If you would like to read the other parts in this article series please go to
- Web Browser Security Revisited (Part 1)
- Web Browser Security Revisited (Part 2)
- Web Browser Security Revisited (Part 3)
- Web Browser Security Revisited (Part 5)
- Web Browser Security Revisited (Part 6)
- Web Browser Security Revisited (Part 7)
Introduction
In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they’re implemented. In Part 3, we looked at how to configure IE for best security. Now, in Part 4, we’ll examine how to do the same with Google Chrome.
Configuring Google Chrome for best security practices
First, of course, you need to be sure you’re running the most recent release version of Chrome. If you’re new to Chrome, figuring out what that is can be a little confusing sometimes because the Chrome download site doesn’t tell you, at least in any obvious place, what version you’re downloading. You may also get confused, if you do a web search, by the fact that there are downloads/information about both the Chrome browser and the Chrome operating system. You’ll also see references to “stable editions” and that means the release version (as opposed to beta).
Security updates
At the time of this writing (November 22, 2013), the latest stable release is version 31.0.1650.61 and the beta is v32. By default the Windows version of Chrome is set to automatically update, and it will detect and install the latest stable version when released. Turning off auto updates requires you to either use the Google Update administrative templates for Group Policy or edit the registry. This is not recommended for best security practices, but if you have a situation where you need to turn off auto updates (for example, to test new versions before they’re installed on users’ computers), you can down the administrative templates here.
The relevant registry key is:
HKLM\SOFTWARE\Policies\Google\Update\AutoUpdateCheckPeriodMinutes and you would set the REG_DWORD value to 0.
Configure security and privacy settings
Google has garnered a reputation over the years for aggressively collecting users’ personal information to an even great extent than other online companies and for cross-linking user identities and information among its many services. Microsoft – which does the same sort of cross-linking with Microsoft accounts that are increasingly used to sign into multiple Microsoft services, sometimes automatically – has extended its “scroogle” ad campaign accusing Google of misusing users’ personal information, reinforcing that perception.
There are a number of cases where the browser sends certain information about the pages you attempt to access or the searches you make to Google by default. You can change that. Some of the other privacy settings are about protecting your personal information from being collected by the web sites you visit, not about protecting it from the browser vendor. You’ll find all of these settings by clicking Settings near the bottom of the Chrome menu (indicated by three small horizontal lines in the top right corner of the browser window). Then Click Show advanced settings… at the bottom of the Settings page.
If you’re concerned about Google collecting information (which it does for various reasons, such as helping to resolve navigation errors, suggesting/predicting sites you might want to visit, and speeding up performance by pre-fetching links), uncheck the first three checkboxes under the Privacy section that are checked by default:
- Use a web service to help resolve navigation errors
- Use a prediction service to help complete searches and URLs typed in the address bar
- Predict network actions to improve page load performance
Also note that if you’ve enabled Use a web service to resolve spelling errors (which is not enabled by default), Chrome sends text you type to Google’s servers in order to check the spelling.
For best security practices, you probably want to check the fourth box, Enable phishing and malware protection, but be aware that this will send a partial copy of the URL for the sites you visit to Google, so it can check it against the list of phishing sites.
You might also be curious about what gets sent to Google if you select to Automatically send usage statistics and crash reports to Google (not enabled by default). In that case, the information about preferences, button clicks and usage of memory are sent as aggregated statistics, but the crash reports can contain system information, URLs and personal information. Unfortunately, you can’t choose to send usage statistics but not crash reports; it’s an “all or nothing” decision.
Note that enabling Send a ‘Do Not Track’ request with your browsing traffic also is not enabled by default. Enabling it will theoretically prevent web sites from tracking your visits with cookies. However, it really is a “request” only – not a command. Some web sites may not comply with the request and may still collect your browsing data.
You can more finely tune how the browser handles cookies by clicking the Content Settings button, which gives you options to allow local data to be set (the default), keep local data only until you close the browser, block sites from setting data, or block third party cookies and site data. You can also create exceptions to allow, block or clear on exit cookies from specific sites (via the Manage exceptions button), and you can see the stored cookies (and remove them) via the Cookies and site data button.
The Content Settings page is also where you can block sites from running Javascript, and again you can make exceptions to block Javascript from specific sites if you’ve chosen to allow it generally, or to allow Javascript to run on specific sites if you’ve chosen not to allow it. Under the Plug-ins section, you can allow installed plug-ins to run automatically, block them all, or require a click to play a plug-in. Again, you can create exceptions to the general rule you’ve selected, and you can disable individual plug-ins. The Pop-up section works the same way; you can allow all sites to show pop-ups, block them from all sites, and create exceptions to your chosen rule.
As we discussed in the section on Internet Explorer, location tracking is now popular. By default, Chrome is set to ask you when a site tries to track your physical location, but you can set it not to allow such tracking or to allow all sites to track you without asking, and you can create exceptions for specific sites.
Other privacy settings that you might want to double check include whether to identify for protected content, whether to block sites from accessing your computer’s or device’s microphone and camera (with the ability to create exceptions), and whether or not web sites can use an unsandboxed plug-in to access your computer, with or without asking (Some web sites require that you allow plug-ins to bypass Chrome’s sandboxing and have direct access in order to stream video or install software you buy).
An important setting and the last one on this page is where you can ensure that web sites can’t automatically download multiple files to your computer without asking. The default setting is to ask whenever a site tries to do this, but you can also completely block sites from multiple automatic file download (and of course, you can set exceptions for sites that you trust).
In most cases, the most secure practice is to disallow everything and then create exceptions for any sites that need to do what you’ve blocked. This is in keeping with the principle of least privilege that is the underlying foundation of a high-security strategy. It’s more trouble than taking the easy way (allowing all and hoping nothing malicious gets through) or the middle road (having sites ask every time they want to do something – which in theory is a great idea but often has the unintended consequence of becoming so tiresome that users start just automatically clicking “allow” whenever the question pops up).
Some privacy-related settings aren’t found under the Privacy Settings heading; you may have to go hunting for them. For instance, you can clear items from the search history through the History setting on the main Chrome menu (Clear browsing data… button). You can select and remove only individual items, as well.
Note that you can also select, by clicking Signed in as <your ID> and then Advanced sync settings, whether to encrypt your synced passwords with your Google credentials or with your own passphrase that’s stored only on your local computer, not on Google’s server. You can also disconnect your Google account from Chrome here. This is the most secure setting; when you sync, preferences, autofill information and more (along with passwords) are stored on Google’s servers. To prevent Chrome from saving autofill information, in the Advanced Settings section under Passwords and forms, uncheck Enable Autofill to fill out web forms in a single click. Here you can also uncheck Offer to save passwords I enter on the web.
Chrome for Business
The configuration settings referenced above are applicable to both the regular version of Chrome that you can download from www.google.com/chrome and the Chrome for Business version. Both have the same features, but with Chrome for Business, you can use Group Policy and have more control over automatic updates. In the next installment of this series, we’ll discuss Chrome for Business.
Summary
In this, Part 4 of our series on web browser security, revisited, we discussed how to adjust Google Chrome’s security and privacy settings for best security practices. Next time, we’ll look at the benefits of using Chrome for Business and then move on to configuring Mozilla Firefox for best security.
If you would like to read the other parts in this article series please go to
