7

As a follow-up to this question, "Can you get virus just by visiting a website in Chrome?", I've read these pages:

And I want to know whether, if I'm using the latest version of Chrome (i.e. 11.0.696.68) and I've got Flash disabled (about:plugins >> disable), I can safely say that I can right-click any link to an infected webpage >> "open in new incognito window" and be 100% sure that:

  • the website cannot use my email and send spam mails to my contacts
  • there is no virus / damage to my system

You can assume that:

  • My system is not already infected with virus / trojan
  • This question is targeting Windows 7 / Windows XP / Windows Vista

I am aware that the URL may inform the hacker that my email is an active email, but I want to be sure that with that info, the worst he can do is:

  • Send me more spam
  • Publicize my email
  • Sell my email address to bad people (who, btw, are also limited to these 3 activities)
Pacerier

4 Answers

9

First of all, besides Flash you have to disable all other browser plugins; the most obvious one is Java. Java has been a target in browser exploitation as much as Flash has been.

  • the website cannot use my email and send spam mails to my contacts

If you open it in incognito mode, a malicious website can't steal your cookies or other data because those data are not available to it, so you should be fine, but no one can say you are 100% sure. In the case of a new browser exploit, even if it doesn't escape the sandbox but only exploits the browser, in theory it could steal data - but I've never seen something like that. If you are still worried, you could also disable HTML5 rendering, as there have been browser exploits lately based on this vector, and also disable JavaScript (or run NoScript).

  • there is no virus / damage to my system

If you disable plugins and run the latest Chrome, you are as safe as you can be when running a normal browser against those things. If you want better solutions, you go into the realm of malware researchers and running locked-down browsers in virtual machines.


Of course all the security a browser can offer does not compensate if the problem is between the keyboard and the chair. If a user is tricked into downloading and running an executable, all bets are off.

john
  • Good point @John. Java is another good plugin to disable. Also enabling click to play in chrome://flags. – Rakkhi May 17 '11 at 12:07
  • how do we disable html5 rendering? – Pacerier May 19 '11 at 07:17
  • Disabling HTML5 might have been an exaggeration. What is suggested is to disable WebGL, which is part of the HTML5 rendering engine. To do that in Chrome you can start the browser with the -disable-webgl parameter. For Firefox and Opera there is a config setting in their advanced options about WebGL. For Firefox there is also an extension to disable HTML5 (HTL5toggle). – john May 19 '11 at 11:34
5

Chrome has not yet been formally verified (nor has any program or OS that I'm aware of), so there are no guarantees.

That being said, unless you make yourself a target by someone equipped with a very powerful, underground, unbeknownst-to-all, weaponized, 0-day exploit -- you can probably give yourself a virtual high-five for being the most secure Win7 Internet user within at least 500 miles of where you sit right now.

Unless they are running EMET (configured properly) and OpenHIPS. Or similar technologies.

atdre
  • 2
    Agree with @atdre, there are no guarantees, but the measures you have taken have reduced the risk of malware and drive-bys. You can further reduce risk by installing NotScripts (like NoScript for Firefox) https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn . You can then allow JavaScript on whitelisted sites. You could also run your normal browsing and sensitive Internet use (e.g. online banking, shopping) on different machines / VMs. Of course technology will only do so much; you still need common-sense Internet use, i.e. no free iPad. – Rakkhi May 17 '11 at 09:13
  • 1
    Even where something has been formally verified, e.g. Common Criteria, it is only applicable to that specific configuration and system, which doesn't help the ordinary user. E.g. refer to the UK chip and PIN readers with basic lack of encryption in transit after EAL 4: http://www.cl.cam.ac.uk/research/security/banking/nopin/press-release.html – Rakkhi May 17 '11 at 09:17
  • 1
    Well, even if it was formally verified, there are no guarantees. EAL4 systems are compromised all the time. Formal compliance is good, but by no means a guarantee against competent attackers. – john May 17 '11 at 09:53
  • Doing any kind of mathematical proof of correctness on something as large as a browser would be a nightmare. – rook May 17 '11 at 15:52
  • Uh... I meant TCSEC "Beyond A1" formal verification of everything: design, code, whole system -- the whole thing. I don't even know what Common Criteria is, nor do I care. I'm talking about formal methods, not a marketing sticker. – atdre May 17 '11 at 23:47
3

You cannot be 100% sure. But if you do open it in Incognito mode, there's much less chance for you to be harmed. Still, you cannot be 100% sure.

Nam Nguyen
2

I would say, in today's world, none of the browsers is secure. We are falling back on the vulnerabilities being exploited and made public; what about the ones which are never disclosed and remain underground for years? Disabling one plugin means you are reducing one attack vector. If you are paranoid about security, then I would recommend using a type of sandbox like Sandboxie and opening Chrome inside it. This will isolate the process, and if you get hit, you are still protected.

Auditor