Google Chrome

September 13th, 2008

I downloaded Google’s new Chrome browser (http://www.google.com/chrome) this morning. I installed it and played with it for about an hour. I read the notes and watched several of Google’s videos. Overall, it looks cool and seemed to be snappy and quick to respond. I was particularly taken with the focus on tabs. I also thought the multi-, multi-tab sandbox idea a really interesting one – initially from a usability perspective but potentially also from a security perspective, though there isn’t anywhere near enough information yet to make a proper assessment. I did try to break some tabs and see how effective the sandboxing was (it seems to hold up from a very brief look, but it’ll take some review from someone with more -fu than me to determine how secure the concept actually is – see below).

A few things didn’t inspire me – the border decoration was a little … unintegrated. And I am always loath to pass judgement on an application that by its very nature needs to be examined in a cross-platform context, and I would want to see it running on all of Microsoft Windows, OSX, and Linux. This is particularly true of OSX, where the graphical environment can make an enormous difference to how an application engages you.

But after my play I closed Chrome down with a big sigh to get on with my actual day job. Why the sigh? Did I think the new Chrome browser wasn’t very good? Nope. But my first thought was “I wonder how many people in my enterprise have downloaded and installed Chrome over the last few days”. This was quickly followed by me asking two questions:

1. What is the change in the enterprise’s risk profile of adding this new application?

2. What’s the operational impact of some, many or all of my users downloading and installing this application?

Obviously (and hopefully) it is only an incremental change in risk profile and not much at that. The browser will probably only be downloaded by power users and innovators in the enterprise, initially at least. In the threat landscape in most enterprises, however, browsers punch well above their weight in terms of attack surface, are a common source of malware infection, and browser exploits are a popular target for hackers. Indeed a (the first?) Chrome vulnerability has already been discovered AND exploited (see http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php) literally hours after Chrome was released. So Chrome’s potential as a source of compromise and attacks needs to be carefully considered.

The answer to the second question is also ambiguous, but finding out can add a lot of work for a team. With any new application, but especially ones like browsers that are such rich sources of malware attack, there is now a potential need to:

• Track bugs and vulnerabilities for the application;
• Add it to software profiles for vulnerability ;
• Investigate its behaviour for network behaviour and IDS/IPS;
• Profile it for our Event and Incident Management ; and
• Specifically for this application ascertain if its Incognito “stealth” browsing capability impacts our ability to investigate and gather evidence in incidents.

So what is most important to me right now is not whether Chrome will outshine Firefox or IE or whether it represents the future of the browser, but rather how much work this new browser is going to create for me… :)

P.S. If you’re interested in looking at it, you can find Chrome’s source at http://.google.com/chromium/. There are also build instructions (for which you will probably need to have some developer skills) for OSX and Linux.