SRWare Iron Browser – A Private Alternative To Chrome?

Iron Browser claims to eliminate “critical points that the privacy concern”, in other words it’s trying to solve Chrome privacy issues.

A noble endeavor. Or at least it would be if there were any credible aspect to the program. The labels “scamware” and “scareware” are fitting here.

Iron v Chrome

The SRWare Iron Browser website has a page called “Iron Vs Chrome” that ‘matches up’ the privacy features. This is actually the easiest thing to point to to say “wow, this browser really is bullshit.” The Iron Vs Chrome page is riddled with misinformation and false implications – it’s incredibly blatant that the iron developer is using scare tactics here.

1) Installation-ID

This is the only privacy ‘concern’ that isn’t optional. Some facts:

  • The installation ID only runs once and then it’s removed.
  • The installation ID contains no personal information, it’s gibberish

2) Suggest

Suggest is referring to the omnibox suggestions. In order to predict what you’re searching for Chrome sends the text in the URL bar to the default search engine (Chrome has no default search engine, you choose on installation.) You are then subject to that search engines privacy restrictions, I use DuckDuckGo so it’s really them logging me.

This is entirely configurable. You can disable it with absolute ease. All the Iron browser has done is disable the option by default and removed the ability to enable it. To disable it check the Chrome Privacy Settings.

3) Alternate Error Pages

The Iron browser developer is really reaching with this one. When Chrome hits a page that can’t be reached it replaces the error message.

A few facts:

  • Navigation errors are first checked locally.
  • Only a hash is sent to google.
  • All GET parameters are removed.

And, of course, it can be easily disabled. Again, all Iron has done is disable a feature and not give you the option to add it back.

4) RLZ-Tracking

The RLZ string is an encoded string that contains no indentifying information. It’s used purely to gauge how well promotional campaigns did ie: if an ad runs on Monday they want to know how many people downloaded it Tuesday. That’s the kind of information in the RLZ String and the source code is provided to decode the RLZ and look inside.

It couldn’t really be less malicious unless you have a problem with Google knowing that someone out in the wide world downloaded their browser on a Tuesday.

You can disable this on Linux. Not Windows. It also doesn’t even exist in typical builds downloaded from Google’s website, only for builds having to do with marketing campaigns.

The RLZ String doesn’t actually exist in Chromium, the browser Iron is based on.

5) Google Updater

Another big reach. Iron is now claiming that this is a privacy failure. I literally have absolutely no idea what the hell this guys point is for this one so it’s incredibly difficult to refute. The updater is open source. At this point it should be clear that the developer has 0 credibility and is just pulling things out of his ass.

6) URL-Tracker

Google stupidly named this feature “URL-Tracker” which sounds really awful. It’s really not, and they just picked a horrible name.

Basically the URL Tracker connects to three random sites. It does this to check your DNS configuration in order to tell whether your DNS tries to resolve error pages or if Chrome should. Nothing scary here and it’s handled in a very nice way.

So, we’ve now discredited the Iron browser in terms of its use. Obviously it offers absolutely nothing to the user in terms of privacy – the only thing it adds is a slightly modified UI, the ability to block ads from a file, and the ability to change your user agent (something you can do from the command line with Chrome already); basically it adds absolutely nothing an extension wouldn’t. I personally think it’s time to discredit the developer on a more personal level, because, honestly, the project just really annoys me.

Why Does Iron Exist?

Since the Iron browser provides nothing to the user you have to ask yourself, why does it exist? Very simple, and a bit obvious – money. The Iron developer plays off of users fear, creating ‘privacy issues’ where none exist in order to turn a profit. And how does he get money? Very ironically he uses Google Adsense.

In a conversation with Chromium devs the Iron developer essentially states that he has no interest in making commits to Chromium to improve privacy and is only after the ad revenue.

<mgreenblatt> Iron.. why not propose a patch based on preprocessor defines that disables the sections you dislike without forking the code?
<Iron> because a fork will bring a lot of publicity to my person and my homepage 
<Iron> that means: a lot of money too ;)
<Iron> i dont take money for my fork 
<Iron> but i have adsense on my page ;) 
<Iron> a lot of visitor -> a lot of clicka > a lot of money ;)
<Iron> we are here in germany 
<Iron> the press will love my fork 
<Iron> i talked to much journalists already 
<DrPizza> Why are you forking? 
<DrPizza> to do what? 
<Iron> to remove all things in source talking to google ;) 
<jamessan> to get fame and fortune 
<Iron> nobody here trusts google 
<Iron> the german people say: google is very evil 
<jamessan> yet you use google's adsense

Sure seems trustworthy! Yes, that’s the Iron developer outright saying that he’s playing off of fears rampant in Germany and he’s in it for the adsense money. If you’re supporting the Iron browser you are supporting a product that provides a false sense of privacy, it outright degrades what privacy is about – disclosure and integrity.

I’m a pretty crappy programmer and I could probably do what Iron’s done. It’s just deleting a few snippets of code, adding in a bit of Iron code (like automatically bookmarking his webpage with ads), and the few features added that could easily be replicated by extensions. Of course, the developer hasn’t really released the source code in forever so… yeah… that also brings me to my point of it not exactly being open source. I think the last I checked I couldn’t find source code for any recent version of Iron.

Chrome and Chromium are pretty privacy oriented. At least to a fair extent. There’s a Chromium privacy team and they are very responsible. I’ve personally bugged Mike West with my questions on multiple occasions and he’s been nothing but quick to respond and helpful, which has lead to a bug fix or two. Recently I dealt with another member of the Chromium privacy team and got another feature request for privacy, which they took seriously instead of simply saying “no go away.”

The Iron browser is a scam and the developer is using you. It’s  snake oil and it’s dangerous. You’re going to be slower to patch and you’re going to think you’re ‘more private’ when you aren’t.

The defense for Iron is that it has a “privacy by default” configuration, that users may not want to “research” to find out how to make Chrome meet Iron’s configuration. It should be plainly obvious that if a user has taken the time to look for Iron it’s a very short step to find guides that explain how to uncheck the boxes clearly marked in Chrome’s settings. The Iron developer is blatantly disingenuous with the claims made, quite a few of which (as you can read above) are just ridiculous.

Don’t support scamware. If you see someone recommending the Iron browser simply link them to some information.

I’ve seen a lot of referrer info from this post on websites and I’m very pleased to say that users are consistently dropping Iron when presented with the facts. PCLinuxOS has dropped the Iron browser from their repositories after reading this post.

For updates and other articles follow me on Twitter: @Insanitybit

Sources

https://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/intl/en/landing/chrome/google-chrome-privacy-whitepaper.pdf

http://neugierig.org/software/chromium/notes/2009/12/iron.html

http://echelog.com/logs/browse/chromium/1262127600 (IRC log)

mikewest.org/2011/09/chrome-privacy

mattcutts.com/blog/google-chrome-communication/

http://blog.chromium.org/2010/06/in-open-for-rlz.html