With the recent Pwn2own 2012 results now available, I thought the moment seems ripe to look at securing Chrome (or Chromium, in my case). When I talk about browser security, though, I don’t only mean trying to prevent exploits, but also trying to maintain the user’s privacy. Users can’t necessarily protect themselves against fresh exploits like the ones found during Pwn2own, but we can significantly raise the bar.
Below is my recommended setup, and I welcome your additions, corrections, and suggestions.
In Preferences, I’ve set the following:
- Personal Stuff
- Not signed into Chrome / Chromium. This means you don’t have settings stored on their servers, but it also means you don’t have automatic backups and synchronization of your bookmarks and other stuff. Security involves tradeoffs.
- Set Passwords to “Never save passwords”.
- Disable autofill so that personal information does not get stored, including sensitive info.
- Under the Hood
- Privacy – Content Settings
- Allow local data to be set for the current session only
- Block third-party cookies and site data. If you choose “block sites from setting any data”, many sites just won’t work at all due to losing session IDs and such).
- Do not allow any site to track my physical location
- Uncheck “Use a web service to help resolve navigation errors”
- Uncheck “Use a prediction service to help complete searches and URLs typed in the address bar”
- Uncheck “Predict network actions to improve page load performance”
- Leave “Enable phishing and malware protection” checked, as this is handled in a secure fashion involving a list on your client.
- Privacy – Content Settings
Extensions by their nature involve running foreign code within your browser. So think carefully about extensions that can help you, but also be careful with what you enable – because one bad extension could ruin your whole day. I use the following:
- Adblock Plus. I can’t stand the web without it.
- Ghostery does an outstanding job of managing tracking cookies and other web bugs. Chrome will occasionally complain about Adblock Plus misbehaving when you have both of these installed, due to the fact that sometimes they both want to modify a request.
- HTTPS Everywhere allows you to ensure that you only communicate with certain sites over SSL. My home browser only has WordPress.com and Twitter.com enabled, so clearly I need to spend a little more time finding which sites have HTTPS support.
I personally do most of my web browsing from a Unix-style operating system (Xubuntu GNU/Linux), and essentially all of my sensitive browsing like managing my finances. You might consider doing some of this from within a dedicated virtual machine using VirtualBox, but that might also be overkill for some needs.
Think before you click. I never go to any of my financial sites from a link via email or anything else, and if I’m using a public network, I never visit anything insecure and remotely sensitive.
Keep your browser up-to-date, no matter what operating system you use. Chrome can do this automatically in Windows, and under Linux you should run your update manager periodically. Most modern distributions do this for you already, but check your settings.
Keep your plugins up-to-date as well – especially Flash and Java. I believe Chrome has its own built-in Flash interpreter, at least on Windows, but you will want to do this in any case. And Java has had all sorts of problems over the last few years. If the malware I see in my day job is any indication, then this hasn’t slowed down at all.
A little due diligence can go a long way. Use the tools available and try to maintain situational awareness. Hey, let’s be careful out there.