Google’s Hypocritical Stance on Browser Security

I regularly take Microsoft to task when they fall short of the somewhat lofty standards I’ve set for them in my head. So it’s only fair that I should also level some harsh criticism at some of their competitors when warranted. To that end, while I applaud Google and the Chrome team for a number of the things that they're doing correctly to make browsing safer, there’s still a very ugly problem that Google needs to address before I can take their attempts at improved security as something other than a bit hypocritical.

Win: Chrome is Attempting to Strengthen SSL

A core component of overall web and browsing security is transport layer security (TLS), which is more commonly referred to as SSL. Yet, as important as TLS is to helping browsers verify the identity of the servers they’re connecting to and encrypt communications with them, there’s a big problem with most SSL certificates in use today: They’re using SHA-1, which is so cryptographically weak that it’s considered by experts to be on the brink of collapse. Accordingly, and correctly, Google is helping lead the charge in ensuring that site owners are incentivized to upgrade their SSL certificates to SHA-2 by gradually becoming more aggressive in warning Chrome users when the sites they’re visiting are protected with weak encryption.

In similar fashion, Google also recently announced that they’ll start providing increased SEO rank to sites that are encrypted, as opposed to similar sites that aren’t encrypted. Given the clout that SEO carries with site owners, this, too, will help spur increased protections for end users, which is also a great thing.

Win: Chrome is Helping Prevent Malware Downloads

Because I’m quite cautious about what I download and judicious about which sites I visit, I’m personally not a big fan of browsers that try to ‘protect’ me from potentially malicious downloads by keeping an inventory or registry of vetted and potentially suspicious downloads from across the entire internet. However, while I’m not personally a big fan of such features, I think they have a definite place for recreational computer users, or non-tech-savvy folks who typically don’t understand enough about how software works to be as paranoid as the rest of us.

To that end, I applaud Google’s recent efforts to bolster Chrome’s ability to help protect end users from accidentally downloading malware. Though the skeptic in me worries that much of the malware bundled with free utilities and software (like FileZilla and gobs of stuff hosted at SourceForge and similar sites) will get a free pass by Chrome, because the installers for these utilities bundle malware into place as extra services that help users and the malware is optional (though installed by default).

Fail: Chrome’s Extensions are a Security Nightmare

But, despite both of those truly laudable efforts by Google and their Chrome teams, I still can’t take Chrome’s efforts at security seriously because of the train wreck known as Chrome Extensions. Let me illustrate that concern with just two points of interest.

First, as a bit of an anecdote, one of my kids recently managed to deploy a couple of malware extensions into Chrome on either the family laptop or the tablet my kids use for homework. The two extensions in question intercepted pages my kids were visiting and would spin up customized ads that crowded out regular content and were as obnoxious as hell. These ads were an attempt to sell stuff to my kids while browsing any site, not just shopping/retail sites. What was particularly galling about this experience, though, wasn’t just that my kids were able to so easily deploy these extensions into Chrome (“It wasn’t me!” said all of my kids), but was, instead, how much of a pain it was to remove these extensions. Technically, removing extensions should be trivial—simply pull up the settings menu in Chrome, select Extensions and then delete any extensions you don’t want. Only, after doing that on each of my kids' accounts on our family laptop, imagine my surprise when these extensions were back just a day or so later. Turns out that, because my kids have their own login info and accounts on both the laptop and their tablet, removing these malware extensions from Chrome on just the laptop wasn’t enough. Instead, because Chrome synchronizes settings and extensions across machines, I ended up having to remove the extension from both machines or the extensions would simply sync back on to the machine where I had initially removed it.

Second, and much more pernicious, is the fact that Google has yet to address that they have a glaring problem with their extensions: creators of trusted and viable extensions can sell their extensions to third parties, who can then use Chrome’s ability to update extensions as a delivery vehicle for malware against totally unsuspecting users with no warning.
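One way an administrator could spot the kind of change described above is to compare an extension's `manifest.json` before and after an update and list the page access it gained. This is an added example, not code from the original article or from Chrome; the two manifests are constructed samples and the function names are hypothetical.

```python
import json

# Patterns that give an extension access to every page the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def capabilities(manifest_json):
    """Return the set of API and page-access capabilities a manifest declares."""
    m = json.loads(manifest_json)
    caps = set()
    # Manifest V2 mixes host patterns into "permissions";
    # Manifest V3 lists them under "host_permissions".
    for p in m.get("permissions", []) + m.get("host_permissions", []):
        if isinstance(p, str):
            is_host = "/" in p or p == "<all_urls>"
            caps.add(("host:" if is_host else "api:") + p)
    # Content scripts run inside every page matched by these patterns.
    for cs in m.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            caps.add("inject:" + pattern)
    return caps

def update_delta(old_json, new_json):
    """Capabilities present after an update that were absent before it."""
    return capabilities(new_json) - capabilities(old_json)

def touches_every_site(caps):
    """True if any host or injection capability covers all sites."""
    return any(c.split(":", 1)[1] in ALL_SITES
               for c in caps if c.startswith(("host:", "inject:")))

# Constructed sample: the same extension before and after an update.
OLD = json.dumps({"name": "Constructed Tab Helper", "version": "1.4",
                  "manifest_version": 2, "permissions": ["tabs", "storage"]})
NEW = json.dumps({"name": "Constructed Tab Helper", "version": "1.5",
                  "manifest_version": 2,
                  "permissions": ["tabs", "storage", "<all_urls>"],
                  "content_scripts": [{"matches": ["<all_urls>"],
                                       "js": ["inject.js"]}]})

if __name__ == "__main__":
    gained = update_delta(OLD, NEW)
    print("gained in update:", sorted(gained))
    print("now reaches every site:", touches_every_site(gained))
```
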

My guess is that the synchronization issue should be fairly easy for Chrome to address. Addressing how to correct the once open and trusting nature of their extensions market will likely be non-trivial. By the same token, it does seem a bit hypocritical that Google is happy to simultaneously start policing the world’s downloads and strong-arm site owners into using or improving SSL, all while Google and Chrome have so many serious problems within their own domain that they haven’t adequately addressed. I’m not saying Google shouldn’t be working on improving SSL or protecting against malware, but the company might want to take a closer look internally before I can take their efforts more seriously.
