The latest update to Google Chrome came with a few new bells and whistles, and lots of talk about speed. But what about security?
Browser vendors have been struggling to keep pace with the growing Web threat landscape. Internet Explorer 8 added a number of security features. In the latest release of the browser, Google has included some new protections behind the scenes, including defenses against cross-site request forgery and clickjacking. CSRF is an attack whereby a user is forced to execute unwanted actions in a Web application the user is authenticated in. To guard against CSRF in Chrome 2.0, origin information is sent for POST requests for which the server might change state.
“If you’re a bank, you would check the request to make sure that it came from your own site and not from the attacker’s site,” explained Adam Barth, a software engineer for Chrome. That, he said, is where the origin information would come in handy.
In addition to CSRF protection, Google also added HTML 5’s PostMessage to help Website developers build more secure mashup applications.
“As we get into sites that try to do mashups and you take gadgets and interesting things from all over the place, so maybe there’s a cool little gadget that shows a bunch of ponies dancing around, and people like ponies so they want ponies on their Web page,” Chrome Product Manager Ian Fette said. “I might be fine with having ponies on my Web page, but I don’t want to give that gadget permission to muck around with my password … so the PostMessage API allows me to communicate with the ponies gadget … but it doesn’t actually give that gadget the ability to reach out and directly control the rest of my page.”
Google also followed in the footsteps of IE 8 with clickjacking protections and the ability to remove thumbnails from the New Tab page for added privacy.
When the browser was first launched in September 2008, Google tried to make a big splash about its security features, touting Chrome’s sandboxing of the rendering engine, for example. But the company also experienced a few challenges-the initial release of the browser used a vulnerable version of WebKit, and other vulnerabilities appeared as the security community took the browser for a test run.
Looking ahead, Google has said it has no immediate plans to add Website security zones as in Internet Explorer or to add the ability to disable JavaScript within the user interface. It is possible, however, to disable JavaScript through the command line if that seems to be a way to thwart attacks.
“Our approach with Google Chrome has been to make things as secure as possible by default without the user having to take any actions to go and configure settings,” Fette said.