MIAMI -- Google is one company that lives and dies in the web, so for many reasons, they need to care -- a lot -- about browser security. That was the focus of engineering lead for Chrome Security at Google, Justin Schuh's keynote speech at this year's Infiltrate 2017 conference.
There are three main reasons why Google needs to care. First, pretty much all of its revenue is funneled through the browser, "People need to feel that it's reasonably safe," Schuh said.
Securing the web browser wasn't always a paramount concern, though, even for Google. What served as a huge wake up call for them was Operation Aurora in 2009. State-sponsored hackers broke into Google, which actually caused a significant change.
Few know better than those in the security industry that change doesn't always come easily. One reason that change is slow going stems from what Schuh called, "Open source hippies. People approach things wildly differently. We believe in the web as an ecosystem, and that we can move the whole thing forward and make it a lot better."
With all that wisdom and good intention, why is browser security so tough?
"There are a lot of different things at play," said Schuh. "There are a lot of diverse platforms on Chrome, and that makes security a particularly tricky thing, so you're trying to support the same browser on a lot of different platforms. Then there's the third party code issues."
Not to mention the diverse constituencies that need to be catered to, from the developers and users being served to the employer goals and agendas. Security then has to figure out how that all fits together, said Schuh.
The added layer of competition on web ads, said Schuh, adds a lot of complexity. "That's a big revenue funnel, and a lot of people are competing for that funnel. The browser is just a commodity, and the cost of switching is really low, especially when most users don't understand security enough for it to influence their browser using decision."
With all of these obstacles in mind, Chrome has defined three main strategies to approaching security, which include isolation, mitigations, and anti-abuse (the phishing and downloading stuff, Schuh said).
"Sandboxing is the big thing we focus on. It's our strongest line of defense. It's the number one thing that we do, so we keep building on and refining it. Isolation is the main thing we are investing most in, which differs from other browsers," said Schuh.
In terms of mitigation, they discriminate a little more. "They have some use. If they don't add significant code complexity and performance overhead, we use them. There's been a lot of investment in Clan CFI, but with the goal of trying to build some sort of memory safe-ish inner sandbox thing."
Sign up for Computerworld eNewsletters.