Monday, April 21, 2014


by Dietrich Schmitz

You read that right.  I deem Google's proprietary Chrome (Freeware License) browser UNSAFE FOR GENERAL USE.

I can't make it any clearer than that.

Why is Google's Chrome browser unsafe?

It's pretty simple.  Google chose not to make Chrome's code base available to the general public.

For your purposes, that means it is not released under the open source GNU General Public License v2 (GPLv2), whose terms would allow the entire code base to be independently vetted by external audit for hidden vulnerabilities and exploits that may be present, much like Heartbleed in OpenSSL and NIST's Elliptical Curve Cryptography (ECC), which was discovered to have been weakened by the NSA.  Those rogue bugs lay hidden for quite some time, exploitable by those who knew of their presence.

The only ray of sunshine is that in those cases the source code was open, which allowed the flaws to be discovered and corrective action to be taken.

Sadly, one has to draw the line in today's world.  We know the score with the NSA.  The Fox is in the hen house and now it's time to take action.

Severe action is needed.

Accordingly, I am putting Google on notice: their code base is 'closed' to the general public and must be 'opened' for independent external audit to assure that no vulnerabilities of any kind exist (excluding discovered defects in Chrome's upstream dependencies).

It's no more Google Chrome for me.  And I hope you will follow suit.

Take action.  Switch to a 100% open source browser, like Mozilla's Firefox, Midori, GNOME's Web or KDE's Konqueror, today.

I would remind readers that, despite Google's assurances to consumers that their privacy remains intact, it turned out last year that the NSA was able to drill through Google's SSL firewall and pitch camp on the inside for an unspecified period of time, unbeknownst to Google, sampling the clear text, unencrypted Gmail and Drive metadata belonging to you.  Of course, publicly Google expressed outrage at what the NSA had done.

But actions speak louder than words.  You see, Google has had ample time to formally announce and roll out strong encryption for Gmail and Drive, their consumer-facing services.  To date, they have done nothing.

Yet on the commercial side of their business, they reacted quickly to the Fox in the Hen House last year and put in place strong encryption meeting the FIPS government standard.

Corporate America is 'big business'.  Consumers play second fiddle, and because Google states in revised TOS language that it parses your clear text metadata to generate advertising revenue, the message to the consumer is that 'profit' takes precedence over their privacy.

That is simply unacceptable and quite worrisome, despite the 'lip service' they have paid to tightening up their SSL standard.

No, consumer data, yours, is still sitting in clear text on storage media in the Gmail / Drive cloud, where it can be read at will if, as and when it suits Google and/or any governmental agency.

And with Chrome being closed source, there is no way to know for sure what is or isn't happening during your Internet browser sessions, is there?

Dear Reader, switching to open source is the only way that Security through Transparency can be achieved.  Do it today.


-- Dietrich

