NBC.com hacked, serving up Citadel malware (hitmanpro.wordpress.com)
108 points by anateus on Feb 21, 2013 | hide | past | favorite | 32 comments



I think Google Chrome goes into the top-10 list of "software/systems/services which have improved real world Internet security the most" -- wide reach, moderate impact. Probably in the top 3.

(I still think ssh tops the list -- pretty narrowly focused, but SO MUCH BETTER than telnet, rlogin, etc., even kerberized telnet which didn't encrypt contents, only auth. And, like Chrome, it's not just most secure, it's better than the alternatives in every other way, so it got wide adoption for non-security reasons too.)

I guess https falls in there too, but probably the move to "SSL all traffic by default, at least if the user opts-in" is the reason, not the "https just the final form for credit card processing."

SSL also IMO deserves a 9 or 10 place for START-TLS in mail protocols like SMTP and IMAP.


Doesn't Firefox provide the same protection? I am not dismissing Chrome, I am just curious if the malware/phishing protection is the same. I thought they both used the same API.


Not sure about their malware/phishing blocking. (IIRC it wasn't on by default in firefox in the last version I used.)

Firefox has many security issues Chrome doesn't have (tab isolation by process is #1, but "devotes a lot more effort/resources to security" is generally true, too -- Chrome just has vastly more resources than Firefox, and spends them on a smaller number of platforms).

Chrome = HSTS. Cert pinning. Dealing with bad SSL cert failures correctly (i.e. not letting users simply click to accept...)

Also, Chrome led the way on auto-update of browsers, which is one of the biggest improvements in the real world. Chrome also got good security wins through their own PDF handler and Flash, vs. the Adobe stuff. I think Chrome also did "click to run" by default on other plugins (Java) earlier, although I haven't paid as much attention to that (client-side Java is basically an abomination now, generally.)


Firefox's malware/phishing system was added in 3.0,[1] which was released June 17, 2008[2].

[1] https://www.mozilla.org/en-US/firefox/phishing-protection/

[2] https://en.wikipedia.org/wiki/Firefox_release_history#Releas...


Most of those are not actually software security features, but rather policy differences between Mozilla and Google. Those that aren't policy decisions are either not security features, or are features not implemented first in Chrome (though Chrome was the first to use them in a default installation). Chrome gets a half point regarding tab isolation.

Tab isolation by process is something between a security feature and a vulnerability mitigation feature, though I would likely call it a vulnerability mitigation feature. It doesn't do anything to prevent exploits, but it does prevent further exploits once a vulnerability has been exploited. Still, it's a nice thing to have (like insurance after the house has burned down) and is something Firefox should implement.

HSTS is nice, and now included by default in most browsers (Chrome, Firefox, Opera). Personally, using NoScript, security-aware Firefox people have had HSTS before Firefox 2 was released. That is 2 years before Chrome existed. It also exists in HTTPS Everywhere.

Regarding cert pinning, I can't say I am a fan. It's a whitelist approach to security, where Google decides who is important enough to be privileged for improved security. Chrome was aware of the scaling issue from the beginning, and has improved the situation by the cert pinning extension RFC draft. Once/if it gets finalized and more security professionals go through it, it will be interesting to see how it scales, what corner cases there are, and if the caching effect will come back and haunt people.

As for the rest... Chrome led the way on auto-update without first informing the user, while Firefox popped up a request for update. In real world security, this is an improvement because the user can't be trusted with deciding if the program shall update. Google has acknowledged that this is only a useful feature on Windows/Apple, and has this disabled on Linux, presumably because a Linux user can be trusted with the decision about updating. This is not a software difference between Firefox and Chrome, but rather a policy difference between Google and Mozilla.

And to comment on the last features, PDF and Flash. Google has not written their own Flash handler. They have however bundled it with Chrome and thus made sure it's updated. This is something Firefox simply can't do thanks to license costs, which means it's mostly a difference between Google and Mozilla as organizations rather than a software improvement of Chrome. I am not sure if the same is true regarding PDF.


Yes, Firefox uses Google's Safe Browsing blacklist of malware and phishing sites. So the "credit" probably goes as much to the safe browsing team at Google as those working on Chrome (or Firefox).
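The shared blacklist the comment refers to is queried by hashed URL expressions rather than by sending the URL itself. The block below is an added, simplified model of that hash-prefix lookup scheme, written for this thread; it is not Google's or Mozilla's code, and the functions, the listed entry and the hash sets are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Simplified model of a Safe Browsing style lookup (added example, not Google's
# or Mozilla's code). The client never sends the URL it is visiting: it hashes
# candidate host-suffix/path-prefix expressions and compares 4-byte SHA-256
# prefixes against a locally cached list; only on a prefix hit does it ask the
# server for the full hashes, which here is simulated with a constructed set.

def lookup_expressions(url):
    """Generate the host-suffix / path-prefix expressions to check for a URL."""
    parts = urlsplit(url.lower())
    host = parts.hostname or ""
    path = parts.path or "/"
    labels = host.split(".")
    # Full host plus up to four shorter suffixes, never the bare TLD.
    hosts = [host] + [".".join(labels[i:]) for i in range(1, min(len(labels) - 1, 5))]
    # Full path with query, then the path, then each directory prefix (max six).
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    segs = path.split("/")[1:-1]
    for i in range(len(segs) + 1):
        prefix = "/" + "/".join(segs[:i]) + ("/" if i else "")
        if prefix not in paths:
            paths.append(prefix)
    return {h + p for h in hosts[:5] for p in paths[:6]}

def sha256(expr):
    return hashlib.sha256(expr.encode()).digest()

def is_listed(url, prefix_list, full_hashes):
    """Return the matching expression when the URL is on the list, else None."""
    for expr in sorted(lookup_expressions(url)):
        digest = sha256(expr)
        if digest[:4] in prefix_list:      # cheap local check, reveals nothing to the server
            if digest in full_hashes:      # full-hash confirmation (normally a server round trip)
                return expr
    return None

# Constructed sample list: a single malware-distribution directory on an example host.
LISTED = ["malware.example/evil/"]
FULL_HASHES = {sha256(e) for e in LISTED}
PREFIX_LIST = {h[:4] for h in FULL_HASHES}

if __name__ == "__main__":
    print(is_listed("http://www.malware.example/evil/index.html?x=1", PREFIX_LIST, FULL_HASHES))
```

Because the listed entry is a directory expression, every page under it matches while sibling paths on the same host do not.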


Slightly ironic that SSH has features like reverse port forwarding and the built-in SOCKS proxy that allow easy circumvention of other network security schemes.


And doing the x509 fake-CA MITM type bullshit is harder with SSH than with SSL. (I've never actually seen an ssh proxy deployed in the wild; I've seen "you must log in via a bastion host on which we log/analyze/filter everything" used instead.)


Still infected after more than 2 hours of reporting to them.

Not only nbc .com, but also latenightwithjimmyfallon .com and other major NBC sites.

We posted some details here too:

http://blog.sucuri.net/2013/02/nbc-website-hacked-be-careful...

thanks,


It's cool that we have Google capable of on-the-fly warning users when malware is detected on a popular website.

You can complain a lot about Google's business model, but that's a damn valuable service. Probably saved a lot of computers today.


> You can complain a lot about Google's business model

Why would we do that? Gmail and Google are essentially free, with the addition of tasteful ad designs.


Because their business model benefits from knowing everything it can about you.


But you willingly allow them to, and in return they give you value back.


That's the thing, I highly doubt the majority of users are even aware of how much information Google has on its users. Even I as a knowledgeable programmer would probably be surprised at the depth of profiling they have done. And this isn't even considering any sort of machine learning analysis of the data to extrapolate information not explicitly given. So no, "willingly allow them" is not an accurate description of the relationship.


There are Chrome plugins to opt out of ad-tracking and you can delete your search history.

Everything is optional. You don't have to be signed in or using cookies to search using Google.

That's how I like my information privacy. My only issue is the lack of encryption in gmail (and email in general).

Personal privacy is the user's responsibility. There's a technology knowledge gap regardless of whether the user is using Google or any other site. That isn't one website's responsibility.


I'm not really agreeing with their practice nor do I disagree with what you're saying.

It's kind of a classic trojan horse. We will provide you with this awesome service, and get nothing in return. Nothing in life is truly free, it always comes with a different motive. People can't turn down anything that's free. Especially people in the US. Of course people should have a right to know to what depths you're analyzing them, but particularly in the US people don't seem to care as long as they don't have to pay for it.


Sadly many users don't heed the warnings. I would guess those users are also less likely to have everything fully patched and up to date.


How do you "sinkhole" an IP address?


You create a route, in a router you control, that sends packets to that address into the bit bucket. Ideally it's an edge router that everyone in an organization shares, or at an ISP which will protect anyone using that ISP.


Oh, so this only works for a subset of the internet? That makes more sense. Are there blacklists for IPs like there are for spam domains?


Various companies will sell you a list of currently known malware domains (like spammer lists) which you can feed into a router to create blocks for them. Is that what you are asking?


Well, sometimes the black hole route leaks out. A (the???) Pakistani telco was blocking YouTube inside the country, but accidentally advertised itself as the shortest route to YouTube for a good chunk of the world. This was back sometime around 2008-2010.
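The sinkhole route described a few comments up and the leaked more-specific route in this one are both consequences of longest-prefix matching. The block below is an added example, not code from the thread: a toy forwarding table with a blackhole entry for a constructed C2 address and a leaked /25 overlapping a legitimate /24, using only documentation address ranges; the function names and next-hop labels are assumptions.

```python
import ipaddress

# Added example (not from the thread): a toy forwarding decision that shows how
# a blackhole ("sinkhole") route discards traffic to a bad address and why the
# longest matching prefix wins, which is also how a leaked, more-specific
# announcement can capture traffic meant for a legitimate network.
# All prefixes and the C2 address below are constructed documentation addresses.

def build_table(routes):
    """routes: list of (prefix, next_hop); next_hop None means blackhole/discard."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when dst is sinkholed."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[1]

def sinkholed(table, dsts):
    """Return the destinations whose packets the router would drop."""
    return [d for d in dsts if lookup(table, d) is None]

TABLE = build_table([
    ("0.0.0.0/0", "upstream"),             # default route
    ("198.51.100.0/24", "legit-peer"),     # legitimate announcement for a site
    ("198.51.100.128/25", "leaking-peer"), # more-specific leak: wins for half the /24
    ("192.0.2.66/32", None),               # sinkhole for a constructed C2 address
])

if __name__ == "__main__":
    # Constructed flow destinations, e.g. pulled from netflow or proxy logs.
    print(sinkholed(TABLE, ["192.0.2.66", "192.0.2.67", "198.51.100.10", "198.51.100.200"]))
```

Only hosts behind the sinkholing router are protected, which is the "subset of the internet" point made above; the leaked /25 shows the same mechanism working against you when a bogus more-specific route propagates.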


Writeup of the network monitoring service that discovered the infection: http://blog.fox-it.com/2013/02/21/writeup-on-nbc-com-distrib...


Chrome's malware warning stopped appearing in the last 5 minutes. Looks like it's fixed.


Just for nbc.com or for all infected properties like Jay Leno's site?


Depends if you consider Jay Leno to be a form of malware that NBC can't remove.

(sorry)


Well if you prefer Conan O'Brien as the host, it may seem that way



NBC shut down EveryBlock. I don't follow them anymore


I better run my antivirus! Oh wait, I am on Mac...


Nice ad.


I see now why I'm being downvoted. See, now there is substance to the article. 10 hours ago, it was 2 paragraphs on citadel malware and cnc servers and 3 more on their anti-malware app, with gratuitous screenshots of such. It /was/ an ad.



