Wednesday, August 07, 2013

if google gives you security advice, get a second opinion

originally posted on secmeme
remember back when google's chrome browser was shiny and new and their vaunted sandboxing technology didn't actually place plug-ins in a sandbox even though the plug-ins, with their existing body of vulnerabilities and research, would have been the most likely vector of attack for a brand new browser? seems like kind of a glaring oversight, right?

and who could forget google's chris dibona ranting about android not needing anti-malware and sellers of such products being scammers and charlatans? of course now google themselves are hard at work trying to stem the tide of android malware with things like bouncer, but that's far from perfect.

heck, even google's infamous tavis ormandy had to take a second stab at executing his sophail vendetta* because his first attempt was so laughably bad.
[* i refer to it as a vendetta because a) it followed then sophos representative graham cluley publicly chewing tavis ormandy out for what has since become official google policy (disclosing vulnerabilities after a ridiculously short period of time), and b) the entire sophail effort from start to finish spanned years.]

now comes news that google's chrome browser doesn't require the user to enter a master password before displaying saved passwords? and not only that but it also comes with a condescending head of chrome security, justin schuh, defending the design by claiming that master passwords breed a false sense of security by making people think it's safe to share their computer with others or leave them unlocked and unsupervised. he repeatedly falls back on the trope of "once the bad guy got access to your account the game was lost". nevermind the fact that most people will assume it's protected regardless of what chrome does because that's how most browsers have behaved for years (so not protecting the passwords is even worse than protecting them partially), nor the fact that attackers are also capable of bypassing the user account protection chrome is abdicating password security responsibility to. no protection is perfect, but that doesn't mean we throw out the imperfect ones or we'll eventually be left with none at all.

it's almost enough to make you think google never gets anything in security right the first time. but wait - it's not like password storage is an innovative new concept. there's been an established pattern around for years that they could have simply followed. it's not even like they could claim to not be aware of it when other browsers follow that pattern. frankly, if the folks at google really think they know password storage security better than everyone that came before them, from a UK software developer to mozilla engineers to bruce freaking schneier, then i respectfully suggest that they pull their heads out of their asses and get with the program. if they were really concerned about a false sense of security then maybe they shouldn't be storing passwords in the first place, after all it's not unheard of for a browser to be tricked into revealing the contents of it's password store to a remote attacker when visiting a specially crafted malicious webpage.