How secure is Chrome? While IT professionals may be divided on it, most security professionals I know prefer and recommend it. There are a number of good reasons for that.
I was late to adopt Chrome. I started using Firefox when it was called Phoenix or Firebird, and I stayed with it until 2014. Then I switched to Chrome to get a 64-bit browser and other modern security features, and while I miss a couple of things Firefox had, I haven’t switched back. I keep Firefox as a backup browser, but use Chrome more than anything else.
What about the number of vulnerabilities?
The biggest knock on Google Chrome is the number of vulnerabilities that Google fixes in each update. The snarky answer to that is that I prefer known vulnerabilities to unknown ones. Google subscribes to the modern Devops concept of failing fast and fixing fast.
I’ve also noticed a significant uptick the last couple of years in how many vulnerabilities Microsoft fixes in its monthly updates. I think this is an industry trend, and Google was further out in front than some other vendors.
The other thing that impresses me about Chrome is that it auto-updates, and it auto-updates reliably. I hear security professionals claim all the time that their home PC updates fine, so why can’t their corporate PCs? I scan my home PCs with Qualys and Tenable tools rather regularly, and while some products auto-update rather poorly, I’m still waiting to see a Chrome update fail. Your Adobe and Microsoft products may say they’re up to date, but they’re more likely to miss a vulnerable file than Chrome is.
The combination of finding vulnerabilities quickly and fixing them effectively automatically is lethal to attackers. In 2017, the industry collectively found and fixed almost 15,000 vulnerabilities. While an attacker can develop malicious code for a vulnerability in a week in theory, in practice it takes several months to perfect it so it works reliably. So out of those 15,000 vulnerabilities, only around 2,000 of them stand the test of time. By keeping the window of opportunity on Chrome vulnerabilities short, Google makes it much more difficult to create malicious content for web pages that works in the Chrome web browser than for other browsers, such as Internet Explorer.
Unsung security features
Google doesn’t just do the big things with Chrome. They do the little things too, like using any available advanced compiler options to enforce security measures. In effect, Chrome makes anti-exploit tools like Microsoft EMET and Malwarebytes Anti-Exploit redundant, at least for Chrome, because all those tools do is make Chrome do things it would do by default anyway.
Using Chrome with those tools doesn’t really hurt anything, but if every software vendor did what Google did, those tools wouldn’t be necessary.
Chrome shares certain open source components with other browsers, including Apple Safari. I’m not completely convinced that open source software is inherently more secure than closed source software, but in this case, if Apple finds and fixes a bug in a shared component, Google inherits it. There’s certainly nothing wrong with that.
Google’s Safe Browsing feature provides bold warning pages if you’re about to visit a site Google knows is malicious. This certainly encourages safer online behavior.
Uses as something other than a web browser
Chrome isn’t just my primary web browser. I also use it as my primary PDF viewer, for exactly the same reason. Google finds and fixes flaws faster than Adobe does, and Google’s auto-update mechanism is far more robust and reliable than Adobe’s.
Any competent security professional will tell you there is no perfect security, only acceptable risk. Chrome poses a much lower risk as a PDF viewer than the native Adobe viewer does. For a couple of years, my job responsibilities included dealing with PDF files on a daily basis. Even then, I used Chrome, rather than Adobe Reader, to view the PDFs people sent me, fill out the forms, and send them on to their destination.
Improving security awareness
One thing I really like about Chrome is how it drove web content providers to encrypt connections by providing feedback right in the address bar. Google used its dominant market position to encourage encryption, which improved security for everyone. Today, encrypted connections are more common than unencrypted, and Chrome had a lot to do with that.
Chrome’s password manager can be fooled, so it isn’t perfect. But by offering to save passwords, it helps to encourage users not to recycle passwords and to use passwords with more complexity. Chrome’s password manager is easier to fool than external password managers, but that problem is less bad than people using “gmcsonoma” as their password for everything, like they did in the bad old days.
Things you can do to improve Chrome’s security
I try to never rely on just a single layer of security if I have a choice in the matter. I use Cleanbrowsing.org’s DNS servers because they block more malicious web sites than any other service I’ve tried. It’s one thing to pull down malicous content and view it safely. It’s even better to block it so you don’t even pull it down in the first place.
Ironically, Microsoft provides a Chrome extension to improve its security as well. Microsoft claims Edge blocks more bad content than Chrome does by default, and they promote it with their Windows Defender Browser Protection extension for Chrome. They claim it blocks 12 percent more malicious links than Google’s own Safe Browsing does. That’s an incremental improvement, but improvement is improvement. If Microsoft wants to give me a second opinion, I’m glad to take it.
Between what Chrome does on its own, and the additional protection from Microsoft’s Chrome extension and Cleanbrowsing.org, I’ve never seen a fake antivirus popup on any of my own computers. My kids used to occasionally get one, but that was before I learned about Cleanbrowsing.org and before Microsoft released its extension.
How secure is Chrome, in conclusion
Once I got into the private sector in 2013, I noticed most of my security colleagues used Chrome rather than other browsers. When I transitioned to firms that specialize in security, Chrome users in those firms are even more numerous. The cofounder of the company I work for now actually asked all of us to use Chrome at an all-hands meeting in early 2018.
While a handful of my coworkers prefer another browser, usually Safari or Firefox, the majority use Chrome. How secure is Chrome? Being the browser of choice for security professionals means something, at least.
It’s always a good idea to have at least two web browsers on your primary device, in case you aren’t able to use your browser of choice for any reason.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.