Nick Mathewson wrote:
On Thu, Sep 04, 2008 at 03:20:34PM -0700, Kyle Williams wrote:Hi all, I've been playing around with Google's new web browser and Tor. I thought it might be good to share my findings with everyone. After reading Google's privacy policy[1], I for one would not want to use this on a regular basis, if at all. The first bug I tried was an old one I found with Firefox; the NEWS:// URI type. Any link that has a NEWS:// URI will launch Outlook Express and attempt to contact the server in the URL...without using Tor. The second bug I found resulted in local file/folder disclosure. This is very similar to the one I found in Internet Explorer. The third bug I found was with MIME-TYPEs, specifically Windows Media Player supported formats. The BANNER tag can also leak your IP address when the playlist is loaded *IF* WMP is not set to use a proxy. Also, a playlist in WMP can specify protocols that use UDP, hence, no proxy support...no Tor. On the flip-side, it is very cool how each browser tab is it's own process, making several types of attacks much more difficult. However, with an invasive privacy policy, local proxy bypassing, and local files/folders able to be read from your hard drive, I've decided not to use this browser. It just doesn't feel privacy/anonymity friendly to me. Anyone else want to chime in on this?I dig what I've heard of the Chrome architecture, but it seems clear that, like every other consumer browser, it's not suitable for anonymous browsing out-of-the-box. The real question will be how easy it is to adapt it to be safe. Torbutton, for instance, has proven to take some pretty extreme hackery to try to shut down all of Firefox's interesting leaks. If it turned out to be (say) an order of magnitude easier to extend Chrome to be anonymity-friendly, that would be pretty awesome. We'll see, I guess. Has anybody looked into Chrome's extension mechanisms? It would be neat to know how hard it would be to address the information leaks addressed in, say, https://www.torproject.org/torbutton/design/ .
ISTM this thing is more a web 2.0 portal than a browser; it is conceived and designed first and foremost to make user access of Google online services smooth, slick, (and advertisement laden). Its secondary function as a good browser simply allows most users to have only one browser active.
Given it is OpenBSD Open source, if it proves to be a good design (interesting for sure) with potential to become a good privacy browser, and proves to have the very-quick JS engine that some claim, it might be "forked" at some point.
The first thing the sibling would hopefully do is remove the "unique application number" business (see below); the second would be all phone-home features (see below).
Even if it doesn't become officially forked, if it becomes a good package (say, 6 months from now after intense support and development), there will likely be patch files and/or "enthusiast" versions available.
Certainly Linux/TOR users will "repair" the userid business before compiling it (or with a hex editor), and firewall-off any connection with home base.
Thankfully, Opera with plugins removed is already an extremely quick, lightweight, secure, general-purpose TOR and non-TOR browser; FireFox with extensions well-addresses "expanded features", so dual-browser users can comfortably wait for chrome to mature.
<http://www.google.com/chrome/intl/en/privacy.html> "When you type URLs or queries in the address bar, the letters you type are sent to Google so the Suggest feature can automatically recommend terms or URLs you may be looking for. If you choose to share usage statistics with Google and you accept a suggested query or URL, Google Chrome will send that information to Google as well. You can disable this feature as explained here. If you navigate to a URL that does not exist, Google Chrome may send the URL to Google so we can help you find the URL you were looking for. You can disable this feature as explained here. Google Chrome's SafeBrowsing feature periodically contacts Google's servers to download the most recent list of known phishing and malware sites. In addition, when you visit a site that we think could be a phishing or malware site, your browser will send Google a hashed, partial copy of the site's URL so that we can send more information about the risky URL. Google cannot determine the real URL you are visiting from this information. More information about how this works is here. Your copy of Google Chrome includes one or more unique application numbers. These numbers and information about your installation of the browser (e.g., version number, language) will be sent to Google when you first install and use it and when Google Chrome automatically checks for updates. If you choose to send usage statistics and crash reports to Google, the browser will send us this information along with a unique application number as well. Crash reports can contain information from files, applications and services that were running at the time of a malfunction. We use crash reports to diagnose and try to fix any problems with the browser."