Google's Chrome raises security concerns and tastes like chicken feet

I installed Google’s new Chrome web browser (beta) last Thursday to see what all the hype is about. My first impressions of Chrome are not stellar. In fact they ranked similarly to my first impressions after eating boiled chicken feet. Sure it tastes like chicken but theirs really no meat on the bone and the taste is awfully bland.


As is typical of most applications I test, I immediately gravitated toward testing the security features and functions being offered and not just the wiz bang features. Since Chrome’s launch, 5 days ago, close to a dozen vulnerabilities, most with published exploit code have been found by security researchers. That’s about two a day and this is the very first week! Here is a look at a couple of them. Sure this is a beta release and this sort of stuff is somewhat expected. However, this leads to the larger security questions:

• How quickly and effectively will Google eradicate any security vulnerabilities found? Time will tell, but Google has already released an updated Beta version. The problem is that Chrome doesn’t seem to have an auto-update mechanism. I only found the new version because I clicked on wrench/About, it did a version check, and said a new version was ready. I looked for an update menu or button and sadly didn’t find one. Not many users will know to go to the About menu to look for new updates. Auto-update needs to be in the Beta build.




• Another question is, “Will Google build an effective trust relationship with key security researchers or blow them off like some companies have done to their own detriment?” I hope that the abnormally high proportion of researchers that have found vulnerabilities and then posted their exploit code publicly isn’t a leading indicator of that trust relationship and instead has everything to do with the fact that Chrome is just Beta code.




• Given that Chrome is brand new code it is logical to hypothesize that it will be full of bugs and security holes for some time to come. The fact that there are at least two (IE and Firefox) very mature, fairly secure, and powerful browsers available to end-users already should cause many to pass on the immature code of the Chrome browser and wait until 2.0. There is just too much at stake for end-users and corporations to standardize on Chrome before it has been thoroughly vetted in the public domain.




• My first impressions are that Google’s Chrome browser lacks innovative or original features in the browser security category. Given the huge focus other browsers have put on security features lately, this is a colossal misstep by Google. In fact, Chrome trails far behind Firefox’s security plug-ins for preventing things like adware, scripting, and phishing. Chrome’s features in these areas are far from mature and in some cases, like blacklists, have been available on Firefox for a while. How Chrome’s new sandboxing feature works is almost completely unknown and looks to be just a matter of each tab running as it’s own process. That alone doesn’t make it a security feature but rather a reliability feature. If a tab goes down you other tabs still work. I’d like to see more detail on how this is a security feature as well so if anyone has a good reference send it along.

In addition to the larger security questions I just posed regarding Chrome here are some other things I uncovered. The automatic checking for server certificate revocation is not enabled by default. By default, when there is mixed content (secure and non-secure) on an SSL page all content is loaded with no warning. The built in blacklisting feature is not customizable by the end user. I also didn’t see any way to view what was on the black-list from my browser options.

The anti-phishing engine of Chrome seems capable enough. I fed about 10 verified fishing sites into it, some only hours old, and just like Firefox it caught all of them. However, I don’t like their security alert message page compared to other browsers.
On Firefox the message given to the end-user when you hit a phishing site is layman readable. Meaning my mom and dad could understand that this was a bad thing. And the bypass/do it anyway button is hidden in small text in the corner like shown below
Image: Firefox Phishing Alert

Compare that to Chrome’s alert message below. The Proceed anyway button is in the default position and is prominently displayed to the user. Also, the warning message title does not use layman’s terms. It assumes you know what the heck Phishing is. I think the alert formatting lends itself to having more people click the large, default looking, Proceed Anyway button and get themselves into trouble. Especially if the crafted message that got them here was convincing enough that this was a very important matter that needed their attention ASAP. Take a look at the image below; what do you think?

Ok enough with the security “issues”, let’s move on to other stuff.
I’ve only been working with the browser for a few days now so I am still ramping up. And yes this is beta code and I hope many of these things will be fixed before launch. Keep that in mind as I will not mention it again.
Here are my first impressions from Install to today:

• The install was fast and clean. No room for user error. However, many basic install things were missing. For example, it didn’t ask me to import my existing bookmarks and settings from another browser. This should be table stakes for any new browser. I was forced to figure it out and do it manually after install.




• Which brings me to the second point. Importing of my bookmarks was not done in a user acceptable way. It buried my bookmarks in a subfolder called imported from IE which was buried in a folder called other bookmarks which is hidden way on the left side of the browser. Come on! It should have laid out the links in my bookmarks bar on to the bookmarks bar in Chrome. Hopefully this gets fixed before release. Here is an image of the imported bookmarks:
  




• After the initial install the user is left in no man’s land. No tutorial pops up, no instructions are given, and the browser interface is very barren. It doesn’t even have a typical menu bar or a HOME button. What browser doesn’t have a HOME button! Bottom line is the user is left to figure everything out for them selves. Go read the comic book I guess, but you’d have to know that exists because the browser help doesn’t link to it directly. In it’s current form, this is not a browser for newbies.




• No import of your previous homepage settings and as mentioned their isn’t even a HOME button by default. You can get one, but it requires you to navigate through browser options menu. Since I use the HOME button constantly this is a big one for me.




• Chrome doesn’t have a separate search field box like most browsers. You are supposed to use the URL box for both your URLs and your searching. Google touts this as a new feature. Uh, NO. All browsers are capable of doing this but people don’t use it because it’s hokey. I need my search box that nicely lists my previous searches and doesn’t mess with my current pages URL string.




• I’ve noticed several issues on Chrome when loading flash player movies from different sites. Symptoms are unresponsiveness, slowness, and freezing. For example, it took me 90 seconds to start a flash movie on Chrome but only 24 seconds on Firefox.

This brings me to a discussion about Chrome’s performance. Chrome is touted as being a fast barebones browser. I did some off the cuff non-scientific testing to compare it with Firefox. So take these results with a grain of salt.

• Launching Chrome took about the same time as starting Firefox, about 3-5 seconds avg. However, my Firefox browser has tons and tons of plugs-in and extensions that load (over 20 of them) so I thought for sure it would be slower.




• Initial memory usage of Chrome vs. Firefox with just the homepage loaded was just about identical, about 60MB. Chrome started up three separate processes and Firefox had one of course. The separate processes for Chrome with only one page opened is a bit of a mystery to me but I think it is because the page had flash movies on it that open in their own process. Here is a screenshot:
  
  




• Chrome is supposed to use memory more efficiently over time and as you open more and more pages. I didn’t see this materialize; in fact I saw the exact opposite. With the same 6 tabs of various pages opened in both Chrome and Firefox memory usage was higher on Chrome. Chrome used ~135MB vs. ~107MB for Firefox. Chrome had 8 processes running and Firefox of course had only 1. On the screenshot below notice the Chrome process that shows a 17% CPU load. This stayed constant until I closed that particular tab. Not sure why it did that and it was repeatable (I speculate it was the flash plug-in). Here is the screenshot:
  
  




• Chrome’s Inspect Element is a cool feature that shows you the pages html code in a well laid out and searchable fashion.

So that’s my commentary, I’d like to hear your comments.

The opinions and information presented here are my personal views and not those of my employer.