I know that Chrome code is open source, but I really wish it wasn’t. Brendan Eich at Mozilla must be quietly spitting chips.

Which brings me to my point. I’m going to go out on a limb here and expand the concept of security momentarily.

As I have spent much of my career coding ways and means of capturing granular, user specific data I’m really not very comfortable with an independent (and for most, foreign) advertising company using their backward propagation technology to track so many of our moves quite so thoroughly.

Its very easy to overlook this concern, but I suspect those who don’t see a problem with their activities being exposed haven’t had, on the rare occasion in the course of their professional careers, various security organisations show an interest in using their work.

So, my biggest security concern is not the specifics of the various functions and objects within Chrome (after all Goggle will get it right over time), but with Chrome itself.

I agree that it’s mostly about the concept at this stage. We know that Google can produce successful large projects, so it’s just a matter of time before they get this one right.

Its a double blind for us. As we are a CMS we permit script insertion, so our users tend to get hit when they permit anonymous script insertion on their sites. Mostly we can detect it but, as these things tend to work, exploits are usually a tad ahead of the game.

Anyway, my post is really about Chrome. Its still really early days yet. Lots of (particularly) javascript related functions arent quite working yet, and their javascript debugger really, really sucks – its a toy.

To name only one obvious general area that affects loads of script – pixel width and height issues. Annoyingly scroll bars appear even when they have been explicitly denied. Chrome is touted as a web 2 application (at least in my local media spin from google) that is ideal for function heavy javascript client server applications. Well… Not yet. It cant even run FCKEditor without stripping javascript from the editor source – not that we use this editor but millions of users do. Google still has a long way go before really function rich applications can even think of seriously coming on board.

Having said that. Seriously good little (big really) product and absolutely going in the right direction. They really need to get some of the mozilla developers on board to sort out the bugs though.

It’s also great that Google is acknowledging the need to keep ahead of the bad guys and their rapidly evolving ways of using exploits, social engineering and other web-borne threats to harm users. The inclusion of the malware and phishing blacklists in Google Chrome is a step in the right direction. Google state that the software checks a URL against their blacklist databases of web pages/sites that are known to have delivered malware and phishing attacks in the past.

Of course, that approach is mostly too slow to protect against transient threats, and most online threats today are highly transient. The bad guys register and invoke domains, or put their exploit payloads onto legitimate web sites they’ve been able to poison, for just the few days they’ll be able to fly under the radar and not make it onto blacklists. The bad guys either shut the exploit down before making it onto the blacklists, or very soon after. So often these days, the threat is gone before it can be recorded into the blacklists. Worse, at least for the operators of legitimate sites that have been compromised, when the threats are detected and the sites added to the blacklists, the sites show up as infected even after the threats are gone.

AVG believes the best approach is real-time scanning that inspects each web page for exploits right when the user clicks on the link to visit it. That’s the approach the AVG LinkScanner technology uses. This real-time scanning functionality is more effective against transient threats. The safe surf AVG LinkScanner Active Surf-Shield module in all paid AVG products does real-time scanning to detect infected and potentially-infected content as you browse the web. This real-time approach delivers the maximum protection simply not able to be provided by blacklists.

Best Regards, Lloyd Borrett
Marketing Manager, AVG (AU/NZ)