Jeff Duntemann's Contrapositive Diary

April 18th, 2009:

The Iron Sandbox

I’ve been pretty focused the last three or four months, so I mostly missed the whole discussion about Google Chrome and its pros and cons. Parts of Chrome are very impressive, particularly the “sandbox” security model–and parts are about what you’d expect from a monster company that makes its money on Web ads. I caught snatches of the debate here and there, but it wasn’t until I found myself at 3 PM today with 5,100 words’ worth of progress made since 7:30 AM that I decided, enough of this. (I’m now 133,000 words in and pretty much on schedule again, having lost some ground in March.) So I kicked back and started reading up on Chrome. In doing so, I found something I hadn’t expected, or heard about at all: SRWare Iron.

What Iron looks like to me is Chrome with Google’s business model stripped out. Chrome itself was based on a number of different technologies, most of them open-source, including Google Code’s Chromium browser framework and the WebKit rendering engine. Google built a number of tracking mechanisms into Chrome, including a unique user ID and a few other mechanisms for sending search statistics back to Google. These seemed relatively benign to me (perhaps I’ve seen too much of the really bad stuff, heh) but a lot of people got very upset over the Chrome privacy model.

Enter SRWare, a German software security firm. They took the open-source codebase for Chrome and stripped out whatever they considered dicey from a privacy standpoint. They updated the WebKit rendering engine, did a few other miscellaneous security tweaks, and re-released the product as Iron. This sounds presumptuous to some people, but that’s how open source works. (There’s nothing preventing Google from re-absorbing SRWare’s changes, but as the changes are mostly features removed, that wouldn’t be especially useful.) Basically, we have a Chrome variant that doesn’t track your searches and phone home.

That’s good, and as browsers both Chrome and Iron have reviewed well. Chrome (and therefore Iron) does well on Web standards, passing Acid1 completely and Acid2 with only minor glitches. But what I find best about Chrome/Iron is the security model. Each tab is a separate process, and each tab process has its system rights severely restricted. Even if the browser itself is running in an admin account, the tabs run as restricted users, with a few further restrictions. Malware may well run in a tab, but there is very little that the malware can do except run in the tab. It can’t install software, sniff other processes, write files, or survive the closing of the tab. It’s not a per-tab virtual machine (which is where I think malware will eventually force Web browsers to go) but it’s a giant step in the right direction. (InfoWorld has a nice discussion of the Chrome security model.) I’m still having a little trouble getting a technical grip on the merits and flaws of Chrome’s V8 JavaScript virtual machine, but I’ll keep sniffing around and will eventually figure it out.

The security model prevents many plug-ins from working correctly, and this may bother some people more than others. Not me: Plug-ins are the 900-square-foot hole in browser security generally, and for basic Web research, I can do without, well, all of them.

I’ve only had a couple of hours to fool with Iron, and I’ll tell you right now that I like it a lot. I installed the portable version, which confines all of its files to a single directory and does not touch the Windows Registry. The rendering is very snappy, snappier than Firefox 3. (I haven’t touched IE in so long I didn’t even bother making a comparison.) It imported all my bookmarks without a burp, though it did not automatically place my Firefox toolbar bookmarks in its own toolbar. (I did that from Iron’s bookmark manager with one drag and drop.) I read somewhere that Iron had a built-in ad blocker, but I don’t see any controls for it, and I’m still seeing lots of ads.

Still, what attracted me to Iron is its approach to Web security…and over and above everything in the code, what may make Iron safest of all browsers is that it’s rare. Security exploits are often (if not always) app-specific or at least library-specific. Malware depends heavily on the density of the installed base to succeed, which is why so many exploits target IE, and more recently Firefox. As long as the software works well for me, I don’t care how few copies are out there–in truth, the fewer the better. SRWare has kept up with patches on both the Chrome code base and the WebKit code base (which Chrome itself hasn’t kept up with) and assuming they continue to do so, we may have us a breakthrough in the malware wars. It’s still early, but I’m already very impressed. (I’ll come back with “highly recommended” if I still think so in a few weeks. Stay tuned.)