Tag Archives: Chrome

HOWTO: Securing Chrome and Chromium

[Image: “Secure browsing”, captioned “Unnecessary and probably ineffective against most threats”]

With the recent Pwn2own 2012 results now available, I thought the moment seems ripe to look at securing Chrome (or Chromium, in my case). When I talk about browser security, though, I don’t only mean trying to prevent exploits, but also trying to maintain the user’s privacy. Users can’t necessarily protect themselves against fresh exploits like the ones found during Pwn2own, but we can significantly raise the bar.

Below is my recommended setup, and I welcome your additions, corrections, and suggestions.

Settings

In Preferences, I’ve set the following:

  • Basics
  • Personal Stuff
    • Not signed into Chrome / Chromium. This means you don’t have settings stored on their servers, but it also means you don’t have automatic backups and synchronization of your bookmarks and other stuff. Security involves tradeoffs.
    • Set Passwords to “Never save passwords”.
    • Disable autofill so that personal information does not get stored, including sensitive info.
  • Under the Hood
    • Privacy – Content Settings
      • Allow local data to be set for the current session only
      • Block third-party cookies and site data. If you choose “Block sites from setting any data”, many sites just won’t work at all, because they lose their session IDs and similar state.
      • Allow all sites to run JavaScript. This actually isn’t the most secure setting, but until Chromium supports the model that NoScript uses, I’ve had to make this usability concession.
      • Do not allow any site to track my physical location
    • Uncheck “Use a web service to help resolve navigation errors”
    • Uncheck “Use a prediction service to help complete searches and URLs typed in the address bar”
    • Uncheck “Predict network actions to improve page load performance”
    • Leave “Enable phishing and malware protection” checked, as this is handled in a secure fashion involving a list on your client.
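The same settings can be pinned down outside the Preferences dialog with a managed policy file, which is handy if you maintain several machines or want the settings to survive a reinstall. The file below is an added example, not part of the original post: it expresses the list above as Chrome/Chromium enterprise policies. It assumes the policy names and enum values current in Chromium’s policy documentation (DefaultCookiesSetting 4 = keep cookies for the session, DefaultJavaScriptSetting 1 = allow, DefaultGeolocationSetting 2 = block, NetworkPredictionOptions 2 = never predict, SafeBrowsingProtectionLevel 1 = standard) and the Linux policy directory, which on Chromium is /etc/chromium/policies/managed/ and on Google Chrome is /etc/opt/chrome/policies/managed/.

```json
{
  "SyncDisabled": true,
  "PasswordManagerEnabled": false,
  "AutofillAddressEnabled": false,
  "AutofillCreditCardEnabled": false,
  "DefaultCookiesSetting": 4,
  "BlockThirdPartyCookies": true,
  "DefaultJavaScriptSetting": 1,
  "DefaultGeolocationSetting": 2,
  "AlternateErrorPagesEnabled": false,
  "SearchSuggestEnabled": false,
  "NetworkPredictionOptions": 2,
  "SafeBrowsingProtectionLevel": 1
}
```

Save it as, say, privacy.json in the managed directory, restart the browser, and open chrome://policy to confirm each policy loaded with status OK. Because these are managed (not recommended) policies, the corresponding controls in Preferences are greyed out, so anyone who wants a per-site exception has to edit the file rather than click through the dialog.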

Extensions

Extensions by their nature involve running foreign code within your browser. So think carefully about extensions that can help you, but also be careful with what you enable – because one bad extension could ruin your whole day. I use the following:

  • Adblock Plus. I can’t stand the web without it.
  • Ghostery does an outstanding job of managing tracking cookies and other web bugs. Chrome will occasionally complain about Adblock Plus misbehaving when you have both of these installed, due to the fact that sometimes they both want to modify a request.
  • HTTPS Everywhere allows you to ensure that you only communicate with certain sites over SSL. My home browser only has WordPress.com and Twitter.com enabled, so clearly I need to spend a little more time finding which sites have HTTPS support.

Practices

I personally do most of my web browsing from a Unix-style operating system (Xubuntu GNU/Linux), and essentially all of my sensitive browsing, like managing my finances, happens there. You might consider doing some of this from within a dedicated virtual machine using VirtualBox, but that might also be overkill for some needs.

Think before you click. I never go to any of my financial sites from a link via email or anything else, and if I’m using a public network, I never visit anything insecure and remotely sensitive.

Keep your browser up-to-date, no matter what operating system you use. Chrome can do this automatically in Windows, and under Linux you should run your update manager periodically. Most modern distributions do this for you already, but check your settings.

Keep your plugins up-to-date as well, especially Flash and Java. I believe Chrome has its own built-in Flash interpreter, at least on Windows, but you will want to do this in any case. And Java has had all sorts of problems over the last few years. If the malware I see in my day job is any indication, then this hasn’t slowed down at all.

Conclusion

A little due diligence can go a long way. Use the tools available and try to maintain situational awareness. Hey, let’s be careful out there.

Qualys BrowserCheck social engineering

Something triggered in my mind today that reminded me to go take a look again at Qualys BrowserCheck. I really appreciate the idea behind it: to “perform a security analysis of your browser and its plugins to identify any security issues.”

But I sort of wonder if it’s not also teaching users to fall for malicious plugins that use social engineering tricks:

Their FAQ gives more details, but still, I hesitate to recommend this to other people because I don’t want them getting the idea that they should normally give plugins those permissions. (And no, I didn’t install it, either.) I don’t know whether Chrome and other browsers offer a better model that could allow a plugin to check those details, but for now I’ll go with the less intrusive quick scan.

Spyware Chrome extensions considered harmful

[Image: ‘Carefull what you wish for’ by Robbert van der Steeg]

Messing around on Reddit tonight, I found a post that disturbed me greatly – not in the usual sense people mean for Reddit.

According to khoker, the Smooth Gestures extension for Chrome is spyware.

function pl_track() {
    // Only beacon on plain-HTTP pages; HTTPS pages are skipped
    if (window.location.protocol == "https:") return;
    // Only from the top-level frame, and only once per page
    if (window === window.top) {
        if (!document.getElementById('hummingtrack')) {
            // 1x1 tracking pixel whose URL carries the host name of the site being visited
            // ("http://host/path".split(/\/+/g)[1] is "host")
            var trackerimg = document.createElement('img');
            trackerimg.id = "hummingtrack";
            trackerimg.src = "http://www.smoothgesturesapp.com/tracking/tracking_ss.gif?events="
                + window.location.href.split(/\/+/g)[1] + "&r=" + Math.random();
            trackerimg.height = "1";
            trackerimg.width = "1";
            document.body.appendChild(trackerimg);
        }
    }
}
// Fire the beacon 1.5 s after the content script loads (pass the function, not its result)
setTimeout(pl_track, 1500);

If somebody has a reasonable explanation for this other than ‘spyware’, I’d love to hear it.
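Before installing (or re-enabling) an extension, you can unpack its .crx and look for this pattern yourself. The scanner below is an added example, not something from the post or from the extension’s authors: it runs a few regular-expression heuristics over a content script and flags the combination that makes the snippet above a beacon, namely an image whose remote src is built from the page’s own URL, plus the supporting tells (an early return on HTTPS pages, a 1x1 image). The quoted Smooth Gestures function is embedded as constructed sample input, alongside a constructed benign snippet that loads an image bundled with the extension; the heuristic names and the “likely-beacon / review / clean” verdicts are this example’s own.

```python
import re

# Constructed sample input: the pl_track() function quoted in the post.
SAMPLE_EXTENSION_JS = r'''
function pl_track(){
if (window.location.protocol == "https:") return;
if (window === window.top)
{
if (!document.getElementById('hummingtrack'))
{
trackerimg=document.createElement('img');
trackerimg.id="hummingtrack";
trackerimg.src="http://www.smoothgesturesapp.com/tracking/tracking_ss.gif?events="+window.location.href.split(/\/+/g)[1]+"&r="+Math.random();
trackerimg.height="1";
trackerimg.width="1";
document.body.appendChild(trackerimg);
}
}
}
setTimeout(pl_track(),1500);
'''

# Constructed benign sample: an image shipped inside the extension itself.
BENIGN_JS = r'''
function showIcon(){
  var img = document.createElement('img');
  img.src = chrome.extension.getURL('icon.png');
  document.body.appendChild(img);
}
'''

# Heuristics (names are this example's own).
REMOTE_SRC = re.compile(r"\.src\s*=\s*['\"]https?://([^/'\"]+)")          # .src = "http://host..."
PAGE_IDENTITY = re.compile(                                                  # anything that names the visited page
    r"location\.(href|hostname|host|pathname)|document\.(referrer|URL|title|cookie)")
HTTPS_SKIP = re.compile(r"location\.protocol\s*==+\s*['\"]https:['\"]\s*\)\s*return")
TINY_IMAGE = re.compile(r"\.(height|width)\s*=\s*['\"]?1['\"]?(?![0-9])")


def scan_extension_source(js):
    """Return (verdict, findings); each finding is (line_no, kind, remote_host)."""
    findings = []
    for n, line in enumerate(js.strip().splitlines(), 1):
        m = REMOTE_SRC.search(line)
        if m and PAGE_IDENTITY.search(line):
            # A remote image URL that embeds the current page's identity: the beacon itself
            findings.append((n, "page-url-exfil", m.group(1)))
        elif m:
            findings.append((n, "remote-image-src", m.group(1)))
        if HTTPS_SKIP.search(line):
            findings.append((n, "https-skip", ""))
        if TINY_IMAGE.search(line):
            findings.append((n, "tiny-image", ""))

    kinds = {kind for _, kind, _ in findings}
    if "page-url-exfil" in kinds or {"remote-image-src", "tiny-image"} <= kinds:
        verdict = "likely-beacon"
    elif kinds:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, findings


def beacon_hosts(findings):
    """Hosts that would receive the visited-page data, for a block list or a report."""
    return sorted({host for _, kind, host in findings if kind == "page-url-exfil"})


if __name__ == "__main__":
    for name, src in (("smooth-gestures sample", SAMPLE_EXTENSION_JS), ("benign sample", BENIGN_JS)):
        verdict, findings = scan_extension_source(src)
        print(name, "->", verdict)
        for line_no, kind, host in findings:
            print("  line %d: %s %s" % (line_no, kind, host))
```

Point it at every .js file in the unpacked extension directory and treat “likely-beacon” as a reason to read the file by hand, not as proof: a legitimate extension could fetch a remote image for a good reason, and the heuristics are easy to evade with string building or minification. The useful output for a defender is beacon_hosts(), which gives you the domain to watch for in your proxy logs or to add to your ad blocker.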

The Google Code issue has quite a few comments discussing it further, and you may wish to report it to Google as I did.

For myself, I’ve disabled it for now until this gets resolved. I use my browser for internal corporate stuff as well, and I don’t think anybody needs to know about those sites (though I don’t particularly care about them seeing me waste time on G+ and Reddit :P ). This is very sneaky and potentially illegal. At the least, it’s almost certainly a violation of their terms of service with Google.