As corporate slogans go, Google's 'Don't Be Evil!' has to be one of
the best. For most Internet users in tune with the online Zeitgeist,
it was a perfect slogan for a company that allowed its employees to work
on their own projects on their time and came to represent the free,
innovative side of the Internet.

Google's reputation of being the ethical Internet giant has taken a
bashing recently, though. First there was its collaboration with the
Chinese Government to, effectively, suppress free speech; then it
attempted to take the trademark 'Gmail' from a German entrepreneur by
hook or by crook. Hardly anyone searches the Internet these
days—most of us simply 'Google'—but the realisation that
the company has become a pale grey rather than whiter-than-white came
as a shock to many.

So the response to Google's new browser, Google Chrome, last week was
very interesting. Since Google Mail, there has been little in the way
of headline-grabbing innovation from the company; a few new apps, the
distinctly dull photo program Picasa, and a few abortive rumours of a
merger with Yahoo!. The release of Chrome demonstrated that Google is
no longer a plucky underdog in the World Wide Web, and that much of
the affection users had for the company has been lost.

EULA

The first problem users had with Chrome was, weirdly, the license
agreement. Most of us install software without checking the small
print, but we install it anyway. Effectively we're not buying the
software at all, but permission to use it. You buy it and install it
on your PC, but if you install it on another you're breaking the
license agreement, and could be sued. How many people are aware of
that when they install the latest game? Even if you do know, you
probably don't read the details; you just click 'I agree with the
terms' and carry on. So it was a surprise when bloggers started to
record something a little suspicious in Google's End User License
Agreement:

11.1 You retain copyright and any other rights you
already hold in Content which you submit, post or display on or
through, the Services. By submitting, posting or displaying the
content you give Google a perpetual, irrevocable, worldwide,
royalty-free, and non-exclusive license to reproduce, adapt, modify,
translate, publish, publicly perform, publicly display and distribute
any Content which you submit, post or display on or through, the
Services. This license is for the sole purpose of enabling Google to
display, distribute and promote the Services and may be revoked for
certain Services as defined in the Additional Terms of those
Services.

'Don't Be Evil', eh?

Google changed the EULA in response to
a mini-outcry from bloggers and users and admitted they had made an
error. In their defence, a browser is nothing more than a
distribution device for copyrighted material. In essence, it makes a
copy of the work you have produced and shows it to anyone who looks.
There is a presumption that you have made your work available
for viewing, but that isn't enshrined in law anywhere. Could you sue
Google for breach of copyright because one of your pictures appeared
on an image search? Perhaps. After all, you haven't given them the
right to show it. It's an interesting thought.

In any event, Google's licensing agreement isn't unique. Users of the
music and networking site MySpace have a similar agreement, as do
contributors to the BBC and h2g2. However, Google's
application of similar terms to a browser were surprising, and the
language used overbearing and clearly wrong.

Then there was the minor kerfuffle about Chrome's security. Reports
began to circulate about a flaw in the way Chrome handles certain
types of downloads, and within a few hours rumours began to circulate
that Chrome would quite happily download and run files on a user's PC
without the user's permission.

The problem with alerts such as this one is that they are almost
always dressed up in language that people don't completely understand.
If I was to post that Wikipedia said that bananas were made of
cheese, you could quite easily go to the relevant Wikipedia page,
check what it says, and come back and tell me I'm a complete buffoon
for suggesting such a thing¹. If the Wikipedia page was written in
Portuguese, however, you might believe me until someone who could
understand Portuguese read it and came back to call me a complete
parvo. It's the same with technical language, and plenty of
authoritative news sites and bloggers were guilty of reporting the
security flaw without fully understanding it.

Let's go back to the source of the security alert and see what the
paranoia is all about.

On 3 September, Aviv Raff posted an interesting blog
explaining that he had found a way that Chrome's security could be
compromised. In it, he describes how an attacker could exploit two
flaws; one in Chrome's design, and another in the way Windows handles
downloaded files.

Most browsers deal with downloads in two clicks: first, you click to
download, then you click to open the file. Chrome doesn't. The
download and open buttons are one and the same, and for those of us
who generally execute files as soon as we've downloaded them, it's a
handy little time-saver. The problem, as Raff shows in his proof of
concept, is that to the untrained eye the download button can be made
to look like part of the webpage. A novice user could download and
run a file, thinking they are just clicking a button on the site.

On its own, this isn't a problem. If you don't believe me, try it.
Open your usual browser of choice and go to a a website you trust,
then
download an executable file. Windows will warn you that the file you
are about to open has come from the Internet; if you've downloaded a
file by mistake or been sent one maliciously, you can stop it dead in
its tracks. Now do the same with Chrome. Windows will give you
exactly the same warning. No problem.

The exception to this is the JAR file. Windows doesn't check where
the file has come from when you run it, so you don't get the same
warning. Go to Raff's proof of concept, linked to from his blog, and
you'll see that Windows doesn't interfere in any browser. The
sole difference is that if you're using Chrome, you'll run the file in
one click; in any other browser it will take two. Try your own
browser and Chrome to see this for yourself. In fact, you can make
Chrome download and run as a two-step process by simply going to
'Options', then 'Minor Tweaks' and selecting the 'Ask where to save
each file before downloading' box.

So we have a small security issue, in that a malicious attacker could,
in theory, run a Java program on your computer if you were tricked
into clicking the wrong button. What are the odds of this
happening?

Slim to none.

For a start, a malicious attacker would have to design a clever
webpage to spread the virus, knowing that only Chrome users could be
targetted by it. The virus would have to be a Java virus, and there
aren't too many of those around. They'd then have to convince enough
users to visit the site to make it worth their while before the site
got shut down. I don't see it happening; not when spreading viruses
by email is so much easier, or when IE is the browser of choice. Why
hit such a small percentage of users in such a roundabout way?

And that's ignoring the fact that anyone who has moved on from IE
isn't going to fit the 'novice user' profile that is most at risk.

So no, dear readers, Chrome won't download and run files without your
permission.

I've been so interested in reading about Chrome and investigating the
issues that I haven't actually got round to using it very much yet.
My initial feelings are mixed. I'm not sure that I like the
minimalist interface—I find all the menus and options in other
browsers somehow reassuring, and feel rather lost without
them—although it does seem to handle javascript more
quickly² and it seems to be quite an energetic little
browser.

Feel free to leave your own thoughts about Chrome below, and I may
collect the best into an article for a future issue.

Science-related Articles Archive

Skankyrich

09.08.10 Front Page

11.09.08 Front Page

Back Issue Page