An article on security in Google's Chrome browser has been published.
"The Web has become one of the primary ways people interact with their computers,
connecting people with a diverse landscape of content, services, and applications.
Users can find new and interesting content on the Web easily, but this presents
a security challenge: malicious Web-site operators can attack users through their
Web browsers. Browsers face the challenge of keeping their users safe while providing
a rich platform for Web applications.
Browsers are an appealing target for attackers because they have a large and complex
trusted computing base with a wide network-visible interface. Historically, every
browser at some point has contained a bug that let a malicious Web-site operator
circumvent the browser’s security policy and compromise the user’s
computer. Even after these vulnerabilities are patched, many users continue to
run older, vulnerable versions.[5] When these users visit malicious Web sites, they
run the risk of having their computers compromised.
Generally speaking, the danger posed to users comes from three factors, and browser
vendors can help keep their users safe by addressing each of these factors:
- The severity of vulnerabilities. By sandboxing
their rendering engine, browsers can reduce the severity of
vulnerabilities. Sandboxes limit the damage that can be caused by an
attacker who exploits a vulnerability in the rendering engine.
- The window of vulnerability. Browsers can reduce
this window by improving the user experience for installing browser
updates, thus minimizing the number of users running old versions that
lack security patches.
- The frequency of exposure. By warning users
before they visit known malicious sites, browsers can reduce the
frequency with which users interact with malicious content.
Each of these mitigations, on its own, improves security. Taken together, the
benefits multiply and help keep users safe on today’s Web.
In this article, we discuss how our team used these techniques to improve security
in Google Chrome. We hope our first-hand experience will shed light on key security
issues relevant to all browser developers."