Monday, September 01, 2008

First reaction to Google's browser announcement 

Google accidentally pre-announced a Google-brand web browser. It's not available to try out yet.

It's going to do some encouraging things about security. Google plans to "sandbox" the web applications running in their new browser, so that even if/when you browse to a malicious page it won't be able to do widespread damage to your computer. If I'm reading their claims correctly, they say they can stop keystroke loggers from working (not sure how that's possible).

Popups will be tied to the tab they came from and can't cover up other tabs.

There will be a few problems to watch out for, and things they can't possibly prevent and still be useful. The big issue is that they want their browser to be a place where sophisticated web apps can run. That means the browser has to be able to do all the sophisticated things the web app is supposed to do. Google tries to make sure the browser can't overwrite things on your hard disk, but by definition it has to be able to overwrite your Google Docs.

"Sandboxes" have been used before. What usually happens is that when they're new, clever people find a few ways that bad code can escape from them and do bad things that the sandbox was supposed to prevent. Then after a little while the holes in the sandbox get fixed and it works as designed.

Plugins are the area most likely to cause security problems for Google's browser. Plugins like Flash are designed to do a wide range of things, wider than the browser's normal security policy would permit. Plugins like Flash have had security problems time and again.


This page is powered by Blogger. Isn't yours?