9 Steps to Optimize Google Chrome for Google Apps Security
1. NINE STEPS TO OPTIMIZE GOOGLE CHROME
FOR GOOGLE APPS SECURITY
BACKUPIFY – MARCH 2012
INTRODUCTION
Google Chrome has been consistently rated as the safest consumer Web browser
available today, but, to paraphrase a famous military scholar, no security survives
contact with the user. Poor end-user habits and settings can compromise even the
most secure browser. Below are some basic steps to ensure that Chrome isn't the
weak link in your Google Apps security plan.
BROWSER SETTINGS
The first phase of improving Chrome's security profile is tweaking its native
settings to avoid storing sensitive data, and to ensure you never surf to the more
unsavory corners of the World Wide Web.
1. Make Sure Safe Browsing Is Enabled
Chrome has a number of automatic Safe Browsing defenses against phishing and
malware, most of which simply warn users against visiting pages with spoofed
URLs or woefully out-of-date security certificates. Safe Browsing is enabled by
default, but security begins by making sure it stays that way.
2. Block All Browser Cookies by Default
While this will make the browser mildly less convenient by forcing the user to log
in every time he or she reaches a site — including Google Apps — it will prevent
any session from persisting after a browser tab is closed. This both blocks
unwanted monitoring by third-party cookies and limits the possibility of tailgating
attacks.
3. Block Saved Passwords
Saved passwords are a risky convenience, as anyone with access to your browser
— which is only a stolen laptop away — can subsequently access all your online
accounts, Google Apps included. Moreover, hackers target the stored password file
as a treasure trove of identity theft or intrusion ammunition. Disabling the saved
password function is perhaps the single most important step to take in protecting
not just your Google Apps domain, but every one of your online accounts.
4. Disable Autofill
Autofill data represents saved form data — addresses, phone numbers and email
addresses — designed to make online sign-ups easier. While far less dangerous
than saved passwords, autofill information is nonetheless a tempting target for
hackers and laptop thieves alike, as it contains vital clues to the login information
for your Google Apps domain (to say nothing of your online banking accounts).
Disabling autofill keeps this information out of the browser.
5. Lock SafeSearch to Strict
Chrome makes it trivially easy to employ Google Search, so those searches need
to be as safe and secure as possible. Locking Chrome's native search functionality
into SafeSearch mode ensures that no less-than-trustworthy sites are returned
from any query, keeping the application that accesses your Google Apps domain
that much further from any dangerous malware.
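For administrators who want steps 1 through 5 to stay set, the sketch below audits a Chrome managed-policy file against them. It is an added example, not part of the original Backupify paper; the mapping of each step to a Chrome enterprise policy name and the sample policy values are assumptions made here, and a policy that is absent is reported because the user can then change that setting.

```python
import json

# Constructed sample of a managed policy file (on Linux, a JSON file under
# /etc/opt/chrome/policies/managed/). The values are illustrative only.
SAMPLE_POLICY = json.loads("""
{
  "SafeBrowsingProtectionLevel": 1,
  "DefaultCookiesSetting": 1,
  "PasswordManagerEnabled": false,
  "AutofillAddressEnabled": false,
  "ForceGoogleSafeSearch": true
}
""")

def is_int_in(*allowed):
    # Reject booleans explicitly: in Python, True == 1.
    return lambda v: type(v) is int and v in allowed

# (step from the paper, assumed policy name, predicate, expected value text)
CHECKS = [
    ("1 Safe Browsing", "SafeBrowsingProtectionLevel", is_int_in(1, 2), "1 or 2"),
    ("2 Cookies", "DefaultCookiesSetting", is_int_in(2, 4),
     "2 (block) or 4 (session only)"),
    ("3 Saved passwords", "PasswordManagerEnabled", lambda v: v is False, "false"),
    ("4 Autofill, addresses", "AutofillAddressEnabled", lambda v: v is False, "false"),
    ("4 Autofill, cards", "AutofillCreditCardEnabled", lambda v: v is False, "false"),
    ("5 SafeSearch", "ForceGoogleSafeSearch", lambda v: v is True, "true"),
]

def audit(policy):
    """Return (step, policy_name, problem) for every setting that is not enforced."""
    findings = []
    for step, name, ok, expected in CHECKS:
        if name not in policy:
            findings.append((step, name, f"not set; expected {expected}"))
        elif not ok(policy[name]):
            findings.append((step, name, f"is {policy[name]!r}; expected {expected}"))
    return findings

if __name__ == "__main__":
    for step, name, problem in audit(SAMPLE_POLICY):
        print(f"step {step}: {name} {problem}")
```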
SECURITY EXTENSIONS
Chrome's native security measures are laudable, but you can double down on your
defenses with carefully selected browser extensions.
6. Secbrowsing Plugin Version Checker
The first step to safely using Chrome Extensions is to make sure those extensions
are up to date, which is to say that all known security flaws have been patched.
The Secbrowsing plugin ensures that any extension you're running is the latest,
and thus likely the safest, version.
7. KB SSL Enforcer
Secure Sockets Layer (HTTPS) browsing is fundamentally safer than standard web
surfing, and most websites offer an SSL access option — provided you can find it.
The KB SSL Enforcer defaults to the HTTPS address for every website that offers it,
including every core and non-core Google Apps service. Never transmit a
password without SSL protection again.
8. View Thru URL Shortening Decoder
Popular URL shortening services like bit.ly and j.mp are often used to enable
phishing attacks and malware installations by disguising unsafe web addresses. The
View Thru extension allows you to verify the real, unshortened URL before you visit
it, sidestepping these camouflage attempts.
9. PasswordFail Cleartext Password Alarm
While virtually every web application requires you to create an account to use the
service, a shocking number of these apps send and receive password information
in dangerously insecure cleartext formats. While no Google Apps service makes
this mistake, another web app's carelessness could compromise your browser and
thus your Google Apps domain. The PasswordFail extension warns you off any web
application that employs cleartext passwords, ensuring you never put your browser
security in the hands of sloppy code.
Implement these nine steps and Google Chrome's already stalwart security profile
will be significantly stronger — and so will your Google Apps domain.
ABOUT BACKUPIFY
Backupify is the leading provider of backup and restore solutions for SaaS
applications including Google Apps, Salesforce, Facebook, Twitter, and more.
Backupify was founded in 2008 and is based in Cambridge, MA. Backupify has over
200,000 users trusting us with more than 500 million documents, two billion email
messages and 350 terabytes of data.
WHY BACKUP CLOUD DATA?
Your data is one of the most critical assets of your business. Like any important
asset, it should be insured. While most SaaS providers, including Google and
Salesforce, offer state-of-the-art disaster recovery capabilities that protect you
from some forms of data loss, you are still at risk for data loss due to user error,