Why Everyone Is Pissed Off About Google Chrome's Sound Security

There's much gnashing of teeth today over the discovery that Google Chrome lets you -- or anyone using your computer -- see the plaintext web passwords stored by your browser. But Google is thinking like a security architect, and from that perspective, the company is completely right.
Photo illustration by Charlie Sorrel/WIRED; Original photo: Jon Snyder/WIRED

There's much gnashing of teeth today over the discovery that Google Chrome lets you -- or anyone using your computer -- see the plaintext web passwords stored by your browser.

This isn't a security bug. It's Chrome's documented behavior, and has been all along. But an outraged blog post highlighting the issue yesterday by U.K. software developer Elliot Kember was picked up by Hacker News, thrusting Google's security choices into the limelight.

In a response on Hacker News, Google Chrome's security chief Justin Schuh explained the company's reasoning.

The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater.

Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install a malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.

We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, they can get at everything. Because in effect, that's really what they get.

Google is thinking like a security architect, and from that perspective, the company is completely right. Security folks think of your computer as a nuclear power plant, with radiation-proof compartments surrounding the core. Your browser window and your stored passwords live in the same compartment. They have to, so that Chrome can see the passwords and fill them in for you.

By making it easy for you to see those passwords with your own eyes, Google is declining to pretend that the passwords are partitioned off in another compartment.

The bottom line is, once a password is accessible to your browser, it's going to be accessible to anyone who can sit in front of your browser and rest their sticky fingers on your keyboard. Short of authenticating every single password auto-fill, there's no way around this. Here's a simple trick that will do the job, and here's an even more convenient bookmarklet called Reveal Password.

So the suggestion that Google Chrome make you enter a "master password" to see your stored passwords is at best pointless, and at worst misleading, from a real security point of view.

But there's an argument to be made on the other side. Google could throw up some drywall in the nuclear plant, and in the end, it would probably do more good than harm.

Google's all-or-nothing security perspective is natural for a company that routinely confronts serious, state-sponsored attackers. But in day-to-day life, most Chrome users have to worry about what security geeks call the "unskilled attacker." That's the jealous boyfriend who might, if it's easy enough, cage your Facebook password to check up on you later. It's your teenaged son looking for your porn passwords. It's the dude at the coffee shop who's left alone with your laptop for a moment while you pick up your mocha.

Even the flimsiest obstacle would be effective against these threats, while serving as a moral signpost declaring the Password Manager off-limits to the kind of casual snoops who are already paging through your browser history. As long as people equate ease of access with permission, there's value in making some things a little harder.

So as a practical matter, Google should probably capitulate to the outrage and erect a barrier in front of the Chrome Password Manager. What's terribly unfair about this, of course, is that in two years there will be another outraged blogger discovering that this barrier provides no real security, and Google will go through the wringer all over again.