Since I spent a relevant portion of my past two days answering email messages similar to the following, I decided to post a catch-all answer here.

Hi Giorgio,

I just read Google's introduction to its Chrome browser.
I was so impressed with its security features that I may even switch from Firefox to Chrome. (I didn't think that was even possible when I first heard of Chrome.)
Would you consider adapting your NoScript add-on to it?
I tried out Chrome and loved it, but the absence of NoScript was immediately apparent!

Seth

Hi Seth,

I've been playing with Chrome since it's been available, and I cannot say I'm impressed with its security.
I do like its speed, but Fx 3.1 builds with TraceMonkey enabled are already faster.
I really love its task manager: opening a random MySpace page and watching CPU and RAM consumption skyrocketing blamed precisely on the Flash plugin (70MB Flash, 28MB the page itself versus 11MB for an empty tab) is kind of cool, even if it comes with the cost of redundant resource allocation (if it was Firefox, crowds would be screaming "memory hog").
On the other hand, there's nothing apparently novel in its security approach, and it doesn't address any in-browser security problem, such as XSS or CSRF, at all.

The worst part, though, is that Chrome is not nearly as extensible as Firefox: cynical people may suspect this is to prevent something like AdBlock Plus or NoScript itself from being ported, biting advertisement bottom lines.
This is such a bummer that Google had to issue a late announcement about an extension API, but if it's gonna be like Opera's widgets (as I strongly suspect) it won't help.

BTW, one of Chrome's most hyped features, stability due to the claim you might crash one tab but not the whole browser, fully justifies the "beta" tag:
[Image: Chrome Crash]

Cheers
--
Giorgio

11 Responses to “Google Chrome Mail Template”

  1. #1 kuza55 says:

    If you haven't noticed, XSS and CSRF aren't the only issues in security; code exec bugs, especially in browsers, are still a huge problem, even with all the exploit mitigations in place, and Google IS going in the right direction to stop that with its sandbox: http://dev.chromium.org/developers/design-documents/sandbox

    And yes, browsers crash, yes this sucks as it crashes Google Chrome's 'kernel', but in all other browsers there is no separation and frankly browser DoS issues are a dime a dozen, and mostly irrelevant.
    The fact that they use an outdated version of Webkit is shit, *but* that's an easy problem to fix and one that probably has more to do with the rushed release than anything, so I'm going to give them the benefit of the doubt here for a while (and hope they update soon).

    Don't get me wrong; I'm all for over-reacting and attacking people over small and trivial issues (I think we've all seen this), but this google bashing is seriously getting a bit out of hand.

  2. #2 romain says:

    I'm wondering if they would be willing to integrate a native NoScript like... this is really where the lack is for me right now; the bugs etc. this is okay, this is just a beta! (as long as it doesn't stay a beta for 4 years like GMail...)

  3. #3 Giorgio says:

    @kuza55:
    If you haven't noticed, most people assume there are only code exec bugs, because they've got well understood "solutions" (some of which are just snake oil) which are easier to market.

    Regarding sandboxing, it's all but a new concept.
    Oversimplifying, Google's Sandbox FAQ itself is quite eloquent:

    Is the sandbox like what you get with the Java VM?
    Yeah, kind of... except that to take advantage of the Java sandbox, you must rewrite your code to use Java. With our sandbox you can add sandboxing to your existing C/C++ applications. Because the code is not executed inside a virtual machine, you get native speed and direct access to the Windows API.

    [Safe] like the Java VM, but with direct access to the Windows API :)

    On a side note, I said I "do like" one feature, I "really love" another and I'm just "not impressed" with security. Is this "bashing"?

    @Romain
    Integrating a native NoScript-like is almost surely possible, and probably enjoyable as well, looking at the quality of the codebase. But I'm afraid it would require a Chromium fork, since I cannot see a compelling business incentive for Google to accept such a thing in the "official" Chrome, considering the potential damage for Doubleclick and AdSense.

  4. #4 romain says:

    You're absolutely right... but I'm wondering how much pain/work that would be to create/maintain such a fork...

  5. #5 Jack Stonewall says:

    Giorgio,

    I agree 100% with your Chrome assessment, although if forced I would probably say the Application mode (and the ease in creating new application "links"/icons) trumps the Task Manager as my favorite feature.

    Unfortunately I still really can't get my mind around why they just didn't pitch in on the development effort to the Firefox team rather than further clutter the browser world with yet another extensionally-challenged entry.

    I almost wonder whether behind the scenes perhaps there was friction between the Google and Mozilla folks (e.g. perhaps the Firefox team differed on priorities or design direction) and eventually Google just decided to forge their own path.

    Many thanks for NoScript, and warmest regards,

    Jack Stonewall

    PS. As a Canadian, and assuming you've still got some of that maple syrup around, may I suggest trying it in your tea.... that is, assuming you Italians drink tea ;)

  6. #6 Aerik says:

    I have no problem google bashing in this instance, for a few reasons.

    1) Their EULA controversy was the result of some lazy-ass copying and pasting from other apps.

    2) Their version of open-source is not really open-source. I had the same thoughts concerning parallels with Opera's widgets. Overall Google is going to dictate the evolution of the browser because it was made ultimately to work with google apps, and they control the source of google apps, google api be damned. Major trunk changes will always be at their whim, leaving independent developers in the dark.

    3) All the security disappointments you have talked about, Giorgio.

    4) Like you, its speed is not impressive compared to FF3.1 nightly builds w/ Tracemonkey turned on.

    5) The ultimate snub to Microsoft would've been to create a Gecko browser to facilitate add-on development and compatibilities so fast that it would quickly make IE7 and IE8 a joke, as well as Safari, which is run by Apple, another corporation that, since you have to send your machine in to be repaired, insists that they still own your computer and not you.

  7. #7 Giorgio says:

    @Jack:
    yes we drink tea (usually with lemon juice and sugar or honey), and I'm gonna try the maple syrup thing right now :)
    ... minutes later... good!

  8. #8 NurBo says:

    Nice post. I have also been following the Google Chrome Browser since day one and I'm highlighting all of the cool new features etc. on some of my posts; please check them out and perhaps comment.

    http://attackingcitizen.blogspot.com/

  9. #9 Shiraz99 says:

    http://www.grc.com/sn/sn-161.htm

    Security Now = Steve Gibson is impressed by the possibilities created by Chrome's underlying architecture, but he is extremely unimpressed by its total lack of critically important security and privacy features.

    After listening to this podcast, I have uninstalled Chrome.

    "Steve: It's nuts. I mean, it is nuts, Leo. And if nothing else, look at the adoption rate. Almost, well, 1.57, 1.6 percent people used it. And I and a lot of other people said, okay, well, no thank you. I'm not using something that is by default storing the passwords I use for logging on and giving me no ability to protect that storage from somebody who might have access to my browser at any time in the future. I mean, that's crazy. It's just crazy.

    Also no provision in cookie handling for distinguishing between session and permanent cookies. Even IE, again, you're able to say, look, I don't mind session cookies, that is, cookies that are persistent only while I'm using the browser, as long as you throw them all away at the end. Other browsers provide that. No provision for handling sites individually. I mean, I truly - I don't get what they're thinking, who they're aiming this at because IE users, who we might say, okay, are just not going to move away, and they're not clued in to security and privacy, so they just stay with IE, well, they're not apt to use some other browser. They're not going to move from IE. People who do, do for a reason, because they want these additional features. And Chrome doesn't have any of them. I mean, any of them. It just boggles my mind. Oh, yeah, I just - and no scripting management, weak cookie handling, I don't know, I'm just... "

  10. #10 sdipn web directory says:

    I know the benchmarks say it’s faster. But am I the first to notice that Flash rendering and framerates are noticeably slower?

  11. #11 Anshul Arora says:

    I have faced one problem in the Chrome browser. When you move down any page using the mouse pad, and then try to move upwards using the same, it will not allow the user to go up. As this is an issue with Chrome only, it should be fixed ASAP.

    Thanks
    Anshul
