Secure Google Chrome Browsing

Posted on the 19 October 2011 by Safegadget_com @safegadget

Google Chrome is one of the most popular web browsers for Windows, Mac, and Linux. This makes it a large target for malware and cybercrime. We will focus on securing Google Chrome, and will significantly increase the browser’s security through add-ins and special hardening settings. We also recommend running under Windows Vista or Windows 7, so if you are running an older version of Windows, we recommend that you upgrade or buy a new computer. Older versions of Windows like Windows XP were not built with security in mind.

Why Chrome?

Chrome is a much newer browser than Firefox or Internet Explorer.  It is not saddled with all the baggage of IE, where a change needs to be regression tested with many parts of Windows.  Firefox has been around for a while and is also slowed down with lots of historical code.

A recent security test from Accuvant Labs found Chrome more secure, primarily due to its Sandbox technology.

Secure your computer, web browser, Internet connection

Follow our guides to secure your Windows PC or secure your Macintosh by installing the right software, firewall, antivirus software, etc. Secure your mobile devices: iPhone, Android smartphone or tablet, iPad. Configure the settings and add plug-ins to your web browser so that it is more secure. Consult our tutorials for: Internet Explorer 9, Google Chrome, and Mozilla Firefox. Secure your Internet Connection: Wireless Network, Public Wi-Fi.

We recommend booting from a Linux CD or USB key when performing mission critical applications such as online banking, online trading, or online shopping.

Google Chrome includes the following security oriented features:

  • Safe Browsing
  • Sandboxing
  • Auto-updates
  • Built in PDF viewer
  • Built in Adobe Flash

The Golden rules of the Internet:

  • Do not trust anyone
  • If it is too good to be true, it probably is
  • Don’t install software from anonymous sources
  • Don’t automatically hit “yes” to any pop-up
  • If it looks suspicious, run

Before you make any changes to your system, always back it up.

Google Chrome Add-ons

Software that enhances Google Chrome can become targets of malware, adding new entry points into your computer. It is mandatory that you keep any third-party add-ons up to date, so allow Google Chrome to update plugins when necessary. Consider removing an add-on if it is rarely used, as you will also be increasing the security of Google Chrome through its removal.

  • Adobe Flash is built in to Chrome. A pdf viewer is also built in.
  • Java - This language allows many cross platform programs to run in the browser, but is another huge target of malware. We recommend removing it unless you really need it for a particular application. This page checks if Java is installed.
  • Quicktime - Is installed when iTunes is added to your system. It is difficult to just remove it unless you stop using iTunes. The best bet is to update it whenever it tells you about a new version.

Hardening Google Chrome’s Settings

Google Chrome can be secured even more with several key changes to the browser’s settings. We have selected all the Critical settings for Google Chrome.

1. Prevent Google Chrome from saving passwords

Google Chrome can save passwords for different websites. We recommend that you do not use this feature because it is not as secure or flexible as using a password management program.

  1. Launch Google Chrome
  2. Click on the Wrench Icon on the far right
  3. Select Options
  4. Select Personal Stuff on the left hand column
  5. Make sure Never save password is checked
  6. Click Manage Saved Passwords
  7. Click and remove all saved passwords

2. Mark Valuable Data Inaccessible to Google Chrome

Download chml.exe and run it to mark the valuable files and folders on your system as unreadable to Google Chrome. (Better yet, use Truecrypt and keep the volume unmounted!)
For example, if your sensitive data is stored in the folder C:\Sensitive_Data, you would do:

  1. Press Start menu
  2. Go to All Programs
  3. Go to Accessories
  4. Right-Click on Command Prompt
  5. Select Run as Administrator
  6. Type: chml C:\Sensitive_Data -i:m -nr -nx -nw
  7. Press Enter to Execute the Command
  8. Type Exit to end the Command Prompt

3. Allow Google Chrome to update itself

Google Chrome automatically tries to update itself, which is a good thing, but if it asks whether it is ok to restart the browser to use the new version, be sure to say yes.

4. Google Chrome secure website warnings

Google Chrome displays warning icons when you visit a website that has possibly dangerous information on it. Look for the following icons right next to the https:// in the browser.

The site uses SSL, but Google Chrome has detected insecure content on the page. Be careful if you’re entering sensitive information on this page. Insecure content can provide a loophole for someone to change the look of the page.

The site uses SSL, but Google Chrome has detected either high-risk insecure content on the page or problems with the site’s certificate. Don’t enter sensitive information on this page. Invalid certificate or other serious https issues could indicate that someone is attempting to tamper with your connection to the site.
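
The two warnings above come down to which subresources an HTTPS page pulls in over plain HTTP. The following is an added example, not part of the original article: a small scanner that reports those loads for a page's HTML. The split between "insecure" and "high-risk" tags and the host names in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed split (not from the article): loads that can script or restyle the
# page are "high-risk"; loads that are only displayed or played are "insecure".
HIGH_RISK = [("script", "src"), ("iframe", "src"), ("link", "href"),
             ("object", "data"), ("embed", "src")]
DISPLAY_ONLY = [("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")]
RULES = {**dict.fromkeys(HIGH_RISK, "high-risk"),
         **dict.fromkeys(DISPLAY_ONLY, "insecure")}

class SubresourceScanner(HTMLParser):
    """Collects subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link> only fetches a style sheet when its rel attribute says so.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for attr, value in attrs.items():
            severity = RULES.get((tag, attr))
            # Resolve relative and protocol-relative URLs against the page first.
            url = urljoin(self.page_url, value or "")
            if severity and urlparse(url).scheme == "http":
                self.findings.append((severity, tag, url))

def scan(page_url, html):
    """Return (verdict, findings); verdict is clean, insecure or high-risk."""
    scanner = SubresourceScanner(page_url)
    scanner.feed(html)
    scanner.close()
    severities = {finding[0] for finding in scanner.findings}
    verdict = ("high-risk" if "high-risk" in severities
               else "insecure" if severities else "clean")
    return verdict, scanner.findings

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<link rel="stylesheet" href="/site.css">
<script src="//cdn.example.test/lib.js"></script>
<img src="http://img.example.test/logo.png">
<script src="http://ads.example.test/track.js"></script>
<a href="http://other.example.test/">an ordinary link is not a subresource</a>"""

if __name__ == "__main__":
    print(scan("https://shop.example.test/checkout", SAMPLE))
```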

5. Sandbox Google Chrome plugins

Google Chrome has an option for plugins to be run in a safe sandbox. Make the following change to enable this feature. Note: Only files and folders marked with the Everyone permission will be accessible.

  1. Press Start menu
  2. Right click on Google Chrome
  3. Select Properties
  4. Add the following text to the Target field, right after “chrome.exe ”: --safe-plugins. Make sure there is a space after .exe.
  5. Click OK

6. Prevent Chrome from using a GPU

There have been several bugs related to using a graphics processor (GPU), which the latest Chrome supports. This hardware-level access can spell trouble. Disable GPU support to prevent this possible problem by adding the following when launching Chrome:

--disable-accelerated-compositing

Helpful Google Chrome Add-ins

Docs PDF/PowerPoint Viewer – Automatically previews pdfs, powerpoint presentations, and other documents in Google Docs Viewer. No need to download pdf files to your computer and potentially have a bug in Acrobat cause a security problem.

WOT – Know Which Websites to Trust – Shows you which websites are trustworthy based on millions of users’ experiences.

ScriptNo – A ‘NoScript-like’ extension for a safer and faster Chrome. Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks. By default, new websites that you visit will be loaded without scripting, maximizing safety. You can easily allow safe websites to allow scripting.

PasswordFail – Warns the user if the website being used stores their passwords in plain text form.

KB SSL Enforcer – Automatic security, browse encrypted using HTTPS secure connections whenever possible, automatically.

Flashblock – Blocks Flash so it won’t get in your way

Adblock Plus – Block those pesky banner ads.

View Thru – Display the full URL behind shortened URLs.

Qualys BrowserCheck – Performs a security scan on your browser and its plug-ins (Windows)

Helpful Internet Security Add-ins

Phishing Toolbars – Google Chrome can warn you if it detects that the site you’re trying to visit is suspected of phishing or containing malware. If you would like to install a supplemental toolbar add-in, see our Free Internet Security Software article. BitDefender TrafficLight works with Google Chrome to secure your browsing.

Internet Security Software – Supplemental internet security software including Anti-Virus and Anti-Spyware software is a necessity when surfing on the Internet. See our Free Internet Security Software article for links to various free software utilities.

Password Managers – It is critical that you generate, store, and use secure passwords on the Internet. See our How to Create, Store, and Use Secure Passwords article for details on several password management programs.

Sandboxie - Creates a sandbox or safe environment in which programs execute. This sandbox is an isolated space which prevents programs like Google Chrome from making permanent changes to other programs and data in your computer. Free for 30-days, then 29 euros.

Other Google Chrome Security Enhancements

Google Public DNS – A high performance domain name server (DNS) replacement for your ISP’s DNS. Protects against Spoofing attacks and DoS and amplification attacks. Be sure to write down your existing DNS settings before changing them.

Norton ConnectSafe for Home – Similar to Google DNS, but includes options to filter porn or be family friendly.

Dyn Internet Guide – Free Web content filtering.

Microsoft Virtual Machine – Designed for web developers to test compatibility with different versions of Internet Explorer, these Virtual Machines for Microsoft’s Virtual PC allow you to run a Virtual computer on your desktop with Internet Explorer and Firefox pre-installed. You can manually install Google Chrome. If you mess up the Virtual computer, you can just delete it and start fresh from a new image. Keep in mind some malware is capable of detecting virtual machines and acting innocent until you move into your main system.
If you use VMware Player, you can add the following line to your .vmx file so that it writes all changes to a temporary file, which will be deleted when you power off the virtual machine:

ide0:0.mode = "independent-nonpersistent"
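
A way to check that a browsing VM really discards its changes, as an added example that is not part of the original article: it parses a .vmx file and lists every attached virtual disk that is not in independent-nonpersistent mode. It goes beyond the single ide0:0 line above by also covering other controller names; the sample file, its disk names, and the treatment of a missing mode line as persistent are assumptions.

```python
import re

# key = "value" lines; keys look like ide0:0.mode or scsi0:1.fileName.
SETTING = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
DEVICE_KEY = re.compile(r'^((?:ide|scsi|sata|nvme)\d+:\d+)\.(\w+)$')


def parse_vmx(text):
    """Return the settings of a .vmx file as {lowercased key: value}."""
    settings = {}
    for line in text.splitlines():
        match = SETTING.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def disks_keeping_changes(text):
    """Return {device: mode} for attached virtual disks that are not nonpersistent."""
    devices = {}
    for key, value in parse_vmx(text).items():
        match = DEVICE_KEY.match(key)
        if match:
            devices.setdefault(match.group(1), {})[match.group(2)] = value
    flagged = {}
    for device, props in sorted(devices.items()):
        attached = props.get("present", "").upper() == "TRUE"
        is_disk = props.get("filename", "").lower().endswith(".vmdk")
        # Assumption: a disk without a parsable mode line keeps its writes.
        mode = props.get("mode", "persistent")
        if attached and is_disk and mode != "independent-nonpersistent":
            flagged[device] = mode
    return flagged


# Constructed sample .vmx; file names are placeholders.
SAMPLE_VMX = '''
.encoding = "windows-1252"
ide0:0.present = "TRUE"
ide0:0.fileName = "browsing.vmdk"
ide0:0.mode = "independent-nonpersistent"
ide1:0.present = "TRUE"
ide1:0.fileName = "tools.iso"
ide1:0.deviceType = "cdrom-image"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "data.vmdk"
'''

if __name__ == "__main__":
    print(disks_keeping_changes(SAMPLE_VMX))
```

A mode line pasted with typographic quotes does not parse in this script, so the disk is reported rather than silently accepted.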

Dell KACE – has a free secure browser based on a virtualized and contained Firefox Browser with Adobe Reader and Flash plug-ins. You can manually install Google Chrome.

Secure Web Browsing with HTTPS

Normal website access using HTTP:// causes information to be sent and received in plain text. This type of connection is not secure; a hacker could capture all the information being transferred and steal your data. While this is not important when you are casually surfing, you do not want your email or online trading information to be captured by others.

Force websites to use secure connections – It is important to utilize secure connections or HTTPS whenever possible. Several large websites have configuration options to force these secure connections. Here is more information on configuring HTTPS with: Gmail, Facebook, Twitter, Google. Google.com defaults to HTTPS if you are signed into your Google Account; if you are not, just manually add the s after http to force a secure connection, i.e. https://www.google.com

HTTPS causes a secure connection to be made using SSL security. Certificates are digital documents that verify a site’s identity. They are sold by certificate authorities. If a certificate is not signed correctly, your browser will pop up a warning. Recently, a Dutch certificate authority got breached, causing forged certificates to be created. To work around issues like this, Internet browsers are updated to remove the forged SSL certificates. It is crucial that you keep your browser up-to-date.

If you have applications other than your web browser accessing the Internet (FTP client, desktop mail client, etc.), make sure you enable SSL secure connections within each application.

Use a password manager to create, use, and store passwords for websites. See our password manager guide for details.

By applying special Google Chrome settings and adding add-ons, we can significantly increase the security of our Windows notebook and desktop PCs.

This concludes our How to Secure a Windows based personal computer article. Other articles on Safegadget.com help you secure the other aspects of your personal computer, including the How to Set up a Secure Wireless Internet Router, How to Secure Internet Explorer, and How to Secure Firefox articles. Please see our other articles on security tips for your e-mail, iPad, online banking, online shopping, smart phones, and more.

