Saturday, December 13, 2008

Google Chrome's password security score.

After updating to Google Chrome's latest version, 1.0.154.36, I took the test!

Out of the 21 tests performed, Google Chrome's up-to-date version fails 14!

This gives it the same score as Firefox 3.04 and Opera 9.62.

You can read about the test (they performed their tests in July) and take it with your own browser at:
http://www.info-svc.com/news/2008/12-12/

The most interesting thing to note about this test is that every browser they tested failed the "Action Scheme Raises Warnings" Test.

They describe it below:

To pass this test, the PM must warn the user if the action scheme is potentially unsafe or does not match the page scheme. For example, if a login form uses an e-mail application that will display the password on screen, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test.

When you go through this particular test, every single browser tested (i.e. Opera, Safari, Firefox, IE, and Chrome) takes your password and displays it on your screen somehow. I did the test a few times: once it displayed the password in an email that popped up in Outlook, with another browser it put the password into a search query on Google, and still another time the password went to a Gmail login page (I had to look through the URL carefully, but there it was, about halfway through a long, complex-looking URL).
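To make the quoted requirement concrete, here is an added sketch (not code from the test suite or from any browser) of the checks a password manager could run before saving or filling a login form: action scheme, action authority, and form method. The function name `checkLoginForm`, the warning labels, and the `example.test` URLs are assumptions made up for this illustration.

```javascript
// Added example: hypothetical pre-save / pre-fill check for a password manager.
// Schemes that submit the form over the network to a web server.
const WEB_SCHEMES = new Set(["https:", "http:"]);

// Returns a list of warning labels; an empty list means nothing to warn about.
function checkLoginForm(pageUrl, formAction, formMethod) {
  const page = new URL(pageUrl);
  const warnings = [];
  let action;
  try {
    // An empty or relative action resolves against the page URL, as in a browser.
    action = new URL(formAction || pageUrl, page);
  } catch (e) {
    return ["action-unparseable"];
  }
  if (!WEB_SCHEMES.has(action.protocol)) {
    // e.g. mailto: hands the password to a mail client that shows it on screen.
    warnings.push("action-scheme-unsafe");
  } else {
    if (action.protocol !== page.protocol) {
      warnings.push(page.protocol === "https:"
        ? "action-scheme-downgrade"
        : "action-scheme-mismatch");
    }
    // host includes a non-default port, so a port change is also caught.
    if (action.host !== page.host) {
      warnings.push("action-authority-mismatch");
    }
  }
  // HTML forms default to GET, which places the password in the URL.
  if ((formMethod || "get").toLowerCase() !== "post") {
    warnings.push("method-exposes-password-in-url");
  }
  return warnings;
}

// Constructed sample forms, all on the same hypothetical login page.
const PAGE = "https://login.example.test/signin";
const SAMPLES = [
  ["/session", "post"],
  ["mailto:someone@example.test", "post"],
  ["http://login.example.test/session", "post"],
  ["https://search.example.test/search", "get"],
];
for (const [action, method] of SAMPLES) {
  console.log(action, method, checkLoginForm(PAGE, action, method));
}
```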

Here are my browser test results:

Chrome's results are immediately below; below them you can see Chrome's Incognito score and Firefox 3.03's score.

Action Authority Checked on Retrieval PASSED
Action Authority Checked on Save FAILED
Action Authority Raises Warnings FAILED
Action Path Checked on Retrieval FAILED
Action Path Checked on Save FAILED
Action Scheme Checked on Retrieval PASSED
Action Scheme Checked on Save PASSED
Action Scheme Raises Warnings FAILED
Action Scheme Prevented if Unsafe FAILED
Autocomplete=Off Prevents Form Fills PASSED
Invisibility Prevents Form Fills FAILED
Method Checked on Retrieval PASSED
Method Raises Warnings FAILED
Multiple Paths Per User Per Authority FAILED
Multiple Ports Per User Per Host PASSED
Multi. Schemes Per User Per Authority PASSED
Page Path Checked on Retrieval FAILED
Random Name Attr. Prevents Form Fills FAILED
User Required for PW Retrieval FAILED
User Required for PW Save FAILED
Valid URIs Don't Break Anything FAILED

Chrome Incognito mode

Incognito mode did much better but still wasn't very secure.

Probably not very valid, as you cannot use the password manager in this mode, but I was curious whether the tests for sending your password in plain text to email would be the same or not... They were!

Report

Test Performed Result
Action Authority Checked on Retrieval PASSED
Action Authority Checked on Save PASSED
Action Authority Raises Warnings FAILED
Action Path Checked on Retrieval PASSED
Action Path Checked on Save PASSED
Action Scheme Checked on Retrieval PASSED
Action Scheme Checked on Save PASSED
Action Scheme Raises Warnings FAILED
Action Scheme Prevented if Unsafe FAILED
Autocomplete=Off Prevents Form Fills PASSED
Invisibility Prevents Form Fills PASSED
Method Checked on Retrieval PASSED
Method Raises Warnings FAILED
Multiple Paths Per User Per Authority FAILED
Multiple Ports Per User Per Host FAILED
Multi. Schemes Per User Per Authority FAILED
Page Path Checked on Retrieval PASSED
Random Name Attr. Prevents Form Fills PASSED
User Required for PW Retrieval PASSED
User Required for PW Save PASSED
Valid URIs Don't Break Anything FAILED

Firefox 3.03

Report
Test Performed Result
Action Authority Checked on Retrieval PASSED
Action Authority Checked on Save PASSED
Action Authority Raises Warnings FAILED
Action Path Checked on Retrieval FAILED
Action Path Checked on Save FAILED
Action Scheme Checked on Retrieval PASSED
Action Scheme Checked on Save PASSED
Action Scheme Raises Warnings FAILED
Action Scheme Prevented if Unsafe FAILED
Autocomplete=Off Prevents Form Fills PASSED
Invisibility Prevents Form Fills FAILED
Method Checked on Retrieval FAILED
Method Raises Warnings FAILED
Multiple Paths Per User Per Authority FAILED
Multiple Ports Per User Per Host PASSED
Multi. Schemes Per User Per Authority FAILED
Page Path Checked on Retrieval FAILED
Random Name Attr. Prevents Form Fills FAILED
User Required for PW Retrieval FAILED
User Required for PW Save FAILED
Valid URIs Don't Break Anything PASSED
