Saturday, January 12, 2013

Thoughts on Chrome(ium) Privacy Attainment

It is no secret to GSD blog fans that I’m a heavy supporter/user of the Firefox browser. It remains my primary workhorse for web surfing. Updates come pretty steadily and performance and stability issues haven’t been an issue for me. Plus the specialized add-ons I use make it super-handy.

That said, Google Chrome -- specifically the Chromium Dev build -- is the browser I launch when I want to do mindless web surfing, or leave a full-screen web-page up while I am monitoring something specific.

When I help a friend/family-member set up a new system, I always install and give a walkthrough of Chrome. More times than not they quickly come to prefer it over Internet Explorer.

In fact, one of the only reasons I don’t use Chrome(ium) more is the continued (and probably “forever”) lack of a bookmark-sidebar option that Firefox has.  With my personal bookmarking/blogging habits, that feature is a “must-have.” Lacking that, hard-core regular usage of Chrome remains an exercise in frustration.  More on my attempts to overcome this in a follow-up post.

On my system I have kept two (portable) build versions of Chrome; Chromium (Dev) and SRWare Iron.

I use and prefer Chromium builds because they are updated quite frequently. I have been a long-time user of SRWare Iron because the developer has offered a list of specific privacy feature enhancements under the hood that you don’t get with Chrome versions.

Additionally, there is Comodo Dragon Web Browser, also based on Chrome and providing some additional security/privacy features. However, I don’t use this version.

Chrome Flavors - Full Install versions

These versions will install a “full” version directly onto your Windows system.

  • Chrome Browser - Download current Chrome browser release version
  • Chromium - The Chromium Projects (overview)
  • Download Chromium - Download current Chromium browser release version
  • SRWare Iron - Download a “privacy-enhanced” version build of Chromium
  • Dragon Internet Browser - Download a “privacy-enhanced” version build of Chromium; includes “Domain Validation” feature from Comodo, cookie/web-tracking & browser download tracking for privacy.

Chrome Flavors - Portable versions

These “no-install” versions allow you to take your Chrome-browser with you on a USB stick…or if you just want to run it locally without installing onto your Windows system.

  • Google Chrome Portable -  The main version level is right there at the top. This is the “mainstream” Chrome version. Scroll down a bit on the page and you will find  additional download links for portable versions of Chromium (Dev) and Beta release versions. This is the source of the Portable Chromium (Dev) package I use/update.
  • Chromium Portable - This is another portable Chromium (Dev) package another group maintains.
  • Iron Portable - Download the version of SRWare Iron
  • SRWare Iron - Look carefully and there is a portable version (zip) offered on the developer’s download page.
  • Comodo Dragon Portable - Basically this forum tip says to just download the regular version and pay attention to choose the “portable” version install option while doing so.
  • Sandcat Browser - Syhunt. This is a specialized portable penetration-testing oriented web-browser based on the Chromium browser. Supports live HTTP Headers, request editor, fuzzer, JavaScript Executor, Lua executor, PageInfo extension, HTTP brute-force, CGI scanner scripts, and much more

Updating Challenges

I also have a bit of an OCD app updating problem. If there is a newer version out -- particularly important with browsers and browser-plugins for security reasons -- I download and apply.

This is a challenge for both my portable Chromium and portable SRWare Iron builds as they don’t have/support in-app updating. So I have to watch the webs/feeds for signals a new version is released then manually update them.

As of this post date, Chromium Dev is at 25.0.1364.29. SRWare Iron is at 23.0.1300.0.

So to remedy the issue I keep an eye on the Chrome Release blog (via my RSS feed reader). Then I pop over and check the direct download page for the source of the particular portable version I use and snag it when it appears, usually just a few days later.

Rolling your own Privacy Build of Chrome - Overview

So, what I want to have is all the privacy enhancements of SRWare Iron but in the “current” level of Chromium (Dev) and on a regular basis. Could I manually tweak-out a Chromium installation to achieve the same (or similar) privacy gains? 

One of the nice things of SRWare Iron is that the developer does all this work for you under the hood. But if like me you are comfortable making lots of browser configuration changes manually, and don’t mind doing some research, maybe you can get to the point of having an up-to-date Chrome-based browser with most/all of the features the SRWare Iron version has.

Aside: This isn’t really meant to be a discussion on creating an “ultra-secure/private” web-browsing experience in Chrome. I’m not seeking a completely “stealth” web-browsing experience. I’m not interested in setting up proxy/TOR sessions to try to bypass network/ISP tracking, nor is it to discuss the merits of “in private” mode browsing and all that. Who really knows what/how-much deep-packet inspection and logging at ISPs may be going on. Rather, this attempt is to reasonably minimize the number of tracking features normally encountered in standard web browsing sessions. Yes, those “features” can be used by ISP/web-sites/content-providers to “enhance” your browsing experience in serving customized web-content, advertisements, and search-results specific to your browsing habits. That may be a good thing or not depending on your perspective. I personally prefer to pour my coffee black and then add cream/sugar/etc depending on my mood. Same with my browser.

I started looking at the list of primary feature comparisons provided by SRWare; Chrome vs Iron.

Once I was familiar with these items, I started hitting Google to see how I could make each change manually. I soon found what I was looking for.

My plan was to post a link to explain how to achieve each setting.

But then as I dug just a bit deeper, I started finding some interesting discussions about recommended security and policy settings for Chrome builds; as well as some updated comments on the relevancy of the items targeted in SRWare Iron.

So instead, I’m posting links to those as I think this approach will allow someone to better (and more easily) create a customized privacy/browsing configuration for their own Chrome usage needs.

  • Google Chrome Privacy Whitepaper - Provided by Chrome, this excellent web-page outlines just about all the most critical features in Chrome/Dev that interface with Google and/or third-party services and sites including,
    • “Omnibox” predictions - how to enable/disable
    • “Chrome Instant” - search results and in-line prediction serving/logging
    • Google search locale
    • Phishing/malware protections - how to enable/disable
    • Navigation error tips - enable/disable
    • Google Update - (and those component ID tags)
    • Installation tokens, Promotional tags/tokens
    • Usage stats and crash reports - enable/disable
  • SRWare Iron Browser - A Private Alternative To Chrome? - InsanityBit - I found this post to be very helpful in understanding the benefits that I was seeking to have in SRWare Iron. It is pretty clear the writer takes a position against SRWare Iron’s advertised benefits over stock Chrome/Chromium builds. After reading you can do additional research and come to your own conclusions. I found it very helpful and it led me to personally drop using SRWare Iron and just stick with my own tweaked-out version of Chromium.
  • Chrome vs Iron (Privacy Comparison) with Poll for Chrome users - MalwareTips forum - This discussion thread contains discussion (and content) based on the previous link. It also touches on the Dragon build version, and has some screen shots of privacy features options in Dragon.
  • Google Chrome Security Settings and Configuration Guide for Enterprise - Root777 - Ajit Gaddam has a really super post that outlines recommendations for a more secure enterprise deployment of Chrome. Even if you aren’t deploying it in an organization, I found the discussion and points super-helpful. Lots of background information. Some changes are made in Group Policy Editor, but there are tips that can be followed for manual configurations.
  • Policy List - The Chromium Projects - List of policies that Chrome refers to and uses. Note that Chrome and Chromium policy settings will have different locations in the Registry depending on build.
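
As an added illustration of the note about registry locations (not code from the original post or from any of the linked guides), this PowerShell script audits a few of the whitepaper's features under both the Google Chrome and the Chromium policy keys, and writes them only when run with -Apply. The policy names are ones listed in the Chromium policy list; the desired values are this example's assumption and should be adjusted to taste.

```powershell
# Added example: audit (and optionally set) privacy-related Chrome/Chromium policies.
# Desired values below are an assumption of this example, not the post's settings.
param([switch]$Apply)   # without -Apply the script only reports

# Google Chrome and Chromium read machine policy from different registry keys.
$policyRoots = @{
    'Google Chrome' = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Chromium'      = 'HKLM:\SOFTWARE\Policies\Chromium'
}

# Policy name -> desired DWORD (0 = off, 1 = on), matched to the whitepaper items.
$desired = [ordered]@{
    'SearchSuggestEnabled'       = 0   # Omnibox predictions
    'AlternateErrorPagesEnabled' = 0   # navigation error tips
    'MetricsReportingEnabled'    = 0   # usage stats and crash reports
    'SafeBrowsingEnabled'        = 1   # phishing/malware protection stays on
}

function Get-PolicyState {
    param([string]$Root, [string]$Name)
    $item = Get-ItemProperty -Path $Root -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: browser default applies
    return $item.$Name
}

foreach ($build in $policyRoots.Keys) {
    $root = $policyRoots[$build]
    foreach ($name in $desired.Keys) {
        $current = Get-PolicyState -Root $root -Name $name
        if ($null -eq $current)                { $status = 'not set' }
        elseif ($current -eq $desired[$name])  { $status = 'ok' }
        else                                   { $status = 'differs' }

        if ($Apply -and $status -ne 'ok') {
            # Requires an elevated prompt: HKLM holds machine-wide policy.
            if (-not (Test-Path $root)) { New-Item -Path $root -Force | Out-Null }
            New-ItemProperty -Path $root -Name $name -Value $desired[$name] `
                -PropertyType DWord -Force | Out-Null
            $status = 'set'
        }
        [pscustomobject]@{ Build = $build; Policy = $name; Current = $current
                           Desired = $desired[$name]; Status = $status }
    }
}
```

After applying, the browser's chrome://policy page shows which of these values it actually picked up.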

Rolling your own Privacy Build of Chrome - Assistive Tools and Tips

If you don’t like the idea of making a lot of manual setting and configuration changes, then there are a number of excellent utilities and Chrome extensions that can assist you with the process.

In fact, these may be the only tools and tips most average privacy tweakers of Chrome need.


--Claus V.


Bret said...

Thank you for your analysis of the Chromium browsers and all the links to available tweaks. It did not surprise me that you used SRWare Iron as that's another thing we have in common - WinPE being the other. Anyway, I have been wishing for a more frequently updated version of Iron and re-read your post but there are so many possible customizations. Would you be willing to share the boiled-down tweaks you do to Chromium? Have you automated them or do you do them manually?

Thanks again,

Claus said...

@ Bret - You are welcome! Thanks for the comment.

Lately SRWare Iron seems to be updating just a bit more frequently now, but it still doesn't seem to be keeping pace with Chromium Dev build releases (that I prefer to use).

Your suggestion is excellent and I would enjoy doing a post on what I do to get a working (and currently maintained build) of Chromium Dev but using as close to SRWare Iron like configuration as I can.

It might have to wait a week or two before showing up here, but I'll try to take on that task!

Cheers mate!

--Claus V.