Google Chrome first look
The bad:
- It’s a front-end to WebKit much like Safari, with no bells-or-whistles
- The only add-ons are Web Inspector (from WebKit), Chrome’s own Task Manager, and Chrome’s own Java Debugger (they could have at least used Drosera which comes with Web Inspector / WebKit)
- The Google Updater software it installs runs as a separate process, is not a service, and installs itself into the registry to startup at boot
- Privacy policy and default configuration should scare all of us worse than Mozilla
- Appears to somewhat utilize the Google Desktop API
- Wouldn’t let me install Scroogle as the default search
The good:
- It does separate tabs by process. It gives them different Windows PID’s, but the parent is still a Chrome process. I am guessing this isn’t secure for XP, but on Vista it might be fairly solid
- Appears to support Flash, Java, QuickTime, et al out-of-the-box (note: this makes it just as secure as Internet Explorer 7 or Firefox on Vista, which we all know have at least a few variations of attacks and exposure to at least some vulnerabilities)
- Does allow future search engines that conform to opensearch.org
My analysis:
Google Chrome is DOA (dead on arrival). Nobody is going to use a browser with such poor support and so completely unpolished. However, I agree with others’ assessments: hopefully Google Chrome will make Mozilla, Microsoft, and Opera aware of the several features such as tab-process separation (so that web application developers can also use this functionality).
Why didn’t Google just do a request-for-comments or a peer-reviewed paper/presentation? What’s the point of this loosely running code? I’m not sure yet, but it is possible that Google has left something out in their announcements and/or plans for this product.
From a risk assessment perspective, I can tell you that my threat-modeling spider sense went off from the moment of the download, was piercing my ears during the install, and became overstimulating during runtime. If security is the goal of this product, I’m afraid that Google has definitely failed.
“We are so, so happy with Google Chrome,” mumbled Mozilla CEO John Lilly through gritted teeth. “That most of our income is from Google has no bearing on me making this statement.” – http://notnews.today.com/?p=57
I’m not exactly sure what view you take on this piece of software, but for me this is an overall good browser for a typical user:
- very fast
- they thought of security simple stuff (sand boxed processes)
- simple
The more I look at Chrome, the more I see a direct competitor for Opera (definitely too light for ffx and IE).
Also, this is the very first public release of this browser, so I guess they will make tons of improvements. It’s for me too early to say anything about the security here but if you find vulnerabilities, let’s say in V8 :)
Since it installs entirely in user mode, and stores itself entirely in the users profile, it does not need anything in the system account. Services are installed into the system account. Using a HKCU run for the updater makes sense then.
I don’t know how good its Javascript support is yet, but it does not seem to work with Sun Java.
It certainly is constantly talking to Google.com while it runs.
Ahhh – worked out the Sun Java – need the 1.6 Release Candidate 10.
I did the following steps (or ones just like them) on my own, and clearly they came up with similar results:
http://erratasec.blogspot.com/2008/09/lookingglass-vendor-of-week-google.html
http://www.disenchant.ch/blog/lets-crash-googles-chrome-browser/184
* It does separate tabs by process.
IE8 has had this (or similar) already, I confirmed this at Tech.Ed last week and found a link here
http://blogs.msdn.com/ie/archive/2008/03/11/ie8-and-loosely-coupled-ie-lcie.aspx
I installed Scroogle no problem as my default search. I used the SSL version, maybe that is the difference?
@ Dominic: thanks for the comment. I’m probably not going to try again, but I did use the SSL Scroogle. It could have been user-error on my part.
I can’t say more about the technical issues for Chrome, as i am not the person from techniques. For me the Chrome really works good. I am satisfied with the speed and all stuff.
To add scroogle, you have to use this url:
http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=%s
where %s is the search phrase