[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Google's Chrome Web Browser and Tor

Nick Mathewson wrote:
On Thu, Sep 04, 2008 at 03:20:34PM -0700, Kyle Williams wrote:
Hi all,

I've been playing around with Google's new web browser and Tor.  I thought
it might be good to share my findings with everyone.
After reading Google's privacy policy[1], I for one would not want to use
this on a regular basis, if at all.

The first bug I tried was an old one I found with Firefox; the NEWS:// URI
Any link that has a NEWS:// URI will launch Outlook Express and attempt to
contact the server in the URL...without using Tor.

The second bug I found resulted in local file/folder disclosure.
This is very similar to the one I found in Internet Explorer.

The third bug I found was with MIME-TYPEs, specifically Windows Media Player
supported formats.
The BANNER tag can also leak your IP address when the playlist is loaded
*IF* WMP is not set to use a proxy.
Also, a playlist in WMP can specify protocols that use UDP, hence, no proxy
support...no Tor.

On the flip-side, it is very cool how each browser tab is it's own process,
making several types of attacks much more difficult.
However, with an invasive privacy policy, local proxy bypassing, and local
files/folders able to be read from your hard drive, I've decided not to use
this browser.

It just doesn't feel privacy/anonymity friendly to me.
Anyone else want to chime in on this?

I dig what I've heard of the Chrome architecture, but it seems clear
that, like every other consumer browser, it's not suitable for
anonymous browsing out-of-the-box.  The real question will be how easy
it is to adapt it to be safe.  Torbutton, for instance, has proven to
take some pretty extreme hackery to try to shut down all of Firefox's
interesting leaks.  If it turned out to be (say) an order of magnitude
easier to extend Chrome to be anonymity-friendly, that would be pretty
awesome.  We'll see, I guess.

Has anybody looked into Chrome's extension mechanisms?  It would be
neat to know how hard it would be to address the information leaks
addressed in, say, https://www.torproject.org/torbutton/design/ .

ISTM this thing is more a web 2.0 portal than a browser; it is conceived and designed first and foremost to make user access of Google online services smooth, slick, (and advertisement laden). Its secondary function as a good browser simply allows most users to have only one browser active.

Given it is OpenBSD Open source, if it proves to be a good design (interesting for sure) with potential to become a good privacy browser, and proves to have the very-quick JS engine that some claim, it might be "forked" at some point.

The first thing the sibling would hopefully do is remove the "unique application number" business (see below); the second would be all phone-home features (see below).

Even if it doesn't become officially forked, if it becomes a good package (say, 6 months from now after intense support and development), there will likely be patch files and/or "enthusiast" versions available.

Certainly Linux/TOR users will "repair" the userid business before compiling it (or with a hex editor), and firewall-off any connection with home base.

Thankfully, Opera with plugins removed is already an extremely quick, lightweight, secure, general-purpose TOR and non-TOR browser; FireFox with extensions well-addresses "expanded features", so dual-browser users can comfortably wait for chrome to mature.


"When you type URLs or queries in the address bar, the letters you type
are sent to Google so the Suggest feature can automatically recommend
terms or URLs you may be looking for. If you choose to share usage
statistics with Google and you accept a suggested query or URL, Google
Chrome will send that information to Google as well. You can disable
this feature as explained here.
If you navigate to a URL that does not exist, Google Chrome may send the
URL to Google so we can help you find the URL you were looking for. You
can disable this feature as explained here.
Google Chrome's SafeBrowsing feature periodically contacts Google's
servers to download the most recent list of known phishing and malware
sites. In addition, when you visit a site that we think could be a
phishing or malware site, your browser will send Google a hashed,
partial copy of the site's URL so that we can send more information
about the risky URL. Google cannot determine the real URL you are
visiting from this information. More information about how this works is
Your copy of Google Chrome includes one or more unique application
numbers. These numbers and information about your installation of the
browser (e.g., version number, language) will be sent to Google when you
first install and use it and when Google Chrome automatically checks for
updates.  If you choose to send usage statistics and crash reports to
Google, the browser will send us this information along with a unique
application number as well.  Crash reports can contain information from
files, applications and services that were running at the time of a
malfunction.   We use crash reports to diagnose and try to fix any
problems with the browser."