Tuesday, December 16, 2008

Google Chrome Bottom in Password Security

Via Heise Security -

According to Richard Chapin, Google's Chrome scored lowest in a test of password management security, but other browsers didn't fare much better. The security expert found security flaws in the Firefox 2 password management two years ago. He tested Google Chrome during its beta period, and Chapin's company, Chapin Information Services (CIS), had reported three bugs in Chrome that were not fixed by release time. Chapin said that, along with seventeen other issues in Chrome's password manager, they created "a toxic soup of potential vulnerabilities that can coalesce into broad insecurity".

Safari 3.2 for Windows was also added to the CIS testing, and "essentially tied for the worst password manager" with Chrome. CIS's tests are made up of 21 specific checks to ensure the browsers are not easily fooled into giving up the password information that they have remembered for the browser user. Phishers could exploit these flaws to trick a browser into disclosing a username and password for a third party's site.

Interestingly, Google Chrome was the only major browser that passed one test: not filling in a form when auto-complete is set to off. This only brought its score up to 2, the same score as Safari. No browser scores well on Chapin's tests. The "winner" was Opera 9.62, which only passed 7 of the 21 tests. CIS have a test suite which allows users to evaluate their own browser against the CIS tests.

-----------------------------------------

It was interesting to hear that Chrome's Password Manager is the only one that properly respects the "Autocomplete=off" request for form field filling.
