For those of you that don’t already know, Google has thrown its hat into the ring of the browser wars. By “browser wars” I mean “the fight for being the only way that you can access the Internet.”

So far, Google has drawn criticism–mostly on it’s user interface though. It’s blue. I’ll discuss that in a moment.

I’ve been playing with Google Chrome for about two days now. And it’s worth using. Here’s why.

Security

Online scams and phishing (a type of online scam where you are fooled into surrendering precious information by an impostor website) have become increasingly popular topics in the last couple years.  The Internet has provided identity thieves an efficient, productive way to steal credit card information, passwords and much more.

Google has seen and has been active in thwarting this problem.  They’ve cross-referenced their massive catalog with the Internet with feedback from users and have made a blacklist available to anyone who wants to check for malicious websites in their programs.

As a tremendous benefit of having this information available, they have built in state-of-the-art security features.

First, any malicious website that has been cataloged by Google will not load.  Instead a prohibitive screen will warn you and give you an opportunity to leave before things get ugly.  This type of feature has been in Internet Explorer (boo!), Mozilla Firefox, and Safari for years now.

But most notably included is address highlighting that easily exposes what website you’re browsing, but also what mode (secure or non-secure) you are browsing in.

Take a look at this screenshot…

You can easily see that the site I’m visiting is bradkovach.com.  Since the “http://” isn’t in green, I know that I’m not communicating over a secure connection.

But take a look at this screenshot…

You can tell that I’m connecting to Facebook, but I’m connecting to the wrong site. (I should have used https://www.facebook.com instead of https://facebook.com).  It uses the color red (which has been programmed into society to signify a problem).  And it also puts a slash through the connecting protocol to let you know that something isn’t right.  Not pictured is the contents of the actual page, which are prohibitively red with two options: “Proceed anyway,” and “Back to safety.”  On this page, clicking “Proceed anyway” lets you continue to the Facebook server you specified, but Facebook does the right thing and forwards you automatically to the secured version of their 100-million-strong web app.  This demonstrates the use of

Among passive security systems that will allow users to make their own calls on safety, this is a serious, but simple step toward Grandmother-friendly site identity validation.

Speed

There have been a number of benchmarks done by independent 3rd parties that conclusively prove that Google has made the fastest browser… ever.  It can evaluate Javascript MUCH faster than any other browser  It also uses a super-fast rendering engine (WebKit) to draw the pages on your screen.  For websites that use Javascript heavily (Facebook, Gmail) this results in a significant speed boost when performing day-to-day tasks.

Chrome has also made the tab much more usable.  When Javascript grinds down one tab, the others remain usable since they are isolated by a cool computing concept called “sandboxing.”  This means that one tab could crash completely, and the others would remain independently stable.  Very cool.

Also, since Chrome is sandboxed, memory management issues have been eliminated.  Traditionally–and users of Firefox know this–browsers have been very sloppy at “garbage collection.”  This means that every time you close a tab, load a new page, etc, a fragment of the old tab/page/etc is left behind and cannot be removed from memory.  After a day of surfing, browsers can occupy upwards of 200 megabytes of memory–a hideously large amount for a web browser.

Aesthetics and Usability

First there was IE, and now there’s Google Chrome trying to reshape the browser interface paradigm.  Google has taken a new browsing tab, a fairly new browsing tool, and moved it!  Instead of appearing as a row below the address bar, they compose the title bar.  Not only does this save space, but it’s kinda handy.  When a Chrome window is maximized, a flick of the mouse toward the top of your screen will always land you at the row of tabs that you have opened.

And the most major criticism of Google Chrome so far?  It’s kinda ugly–on Windows XP.  Vista versions of Chrome look great (better than Firefox).  For the new features that GChrome brings to the table, the look of the application is a minor inconvenience.  A more translucent and space-efficient design would also help things tremendously.  But for now, it’s in beta.  Give Google some time.

In today’s modern web browser eco-system, page zooming is standard.  By page zooming, I mean that the ENTIRE page gets blown up, not just the text sizes.  Curiously absent from Google Chrome is a page zoom feature.  GChrome only supports text zooming, which is rather useless on many websites.

Plugability

One of the reasons that I enjoy Firefox more than other browsers is its dynamite extension system.  So far, Google hasn’t made a clear path to an extension API–so your useful plugins like AdBlock Plus will not exist.  Surprising, consider Google owns the two largest advertising networks on the Internet.  At some point, however, Google will hear the cries for easier extendability.

Conclusion

Google has made a browser: Google Chrome.  It’s fast, safe, and stable.  It has some minor inconveniences, but it’s a few days old.  Give it time and Google Chrome will be a serious contender in the browser arena. (Apparently, it already has a 3% market share.  WTF!?)

Try Google Chrome: http://www.google.com/chrome/

In the new, digital economy, security is becoming more and more important. Online accounts are available everywhere. Your data needs to be safe. Security engineers have been paying a lot of attention to online security lately. Here are some trends in online security that are making the Internet a safer place.

1. Security Keys

Multi-factor authentication, or a way of using MORE than a username and password to prove your identity, is making serious advances.

Security keys are one popular multi-factor method of securing online accounts. Basically, you’re issued a device that contains a unique code generation algorithm. On the keychain-sized device, a 6-digit code changes every 30 seconds. The algorithm is shared between your device and the server that you’ll be authenticating with, so the server can generate the number, too. When the time comes to login, both ends of the transaction are able to generate THE SAME NUMBER and authenticate.

Currently, eBay/PayPal is mass-marketing these security devices. You can secure (not that it already isn’t) your account for a one-time fee of $5.00 USD. After your account is secured, it needs a username a password AND 6 digits that change every 30 seconds.  Unfortunately, this is ONLY available in the United States, Germany, and Australia.

PayPal.com

2. Key-Based Authentication

Another advance in the identity-proving arena is key-based authentication. Rather than a username and password, a user has a login key that contains a unique set of information–unique only to the visitor.

The authenticating server is equipped with a public-safe variant of that private key giving the user the digital equivalent of a padlock/key system. When a connection is initiated with a server, your computer encrypts your key in a securely-encrypted tunnel, sends it to the server where it is then decrypted (if you added a password) and matched against the key file (padlock). If successful, you are securely authenticated to the service. Essentially, rather than a short password that you have to type in, you have a long (1024 bits isn’t out-of-the-ordinary) password file that takes the password’s place.

Public implementations of this are still in the works; however, SSH has been using it for a long time now.

Learn more: http://www.laubenheimer.net/ssh-keys.shtml
Secure Shell on Wikipedia

3. OpenID

Attempts at central online identity management have been attempted in the past, but many experts say that OpenID is the best, most efficient and most flexible unified sign on system to bless the internet so far.

Logging in with OpenID couldn’t be easier. Rather than a username/password prompt, you’re asked to provide your OpenID identity URL. This URL can be anywhere. AOL, WordPress, and many other websites host your login identities as OpenID identities. In emails I have exchanged with Facebook, I know that they, too, are working to become an OpenID provider.

After entering your OpenID identity URL, you’ll be sent to your OpenID provider (eg: AOL) to verify your identity. It is up to the particular provider to determine the challenges that grant you access to your account. Verisign Labs, who licensed the PayPal Security Key, is providing OpenID solutions WITH your PayPal security key.  Most challenge with a simple username and password.

More information here: http://openid.net/
VeriSign PIP: http://pip.verisignlabs.com

4. Ambiguous Password Failure

When programming an authentication system, care must be taken to not reveal the underpinnings of the system and its structure.

Many websites will reveal the existence of an account to a potentially malicious user by saying “incorrect password.” The problem exists that with that type of verification, a malicious user knows that an account exists under the requested name and can proceed to breaking in with a brute-force or dictionary attack.

Now, many websites are just saying that the username/password is incorrect. Not only does this foil malicious cracker logins, but it causes the user to reassess his or her login credentials.

Conclusion

If you’ve seen good online security practices in the wild, let the world know in the comments area.