News last week about Google Chrome and their intention to make it faster still… at the expense of security. I’m not sure I agree with this line of thinking. Basically the article talks about how Google are going to stop checking for revoked SSL certificates because it slows down the web browser too much. The other main vendors, Microsoft and Mozilla, are not at this point following this course of action. Certificate revocation checking is designed to ensure that when you go to a website, the SSL certificate is in fact valid and has not been revoked by the Certification Authority. A certificate is normally revoked when attackers have gained control of it, and the entire mechanism is designed to protect you. Google on the other hand have decided that speed is more important than security. Yes – speed is important, but not at the expense of security. There are other mechanisms in place, such as DNSSEC, which are designed to help ensure that you are going to the websites you think you are, but they are in their infancy. If Google were to implement this change further down the track, once DNSSEC was widely used, then it might be acceptable. To do so now is reckless.
I may well be wrong too, you know… I don’t know everything, but based on what I do know, I’m even more concerned about using Google Chrome for ANYTHING.
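To show concretely what the revocation check the post describes actually catches, here is an added example (not from the original post) that builds a throwaway CA with the openssl CLI, issues and then revokes a leaf certificate, and verifies that certificate both with and without CRL checking. All names are constructed, and it assumes the openssl command is on PATH.

```shell
# Added example, not from the original post. Throwaway CA in a temp dir:
# issue a leaf, revoke it, publish a CRL, then verify with and without
# revocation checking. Assumes openssl is on PATH; names are constructed.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
mkdir newcerts; : > index.txt; echo 1000 > serial
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ leaf_ext ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
x509_extensions = leaf_ext
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
# Demo CA, then a leaf certificate for a constructed hostname signed by it
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
  -out ca.pem -subj "/CN=Demo Revocation CA" -days 365 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj "/CN=shop.example.test" 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem 2>/dev/null
# Revoke the leaf (as a CA would after a key compromise) and issue the CRL
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
cat ca.pem ca.crl > ca_and_crl.pem
# verify_leaf yes|no : "yes" enables CRL checking; prints accepted/rejected
verify_leaf() {
  if [ "$1" = yes ]; then out=$(openssl verify -crl_check -CAfile ca_and_crl.pem leaf.pem 2>&1)
  else out=$(openssl verify -CAfile ca.pem leaf.pem 2>&1); fi
  case "$out" in *": OK"*) echo accepted ;; *) echo rejected ;; esac
}
echo "no revocation check: $(verify_leaf no)  with check: $(verify_leaf yes)"
```

A client that skips the revocation check sees only the first result: a chain that validates cleanly even though the CA has already withdrawn trust in that certificate.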
Robert Crane says
Wayne,
Let’s take a deep breath and have a look at this without the sensationalism that abounds. I agree that not checking for revocation is bad and that it weakens security. However, I would say that not using Chrome for ANYTHING is a tad sensationalist.
The majority of sites that people visit have valid SSL certs. The issue will occur when someone is trying to spoof users, which again is bad. However, in the majority of cases this is not going to be the case. Smart hackers probably have a workaround for SSL issues on other browsers anyway. Most drive-by attacks are going to happen on non-SSL sites, so again simply saying not to use CHROME for anything is blowing the issue beyond the problem.
Like I said, what Chrome has done is insecure and not in the best interests of users, but again let’s look at IE’s record. Not that impressive when it comes to security at all. This needs to be kept in perspective rather than allowed to be hyped to the point of hysteria.
This is a normal case of technology as it becomes consumerized. End users want ease of use, and security doesn’t provide that generally. Look at bank PIN numbers, 4 digits; how secure is that? Emails are unencrypted; how secure is that? Yet everyone still uses them. It is simply the trend in IT, like it or not.
Again, this is not a positive move at all from Chrome, but I’ll bet that it gets changed or someone will come up with an add-in to rectify the problem. Agreed that most end users won’t install it and will remain vulnerable, but please let’s keep this in perspective, for if you cry wolf at the top of your lungs all the time, sooner or later people won’t listen to you when there is a real emergency.
Thanks
Robert
Wayne Small says
I hear you Rob, but here’s the problem… how do you tell users that it’s OK to use Google Chrome for this group of websites, but not this other group of sites? Is it not better to not use a product at all if there is a known (or soon to be known) issue? Let’s face it, users are not thinking about these types of things in the same way that we are… therefore I feel it’s not crying wolf, but it’s more preventing potential issues. Hope that helps you understand why I suggest we don’t use Chrome for anything 🙂
Robert Crane says
Wayne,
Hang on here, isn’t that a bit of a double standard? IE (all versions) is riddled with security issues and gets updated only when you run Windows Update. Chrome on the other hand updates constantly in the background, so it is always current. So doesn’t that actually make Chrome far more secure? Isn’t the major security issue on the web out-of-date browsers that get attacked via known vulnerabilities?
IE has many ‘known’ issues. Are you telling people not to use those versions as well? You can’t, because people will. All browsers are insecure; however, Chrome is certainly more secure than most in my experience.
I agree that this downgrade in security for Chrome is not something you want to see, but if you actually read the technical issues behind what and why the security risk is, it is simply not as bad as is being made out in the general IT press.
My point being that to simply make a blanket statement like that and NOT apply it to other browsers, which in many cases have far worse known security issues, is not being objective in my opinion.
Thanks
Robert
Wayne Small says
Rob,
I don’t think it’s double standards at all – every software package has security vulnerabilities. IE, in my client environments anyway, gets updated automatically via WSUS, therefore I can see centrally what client machines do and do not have those patches. I can’t do that with non-Microsoft apps as easily – therefore those apps present a risk to the business. Chrome may update constantly in the background, but without central visibility of it my SMB clients are more vulnerable than they are with IE.
For now – IE will remain my browser of choice and the one I recommend to clients to use, because I can see what is going on with patching. I have a responsibility to them to do my best to ensure that they are patched. I can’t do that with Chrome OR Firefox.
I’ve seen recent comment from Dana Epp however that makes me think long and hard about the entire certificate issue – he’s certainly someone I respect and he’s made some interesting comments about how easy it is for HIM to hijack things… let’s hope that there are not too many of “HIM” out there 🙂
Wayne
Rikki says
Your client environments are quite a different playing field, being domains under your monitoring.
What are our opinions on this: http://www.itproportal.com/2012/02/07/google-chrome-most-secure-web-browser-german-government-says/