Google's Chrome security team yesterday unveiled its guiding principles on how it builds a safer browser.
The manifesto declares seven key guidelines for Chrome security. The first one, "Don't get in the way," both echoes Google's unofficial motto, "Don't be evil," and reflects what many Windows security vendors have learned the hard way about keeping people safe. If security negatively affects performance, users will look to alternatives. For a browser which has built its user base on speed, sluggish response times have the potential to wreak great havoc.
"It's great to see invisibility and automatic background updates as the first principle. Good security is transparent and inescapable," said Chris Wysopal, chief technology officer at Veracode. "The less security decisions that involve the user the better. Every security decision made by the user is a chance that something will be postponed or forgotten or worse, an opportunity for social engineering."
Privacy is not mentioned in the list of principles, and that may raise the hackles of some security experts. "I think Google's approach to privacy is a little bit different than others," said Jeremiah Grossman, WhiteHat Security's chief technology officer. "They make the assumption that you trust them, but if you don't trust them then you have to separate the two. You can't protect your data that's on Google, from Google, because it's contrary to their business model."
A Google representative told me that the Chrome security team works in close conjunction with Google's overall security team, as well as the Chrome team itself. "We protect users by embedding security deeply into our culture, as well as our process for designing and developing products. This relentless focus on security often benefits the web more broadly as well, either through our own action or through others who adopt similar approaches," the representative said.
The need for speed has found its way into Chrome security, and the representative pointed to regular release note updates as evidence of this. "We've demonstrated that we will shine a light on security topics that are relevant to our users, even when most companies wouldn't," he said, with tough benchmarks set for response time and how long systems are left unpatched.
Of course, Google is hardly the only company to take this approach. Mozilla also regularly publishes security update release notes, and Microsoft has become so regular at publishing security updates to Internet Explorer and its other software that Patch Tuesday has become lingua franca in the computer security world.
Microsoft recently touted a decade of security achievements, and it's practically universally accepted that the company learned some tough lessons in the past 10 years.
Not surprisingly, Microsoft's current policies of a company-wide approach to security echo Google's similar stance with Chrome. Chrome's third core principle states that security is a "team responsibility," which was explained to me as meaning that browser security concerns go beyond the realm of just the Chrome security team to include Google's general security group and the general Chrome group. While this may sound obvious to some, cross-department communication has had an impact on the browser's development, said the Google representative.
"Engaging the security community makes Google part of the security community. More technology companies should take this approach. They have set up a cooperative and non-adversarial posture. Microsoft pioneered this approach, but Google has taken it a step further with their bug bounties," said Wysopal.
Google has said that the quality of the bug reports has helped it fix vulnerabilities much faster. The company has paid out more than $200,000 for Chrome and Chromium-related security bugs found by bug hunters. Chromium, the open-source basis for Chrome, debuted together with Chrome in September 2008.
While likely familiar to many who keep tabs on browser security, the principles document stands as a place where Google can point to its achievements in the field as well as its goals. The Chrome features referenced in the document include anti-exploit technologies such as JIT hardening along with Google-sourced innovations like the Safe Browsing API. The "Make the Web safer for everyone" section notes numerous public security standards like public key pinning, SPDY, and Native Client.
Grossman concluded that, despite some concerns about Chrome, the project has been a boon for the Web. "I think they're doing a lot more right than wrong when it comes to browser speed and security," he said.
Correction, January 18 at 10:57 a.m. PT: This story had the incorrect time frame for Chromium's debut. Chromium was launched at the same time as Chrome, on September 1, 2008.