- Saturday September 13th, 2008
I downloaded Google’s new Chrome browser (http://www.google.com/chrome) this morning. I installed it and I played with it for about an hour. I read the release notes and watched several of Google’s videos. Overall, it looks cool and seemed to be snappy and quick to respond. I was particularly taken with the focus on tabs. I also thought the multi-process, multi-tab sandbox is a really interesting idea - initially from a usability perspective but potentially also from a security perspective, though there isn’t anywhere near enough information yet to make a proper assessment. I did try to break some tabs and see how effective the sandboxing was (it seems to hold up from a very brief look, but it’ll take some code review from someone with more code-fu than me to determine how secure the concept actually is; see below). A few things didn’t inspire me: the border decoration was a little unintegrated. And I am always loath to pass judgement on an application that by its very nature needs to be examined in a cross-platform context; I would want to see it running on all of Microsoft Windows, OSX, and Linux. This is particularly true of OSX, where the graphical environment can make an enormous difference to how an application engages you. But after my play I closed Chrome down with a big sigh to get on with my actual day job. Why the sigh? Did I think the new Chrome browser wasn’t very good? Nope. But my first thought was: I wonder how many people in my enterprise have downloaded and installed Chrome over the last few days. This was quickly followed by me asking two questions:
- What is the change in the enterprise’s risk profile of adding this new application?
- What’s the operational impact of some, many or all of my users downloading and installing this application?
Obviously (and hopefully) it is only an incremental change in risk profile, and not much at that. The browser will probably only be downloaded by power users and innovators in the enterprise, initially at least. On the threat landscape in most enterprises, however, browsers punch well above their weight in terms of attack surface, are a common source of malware infection, and browser exploits are a popular target for hackers. Indeed a (the first?) Chrome vulnerability has already been discovered AND exploited (see http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php) literally hours after Chrome was released.
So Chrome’s potential as a source of compromise and attacks needs to be carefully considered. The answer to the second question is also ambiguous but finding out can add a lot of work for a security team. With any new application, but especially ones like browsers that are such rich sources of malware attack, there is now a potential need to:
- Track bugs and vulnerabilities for the application;
- Add it to software profiles for vulnerability scanning;
- Investigate its network behaviour for IDS/IPS purposes;
- Profile it for our Security Event and Incident Management process; and
- Specifically for this application ascertain if its Incognito stealth browsing capability impacts our ability to investigate and gather evidence in incidents.
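The first question I asked above (how many people have already installed Chrome?) and the SIEM profiling item are the same problem in practice: the web proxy logs already record every browser's User-Agent, so an inventory can be built from them. The script below is an added example, not part of the original post; it assumes a simple space-separated proxy log format with the User-Agent in quotes, and the log lines are constructed (the Chrome strings follow the 0.2.x release format, and the Safari and Firefox lines are there to show that "AppleWebKit" or "Safari" alone does not identify Chrome).

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines. Assumed format: timestamp client_ip user url "user-agent".
SAMPLE_LOG = """\
2008-09-13T09:12:01 10.0.5.21 alice http://www.google.com/chrome "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13"
2008-09-13T09:13:44 10.0.5.33 bob http://intranet/home "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1"
2008-09-13T09:15:02 10.0.5.40 carol http://news.example.com/ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
2008-09-13T09:16:10 10.0.5.21 alice http://mail.example.com/ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13"
2008-09-13T09:20:55 10.0.5.52 dave http://www.example.org/ "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.29 Safari/525.13"
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Match the Chrome product token in the User-Agent field only: a bare substring search over
# the whole line would also hit the download page URL (www.google.com/chrome) in line one.
CHROME_RE = re.compile(r'(?:^|\s)Chrome/(?P<version>\d+(?:\.\d+)+)')

def parse_line(line):
    """Split one log line into named fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def chrome_version(user_agent):
    """Return the Chrome version carried in a User-Agent string, or None if it is not Chrome."""
    m = CHROME_RE.search(user_agent)
    return m.group("version") if m else None

def inventory_chrome(log_text):
    """Return {client_ip: {"users": [...], "versions": [...], "requests": n}} for Chrome clients."""
    seen = defaultdict(lambda: {"users": set(), "versions": set(), "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue          # skip malformed lines rather than aborting the whole inventory
        version = chrome_version(rec["ua"])
        if version is None:
            continue          # Safari, Firefox, IE etc. are not of interest here
        entry = seen[rec["client"]]
        entry["users"].add(rec["user"])
        entry["versions"].add(version)   # several versions per host can flag an un-updated install
        entry["requests"] += 1
    return {ip: {"users": sorted(e["users"]), "versions": sorted(e["versions"]),
                 "requests": e["requests"]} for ip, e in seen.items()}

if __name__ == "__main__":
    for ip, info in sorted(inventory_chrome(SAMPLE_LOG).items()):
        print(f"{ip}: users={info['users']} versions={info['versions']} requests={info['requests']}")
```

The per-host version list is what feeds the vulnerability-tracking item: once a Chrome advisory names fixed versions, the same inventory shows which hosts are still running an older build.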
So most important to me right now is not whether Chrome will outshine Firefox or IE or whether it represents the future of the browser. But rather how much work is this new browser going to create for me :)
P.S. If you’re interested in looking at it, you can find Chrome’s source code at http://code.google.com/chromium/. There are also build instructions (for which you will probably need to have some developer skills) for OSX and Linux.