The new browser by Google is extremely fast compared to the other browser out there so that alone is a major improvement really. I recommend to download it and try it out, it's very smooth to use. I posted a speed test and some graphics at http://google-chrome.com/?p=104 so you can compare.

Farhan

Its very interesting that Google has decided to take on a project like this. They obviously have such an interest in how people access the web, it was only a matter of time before they took things into their own hands. It is going to be very interesting to see how this pans out. Google Chrome browser Screenshots http://www.tonesall.com/computers-internet/google-chrome-screenshots.html

Google Chrome

This catch will catch on like wildfire once plugins are released. I'm following all the Chrome news/updates at http://ChromeSpot.com

Morgan Storey

Well posting this via chrome as it is so damn fast. There are issue with it is it; seems to die on ssl sites through our proxy server, where as all other browsers are fine. I also miss my no-script and adblock plus... but I am sure plugins will come. It is by and away faster and more responsive than Firefox3 and IE7.

Nick Night

Well, I wonder why some people are so excited about Google Chrome. The only add-ons (by now) are Web Inspector (from WebKit), Chrome’s own Task Manager, and Chrome’s own Java Debugger. The Google Updater software it installs runs as a separate process, it is not a service, and installs itself into the registry to startup at boot. And what about Privacy policy???? This and default configuration should scare all of us worse than Mozilla. Also Google has now an easy way to spy on the users' surfing behavior. Oh my gosh.....who needs such a browser?

Foil

Great browser, but not that great for a powerhouse like Google. One great feature in Firefox is the NoScript add on, block unwanted ads, pop ups, and tracking tools used by Google. Maybe these technologies were why Google decided to create its own browser as it posed a direct threat to the primary revenue stream. Look forward to others thoughts.

roamer

Heheh you and your Chrome xD I'll just continue using my Firefox until Google Bronze comes out. That is gonna be the Browser with the big B! http://ch4ng3d.brb.cz/index.php?lang=enus&page=detail&id=95

treser

I just checked out Google Chrome...i honestly hope it doesnt catch on...im a flash game developer and chrome gets lousy frame rates...compared to FireFox and MS IE. one game im working on gets a solid 25 fps on both FireFox and IE...but in Chrome i get 15 fps.

mindcorrosive

I am usually conservative against a browser that installs itself wherever it pleases, without any options to customize my installation. The additional Google Updater is simply a PITA. If it is needed to install Chrome, then I certainly would appreciate being told *in advance*. That said, the browser rendering is impressive, and memory footprint is lower than a FF 3.0. A large *BUT* here - the feature list of Chrome leaves something yet to be desired, especially on the side of security and customization options (SSL certificates, JS controls, plugin/addon management, RSS capabilities first come to mind). When all those features are in place, *then* we can compare performance among browsers. In an interesting twist - are we going to see an ad-blocking plugin blessed by Google that's going to block their ads? ?hose that bothered to read the EULA might be confused by the fact that Google might be free to push those promotions directly to the browser..

The Star Ruby Shop

Really.. Google is getting everywhere!

brandon miles

Google Chrome has 2 very very important security holes. Which can let some bad webmasters upload exe files to your computers without your prompt !! Go ahead and continue loving Google Chrome. When your computer suddenly shuts down and when you realize all your data is gone dont blame anybody but Google Chrome.. go and read http://www.computersake.com/2008/09/google-chrome-security-hole/ and be aware of that kind of security issues !!!

chrisbdaemon

Yes Chrome does sound pretty good, however I'd recommend checking out this blog post as well as it points out some of the defects (granted it is beta but some of their points are valid imo) http://blog.ncircle.com/blogs/vert/archives/2008/09/the_browser_with_bling.html Also make sure to pay attention to the snippet of the EULA statement quoted in the post.

chi

mock of google cartoons. http://www.surfchrome.com/index.php/gallery/chrometoon-googleville-satire/59-initial-mock-google-cartoons-emerge

NurBo

The new Google Chrome browser is very nice and is surprising really fast. I can't wait to see the final addition of this browser maybe a darker skin and some new add ons and perhaps a spell check. If so I will be using this browser alot. Keep it up Google!

Google Chrome Knowledge Base

I can't believe how quiet all the browser bug hunters are at the moment. I was positive Ronald would have put something together for us by now or Rsnake would have found a post in something bad about the whole Google influence... but nothing. I guess its just a matter of time before ppl get through with analyzing the source code and bam, we will have a flood of 0days. Anyways atm, the 1 common theme I'm seeing from the bugs coming out is that there doesn't seem to be enough data validation (i.e.checking string lengths etc) in its routine processing which seems to be cause for most issues. Finally, I plan to document all the bugs/spoilts for Chrome as they come out and you can keep up to date on them here - http://chromekb.com/vulnerabilities/

pdp

there are vulnerabilities, just we haven't publicly disclosed them just yet. :)

Google Chrome Knowledge Base

haha I new you wouldn't let us down. I'm working on some stuff myself atm and have had mild success in bypassing a few restrictions imposed by the browser but nothing worthy of a post just yet.

Synergy6

Looks good so far, but a lack of Adblock is an issue. Discussion forum at http://wearechrome.com

katy

A few more words on the speed :we've measured the speed of our aplication (http://www.taskwriter.com) on Google Chrome, and it's just a bit faster than Firefox 3.0 . IE is well behind. The graphs are here : http://www.taskwriter.com/blog/how-good-chrome-really-is

Andy

As a new comer, Chrome is good and its right, I'd tried it by myself. Compare to the others internet browser,Chrome apparently take a high position level. toptenreviews.com had reviewed & done the survey and the result is Chrome take 2nd position between Firefox 3 at 1st & IE 8 at 3rd position

PaulusDev

If anyone cannot scroll up, I released a program to quickly and automatically fix the "cannot scroll up using certain touch pads" issue for Google Chrome (until Chrome is fixed officially). Just run chrome_patch.exe. It will modify chrome.dll to fix the issue. You can download/read about it at http://digg.com/software/Google_Chrome_68

Lucian

All new Google Chrome tricks at http://mygooglechrome.blogspot.com

joseph

google chrome is awsom. weeeeeeeeeeeeeeeeeeeeeeeeee.

led

well chrome is a great user experience, as it goes, and it has added tabs which will help a novie user to go back to his pre-page as quikcley as possible

Marketing Man

I think the launch of Google Chrome is going to sink firefox in the long run, and it makes it much more painful for web developers because another browser means another platform they'll have to test their websites on. But I actually like Chrome, it's very robust.

Traian Neacsu

Hi, I am still curious if the launch of Chrome was something "unintentional". I wrote a little piece of article about this, called Google's Chrome, a coincidence?. I also kept a log on how Chrome evolved from search engines point of view. Thanks, TraiaN