Though some of the best security features are already found in Google Chrome, the Chrome blog tells of new additions on the way that will make the security tighter still. Some of the add-ons are stated to be in other browsers, such as Internet Exploder 8, Firefox, and Safari 4, already. (Imagine Internet Exploder being the first to have anything!)
The notice from PC Magazine brings our attention to the Chrome blog, which explains many of the changes and the concepts but does not give a timetable for them; some are already implemented, others are on the way, but at unknown intervals.
Google has announced a number of security enhancements that are being implemented in Chrome. Some have already been implemented in other browsers, including Firefox and IE, and in significant add-ons like NoScript.
Strict-Transport-Security is an HTTP response header that a site can send to a browser to tell it to communicate with the site only via HTTPS, so that later plain-HTTP links and bookmarks are rewritten to HTTPS before a request is sent. This should provide extra protection against snooping, although it is not bullet-proof: the browser learns the policy only from a response it has already received over HTTPS, so the very first visit is unprotected, and the policy lapses when its max-age expires. It is already implemented in NoScript, and a native Firefox implementation is being worked on. Some security-conscious web sites, including PayPal, have begun to use it.
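As an added example (not code from the page, nor from Chrome, NoScript or Firefox), here is a small model of the state a browser keeps for Strict-Transport-Security and the decision it makes before each plain-HTTP request. The function and class names (parseHsts, HstsStore) and the timestamps are this example's own assumptions; it is written to show the caveats above in code: the header is ignored when it arrives over plain HTTP, nothing is known before the first HTTPS response, and an expired entry stops upgrading.

```javascript
// Added example: a minimal HSTS store, not any browser's real implementation.

// Parse a Strict-Transport-Security header value such as
//   "max-age=31536000; includeSubDomains"
// Returns null when there is no usable max-age (the header is then ignored).
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, v] = directive.split('=').map(s => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      if (v === undefined) return null;
      const n = Number(v.replace(/^"|"$/g, ''));
      if (!Number.isInteger(n) || n < 0) return null;
      result.maxAge = n;
    } else if (lname === 'includesubdomains') {
      result.includeSubDomains = true;
    }
  }
  return result.maxAge === null ? null : result;
}

class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record the header seen on a response. It only counts when the response
  // came over TLS (otherwise a network attacker could set policy); max-age=0
  // tells the browser to forget the host.
  observe(host, headerValue, overTls, nowSec) {
    if (!overTls) return;
    const parsed = parseHsts(headerValue);
    if (!parsed) return;
    if (parsed.maxAge === 0) { this.entries.delete(host); return; }
    this.entries.set(host, {
      expires: nowSec + parsed.maxAge,
      includeSubDomains: parsed.includeSubDomains,
    });
  }

  // Should an http:// request to this host be rewritten to https:// ?
  // Walks from the exact host up through its parent domains; a parent entry
  // applies only if it was sent with includeSubDomains.
  shouldUpgrade(host, nowSec) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= nowSec) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}
```

The first `shouldUpgrade` call for a host always returns false, which is the gap a downgrade attacker on the first connection can exploit; that is why long max-age values are recommended and why the page's "not bullet-proof" caveat stands.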
The postMessage API is a method for embedding gadgets in web pages that gives them rich communication with other page code while retaining better security than previous methods allowed: the browser delivers each message with the sender's origin attached, so the receiving page can decide whom to trust. All the major browsers implement it.
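As an added example (not code from the page or from any browser), the receiving and sending halves of a postMessage exchange, written as plain functions so they run outside a browser. The event shape `{ origin, data }` mirrors the browser's MessageEvent, and the gadget origin `https://gadgets.example` and the function names are this example's assumptions. It puts the pattern that trusts every message next to the one that checks the origin and the message shape.

```javascript
// Added example: origin checking on postMessage, not any library's code.

// Insecure receiver: applies whatever arrives. Any page that can get a
// reference to this window (by opening or framing it) can feed it data.
function insecureHandler(event, applyUpdate) {
  applyUpdate(event.data);
  return true;
}

// Hardened receiver: event.origin is filled in by the browser and cannot be
// forged by the sender, so it is the right thing to check. The payload is
// then validated before use and treated as text, never inserted as HTML.
function makeMessageHandler(allowedOrigins, applyUpdate) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return false;        // unexpected sender: drop
    const msg = event.data;
    if (typeof msg !== 'object' || msg === null) return false;
    if (msg.type !== 'update' || typeof msg.text !== 'string') return false;
    applyUpdate(msg.text);
    return true;
  };
}

// Sending side: name the target origin rather than '*'. If the frame has been
// navigated to some other site, the browser then withholds the message
// instead of handing it to whoever is there now.
function sendToGadget(targetWindow, payload, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to post to wildcard origin');
  targetWindow.postMessage(payload, targetOrigin);
}
```

In a real page `makeMessageHandler` would be registered with `window.addEventListener('message', handler)`, and `targetWindow` would be the gadget's `iframe.contentWindow`; the fake objects in the test stand in for those.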
The Origin header allows web sites and browsers to collaborate in order to prevent an attack called CSRF (cross-site request forgery), in which a malicious site tricks the browser into sending a request to another site where the user is logged in; the browser attaches the user's cookies for that site, so the request is carried out with the victim's authority. With the Origin header the browser tells the target site which page caused the request, and the site can refuse requests that did not come from its own pages. The spec for the Origin header is still being finalized.
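As an added example (not code from the page, nor from any browser or framework), the server-side half of an Origin-based CSRF check. The request object shape, the site origin `https://bank.example` and the function names are this example's assumptions. It falls back to Referer for browsers that do not send Origin, and refuses a state-changing request that carries neither, since an attacker's page can suppress Referer.

```javascript
// Added example: CSRF check on the Origin header, framework-agnostic.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Reduce a URL to its origin (scheme://host[:port]); null if it will not parse.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Decide whether a request may proceed. Returns { allowed, reason } so the
// caller can log why a request was refused.
function checkCsrf(req, siteOrigin) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: 'safe method' };

  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) headers[k.toLowerCase()] = v;

  const origin = headers['origin'];
  if (origin !== undefined) {
    // The literal string "null" is what browsers send for sandboxed frames and
    // data: URLs; it never equals a real origin, so it is refused here.
    if (origin === siteOrigin) return { allowed: true, reason: 'origin matches' };
    return { allowed: false, reason: 'origin mismatch: ' + origin };
  }

  // Browsers without Origin support: compare the Referer's origin instead.
  const referer = headers['referer'];
  if (referer !== undefined) {
    if (originOf(referer) === siteOrigin) return { allowed: true, reason: 'referer matches' };
    return { allowed: false, reason: 'referer mismatch' };
  }
  return { allowed: false, reason: 'no Origin or Referer on state-changing request' };
}
```

Safe methods pass because CSRF protection only matters for requests that change state; that in turn assumes the application never performs side effects on GET, which is the usual companion rule.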
First implemented in IE8 and then Safari 4, X-Frame-Options is an HTTP header that allows a site to instruct a browser not to render it inside a frame (DENY), or only inside frames belonging to the same origin (SAMEORIGIN). This prevents some forms of clickjacking attack, where an attacker's page frames the target invisibly and lures the user into clicking on it.
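As an added example (not code from the page, nor from IE8, Safari or WebKit), the decision a browser makes when a framed response carries X-Frame-Options, written as a function over the header value and the origins of the frames that would contain the page. The function names and the origins used are this example's assumptions; the model follows the current specification's treatment of the header rather than any one browser's historical behaviour.

```javascript
// Added example: X-Frame-Options evaluation, not a browser's real code.

// ancestorOrigins lists the origins of the pages that would contain this
// document: index 0 is the direct parent, the last entry is the top-level
// page. An empty array means the document is loading at top level.
function mayBeFramed(xfoHeader, ancestorOrigins, selfOrigin) {
  if (ancestorOrigins.length === 0) return true;    // not framed at all
  if (xfoHeader === undefined) return true;         // no header: framing allowed (the clickjackable default)
  const [directive, arg] = xfoHeader.trim().split(/\s+/);
  switch (directive.toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      // Every ancestor must share the document's origin. Checking only the
      // top frame would let a same-origin page nest a hostile cross-origin
      // frame between itself and the protected document.
      return ancestorOrigins.every(o => o === selfOrigin);
    case 'ALLOW-FROM':
      // Legacy single-origin allowance compared against the top-level page;
      // only some browsers ever honoured it, so do not rely on it.
      return arg !== undefined && ancestorOrigins[ancestorOrigins.length - 1] === arg;
    default:
      // Unrecognised values are ignored by browsers, so a typo in the header
      // silently turns the protection off. Model that rather than hide it.
      return true;
  }
}

// Server side: the header must be on every response, error pages included,
// because the only policy a frame can apply is the one on the response it
// actually rendered.
function addFrameProtection(headers, policy = 'DENY') {
  return Object.assign({}, headers, { 'X-Frame-Options': policy });
}
```

The `DENNY` case in the test is the one to remember: an unparsable header is no header, which is why it pays to verify the value in the browser's developer tools rather than trust the configuration.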
Finally, one of the most widespread forms of vulnerability on the web is XSS (cross-site scripting) in web sites. IE8 introduced an XSS filter which checks whether a script that is about to run is also present in the HTTP request for the page, which is a strong clue that it is a reflected XSS attack. Some, but not all, XSS attacks are prevented in this way: stored XSS, where the script comes from the server's database rather than from the request, leaves nothing in the request to match. Google is implementing its filter in the WebKit rendering engine, which has some technical advantages and also allows other WebKit-based browsers, such as Apple's, to get the same benefits.
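As an added example (not code from the page, and not the IE8 or WebKit filter), the core heuristic described above: pull inline scripts and event-handler attributes out of the response and report those that also appear in the request URL. The sample URLs and HTML are constructed for the example, and the function names are this example's own; a real filter also has to decide what to do with a hit (IE8 neutered the script rather than blocking the page) and has to cope with far more encoding tricks than the normalisation here.

```javascript
// Added example: reflected-XSS detection by request/response matching.

// Decoded values of every query parameter in the request URL.
function decodeParams(url) {
  const out = [];
  for (const [, v] of new URL(url).searchParams) out.push(v);
  return out;
}

// Normalise so that trivial whitespace and case differences do not defeat
// the comparison. Real filters do much more (entity decoding, comments, ...).
function norm(s) {
  return s.replace(/\s+/g, '').toLowerCase();
}

// Inline <script> elements and on* handler attributes in the response body.
function extractScripts(html) {
  const found = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const handlerRe = /\son\w+\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) found.push(m[0]);
  while ((m = handlerRe.exec(html)) !== null) found.push(m[0].trim());
  return found;
}

// Scripts in the response that also occur inside a request parameter: the
// signature of reflected XSS. Stored and DOM-based XSS produce no hit because
// the attacker's script never travels in this request.
function reflectedScripts(requestUrl, responseHtml) {
  const params = decodeParams(requestUrl).map(norm);
  return extractScripts(responseHtml).filter(script => {
    const n = norm(script);
    return params.some(p => p.length > 0 && p.includes(n));
  });
}
```

The second assertion in the test is the "not all" of the paragraph: a script planted in a stored comment is indistinguishable, to this heuristic, from the site's own code.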
Of course, my secondary browser, SRWare’s Iron, will undoubtedly be right behind with the changes implemented, so that will make me very happy. The latest revision of Iron, 4.0.280, brought stability and no more of the “Aw, snap!” errors on my Windows 7 x64 machine. Also, the addition of easily added extensions makes it very enticing for those not yet weaned from Firefox. (A fix for the StumbleUpon extension from two days ago has it working without problem, so I’m quite happy – as of right now, there is no StumbleUpon widget for Opera.)
I’m still a major Opera fan, and probably will be for the foreseeable future, but Chrome (or Iron) is showing much more progress than any other browser ever has – you’d think that the Google guys were working 24 hours a day.
Bureaucrats write memoranda both because they appear to be busy when they are writing and because the memos, once written, immediately become proof that they were busy.
– Charles Peters
≡≡ Ḟᴵᴺᴵ ≡≡