Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Chrome Google Security

German Government Endorses Chrome As Most Secure Browser 174

New submitter beta2 writes "Several articles are noting that the German IT security agency BSI is endorsing Google Chrome browser: 'BSI ticked off Chrome's anti-exploit sandbox technology, which isolates the browser from the operating system and the rest of the computer; its silent update mechanism and Chrome's habit of bundling Adobe Flash, as its reasons for the recommendation. ... BSI also recommended Adobe Reader X — the version of the popular PDF reader that, like Chrome, relies on a sandbox to protect users from exploits — and urged citizens to use Windows' Auto Update feature to keep their PCs abreast of all OS security fixes. To update applications, BSI gave a nod to Secunia's Personal Software Inspector, a free utility that scan a computer for outdated software and point users to appropriate downloads.'"
This discussion has been archived. No new comments can be posted.

German Government Endorses Chrome As Most Secure Browser

Comments Filter:
  • Yes, beacuse silent updates let you know which security problems you may have been exposed to.

    • by Anonymous Coward

      If you took a moment to Google this information I think you would find it quite adequate:

      For example:

      That is pretty thorough if you ask me. I am not sure what else you would want there.

      • Does the silent update give me a link to that page?

        • Re:Yes, because... (Score:5, Insightful)

          by heypete ( 60671 ) <> on Saturday February 04, 2012 @04:47PM (#38929453) Homepage

          Perhaps not, but the vast majority of users don't care. Many users are not unlike my mother, who constantly clicks "Later" or "Not Now" whenever programs ask to install updates. For this reason, her computer is routinely several months behind the current updates.

          Having Chrome auto-update silently and without needing admin rights (as it by default installs itself only for the user that opened the installer, not system-wide) is enormously convienient (and the right choice) for most people.

          • I don't appreciate apps consuming bandwidth without my permission. I need to get work done, often involving traffic to remote sites (ica, vnc, ajax etc.) I don't want such obnixious behaviour to even be the default.
        • Yeah it should because it is *so* hard to find.
    • Re:Yes, because... (Score:4, Insightful)

      by Justin_Schuh ( 322319 ) on Saturday February 04, 2012 @04:47PM (#38929449)

      You may personally have the expertise to make good security decisions about your browser. However, all empirical evidence shows that the vast majority of users are not capable of that, and are much better served by a browser that manages updates for them.

      That said, you can disable automatic updates and perform them manually if you choose. However, I also consider myself capable of making those security decisions, and I still prefer the silent update dramatically over manually updating.

  • I take a look at Chrome every few versions or so, but I do not use it, for various 'comfort' reasons; I haven't decided whether it's useful for me to install Chromium since I seem to get by just fine with Opera and Firefox.

    Unless it's absolutely needful to run anything from Adobe, I prefer to use open-source alternatives, because they suit my admittedly pedestrian needs.

    On Windows systems, I've used Secunia to good effect since their on-line scanner became available; later I used PSI on Vista and Windows 7.

    • Secunia PSI tool ( [] ) is very usefull, I agree. It knows the most common software products, so I have to manually take care over a rather small list of software products.
      IMHO it should come preinstalled on every new Windows machine.
  • Adobe worship much? (Score:5, Interesting)

    by icebike ( 68054 ) * on Saturday February 04, 2012 @04:19PM (#38929249)

    It would seem to me that "Chrome's habit of bundling Adobe Flash" would be a detriment. But that's just me.

    They went on to recommend Adobe Reader X. I agree that pdf readers in a sandbox make a lot of sense, its just that I have no particular reason to trust Adobe, since it was their doing that made PDFs unsafe [] in the first place. With Chrome's built in PDF render engine, I find I seldom have to use the adobe plugin at all any more. (And when I do, I'm always suspicious).

    If Google wanted to do us all a favor they would to with Flash content what they did with PDF documents, and add their own in-browser render engine.

    That being said, I do like the sandboxing that Chrome supplies, and Google Chrome is my browser of choice.

    Some people don't like keying search terms in the URL bar, and other minor objections that, when investigated, all amount to "its not firefox". I've seen some reports of incredibly slow page fetches, which are usually traceable to external things (chrome likes to use multiple concurrent connections, and swamps some anti-virus packages that operate as a proxy server).

    For me, the speed can't be beat on any of the platforms I use (linux and windows - various flavors of each). I prefer Google's builds to those in the Chromium Open Source project but both work very well.

    • Yes, I would point out it uses the same chromium sandbox. But yes, adobe have only just started to secure it.
      • Flash is not yet in the Chrome sandbox (except on Chrome OS), but there's a work in progress that you can experiment with on canary or dev channels. []. On Windows, Chrome stable's Flash is in an enhanced Low IL sandbox, which is a bit tighter than the Internet Explorer sandbox, but much weaker than the full Chrome sandbox. (Basically, sandboxing an existing piece of software takes quite a bit of work to get right.)

        • No, the sandbox in adobe reader X is the chrome one.
          • No, the sandbox in adobe reader X is the chrome one.

            It is the Chrome sandbox, but the architecture lets you select the degree of sandboxing. IIRC the Reader X sandboxed process runs at sandbox::USER_LIMITED, which means it can access resources as the Users and Everyone SIDs, and it runs on the interactive desktop. Whereas Chrome runs its sandbox at sandbox::USER_LOCKDOWN, which is a deny only token plus an isolated window station and desktop (along with some additional restrictions).

            I don't want to undersell Adobe's accomplishment with Reader X, however. It'

            • Yeah, I just thought it was a major bit of information missing from the article, now back to a nice light pdf reader myself.
        • by icebike ( 68054 ) *

          I always run Dev channel, and have had very little problems with it.

          I'm going to try sandboxing Flash for a while.

          Where can we find definitions of "enhanced Low IL sandbox" to see what is or is not allowed therein?

    • it's called HTML5, and it will eventually kill flash

      'It would seem to me that "Chrome's habit of bundling Adobe Flash" would be a detriment. But that's just me.'

      and you are wrong. people want to see flash. and if a browser did not offer them flash, they simply wouldn't use the browser

      so give google credit for meeting users half way: "look, you want flash, and you don't care about your security, so we are going to give you what you want in the most secure way possible, in spite of yourself"

      don't hold against

      • by icebike ( 68054 ) *

        My comment had nothing to do with giving Google "credit".

        It had to do with BSI's decision to cite Chrome's bundling of Flash as a reason for recommendation.
        A true security organization would not make that a reason for a recommendation, rather they would cite it as a detriment, a blemish, (even for Flash in a sandbox given Adobe's history).

        As for people wanting flash, its value is negative in most people's eyes. People hate it more than you know.

        Its nothing but an advertising tool to most people. A source o

        • you're wrong

          BSI is 100% right for citing Chrome bundling flash as a reason for recommendation

          when adobe pushes a security update, chrome automatically pushes a browser update. and if the user leaves the browser running for days, chrome starts politely reminding them they have to close and reopen the browser. this is as good as you can do to make sure flash is as up-to-date as possible

          it is not the most ideal model of security, period. it is simply best-of-the-pack security model. and so it deserves a recommendation for that practice from BSI

          • by icebike ( 68054 ) *

            Actually, the only part of that I like is the Sandboxing of Flash.

            The bundling I attribute to clever Adobe Marketing.

            If the sandboxing was half as good as Google seems to think it is, keeping Flash up to date would not be that critical, would it?

            • yes, that is true

              but the BSI recommendation is still good

              not because the BSI is in the business of making absolute security recommendations, but because it is in the business of making best-of-the-pack recommendations

      • It is the chicken and the egg. If a large sizable audience wont have flash then the bosses who own these websites wont demand their webmasters to include it.

        THe reason HTML 5 is not here is because of IE. Old IE actually as even IE 9 is struggling to gain traction a year after it was released. Companies after being burned with IE 6 only sites did not learn their lesson and simply made them IE 8 only which has no HTML 5 support. These users need flash unfortunately.

        What killed IE 6 finally last year was that

        • by mcgrew ( 92797 ) *

          It is the chicken and the egg

          Would someone please come up with a better cliche? One that actually had merit?

          1. The egg came first. Dinasaurs layed eggs millions of years before they evolved into chickens.

          2. Who has chicken for breakfast?

          Companies after being burned with IE 6 only sites did not learn their lesson

          Then they should die. We should not reward mediocrity and incompetence.

          and simply made them IE 8 only which has no HTML 5 support. These users need flash unfortunately.

          No, they need to use a

    • Bundling of Flash is a plus because basically everyone ends up installing it, and by having it in the browser, then theoretically it's kept up to date better for non-technical users. I don't know if there's a way to disable it for the very paranoid though, I'd hope so.

      • by icebike ( 68054 ) *

        Yes, you can disable Flash in Chrome, either by keying in the address bar "about:plugins" with no quotes,
        or by using the menus and navigating to /Options / under the hood / Content settings button / Disable link.

        On Android, you have the option of running Flash only on demand, (my preferred way), but on Google Chrome you really don't have that option in the same easy way.

        I leave flash on most of the time on those platforms that have the horsepower to handle them. I don't like it, its an annoyance, but its n

        • I'm not familiar with the Android Flash only on demand feature but Chrome can be configured to run Flash only when you click on it:
          1. Type in URL: chrome://flags and enable the
          "Click to play" option (Enables a "click to play" option in the plug-in content settings.)
          2. Restart Chrome.
          3. Type in URL: chrome://settings/content and under "Plug-ins" choose "Click to play" instead of the default "Run automatically".
          From now on, Flash will only run if you click on it.

    • Perhaps Google Chrome is the only browser than can take care of Flash Cookies and (the many) Flash Vulnerabilities in a secure manner. Good thing flash is free. I'd never pay to install a security hole in my computer.

    • by makomk ( 752139 )

      Chrome's built in PDF reader is a proprietary bundled plugin, and I think it's largely developed by Adobe too. Certainly it's not available to users of the open source Chromium; neither is the bundled Flash plugin. (Of course, downloading the Flash plugin installer from the Adobe website will try and install Google's proprietary version Chrome if you're a Windows user and not very careful about which download you choose. Apparently it even does it silently and without prompting unless you manage to find and

    • Chrome feels fast because the ui stays responsive while the browser is busy. But on rendering any huge and complex pages, Firefox wipes the floor with chrome, not to mention Chrome using obscene amounts of RAM, which makes it an unusable nightmare on machines just a few years older.

  • saw this coming (Score:1, Interesting)

    Well, IE is IE but the reason I'm really not surprised is all my repair customers who have Firefox give me an extra headache. You can uninstall Firefox completely then reinstall it from scratch with nothing preserved and you'll still have the MyWebSearch toolbar and basically any other malware that was on it before. You have to actually delete the plugins folder out in Program Files to actually clear it. The add/remove plugins menu is confusing and non-exhaustive compared to IE8 and 9. It's really, real
  • But this newest update they sent... is blowing my CPU util of the charts...

    I can open just Gmail, come back 8hrs later (ie, going to sleep), come
    back and my laptop fan is roaring like a jet taking off, utilization is well
    above 50%, with kernel involved and both cores.

    I don't know if it's new Chrome update interacting with SWF or something
    that they (Google) did to their pages. When I run Chrome taskman, it
    shows the tabs that have Google apps on them, just smoking the CPU.

    This isn't flamebait or trolling... i

    • by Anonymous Coward

      Start by upgrading that 40-characters-wide monitor of yours, then we'll talk about your Chrome problems.

    • I've been using Chromium for a few months with Gmail, and haven't had any problems at all. I wouldn't be too surprised if it's that Flash crap. I used to have all kinds of problems with Flash processes pegging the CPU when I used Firefox. Anything that Flash touches turns to shit.

  • by ChadL ( 880878 ) * on Saturday February 04, 2012 @04:49PM (#38929459) Homepage
    I use Firefox because it has NoScript and SSLEverywhere, that Chrome doesn't (or doesn't that have equivilent funcionality); thus making Firefox more secure for my usage paterns.
    • by Anonymous Coward

      Sorta, except that when a security vulnerability is identified and exploited in Firefox that browser doesn't do anything to mitigate the extent of possible damage. Aside plugins themselves there have been vulnerabilities in common image libraries in the past which have been exploitable through a web browser. In Chrome (and IE) such would land arbitrary code within a sandbox, but in Firefox that code runs as the same context as your user and can trash your profile (or set up a zombie, which generally doesn

  • Adobe in the same sentence as secure?

    I do not know what world they are living in but post 2008 since the death of IE 6 the number one infection of the web is not javascript or browser exploits but infected flash, java, and adobe files. They infect all platforms regardless of browser and is a nice run around since browsers generally have huge resources put in security development. I am shocked most geeks still allow flash and java enabled in work computer browsers outside the intranet and allow adobe acrobat

    • The Network Predictions option can be toggled in Under The Hood>"Predict network actions to improve page load performance" and I thought it might even ask you if you want it on when you first set up Chrome? (unsure)
  • Do they have people who know absolutely nothing about computers writing these recommendations?

    Go to first and decide whether that update is going to break your computer! There's nothing good about automatic updating - it just breaks things and adds bloat!

  • Fanboys argue amongst each other about which browser is the best. This quickly snowballs into a heated debate about which OS is more secure, and which browser is most secure on what operating system. In the end, after the thread is left in a smoldering heap of baseless accusations, groundless conjecture and a little bit of superstition, we all end up looking like basement dwellers to the casual observer.

    If you must know, my browser is made from alien technology and does some of them there fancy things.
  • Assuming Google doesn't have a "sendCopyOfUsersDataToGoogle()" function buried in the Chrome code base.....which is a very real possibility, Chrome *might* be the most secure browser in that if anyone rapes the user, it will be Google themselves.

    If Chrome is that well built, it might be worthwhile to use one of the open source recompilations that check for and remove spy code.

    Still, you have to trust that the developers are good enough to spot it.

    • Additionally, they may not rape you now but can easily add the rape function via silent update.

      Oh, right, I can disable updates... and that's more secure? Sorry, no it's not.

      I only trust browsers that I compile myself -- Before you ask: Yes, I do read through every line of code & diff-logs of updates looking for evilness therein. I'm actually two of those "many eyes" out there that help improve security and fix bugs... I can't compile Chrome, I don't use it. IMHO, I can't trust Chrome -- It has so

Today is a good day for information-gathering. Read someone else's mail file.