Google clamps down on password security in Chrome 'Canary'
Reaction to August brouhaha over Chrome's practice of letting anyone see passwords in plain text
Computerworld - Google has begun work on shutting a hole in its Chrome browser that lets casual thieves steal website and Web service passwords.
According to François Beaufort, who frequently uncovers new features and changes in early builds of Google's browser, the "Canary" version of Chrome for OS X now includes a setting that locks down saved passwords.
Canary is the name for the very-earliest version of the browser, one still in the Chromium channel, the open-source project that feeds code to Chrome.
By setting a special flag in Canary on the Mac, anyone who tries to view browser-saved passwords will instead be asked to enter the OS X user account password.
Computerworld confirmed that, once the flag is set, Canary will not show saved passwords in plain text without the additional OS X user account password, the same one needed to make major changes in the operating system's settings or approve the installation of software.
To set the flag, users must enter "chrome://flags" (minus the quotation marks) in the browser's address bar, then change the setting "Password Manager Reauthentication Mac" by clicking on the "Enable" link. The change takes effect after the browser is relaunched.
The additional security is a reaction to an August kerfuffle after software developer Elliott Kember noticed that Chrome let anyone with physical access to a computer easily spy and snoop on saved passwords.
Chrome had always handled passwords in that way -- letting anyone with access view passwords saved by the browser -- but the explosion of commentary on the topic signaled that few knew as much.
For its part, Google defended the practice, with Jason Shuh, the browser's security tech lead, saying, "We don't want to provide users with a false sense of security, and encourage risky behavior" when asked why Chrome did not require a second level of authentication. "We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get," Shuh said then.
Other security experts disagreed, and urged Google to do something.
Features added to Canary usually, although not always, make it into the Dev channel -- the roughest-edged of Chrome's three distributions -- and from there into the Beta and Stable channels.
Google did not immediately reply to questions, including whether the OS X change would be adopted by Chrome on its other platforms, Windows and Linux, and when users could expect the additional authentication option to reach the production-grade build, Chrome Stable.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.