An article on security in Google's Chrome browser has been published.
"The Web has become one of the primary ways people interact with their computers, connecting people with a diverse landscape of content, services, and applications. Users can find new and interesting content on the Web easily, but this presents a security challenge: malicious Web-site operators can attack users through their Web browsers. Browsers face the challenge of keeping their users safe while providing a rich platform for Web applications.
Browsers are an appealing target for attackers because they have a large and complex trusted computing base with a wide network-visible interface. Historically, every browser at some point has contained a bug that let a malicious Web-site operator circumvent the browser’s security policy and compromise the user’s computer. Even after these vulnerabilities are patched, many users continue to run older, vulnerable versions.5 When these users visit malicious Web sites, they run the risk of having their computers compromised.
Generally speaking, the danger posed to users comes from three factors, and browser vendors can help keep their users safe by addressing each of these factors:
- The severity of vulnerabilities. By sandboxing their rendering engine, browsers can reduce the severity of vulnerabilities. Sandboxes limit the damage that can be caused by an attacker who exploits a vulnerability in the rendering engine.
- The window of vulnerability. Browsers can reduce this window by improving the user experience for installing browser updates, thus minimizing the number of users running old versions that lack security patches.
- The frequency of exposure. By warning users before they visit known malicious sites, browsers can reduce the frequency with which users interact with malicious content.
Each of these mitigations, on its own, improves security. Taken together, the benefits multiply and help keep users safe on today’s Web.
In this article, we discuss how our team used these techniques to improve security in Google Chrome. We hope our first-hand experience will shed light on key security issues relevant to all browser developers."