Google Chrome has been consistently rated as the safest consumer Web browser available today, but, to paraphrase a famous military scholar, no security survives contact with the user. Poor end-user habits and settings can compromise even the most secure browser. Below are some basic steps to ensure that Chrome isn’t the weak link in your Google Apps security plan.
The first phase of improving Chrome’s security profile is tweaking its native settings to avoid storing sensitive data, and to ensure you never surf to the more unsavory corners of the World Wide Web.
1. Make Sure ‘Safe Browsing’ Is Enabled
Chrome has a number of automatic ‘Safe Browsing’ defenses against phishing and malware, most of which simply warn users before they visit pages with spoofed URLs or badly out-of-date security certificates. ‘Safe Browsing’ is enabled by default, but security begins with making sure it stays that way.
2. Block All Browser Cookies By Default
While this will make the browser mildly less convenient by forcing the user to log in every time he or she reaches a site — including Google Apps — it will prevent any session from persisting after a browser tab is closed. This both blocks unwanted monitoring by third-party cookies and limits the possibility of tailgating attacks.
3. Block Saved Passwords
Saved passwords are a risky convenience, as anyone with access to your browser — which is only a stolen laptop away — can subsequently access all your online accounts, Google Apps included. Moreover, hackers target the stored password file as a treasure trove of identity theft or intrusion ammunition. Disabling the saved password function is perhaps the single most important step to take in protecting not just your Google Apps domain, but every one of your online accounts.
4. Disable Autofill
Autofill data represents saved form data — addresses, phone numbers and email addresses — designed to make online sign-ups easier. While far less dangerous than saved passwords, autofill information is nonetheless a tempting target for hackers and laptop thieves alike, as it contains vital clues to the login information for your Google Apps domain (to say nothing of your online banking accounts). Disabling autofill keeps this information out of the browser.
5. Lock SafeSearch to Strict
Chrome makes it trivially easy to employ Google Search, so those searches need to be as safe and secure as possible. Locking Chrome’s native search functionality into SafeSearch mode ensures that no less-than-trustworthy sites are returned from any query, keeping the application that accesses your Google Apps domain that much further from any dangerous malware.
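The five settings above can also be pinned by an administrator so that users cannot quietly undo them. The script below is an added example, not part of the original article: it writes a Chrome managed-policy file using Chrome's published enterprise policy names and audits an existing file for weak values. The Linux path in the comment is Chrome's standard managed-policy location; the output directory is an assumption you would replace. Note that DefaultCookiesSetting 4 (session-only) gives the "log in every time" behaviour described in step 2, whereas 2 blocks all cookies and also breaks Google sign-in.

```python
import json
import os
import tempfile

# Chrome enterprise policy names and the hardened value for each of the five
# settings above. On Linux, Chrome reads such a file from
# /etc/opt/chrome/policies/managed/<name>.json (Windows/macOS use registry/plist).
HARDENED_POLICY = {
    "SafeBrowsingProtectionLevel": 1,   # 0 = off, 1 = standard, 2 = enhanced
    "DefaultCookiesSetting": 4,         # 4 = session-only; 2 = block all (breaks sign-in)
    "BlockThirdPartyCookies": True,
    "PasswordManagerEnabled": False,    # step 3: no saved passwords
    "AutofillAddressEnabled": False,    # step 4: no saved form data
    "AutofillCreditCardEnabled": False,
    "ForceGoogleSafeSearch": True,      # step 5: SafeSearch locked to strict
}

# (policy name, predicate that the value is acceptable, description of the weakness)
CHECKS = [
    ("SafeBrowsingProtectionLevel", lambda v: v in (1, 2), "Safe Browsing disabled"),
    ("DefaultCookiesSetting", lambda v: v in (2, 4), "cookies persist after the browser closes"),
    ("BlockThirdPartyCookies", lambda v: v is True, "third-party cookies allowed"),
    ("PasswordManagerEnabled", lambda v: v is False, "password saving allowed"),
    ("AutofillAddressEnabled", lambda v: v is False, "address autofill allowed"),
    ("AutofillCreditCardEnabled", lambda v: v is False, "card autofill allowed"),
    ("ForceGoogleSafeSearch", lambda v: v is True, "SafeSearch not enforced"),
]


def audit_policy(policy):
    """Return one finding per setting that is unset or weaker than required.

    An unset policy is reported too: Chrome then falls back to its default and
    the user can change the setting in chrome://settings at will.
    """
    findings = []
    for key, acceptable, weakness in CHECKS:
        if key not in policy:
            findings.append(f"{key}: not set (user-changeable, Chrome default applies)")
        elif not acceptable(policy[key]):
            findings.append(f"{key}={policy[key]!r}: {weakness}")
    return findings


def write_policy(policy, directory=None, name="google_apps_hardening.json"):
    """Write the policy as the JSON file Chrome's managed-policy loader expects."""
    directory = directory or tempfile.gettempdir()   # assumed output dir for the demo
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        json.dump(policy, f, indent=2, sort_keys=True)
    return path


def load_policy(path):
    with open(path) as f:
        return json.load(f)
```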
Chrome’s native security measures are laudable, but you can double down on your defenses with carefully selected browser extensions.
6. Secbrowsing Plugin Version Checker
The first step to safely using Chrome Extensions is to make sure those extensions are up to date, which is to say that all known security flaws have been patched. The Secbrowsing plugin ensures that any extension you’re running is the latest, and thus likely the safest, version.
7. KB SSL Enforcer
Browsing over Secure Sockets Layer (SSL), i.e. HTTPS, is fundamentally safer than standard web surfing, and most websites offer an SSL access option — provided you can find it. The KB SSL Enforcer defaults to the HTTPS address for every website that offers it, including every core and non-core Google Apps service. Never transmit a password without SSL protection again.
8. View Thru URL Shortening Decoder
Popular URL shortening services like bit.ly and j.mp are often used to enable phishing attacks and malware installations by disguising unsafe web addresses. The View Thru extension allows you to verify the real, unshortened URL before you visit it, sidestepping these camouflage attempts.
9. PasswordFail Cleartext Password Alarm
While virtually every web application requires you to create an account to use the service, a shocking number of these apps send and receive password information in dangerously insecure cleartext formats. While no Google Apps service makes this mistake, another web app’s carelessness could compromise your browser and thus your Google Apps domain. The PasswordFail extension warns you off any web application that employs cleartext passwords, ensuring you never put your browser security in the hands of sloppy code.
Implement these nine steps and Google Chrome’s already stalwart security profile will be significantly stronger — and so will your Google Apps domain.