Tag Archives: Safety & Security

Say “yes” to HTTPS: Chrome secures the web, one site at a time

Editor’s note: October is Cybersecurity Awareness Month, and we're celebrating with a series of security announcements this week. See our earlier posts on new security protections tailored for you, our new Advanced Protection Program, and our progress fighting phishing.

Security has always been one of Chrome’s core principles—we constantly work to build the most secure web browser to protect our users. Two recent studies concluded that Chrome was the most secure web browser in multiple aspects of security, with high rates of catching dangerous and deceptive sites, lightning-fast patching of vulnerabilities, and multiple layers of defenses.

About a year ago, we announced that we would begin marking all sites that are not encrypted with HTTPS as “not secure” in Chrome. We wanted to help people understand when the site they're on is not secure, and at the same time, provide motivation to that site's owner to improve the security of their site. We knew this would take some time, and so we started by only marking pages without encryption that collect passwords and credit cards. In the next phase, we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.


It’s only been a year, but HTTPS usage has already made some incredible progress. You can see all of this in our public Transparency Report:


  • 64 percent of Chrome traffic on Android is now protected, up from 42 percent a year ago.

  • Over 75 percent of Chrome traffic on both Chrome OS and Mac is now protected, up from 60 percent on Mac and 67 percent on Chrome OS a year ago.

  • 71 of the top 100 sites on the web use HTTPS by default, up from 37 a year ago.

Percent of page loads over HTTPS in Chrome by platform

We’re also excited to see HTTPS usage increasing around the world. For example, we’ve seen HTTPS usage surge recently in Japan; large sites like Rakuten, Cookpad, Ameblo, and Yahoo Japan all made major headway towards HTTPS in 2017. Because of this, we’ve seen HTTPS in Japan surge from 31 percent to 55 percent in the last year, measured via Chrome on Windows. We see similar upward trends in other regions—HTTPS is up from 50 percent to 66 percent in Brazil, and 59 percent to 73 percent in the U.S.!


Ongoing efforts to bring encryption to everyone


To help site owners migrate (or originally create!) their sites on HTTPS, we want to make sure the process is as simple and cheap as possible. Let’s Encrypt is a free and automated certificate authority that makes securing your website cheap and easy. Google Chrome remains a Platinum sponsor of Let’s Encrypt in 2017, and has committed to continue that support next year.


Google also recently announced managed SSL for Google App Engine, and has started securing entire top-level Google domains like .foo and .dev by default with HSTS. These advances help make HTTPS automatic and painless, to make sure we’re moving towards a web that’s secure by default.
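HSTS is what turns a one-time HTTPS migration into a policy browsers enforce on every later visit. The following checker, an added example that is not Google's code and is not part of the post, parses a site's Strict-Transport-Security header the way a browser does (RFC 6797 rules: only honoured over HTTPS, max-age mandatory, unknown directives ignored) and reports what an operator still has to fix. The one-year max-age, includeSubDomains and preload requirements are assumptions reflecting the public HSTS preload list rules as the author understands them, not figures from the page.

```python
"""Check a site's Strict-Transport-Security (HSTS) header before and after an
HTTPS migration. Added example; not Google's code and not from the post.

Assumptions (not stated on the page): the one-year max-age, includeSubDomains
and preload requirements below follow the public HSTS preload list rules as
the author understands them; directive parsing follows RFC 6797.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31_536_000  # seconds; assumed minimum max-age for the preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str], over_https: bool = True) -> Optional[HstsPolicy]:
    """Parse an HSTS header value as a browser would; None means 'no policy'.

    RFC 6797: the header only counts when received over HTTPS, directives are
    ';'-separated and case-insensitive, max-age is mandatory and must not be
    repeated, and unknown directives are ignored.
    """
    if header is None or not over_https:
        return None
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None  # duplicated or malformed max-age: policy ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header: Optional[str], over_https: bool = True) -> List[str]:
    """Explain what an operator still has to fix; an empty list means preload-ready."""
    policy = parse_hsts(header, over_https)
    if policy is None:
        return ["no effective HSTS policy: browsers will still follow http:// links to this host"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is under one year (assumed preload minimum)")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if not policy.preload:
        findings.append("preload missing: the very first visit is still unprotected")
    return findings


def preload_ready(header: Optional[str], over_https: bool = True) -> bool:
    return not hsts_findings(header, over_https)


if __name__ == "__main__":
    # Constructed sample headers, from a weak setting to the recommended one.
    for sample in ["max-age=300", "max-age=31536000; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"]:
        print(sample, "->", hsts_findings(sample) or ["preload-ready"])
```

The `over_https` flag matters in practice: a header served only on the HTTP redirect page is silently ignored by browsers, which is a common reason an HSTS rollout appears to do nothing.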


HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. There’s never been a better time to migrate! Developers, check out our set-up guides to get started.

Source: Google Chrome


Fighting phishing with smarter protections

Editor’s note: October is Cybersecurity Awareness Month, and we're celebrating with a series of security announcements this week. This is the third post; read the first and second ones.

Online security is top of mind for everyone these days, and we’re more focused than ever on protecting you and your data on Google, in the cloud, on your devices, and across the web.


One of our biggest focuses is phishing, attacks that trick people into revealing personal information like their usernames and passwords. You may remember phishing scams as spammy emails from “princes” asking for money via wire-transfer. But things have changed a lot since then. Today’s attacks are often very targeted—this is called “spear-phishing”—more sophisticated, and may even seem to be from someone you know.


Even for savvy users, today’s phishing attacks can be hard to spot. That’s why we’ve invested in automated security systems that can analyze an internet’s-worth of phishing attacks, detect subtle clues to uncover them, and help us protect our users in Gmail, as well as in other Google products, and across the web.


Our investments have enabled us to significantly decrease the volume of phishing emails that users and customers ever see. With our automated protections, account security (like security keys) and warnings, Gmail is the most secure email service today.


Here is a look at some of the systems that have helped us secure users over time, and enabled us to add brand new protections in the last year.

More data helps protect your data


The best protections against large-scale phishing operations are even larger-scale defenses. Safe Browsing and Gmail spam filters are effective because they have such broad visibility across the web. By automatically scanning billions of emails, webpages, and apps for threats, they enable us to see the clearest, most up-to-date picture of the phishing landscape.


We’ve trained our security systems to block known issues for years. But, new, sophisticated phishing emails may come from people’s actual contacts (yes, attackers are able to do this), or include familiar company logos or sign-in pages. Here’s one example:


Attacks like this can be really difficult for people to spot. But new insights from our automated defenses have enabled us to immediately detect, thwart and protect Gmail users from subtler threats like these as well.

Smarter protections for Gmail users, and beyond

Since the beginning of the year, we’ve added brand new protections that have reduced the volume of spam in people’s inboxes even further.

  • We now show a warning within Gmail’s Android and iOS apps if a user clicks a link to a phishing site that’s been flagged by Safe Browsing. These supplement the warnings we’ve shown on the web since last year.


  • We’ve built new systems that detect suspicious email attachments and submit them for further inspection by Safe Browsing. This protects all Gmail users, including G Suite customers, from malware that may be hidden in attachments.
  • We’ve also updated our machine learning models to specifically identify pages that look like common log-in pages and messages that contain spear-phishing signals.

Safe Browsing helps protect more than 3 billion devices from phishing, across Google and beyond. It hunts and flags malicious extensions in the Chrome Web Store, helps block malicious ads, helps power Google Play Protect, and more. And of course, Safe Browsing continues to show millions of red warnings about websites it considers dangerous or insecure in multiple browsers—Chrome, Firefox, Safari—and across many different platforms, including iOS and Android.


Layers of phishing protection


Phishing is a complex problem, and there isn’t a single, silver-bullet solution. That’s why we’ve provided additional protections for users for many years.

  • Since 2012, we’ve warned our users if their accounts are being targeted by government-backed attackers. We send thousands of these warnings each year, and we’ve continued to improve them so they are helpful to people. The warnings look like this.
  • This summer, we began to warn people before they linked their Google account to an unverified third-party app.
  • We first offered two-step verification in 2011, and later strengthened it in 2014 with Security Key, the most secure version of this type of protection. These features add extra protection to your account because attackers need more than just your username and password to sign in.

We’ll never stop working to keep your account secure with industry-leading protections. More are coming soon, so stay tuned.

Google’s strongest security, for those who need it most

Editor’s note: October is Cybersecurity Awareness Month, and we're celebrating with a series of security announcements this week.


When operating at the scale of Google, we usually strive to build products that serve the needs of billions of people. Today we’re introducing a different kind of product—one that we specifically tailored to protect the online security of a much smaller set of users.


We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks. For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety. Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question.


To address this need, we’re introducing the Advanced Protection Program. Advanced Protection provides Google’s strongest security, designed for those who are at an elevated risk of attack and are willing to trade off a bit of convenience for more protection of their personal Google Accounts.


Once you enroll in Advanced Protection, we’ll continually update the security of your account to meet emerging threats—meaning Advanced Protection will always use the strongest defenses that Google has to offer.


At the start, the program focuses on three core defenses.


The strongest defense against phishing: Advanced Protection requires the use of Security Keys to sign into your account. Security Keys are small USB or wireless devices and have long been considered the most secure version of 2-Step Verification, and the best protection against phishing. They use public-key cryptography and digital signatures to prove to Google that it’s really you. An attacker who doesn’t have your Security Key is automatically blocked, even if they have your password.
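Why a Security Key resists phishing where a password or one-time code does not: the browser tells the key which origin the page is on, the key signs that origin together with the server's challenge, and the account provider rejects any assertion made for a different origin. The toy model below is an added example, not Google's code and not the U2F protocol itself: the key pair is fixed textbook RSA so it runs on the Python standard library alone (real keys hold hardware-protected ECDSA keys), the signed message layout is a simplification, and https://accounts.example.test is a placeholder origin.

```python
"""Toy model of the Security Key sign-in described above. Added example, not
Google's code: the key pair is fixed textbook RSA so it runs on the standard
library alone (real keys use hardware-held ECDSA), the message layout is a
simplification of U2F, and https://accounts.example.test is a placeholder origin.
"""
import hashlib
import os
from typing import Dict, Tuple

# Toy RSA parameters (assumed): two Mersenne primes, so n is about 150 bits.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))

Assertion = Tuple[str, int, int]  # (origin the key saw, counter, signature)


def _digest(n: int, origin: str, challenge: bytes, counter: int) -> int:
    """Hash what gets signed; the origin is part of it, which is the whole point."""
    data = origin.encode() + challenge + counter.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class SecurityKey:
    """The USB/wireless device. The private key never leaves it; it only signs
    (origin, challenge) pairs that the browser hands over."""

    def __init__(self) -> None:
        self.counter = 0  # monotonic, lets the server spot cloned keys

    def public_key(self) -> Tuple[int, int]:
        return (N, E)

    def sign(self, origin: str, challenge: bytes) -> Assertion:
        self.counter += 1
        digest = _digest(N, origin, challenge, self.counter)
        return (origin, self.counter, pow(digest, _D, N))


class RelyingParty:
    """The account provider: issues challenges, verifies signatures, and rejects
    assertions made for any origin but its own."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: Dict[str, Tuple[int, int]] = {}
        self.counters: Dict[str, int] = {}
        self.pending: Dict[str, bytes] = {}

    def register(self, user: str, pubkey: Tuple[int, int]) -> None:
        self.keys[user] = pubkey
        self.counters[user] = 0

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(32)
        return self.pending[user]

    def verify(self, user: str, assertion: Assertion) -> bool:
        origin, counter, sig = assertion
        challenge = self.pending.pop(user, None)
        n, e = self.keys[user]
        if challenge is None or origin != self.origin:
            return False  # no outstanding challenge, or signed for a look-alike site
        if counter <= self.counters[user]:
            return False  # replayed assertion or cloned key
        if pow(sig, e, n) != _digest(n, origin, challenge, counter):
            return False  # wrong key, or not the challenge we issued
        self.counters[user] = counter
        return True


def sign_in(phishing: bool) -> bool:
    """One sign-in. With phishing=True the user is on a look-alike page that
    relays the real challenge; the browser still reports the true origin to the key."""
    rp = RelyingParty("https://accounts.example.test")
    key = SecurityKey()
    rp.register("alice", key.public_key())
    challenge = rp.challenge("alice")
    page_origin = "https://accounts-example.test" if phishing else rp.origin
    return rp.verify("alice", key.sign(page_origin, challenge))


def replayed_sign_in() -> Tuple[bool, bool]:
    """A captured assertion, presented a second time, fails even if the
    attacker also knows the password."""
    rp = RelyingParty("https://accounts.example.test")
    key = SecurityKey()
    rp.register("alice", key.public_key())
    assertion = key.sign(rp.origin, rp.challenge("alice"))
    first = rp.verify("alice", assertion)
    rp.challenge("alice")
    return first, rp.verify("alice", assertion)


if __name__ == "__main__":
    print("genuine site:", sign_in(phishing=False))
    print("phishing site:", sign_in(phishing=True))
    print("replay:", replayed_sign_in())
```

The origin check in `verify` is the line that makes this phishing-resistant: the user cannot be tricked into "typing" the signature somewhere else, because the signature only verifies for the site it was made for.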


Protecting your most sensitive data from accidental sharing: Sometimes people inadvertently grant malicious applications access to their Google data. Advanced Protection prevents this by automatically limiting full access to your Gmail and Drive to specific apps. For now, these will only be Google apps, but we expect to expand these in the future.

Blocking fraudulent account access: Another common way hackers try to access your account is by impersonating you and pretending they have been locked out. For Advanced Protection users, extra steps will be put in place to prevent this during the account recovery process—including additional reviews and requests for more details about why you've lost access to your account.

We've been testing Advanced Protection for the last several weeks and learning from people like Andrew Ford Lyons, a Technologist at Internews, an international nonprofit organization that has supported the development of thousands of media outlets worldwide. “Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries,” says Andrew. “For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step.” The testers’ feedback was hugely helpful; we’re very appreciative of the time they spent with the product.


Anyone with a personal Google Account can enroll in Advanced Protection. Today, you’ll need Chrome to sign up for Advanced Protection because it supports the U2F standard for Security Keys. We expect other browsers to incorporate this soon.


For now, Advanced Protection is only available for consumer Google Accounts. To provide comparable protections on G Suite Accounts, G Suite admins can look into Security Key Enforcement and OAuth apps whitelisting.


Sign up for Advanced Protection at g.co/advancedprotection.

New security protections, tailored to you

Editor’s Note: October is Cybersecurity Awareness Month, and we're celebrating with a series of security announcements this week.

Security is top of mind for everyone these days, and with one troubling headline after another, you may be concerned about the security of your information online.

Rest assured: your Google data is secured by the best protections on the planet, and we’ll never stop improving them to ensure your information remains safe.

Today, we're announcing two new protections to help you stay safer online—an upgrade to our Security Checkup and new phishing protections in Chrome.

Personalized advice from your new Security Checkup


We’re rolling out a revamped Security Checkup, which now provides personalized guidance to help you improve the security of your account. Instead of the same, passive checklist for everyone, the Security Checkup is now a tailored guide to securing your data.


The Security Checkup provides a clear security status and personalized recommendations to strengthen your account security

When you visit the checkup, you’ll automatically see your security status—a green check mark icon means you’re good to go, and a yellow or red exclamation point icon means there’s at least one issue for you to take care of. The checkup is now your personal security advisor—a useful sidekick that makes it really easy to keep your account secure.

The new Security Checkup will keep evolving as new threats arise—you can count on it to provide you with relevant, up-to-date security advice that you can use to keep your account safe. Take the new Security Checkup at g.co/securitycheckup.


Predictive phishing protection in Chrome

Google Safe Browsing has helped protect Chrome users from phishing attacks for over 10 years, and now helps protect more than 3 billion devices every day by showing warnings to people before they visit dangerous sites or download dangerous files.

Safe Browsing has always scanned the web for these dangerous sites. But, if a phishing site is created and used for attack moments later, even the quickest scanners can't warn people fast enough. From our years of experience detecting phishing sites, Safe Browsing’s insights can now enable us to make predictions about risks in real time.

We’re using this knowledge to test new predictive phishing protections in Chrome. Soon, when you type your Google account password into a suspected phishing site, we'll add additional protections to ensure your account isn't compromised. Those protections will apply even if you use a different browser afterwards.

Example of what a user might see if they enter their Google credentials into a suspected phishing page

We plan to expand predictive phishing protection to all other passwords you’ve saved in Chrome’s password manager, and enable other apps and browsers that use Safe Browsing technology, like Safari, Firefox and Snapchat, to use it as well.

A cleaner, safer web with Chrome Cleanup

Unwanted software impacts the browsing experience of millions of web users every day. Effects of this harmful software are often quite subtle—search results are modified to redirect users to other pages or additional ads are injected in the pages that users visit. But in some cases, the changes are so severe that they can make the web unusable—people are redirected to unwanted sites full of ads, and it can be next to impossible to navigate away from these pages.


Chrome already has tools to help people avoid unwanted software. For example, Safe Browsing prevents many infections from taking place by warning millions of users. But sometimes harmful software slips through.


Recently, we rolled out three changes to help Chrome for Windows users recover from unwanted software infections.


Hijacked settings detection

Extensions can help make Chrome more useful—like by customizing tab management. But some extensions may change your settings without you even realizing it. Now, when Chrome detects that user settings have been changed without your consent, it will offer to restore the modified settings. In the past month, this feature has helped millions of people recover from unwanted settings.

You can also reset your profile settings at any time by visiting chrome://settings/resetProfileSettings.


A simpler Chrome Cleanup

Sometimes when you download software or other content, it might bundle unwanted software as part of the installation process without you knowing. That’s why on Chrome for Windows, the Chrome Cleanup feature alerts people when it detects unwanted software and offers a quick way to remove the software and return Chrome to its default settings. We’ve recently completed a full redesign of Chrome Cleanup. The new interface is simpler and makes it easier to see what software will be removed.

A more powerful Cleanup engine

Under the hood, we upgraded the technology we use in Chrome Cleanup to detect and remove unwanted software. We worked with IT security company ESET to combine their detection engine with Chrome’s sandbox technology. We can now detect and remove more unwanted software than ever before, meaning more people can benefit from Chrome Cleanup. Note this new sandboxed engine is not a general-purpose antivirus—it only removes software that doesn’t comply with our unwanted software policy.


We’ve begun to roll this out to Chrome for Windows users now. Over the next few days, it will help tens of millions of Chrome users get back to a cleaner, safer web.

Source: Google Chrome


8 swift steps G Suite admins can take to secure business data

Security doesn’t have to be complicated. With G Suite, admins can manage and help protect their users with minimal effort because we've designed our tools to be intuitive—like Vault, which helps with eDiscovery and audit needs, and data loss prevention, which helps ensure that your “aha” moments stay yours. Here are some key security controls that you can deploy with just a few clicks to get more fine-grained control of your organization's security.

1. Enable Hangouts out-of-domain warnings

If your business allows employees to chat with external users on Hangouts, turn on a setting that will show warnings to your users if anyone outside of your domain tries to join a Hangout, and split existing group chats so external users can’t see previous internal conversations. This substantially reduces the risk of data leaks or falling prey to social engineering attacks. (From the Admin console dashboard, go to Apps > G Suite > Google Hangouts > Chat settings > Sharing options.)


2. Disable email forwarding

Exercising this option will disable the automatic email forwarding feature for users, which in turn helps reduce the risk of data exfiltration in the event a user’s credentials are compromised.


3. Enable early phishing detection

Enabling this option adds further checks on potentially suspicious emails prior to delivery. Early phishing detection utilizes a dedicated machine learning model that selectively delays messages to perform rigorous phishing analysis. Less than 0.05 percent of messages on average get delayed by a few minutes, so your users will still get their information fast.

4. Examine OAuth-based access to third-party apps

OAuth apps whitelisting helps keep company data safe by letting you specifically select which third-party apps are allowed to access users’ G Suite data. Once an app is part of a whitelist, users can choose to grant authorized access to their G Suite apps data. This helps to prevent malicious apps from tricking people into accidentally granting access to corporate data.


5. Check that unintended external reply warnings for Gmail are turned on

Gmail can display unintended external reply warnings to users to help prevent data loss. You can enable this option to ensure that if your users try to respond to someone outside of your company domain, they’ll receive a quick warning to make sure they intended to send that email. Because Gmail has contextual intelligence, it knows if the recipient is an existing contact or someone your users interact with regularly, so it only displays relevant warnings. This option is on by default.


6. Restrict external calendar

To reduce the incidence of data leaks, make sure that Google Calendar details aren’t shared outside your domain. Limiting sharing to “free” or “busy” information protects you from social engineering attacks that depend on gleaning information from meeting titles and attendees.

7. Limit access to Google Groups

By setting default Google group access to private, you can limit external access to information channels that may contain confidential business information, like upcoming projects.

8. Google+ access restrictions

Make the default sharing setting for Google+ restricted and disable discoverability of Google+ profiles outside your domain. Both of these actions can help you control access to critical business information.


Every company has their own unique set of business requirements that need to work in rhythm with their security requirements. By evaluating and implementing some of these suggested security controls, you can make a marked difference in your company’s security posture—with just a few clicks. See this post for other security tips.

Source: Google Cloud


2 new white papers examine enterprise web browser security

Online security has never been more critical to businesses, and the tools used to access the web are a major factor to evaluate. Choosing an enterprise-grade web browser that offers the right security features keeps businesses’ data protected while enabling employees to take advantage of the open web. But knowing which browser to choose often requires a deep understanding of security design and implementation tradeoffs that enterprise IT decision makers don’t have the time or resources to fully identify and investigate. Furthermore, well-researched, independently verifiable data on enterprise browser security is in short supply. In its absence, many IT administrators resort to guesswork and experimentation in their decision-making.

This complex landscape of enterprise browser security is the topic of two white papers recently published by the security engineering firms X41 D-Sec GmbH and Cure53. Both firms have extensive industry experience and expertise in information security, application security, web application security and vulnerability discovery. These two papers leverage that expertise to examine the relative security strengths of the three most popular enterprise browsers: Google Chrome, Microsoft Edge, and Microsoft Internet Explorer (IE).


We sponsored this research, which was conducted independently by the research firms, to help enterprise IT administrators evaluate which browser best fits their security and functionality needs. To be most useful for enterprises and the public, Cure53 and X41 performed their research and testing using only publicly available information, and clearly documented their comparison methodologies. This enables anyone to recreate their tests, validate their methodologies, and verify their conclusions.

Although Cure53 and X41 produced these white papers in isolation from each other, both came to similar conclusions when it came to enterprise browser security. Here are their findings in a few key areas:


Phishing and malware protection is critical to staying safe on the web.

The prevalence of phishing to steal credentials and deliver malicious payloads makes protection more critical than ever. X41 found that Safe Browsing on Chrome and SmartScreen on Edge and IE offered similar protection, with Safe Browsing performing more accurately than SmartScreen in some test results.


Isolating application components through sandboxing reduces risk.

Sandboxing isolates application components from one another, and from the rest of the system, which limits the potential impact of vulnerabilities. Cure53 and X41 both found that Chrome renderers have significantly less access to the operating system than Edge or IE, including revoking access to win32k system calls in Chrome renderer and plug-in processes. Cure53 and X41 also found that Chrome has more types of sandboxed processes, allowing finer-grained privilege separation. Edge uses out-of-process JavaScript compilation, enabling Edge content processes to drop the privilege to create executable memory.


Modern browsers that eliminate legacy functionality are more secure.

Browser Helper Objects (BHOs) and plug-ins like ActiveX have been a go-to choice for client-side attacks. Cure53 and X41 found that Chrome and Edge do not support these vulnerable technologies. IE supports both, making it more susceptible to attack than either Edge or Chrome. Additionally, Cure53 and X41 found that IE is still vulnerable to attacks via signed Java Applets, and more susceptible to malicious Flash content. While Chrome and Edge can both be configured to fall back to IE to support legacy compatibility, administrators can exert more control over Chrome’s fallback mechanism.

Web security is one of Google’s primary concerns, and has been a guiding principle for Chrome since day one. We’re pleased that these papers independently confirm significant improvements in the enterprise browser security landscape overall. We think strong security safeguards, regardless of which browser you choose, make the web better, and safer, for everyone. We hope these white papers can help you find the right solution for your business.

Take a read through the white papers linked above to learn more about their findings. If you’d like to take a deeper look at the security controls available in Chrome or download the Chrome enterprise bundle, visit the Chrome enterprise website.