64bit Chromium Is Building, Chrome To Follow?

Chromium 64bit for Windows appears to be building on Google’s official buildbot. Many users of 64bit Windows will be very happy about this, I’m sure. 64bit leads to potential performance improvements, as well as many security improvements (especially on Windows 8), so this could go very well for everyone.

It will be fun to see what developments come out of Chrome 64bit, and what kind of performance improvements we really see. The potential for performance improvements in a 64bit browser is… mixed, and complicated. Pointer-heavy data structures like the DOM won’t enjoy larger pointers and long int values, but there are other performance improvements that will potentially outweigh that.

In terms of security, among other things, Chrome will now be able to use High Entropy ASLR, a feature of Windows 8 that makes ASLR more resilient to specific types of attacks.

Naturally, Linux users have had 64bit Chrome for ages.

Chrome 64bit For Windows Gets A Bit More Progress

Users have wanted a 64bit Chrome browser for quite some time, and with Firefox, Opera, and Internet Explorer all having 64bit versions (though Firefox does not officially support their 64bit builds) it’s a bit surprising that Chrome hasn’t released one.

The Chromium bug for 64bit support has gotten some activity recently though. We can hope this continues.

The benefits of a 64bit browser are numerous but also variable – 64bit is not magic. You don’t get it to compile for 64bit and suddenly have a super speedy browser; you have to optimize for 64bit and really make sure you take full advantage of the potential that comes along with it.

Some of that potential is directly related to security.

When most people think of 64bit they think of being able to access more RAM. The reason 64bit can access more RAM is because it can address 2^64 bits of data, whereas 32bit can only access 2^32 bits of data. This also means that it can access files of a size up to 2^64 bits and that it has an address space of up to 2^64 bits (although the usable address space is nowhere near that large in practice).

A larger address space will significantly improve ASLR, which relies on randomizing areas of address space. If you want to find random values between 1 and 10, there are only so many times you have to guess no matter how strong the random number generator is – make that between 1 and 1,000,000 and things get much harder to guess.

On Windows 8 64bit processes can opt into High Entropy ASLR, which improves the randomization of address space further, by increasing the randomness of memory allocations.

So 64bit Chrome will make things more difficult for attackers, especially on Windows 8.
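Whether a Windows build actually gets High Entropy ASLR is recorded in its PE header: the image must be 64-bit (PE32+), relocatable (DYNAMIC_BASE) and carry the HIGH_ENTROPY_VA flag. The following checker is an added example, not code from the page or from Chromium; it parses those header fields and runs on a constructed header-only PE so it works offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DLLCHAR_HIGH_ENTROPY_VA = 0x0020   # image can take a 64-bit high-entropy base (/HIGHENTROPYVA)
DLLCHAR_DYNAMIC_BASE = 0x0040      # image is relocatable, i.e. ASLR-eligible (/DYNAMICBASE)
DLLCHAR_NX_COMPAT = 0x0100         # DEP-compatible, shown only for context
PE32_MAGIC = 0x10B                 # 32-bit optional header
PE32PLUS_MAGIC = 0x20B             # 64-bit optional header
MACHINE_I386 = 0x14C
MACHINE_AMD64 = 0x8664


def aslr_opt_in(image: bytes) -> dict:
    """Walk the PE headers and report which ASLR options the image opts into."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    (machine,) = struct.unpack_from("<H", image, coff)
    opt = coff + 20                                           # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)
    is64 = magic == PE32PLUS_MAGIC
    dynamic_base = bool(dllchars & DLLCHAR_DYNAMIC_BASE)
    heva = bool(dllchars & DLLCHAR_HIGH_ENTROPY_VA)
    return {
        "machine": machine,
        "pe32plus": is64,
        "dynamic_base": dynamic_base,
        "high_entropy_va_flag": heva,
        # High Entropy ASLR only applies to relocatable 64-bit images; the flag
        # alone on a 32-bit image, or on one without DYNAMIC_BASE, does nothing.
        "high_entropy_aslr": is64 and dynamic_base and heva,
    }


def build_sample_pe(machine: int, magic: int, dllchars: int) -> bytes:
    """Constructed header-only PE image used as sample input; not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE signature at 0x40
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    x64 = build_sample_pe(MACHINE_AMD64, PE32PLUS_MAGIC,
                          DLLCHAR_DYNAMIC_BASE | DLLCHAR_HIGH_ENTROPY_VA | DLLCHAR_NX_COMPAT)
    x86 = build_sample_pe(MACHINE_I386, PE32_MAGIC, DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT)
    for name, img in (("x64", x64), ("x86", x86)):
        print(name, aslr_opt_in(img))
```

To check a real build, pass the file contents instead of the constructed sample, e.g. `aslr_opt_in(open("chrome.exe", "rb").read())`.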

In terms of performance there may or may not be significant improvements. 64bit comes with a downside: pointers are twice the size, and apparently for a browser that could end up being an issue due to how data is structured. Mozilla was working on 64bit Firefox but dropped the project because the benefits were not outweighing the development costs.

Star the Chromium bug if you’d like to see work on 64bit Chrome and Chromium for Windows continue.

SRWare Iron Browser – A Private Alternative To Chrome?

Iron Browser claims to eliminate “critical points that the privacy concern”, in other words it’s trying to solve Chrome privacy issues.

A noble endeavor. Or at least it would be if there were any credible aspect to the program. The labels “scamware” and “scareware” are fitting here.

Iron v Chrome

The SRWare Iron Browser website has a page called “Iron Vs Chrome” that ‘matches up’ the privacy features. This is actually the easiest thing to point to in order to say “wow, this browser really is bullshit.” The Iron Vs Chrome page is riddled with misinformation and false implications – it’s incredibly blatant that the Iron developer is using scare tactics here.

1) Installation-ID

This is the only privacy ‘concern’ that isn’t optional. Some facts:

  • The installation ID is sent only once and then it’s removed.
  • The installation ID contains no personal information; it’s gibberish.

2) Suggest

Suggest refers to the omnibox suggestions. In order to predict what you’re searching for, Chrome sends the text in the URL bar to the default search engine (Chrome has no default search engine; you choose on installation). You are then subject to that search engine’s privacy policy. I use DuckDuckGo, so it’s really them logging me.

This is entirely configurable. You can disable it with absolute ease. All the Iron browser has done is disable the option by default and remove the ability to enable it. To disable it, check the Chrome Privacy Settings.

3) Alternate Error Pages

The Iron browser developer is really reaching with this one. When Chrome hits a page that can’t be reached, it replaces the error message with a more helpful one.

A few facts:

  • Navigation errors are first checked locally.
  • Only a hash is sent to Google.
  • All GET parameters are removed.

And, of course, it can be easily disabled. Again, all Iron has done is disable a feature and not give you the option to add it back.

4) RLZ-Tracking

The RLZ string is an encoded string that contains no identifying information. It’s used purely to gauge how well promotional campaigns did, i.e. if an ad runs on Monday they want to know how many people downloaded the browser on Tuesday. That’s the kind of information in the RLZ string, and the source code is provided to decode the RLZ and look inside.

It couldn’t really be less malicious unless you have a problem with Google knowing that someone out in the wide world downloaded their browser on a Tuesday.

You can disable this on Linux. Not Windows. It also doesn’t even exist in typical builds downloaded from Google’s website, only for builds having to do with marketing campaigns.

The RLZ String doesn’t actually exist in Chromium, the browser Iron is based on.

5) Google Updater

Another big reach. Iron is now claiming that this is a privacy failure. I literally have absolutely no idea what the hell this guy’s point is for this one, so it’s incredibly difficult to refute. The updater is open source. At this point it should be clear that the developer has 0 credibility and is just pulling things out of his ass.

6) URL-Tracker

Google stupidly named this feature “URL-Tracker” which sounds really awful. It’s really not, and they just picked a horrible name.

Basically the URL Tracker resolves three random hostnames. It does this to check your DNS configuration in order to tell whether your DNS provider hijacks nonexistent domains and serves its own error pages, or whether Chrome should show its own. Nothing scary here, and it’s handled in a very nice way.
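The DNS check described above, reimplemented as an added example (this is not Chromium’s own code, whose exact rules differ): resolve a few random hostnames that cannot exist, and treat it as NXDOMAIN hijacking only when every one of them comes back with the same address. The two hard-coded resolvers are constructed stand-ins using the 192.0.2.0/24 documentation range so the check runs offline; `system_resolver` uses the real system resolver.

```python
import random
import socket
import string
from typing import Callable, Dict, Optional

# A resolver maps a hostname to an IPv4 address, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def random_hostname(length: int = 10) -> str:
    """A gibberish label that should not exist in anyone's DNS."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def detect_nxdomain_hijack(resolve: Resolver, probes: int = 3) -> Dict[str, object]:
    """Resolve a few nonexistent hostnames. An honest resolver returns NXDOMAIN
    (None) for all of them; a resolver that hijacks error pages answers every one
    with the same IP. Requiring all probes to agree avoids a false alarm when a
    random label happens to collide with a real intranet name."""
    names = [random_hostname() for _ in range(probes)]
    answers = [resolve(n) for n in names]
    resolved = [a for a in answers if a is not None]
    hijacked = len(resolved) == probes and len(set(resolved)) == 1
    return {
        "probes": names,
        "answers": answers,
        "hijacked": hijacked,
        "redirect_ip": resolved[0] if hijacked else None,
    }


# Constructed resolvers: sample input for the check, not real DNS servers.
def honest_resolver(host: str) -> Optional[str]:
    known = {"example.test": "192.0.2.10"}
    return known.get(host)                     # everything else is NXDOMAIN


def hijacking_resolver(host: str) -> Optional[str]:
    return "192.0.2.53"                        # every name "exists" and lands on an ad page


def system_resolver(host: str) -> Optional[str]:
    """The machine's real resolver, for running the check against your own network."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print("honest:   ", detect_nxdomain_hijack(honest_resolver))
    print("hijacking:", detect_nxdomain_hijack(hijacking_resolver))
    print("this host:", detect_nxdomain_hijack(system_resolver))
```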

So, we’ve now discredited the Iron browser in terms of its use. Obviously it offers absolutely nothing to the user in terms of privacy – the only things it adds are a slightly modified UI, the ability to block ads from a file, and the ability to change your user agent (something you can do from the command line with Chrome already); basically it adds absolutely nothing an extension wouldn’t. I personally think it’s time to discredit the developer on a more personal level, because, honestly, the project just really annoys me.

Why Does Iron Exist?

Since the Iron browser provides nothing to the user you have to ask yourself, why does it exist? Very simple, and a bit obvious – money. The Iron developer plays off of users’ fear, creating ‘privacy issues’ where none exist in order to turn a profit. And how does he get money? Very ironically, he uses Google AdSense.

In a conversation with Chromium devs the Iron developer essentially states that he has no interest in making commits to Chromium to improve privacy and is only after the ad revenue.

<mgreenblatt> Iron.. why not propose a patch based on preprocessor defines that disables the sections you dislike without forking the code?
<Iron> because a fork will bring a lot of publicity to my person and my homepage 
<Iron> that means: a lot of money too ;)
<Iron> i dont take money for my fork 
<Iron> but i have adsense on my page ;) 
<Iron> a lot of visitor -> a lot of clicka > a lot of money ;)
<Iron> we are here in germany 
<Iron> the press will love my fork 
<Iron> i talked to much journalists already 
<DrPizza> Why are you forking? 
<DrPizza> to do what? 
<Iron> to remove all things in source talking to google ;) 
<jamessan> to get fame and fortune 
<Iron> nobody here trusts google 
<Iron> the german people say: google is very evil 
<jamessan> yet you use google's adsense

Sure seems trustworthy! Yes, that’s the Iron developer outright saying that he’s playing off of fears rampant in Germany and he’s in it for the AdSense money. If you’re supporting the Iron browser you are supporting a product that provides a false sense of privacy; it outright degrades what privacy is about – disclosure and integrity.

I’m a pretty crappy programmer and I could probably do what Iron’s done. It’s just deleting a few snippets of code, adding in a bit of Iron code (like automatically bookmarking his webpage with ads), and the few features added that could easily be replicated by extensions. Of course, the developer hasn’t really released the source code in forever so… yeah… that also brings me to my point of it not exactly being open source. I think the last I checked I couldn’t find source code for any recent version of Iron.

Chrome and Chromium are pretty privacy oriented. At least to a fair extent. There’s a Chromium privacy team and they are very responsible. I’ve personally bugged Mike West with my questions on multiple occasions and he’s been nothing but quick to respond and helpful, which has led to a bug fix or two. Recently I dealt with another member of the Chromium privacy team and got another feature request for privacy, which they took seriously instead of simply saying “no go away.”

The Iron browser is a scam and the developer is using you. It’s snake oil and it’s dangerous. You’re going to be slower to patch and you’re going to think you’re ‘more private’ when you aren’t.

The defense for Iron is that it has a “privacy by default” configuration, that users may not want to “research” to find out how to make Chrome meet Iron’s configuration. It should be plainly obvious that if a user has taken the time to look for Iron it’s a very short step to find guides that explain how to uncheck the boxes clearly marked in Chrome’s settings. The Iron developer is blatantly disingenuous with the claims made, quite a few of which (as you can read above) are just ridiculous.

Don’t support scamware. If you see someone recommending the Iron browser simply link them to some information.

I’ve seen a lot of referrer info from this post on websites and I’m very pleased to say that users are consistently dropping Iron when presented with the facts. PCLinuxOS has dropped the Iron browser from their repositories after reading this post.

For updates and other articles follow me on Twitter: @Insanitybit

Sources

https://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/intl/en/landing/chrome/google-chrome-privacy-whitepaper.pdf

http://neugierig.org/software/chromium/notes/2009/12/iron.html

http://echelog.com/logs/browse/chromium/1262127600 (IRC log)

mikewest.org/2011/09/chrome-privacy

mattcutts.com/blog/google-chrome-communication/

http://blog.chromium.org/2010/06/in-open-for-rlz.html

Why I Sandbox Chrome With AppArmor

Google Chrome is a browser designed with least privilege in mind. The Chrome multiprocess architecture sandboxes each tab, the renderer, the GPU, and extensions and has them use IPC to talk to the ‘browser’ process, which runs with higher rights. The idea is that all untrusted code (websites) is dealt with at the lowest possible privilege level (the renderer has virtually no rights) and the renderer then talks to the trusted browser process over IPC. It’s very effective, and there hasn’t been a single Chrome exploit in the wild.

On Linux the Chrome sandbox makes use of a chroot, seccomp mode 2 filters, a SUID helper, and a few other techniques. On the outside this seems really secure; the problem is that the documentation is outdated and not nearly as clear as the Windows documentation.

To chroot you need root, so for the browser process to chroot the other processes it needs root. Chrome seems to find a way around this using a SUID helper that runs as root under a separate name; I don’t really know, again the documentation doesn’t cover this at all.

Basically, it sounds really strong but if I don’t understand something I can’t consider it secure.

That’s why I AppArmor Chrome. I know how AppArmor works, I know its track record, I know what my profile allows and what it doesn’t allow. And I know that even if Chrome is running as root my AppArmor profile will limit it.

I would post my AppArmor profile for Chrome up here but it’s fairly specific to my needs. For those of you looking to sandbox Chrome, make sure you use separate profiles for the SUID sandbox, Chrome itself, and the Native Client bootstrap.

The Definitive Guide For Securing Chrome

This is Part 2 in a series where I’ll be detailing various settings for specific programs and operating systems. For Part 1 (Firefox) click here. I won’t get to do the Ubuntu/ Windows guides today as both of those will probably take days on their own – don’t expect them before Monday.

Chrome

Google Chrome is based on the open source Chromium project. It differs in that it includes Adobe Flash Player, a PDF viewer, an auto-updater, as well as support for closed source codecs. Chrome makes use of a sandbox based on OS-provided MAC. On Linux it uses a SUID, PID, and chroot sandbox with mode 2 seccomp filters, and on Windows it uses various levels of Integrity Access Control.

Chrome is the browser that I consider to be most secure and in this guide I’ll be showing how to lock it down further.

I am choosing Chrome and not Chromium because it includes Flash and handles updates automatically.

Privacy Settings

Chrome enables certain features that users may feel pose a privacy concern. You can enable and disable these features in the Chrome -> Settings -> Advanced Settings page.

Image

Those are my specific settings but you can enable/disable as you please. See this link by Matt Cutts to understand Google Chrome’s communications with Google.

To make Chrome more private click on the Content Settings.

Chrome allows for a fair level of control over what websites can and cannot do. You can disable third-party cookies from being set entirely, and you can blacklist/whitelist sites from setting cookies at all.

Image

Next you can type about:flags into the URL bar.

Go enable the feature labeled:

Disable sending hyperlink auditing pings.

Enabling this disables hyperlink audit pings, which can be used to track users.

LastPass

Chrome does not include a master password feature so you’ll have to use LastPass for something similar. I’ve posted a guide to setting up LastPass here.

Adblock Plus

As Chrome does not yet implement a Do Not Track feature, if you’d like something similar you need to install Adblock Plus, which will block ads and tracking.

I also suggest you use this filter to block tracking.

UPDATE: Chrome now supports Do Not Track in the Privacy settings.

Security Settings

Credit to m00nbl00d here.

We can set Chrome to block JavaScript globally and then allow it by top level domain (i.e. .com, .org). This means that we can block JavaScript on many sites without it bothering us. By blocking JavaScript on domains like .ru and .cn we actually block a fair amount of pages that could otherwise be used against us.

Image

Notice that I’ve done the same thing with plugins. Something I personally like to do is set Click To Play, and not whitelist any sites. This is a wonderful way to prevent attacks. My recommendation is Click To Play and no whitelist.

Image

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like WordPress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

HTTPSwitchBoard

HTTPSwitchBoard is another Chrome extension aimed at providing a more private and secure browser. The extension allows you to limit requests that the browser makes for a wide variety of content – you can allow a website to load its CSS/images and nothing else, or add in scripting, plugins, video tags, etc on a per-request basis.

It’s quite easy to use, maintains a great blacklist that makes whitelisting safe and easy, and is much faster than conventional content blockers.

https://github.com/gorhill/httpswitchboard


AppArmor (Linux Only)

Chrome does not have an AppArmor profile by default on any distro that I know of. You’ll have to make one, so have a look at this guide.

Chrome already makes use of a powerful sandbox on Linux, but making use of AppArmor is a good idea. There isn’t a ton of up to date documentation on the Linux sandbox, so while we can gather that it’s pretty strong we shouldn’t trust it, and therefore AppArmor is a very good idea. What we do know is that the Chrome sandbox makes use of chroot, a call that requires root privilege, so I’m not sure how they’re accomplishing this (I think they use a separate UID for this and then drop from root), but either way I don’t want anything that can chroot and chmod having access to more of my system than it needs.

Seccomp (Linux Only)

Chrome now uses seccomp filters for plugins. Read about seccomp here.

PPAPI Flash Player

UPDATE: Chrome now uses the PPAPI Flash Player by default, which comes in a very powerful sandbox. Make sure you have your Flash using only PPAPI in chrome://plugins.

Remember

Chrome doesn’t update anything other than itself and Flash, so make sure to keep your Java, Silverlight, or any other plugins up to date as well as the underlying operating system. And make sure to set your plugins to Click To Play.

And Of Course…

If I’ve missed anything let me know. I don’t think I’ve missed anything worth putting in. I’ve purposefully left ScriptNo (now SafeScript) out as I can’t attest to it actually working correctly 100% of the time and it lacks many important features built into NoScript. I think that m00n’s JavaScript trick works fine.

PPAPI Flash For Linux Finally Seems Ready

PPAPI Flash is the Flash plugin built into Google Chrome that allows for more secure Flash by virtue of the Chrome sandbox. Adobe has declared that Flash 11.3 will not be supported for Linux except for the PPAPI version, so if you’re looking for the latest you’re going to need to use Chrome.

The existing Flash sandbox in Chrome isn’t very tight, as we can see by Vupen’s bypass, so a tighter sandbox is very welcome.

Until very recently the plugin was super buggy and unusable. This seems to have changed and I’m noticing no issues.

The PPAPI plugin is limited to Chrome Beta right now, so you can either wait ~1 month for it to hit stable or you can download the beta now.