Will Google Chrome make better browsers of us all?


"It can't have escaped anybody's notice that yesterday Google announced their very own web browser. Paul Ducklin, Sophos's head of technology in Asia Pacific, contributes a guest blog below discussing Google Chrome. Over to you Paul..."

Paul Ducklin

Google just released a web browser - or, more accurately, a beta version of a web browser - which they seem pretty certain will make the web safer by being more secure than existing browsers. It will also apparently complete the Trifecta by improving speed and stability at the same time.

This isn't really an invention or a revolution, though some viewers of Google's breathlessly enthusiastic YouTube videos about the release might let themselves believe that it is.

To be fair to Google, they don't actually present it this way - they do talk about starting from scratch, but they also make it clear that the new browser is about evolution and choice. In that respect, they appear to be delivering.

(At least they are delivering if you are a Windows user. They haven't quite got around to the Linux and OS X versions yet, which seems slightly ironic considering that the rendering code they chose to base their browser on is WebKit, already used in various forms both in Safari on OS X, and in KDE on Linux. But I digress.)

The browser itself, called Chrome, may indeed be the most secure browser yet, but it's much too early to tell. Part of this security appears to be that each browser tab is effectively a separate process, so that separate tabs "can't talk to each other", in Google's words.

Quite how this differs, other than visually, from running several separate copies of the browser program in separate windows (or, for Linux nerds using a tabbed window manager like Fluxbox, in separate tabs in the same window) isn't clear.

However, it is reasonable to assume that if Chrome succeeds, it will quickly be supplied with any number of third-party plugins - for example, for running Java, displaying Flash, using Silverlight, for reading and printing PDFs, for viewing Office documents, playing Windows Media Player movies, and more. The web is not entirely about HTML and JavaScript, and all those non-HTML-non-JavaScript plugins will potentially introduce vulnerabilities to the browser itself.

For a good example of this sort of problem, look at MS06-006, a Windows Media Player vulnerability from a couple of years ago. This is a bug in a single DLL used in playing WMV files. Ironically, the bug doesn't affect Internet Explorer, which merely hangs, but does affect Firefox, which can suffer remote code execution when confronted with an offending WMV link.

There also seems to be some conflict between Google's insistence that each browser tab is entirely self-contained and their tagline of "one box for everything". As one of their videos explains, to navigate or search the web, you simply start typing into the address bar. It will suggest popular sites, searches and even pages you have already visited which contain your search term.

So although your own individual browser tabs may be unable to talk to one another, the browser itself can and apparently will tie together the content of your tabs with its "one search window and address bar to rule them all". (This time those are my words, not Google's.)

Then there's the name of the browser, which is presumably meant to be mildly ironic. "Chrome," at least in Mozilla's parlance, refers to the parts of the browser which represent the user interface, controlled by the browser application itself, as opposed to the content, which is where possibly hostile content from remote web sites is rendered and displayed. Google's take on the browser is that the "chrome" should be minimised - so that the browser itself is effectively invisible, or at least minimalistic, like Google's home page.

But it remains to be seen whether Chrome's minimal chrome will produce a tension with security, since many users have learned to rely on annotations and visual signals in the browser's chrome to help them spot things like phishes, fake sites and misleading linking practices. Perhaps if too much of the browsing experience is left under the visual control of the content - which must always be considered potentially hostile - then security will decrease, and risk will increase.

And some observers are already expressing concerns about Chrome's memory footprint, given that each tab sounds as though it will have its own copy of everything needed to render and operate that tab. Generally speaking, the more carefully and completely you isolate the tabs, the less code and data you can share between them. Indeed, it sounds as though there will be a complete copy of Google's new JavaScript engine, aggressively named "V8", in each tab. V8 motors might be renowned for sheer grunt, but for efficiency and fuel consumption they can hurt your pocket.

So where do we go from here? Is this really the beginning of Web 2.0, as one of Google's developers excitedly implies on YouTube when she describes the previous generation of browsers as being from a time "when the First Web was created"? Will users rush to trust a browser, no matter how secure it is claimed to be, from a web search and online advertising Goliath? Will Chrome speed up our browsing, or will it just allow us to be presented with more content in the same lengths of time?

More importantly, will a better browser program make better browsers of us all? That's a question Google can't really answer, though their developers seem genuinely to want that result.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog