This page aims to answer frequently-asked questions about Chrome/Chromium security.
Our goal is to open security bugs to the public once the bug is fixed and the fix has been shipped to a majority of users. However, many vulnerabilities affect products besides Chromium, and we don’t want to put users of those products unnecessarily at risk by opening the bug before fixes for the other affected products have shipped. We must balance a commitment to openness with a commitment to avoiding unnecessary risk for users of widely-used open source libraries.
Therefore, we intend to disclose each quarter all security bugs that have been closed for more than nine months. We believe that nine months is a more-than-reasonable interval for vendors of affected products to apply and ship bug fixes.
Vendors of products based on Chromium, distributors of Operating Systems that bundle Chromium, and individuals and organizations that significantly contribute to fixing security bugs can be added to a list for earlier access to these bugs. You can email us at email@example.com to request to join the list if you meet the above criteria. In particular, vendors of anti-malware, IDS/IPS, vulnerability risk assessment, and similar products or services do not meet this bar.
Please note that the safest version of Chrome/Chromium is always the latest stable version — there is no good reason to wait to upgrade, so enterprise deployments should always track the latest stable release. When you do this, there is no need to further assess the risk of Chromium vulnerabilities: we strive to fix vulnerabilities quickly and release often.
Many developers of other projects use V8, Chromium, and sub-components of Chromium in their own projects. This is great! We are glad that Chromium and V8 suit your needs.
We want to open up fixed security bugs (as described in the previous answer), and will generally give downstream developers access sooner. However, please be aware that backporting security patches from recent versions to old versions cannot always work. (There are several reasons for this: The patch won't apply to old versions; the solution was to add or remove a feature or change an API; the issue may seem minor until it's too late; and so on.) We believe the latest stable versions of Chromium and V8 are the most stable and secure. We also believe that tracking the latest stable upstream is usually less work for greater benefit in the long run than backporting. We strongly recommend that you track the latest stable branches, and we support only the latest stable branch.
In particular, please note that Incognito is not a “do not track” mode, and it does not hide aspects of your identity from web sites. Chrome does offer a Do Not Track option, distinct from Incognito mode: chrome://settings/search#privacy.
When in Incognito mode, Chrome on desktop platforms (Windows, Linux, and Mac OS X), Chrome on Android, and Chrome OS do not store any new history, cookies, or other state in non-volatile storage. However, Incognito windows will be able to access some previously-stored state, such as browsing history.
It is not possible for Chrome to offer the full Incognito guarantee for iOS. Some data is sometimes stored on non-volatile storage, and while Chrome for iOS makes a best-effort attempt to delete as much history as it can when in Incognito mode, the guarantee is not as strong as it is on other platforms. On Chrome for iOS, we therefore call it “Incognito*” mode.
A key guarantee of HTTPS is that Chrome can be relatively certain that it is connecting to the true web server and not an impostor. Some sites request an even higher degree of protection for their users (i.e. you): they assert to Chrome (via Strict Transport Security — HSTS — or by other means) that any server authentication error should be fatal, and that Chrome must close the connection. If you encounter such a fatal error, it is likely that your network is under attack, or that there is a network misconfiguration that is indistinguishable from an attack.
The best thing you can do in this situation is to raise the issue to your network provider (or corporate IT department).
Chrome shows non-recoverable HTTPS errors only in cases where the true server has previously asked for this treatment, and when it can be relatively certain that the current server is not the true server.
People sometimes report that they can compromise Chrome by installing a malicious DLL on a computer in a place where Chrome will find it and load it, or by hooking APIs (see https://code.google.com/p/chromium/issues/detail?id=130284 for an example). People also sometimes report password disclosure using the Inspect Element feature (see https://code.google.com/p/chromium/issues/detail?id=126398 for an example).
We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your computer as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your computer, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome — all applications must trust the physically-local user.
There are a few things you can do to mitigate risks from people who have physical control over your computer, in certain circumstances.
There is almost nothing you can do to mitigate risks when using a public computer.
As discussed in Chromium bug #49075, we do not attempt to defeat "passive fingerprinting" or "evercookies" or ETag cookies, because defeating such fingerprinting is not practical. The canonical example of the ease by which web sites can perform passive tracking is EFF's Panopticlick demo. There are many more distinguishing bits of information available to a passive tracker, and they only need 33 to have a high probability of uniquely identifying individual user agents. (33 because 2^33 = more than 8 billion, which is more than the population of the planet. See Arvind Narayanan's site and Peter Eckersley's discussion of the information theory behind Panopticlick.)
Since we don't believe it's feasible to provide some mode of Chrome that can truly prevent passive fingerprinting, we will mark all related bugs and feature requests as WontFix.
To enable certificate chain validation, Chrome has access to two stores of trust anchors: certificates that are empowered as issuers. One trust anchor store is the system or public trust anchor store, and the other other is the local or private trust anchor store. The public store is provided as part of the operating system, and intended to authenticate public internet servers. The private store contains certificates installed by the user or the administrator of the client machine. Private intranet servers should authenticate themselves with certificates issued by a private trust anchor.
Chrome’s key pinning feature is a strong form of web site authentication that requires a web server’s certificate chain not only to be valid and to chain to a known-good trust anchor, but also that at least one of the public keys in the certificate chain is known to be valid for the particular site the user is visiting. This is a good defense against the risk that any trust anchor can authenticate any web site, even if not intended by the site owner: if an otherwise-valid chain does not include a known pinned key (“pin”), Chrome will reject it because it was not issued in accordance with the site operator’s expectations.
Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor. A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites. “Data loss prevention” appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.
We deem this acceptable because the proxy or MITM can only be effective if the client machine has already been configured to trust the proxy’s issuing certificate — that is, the client is already under the control of the person who controls the proxy (e.g. the enterprise’s IT administrator). If the client does not trust the private trust anchor, the proxy’s attempt to mediate the connection will fail as it should.