Thoughts on Chrome(ium) Privacy Attainment

It is no secret to GSD blog fans that I’m a heavy supporter/user of Firefox browser. It remains my primary workhorse for web surfing. Updates come pretty steadily and performance and stability issues haven’t been an issue for me. Plus the specialized add-ons I use make it super-handy.

That said, the Google Chrome -- specifically Chromium Dev build -- is the browser I launch when I want to do mindless web surfing, or leave a full-screen web-page up while I am monitoring something specific.

When I help a friend/family-member set up a new system, I always install and give a walkthrough of Chrome. More times than not they quickly come to prefer it over Internet Explorer.

In fact, one of the only reasons I don’t use Chrome(ium) more is the continued (and probably “forever”) lack of a bookmark-sidebar option that Firefox has.  With my personal bookmarking/blogging habits, that feature is a “must-have.” Lacking that, hard-core regular usage of Chrome remains an exercise in frustration.  More on my attempts to overcome this in a follow-up post.

On my system I have kept two (portable) build versions of Chrome; Chromium (Dev) and SRWare Iron.

I use and prefer Chromium builds because they are updated quite frequently. I have been a long user of SRWare Iron because the developer has offered out a list of specific privacy feature enhancements under the hood that you don’t get with Chrome versions.

Additionally, there is Comodo Dragon Web Browser also based on Chrome and providing some additional security/privacy features. However I don’t use this version.

Chrome Flavors - Full Install versions

These versions will install a “full” version directly onto your Windows system

• Chrome Browser - Download current Chrome browser release version
• Chromium - The Chromium Projects (overview)
• Download Chromium - Download current Chromium browser release version
• SRWare Iron - Download a “privacy-enhanced” version build of Chromium
• Dragon Internet Browser - Download a “privacy-enhanced” version build of Chromium; includes “Domain Validation” feature from Comodo, cookie/web-tracking & browser download tracking for privacy.

Chrome Flavors - Portable versions

These “no-install” versions allow you to take your Chrome-browser with you on a USB stick…or if you just want to run it locally without installing onto your Windows system.

• Google Chrome Portable - PortableApps.com.  The main version level is right there at the top. This is the “mainstream” Chrome version. Scroll down a bit on the page and you will find  additional download links for portable versions of Chromium (Dev) and Beta release versions. This is the source of the Portable Chromium (Dev) package I use/update.
• Chromium Portable - This is another portable Chromium (Dev) package another group maintains.
• Iron Portable - Download the PortableApps.com version of SRWare Iron
• SRWare Iron - Look carefully and there is portable version (zip) offered on the developer’s download page.
• Comodo Dragon Portable - Basically this forum tip says to just download the regular version and pay attention to choose the “portable” version install option while doing so.
• Sandcat Browser - Syhunt. This is a specialized portable penetration-testing oriented web-browser based on the Chromium browser. Supports live HTTP Headers, request editor, fuzzer, JavaScript Executor, Lua executor, PageInfo extension, HTTP brute-force, CGI scanner scripts, and much more

Updating Challenges

I also have a bit of an OCD app updating problem. If there is a newer version out -- particularly important with browsers and browser-plugins for security reasons -- I download and apply.

This is a challenge for both my portable Chromium and portable SRWare Iron builds as they don’t have/support in-app updating. So I have to watch the webs/feeds for signals a new version is released then manually update them.

As of this post date, Chromium Dev is at 25.0.1364.29. SRWare Iron is at 23.0.1300.0.

So to remedy the issue I keep an eye open of the Chrome Release blog (via my RSS feed reader). Then I pop over and check the direct download page for the source of the particular portable version I use and snag it when it appears..usually just a few days later.

• Chrome Releases - Chrome release notice blog
• Google Chrome PortableApps / Additional Versions - SourceForge.net file repository downloads
• Chromium Portable - SourceForge.net file repository downloads
• SRWare.net • View forum - SRWare Iron Support (English) - New version releases noted at the top.

Rolling your own Privacy Build of Chrome - Overview

So, what I want to have is all the privacy enhancements of SRWare Iron but in the “current” level of Chromium (Dev) and on a regular basis. Could I manually tweak-out a Chromium installation to achieve the same (or similar) privacy gains? 

One of the nice things of SRWare Iron is that the developer does all this work for you under the hood. But if like me you are comfortable making lots of browser configuration changes manually, and don’t mind doing some research, maybe you can get to the point of having an up-to-date Chrome-based browser with most/all of the features the SRWare Iron version has.

Aside: This isn’t really meant to be a discussion on creating an “ultra-secure/private” web-browsing experience in Chrome. I’m not seeking a completely “stealth” web-browsing experience. I’m not interested in setting up proxy/TOR sessions to try to bypass network/ISP tracking, nor is it to discuss the merits of “in private” mode browsing and all that. Who really knows what/how-much deep-packet inspection and logging at ISP’s may be going on. Rather, this attempt is to reasonably minimize the number of tracking features normally encountered in standard web browsing sessions. Yes, those “features” can be used by ISP/web-sites/content-providers to “enhance” your browsing experience in serving customized web-content, advertisements, and search-results specific to your browsing habits. That may be a good thing or not depending on you perspective. I personally to prefer to pour my coffee black and then add cream/sugar/etc depending on my mood. Same with my browser.

I started looking at the list of primary feature comparisons provided by SRWare; Chrome vs Iron.

Once I was familiar with these items, I started hitting Google to see how I could make each change manually. I soon found what I was looking for.

My plan was to post a link to explain how to achieve each setting.

But then as I dug just a bit deeper, I started finding some interesting discussions about recommended security and policy settings for Chrome builds; as well as some updated comments on the relevancy of the items targeted in SRWare Iron.

So instead, I’m posting links to those as I think this approach will allow someone to better (and more easily) create a customized privacy/browsing configuration for their own Chrome usage needs.

• Google Chrome Privacy Whitepaper - Provided by Chrome, this excellent web-page outlines just about all the most critical features in Chrome/Dev that interface with Google and/or third-party services and sites including,
  • “Ominibox” predictions - how to enable/disable
  • “Chrome Instant” - search results and in-line prediction serving/logging
  • Google search locale
  • Phishing/malware protections - how to enable/disable
  • Navigation error tips - enable/disable
  • Google Update - (and those component ID tags)
  • Installation tokens, Promotional tags/tokens
  • Usage stats and crash reports - enable/disable
    
• SRWare Iron Browser - A Private Alternative To Chrome? - InsanityBit - I found this post to be very helpful in understanding the benefits that I was seeking to have in SRWare Iron. It is pretty clear the writer takes a position against SRWare Iron’s advertised benefits over stock Chrome/Chromium builds. After reading you can do additional research and come to your own conclusions. I found it very helpful and it led me to personally drop using SRWare Iron and just stick with my own tweaked-out version of Chromium.
  
• Chrome vs Iron (Privacy Comparison) with Poll for Chrome users - MalwareTips forum - This discussion thread contains discussion (and content) based on the previous link. It also touches on the Dragon build version, and has some screen shots of privacy features options in Dragon.
  
• Google Chrome Security Settings and Configuration Guide for Enterprise - Root777 - Ajit Gaddam has a really super post that outlines recommendations for a more secure enterprise deployment of Chrome. Even if you aren’t deploying it in an organization, I found the discussion and points super-helpful. Lots of background information. Some changes are made in Group Policy Editor, but there are tips that can be followed for manual configurations.
  
• Policy List - The Chromium Projects - List of policies that Chrome refers to and uses. Note that Chrome and Chromium policy settings will have different locations in the Registry depending on build.

Rolling your own Privacy Build of Chrome - Assistive Tools and Tips

If you don’t like the idea of making a lot of manual setting and configuration changes, then there are a number of excellent utilities and Chrome extensions that can assist you with the process.

In fact, these may be the only tools and tips most average privacy tweakers of Chrome need.

• How to remove Google Chrome installation ID for anonymous surfing? - TechTrickz - These are two older tools that remove the unique “client_id” for your chrome browser. I can’t find a direct link to Abelssoft’s UnChrome tool any longer but some download sites still have it. Chrome Privacy Protector from Aquila is still around Chrome Privacy Protector. I don’t know if these will work with “portable” versions of Chrome or not.  In fact, according to this post Chrome to ditch unique ID, sort of via The Download Blog back in 2010, this feature should now be ditched.
  
• Privacy manager - Chrome Web Store - I really like this Chrome add on. It provides awesome granular control over primary privacy settings, cookie handling, and some network behavior. I can’t believe I haven’t been using this tool from the very beginning! For a deeper review, see this AddictiveTips blog post: Privacy Manager: Chrome Security Settings & Junk Data Cleaning.
  
• Privacyfix by Privacychoice - Chrome Web Store - this Chrome add-on allows you to make specialized privacy setting tweaks to your Chrome browser. It is really easy to follow and does a great job explaining the options and makes it easy to change/restore the settings depending on what you need to accomplish.
  
• Adblock Plus - Chrome Web Store - Block most ads in Chrome and the tacking stuff that comes with them.
  
• FlashBlock - Chrome Web Store - Block Flash media from auto-launching without your permission.
  
• Google Analytics Opt-out Add-on (by Google) - Chrome Web Store - Use to instruct Google Analytics JavaScript to not sent any info about the website you are on to Google Analytics. More tips and background on this particular privacy subject here: Keep Google From Tracking Your Every Move Online - How-To Geek
  
• How to Optimize Google Chrome for Maximum Privacy - How-To Geek - Additional tips and info on tweaking Chrome for privacy.
  
• How to Set your Google Chrome for Maximum Privacy|Set google for privacy - Hack How - Additional tips and info on tweaking Chrome for privacy.

Cheers

--Claus V.