back to article Google crashes supposedly secure Aviator browser

A spat between Google and Whitehat Security has erupted after engineers at the search giant revealed dangerous vulnerabilities found in the latter's anti-Google privacy-centric Chrome spin-off browser. The holes in the Aviator browser reported by Google security bods Justin Schuh and Tavis Ormandy described include a remote …

  1. Roadcrew

    Own goal by Google...

    Until today, Aviator was a movie to me....

    (OK, I'm out of touch)

    Now it's a browser that sounds kinda interesting.

    Thank you Google!

    1. Anonymous Coward
      Anonymous Coward

      Re: Own goal by Google...

      You must be a fairly atypical Reg reader if you can't work out how to replicate the kind of blocking this product provides (what with the ready availability of extensions like Ghostery and Disconnect), and don't mind using a browser with likely known and unpatched vulnerabilities as a result of lagging behind the parent product.

      1. Anonymous Coward

        Re: Own goal by Google...

        Yes, so use SRWare IRON in the meantime.

        1. Blacklight

          Re: Own goal by Google...

          It is indeed. Run with SandboxIE and Ghostery/Adblock (as mentioned) it is quite the speedy thing....

      2. h4rm0ny

        Re: Own goal by Google...

        >>"You must be a fairly atypical Reg reader if you can't work out how to replicate the kind of blocking this product provides (what with the ready availability of extensions like Ghostery and Disconnect), "

        There's a whole world of people out there who aren't El Reg. readers but who still care about browsers. And to be honest, I think there are plenty of El Reg. readers who don't readily know how to replicate what Aviator does. And that's not because they're stupid. Aviator, for example, blocks HTTP referral values across different sites. According to their website you can't do that with Disconnect. And indeed, I had never heard of Disconnect before today.

        Besides, one of the good things about Open Source is multiple ways to do things.

      3. Anonymous Coward
        Anonymous Coward

        Re: Own goal by Google...

        "You must be a fairly atypical Reg reader if ..."

        and what are YOU if after reading the article you still think Ghostery and Disconnect can do everything Aviator does?

        I use Ghostery on Firefox, and unfortunately Disconnect doesn't work as well (Disconnect freezes the entire browser on certain sites).

        If you actually cared about privacy and security. Ghostery and Disconnect aren't going to help. They're really only little more than ad-blockers. You need plugins to also automatically clear and manage cookies and perhaps even the use of javscript managers and a way to manage HTTP referrers forwarding and disable WebRTC (on Firefox).

        Though I have to add, even if you have cookie managers, Google's sites for some reason... found a way to bypass such plugins. HMMmm.

    2. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Own goal by Google...

      it's a browser that sounds kinda interesting


  2. nematoad


    " ... stating that Google employs a 30-strong Chrome security team... "

    This misses the point. Oh they may try and keep the baddies out of your internet session but in the meantime are busily conducting a man in the middle attack of their own.

    As Credas says, if you want to block stuff, look to the likes of Adblock plus and so on. It's hard to block Google from snooping on your Chrome sessions.

    I haven't heard much about Iron, is it still going?

  3. DrXym

    Doesn't exonerate Google though

    A fork could be a exploit ridden heap of crap and perhaps this fork is precisely that.

    But from the moment you start Chrome up it's nagging the user "sign on". Features like url auto correct (via Google), and predictive search (via Google) are also enabled. All this so they know pretty much everything you do to better serve you with ads and otherwise monetize you. These days it even has a "You" button embedded into the title bar but an All Seeing, Lidless Eye would be more appropriate.

    Chrome does have privacy controls but they're buried and quite fiddly. e.g. there is no equivalent to Firefox's clear history on exit. So yeah perhaps this fork is crap, but it wouldn't need to exist if Google could curb its insatiable hunger for data and provide convenient privacy controls for those who'd rather not give it up.

    1. Nuno

      Re: Doesn't exonerate Google though

      If the privacy controls exist, then maybe the right way of making it more private for everyone would be with an extension that could set better defaults and display every one of those controls inside a very easy to get to interface. Problem solved.

      instead of forking and staying some versions behind, and inserting vulnerabilities durinng the process...

    2. Camberley4PQ

      Re: Doesn't exonerate Google though

      >"...from the moment you start Chrome [you can] "sign on". Features like url auto correct (via Google), and predictive search (via Google) are also enabled."

      These are useful functions for me, the user. I'm computer-literate (e.g. MSc, work in IT), and I'm completely happy with the trade-off between convenience and privacy. I respect the fact that other people have different views, and good luck to them, but Google quite rightly tailor their product to the majority of people, most of whom apparently have broadly similar views to me:

      I'd respectfully suggest that much of the criticism of Google is unfair: they're a business, providing superb products for no up-front cost. I'm happy with that, as are many/most people.

  4. Anonymous Coward
    Anonymous Coward

    Google are becoming as evil as Microsoft in their heyday.

    1. Ian Michael Gumby


      Google is a bit more evil in that they are busy trying to convince people that they are not. ;-)

      The truth is that you are Google's product and they are spying on you more than any Government could.

      Do you think I care about which toothpaste ad they show me?

      If I use Crest, do I want to see Crest ads or would I be more inclined to click on an ad for Colgate?

      And yes, Google knows what toothpaste you use, what shampoo, and what newspapers you read. They can predict what you will do next because of all of the data they have captured.

      Is this evil?

      I know that if the CIA or NSA or CGHQ did this... everyone here would be screaming bloody murder.

      1. Greg J Preece

        Re: @AC,

        I know that if the CIA or NSA or CGHQ did this... everyone here would be screaming bloody murder.

        Too much effort. They'll just let Google do it and then demand a back-door. You know, to PREVENT THE TERRORISTS!

      2. David 164

        Re: @AC,

        Actually Google doesn't know which Toothpaste I use or which shampoo I have use be I have never bought neither online or ever search for either online.

        An for both I just buy which ever one cheapest. That goes for countless other things. Sainsbury probably know more about my shopping habits than Google does.

  5. Anonymous Coward
    Anonymous Coward

    Sounds like Linus Torvalds

    I don't mind you using my open source code, but if it's shit I'm going public about it

    1. Destroy All Monsters Silver badge
      Thumb Up

      Re: Sounds like Linus Torvalds

      Works for me. More like this.

  6. silent_count

    Bootnote: Users concerned enough with privacy [...]

    wouldn't be using a browser made by an advertising company.

  7. Anonymous Coward
    Anonymous Coward

    Hmm, Google Chrome...

    This is the browser that when running on linux REQUIRES a suid root process to be running even when the user is non priviledged , right? Oh, but thats the sandbox blah blah blah security blah blah. Puh-lease. So this process is 100% guaranteed exploit free is it? Yeah. Right. Its a feckin *browser* running as root when it doesn't need to. Hence until Google stop this foolishness Chrome is going nowhere near my systems and moreover they're standing in a greenhouse throwing large boulders when they accuse others of messing up chrome "security".

    1. Haro

      Re: Hmm, Google Chrome...

      Hey, I looked all over and couldn't find a single negative thing said about the 'suid sandbox'. Do you have a reference, and is Google hiding it? :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmm, Google Chrome...

        I suspect most people don't know about it. Its certainly wasn't mentioned in the installation notes. However having to install the browser as root made me suspicious so I had a look at what it was up to - and voila!

  8. h4rm0ny

    I remember when Open Source was a community of people helping each other and it was about sharing all your innovations and helping others improve their code as well. Well, I suppose aggressively grilling your rivals in public might help them improve in a Darwinian dog-eat-dog sort of way. But it's not what I had in mind.

    1. Destroy All Monsters Silver badge

      I think you will find the "rivals" are Mozilla.

      1. h4rm0ny

        Perhaps. But someone creating an Open Source version of Chrome is a unique threat in a way that Firefox aren't. Whitehat aren't just trying to do this as a solo project. They're trying to re-ignite a community effort on this and get it going as a successful Open Source project. It is never preferable to fight a war on two fronts rather than just one, so Firefox are undoubtedly their big rival, but don't downplay motivations against Aviator, either.

  9. Anonymous Coward
    Anonymous Coward

    Wow. Just wow.

    The only thing I agree with Schuh is the hyperbole from Avaitor "the Web’s most secure and private browser" is a mistake.

    But why is it that he nitpicked on branding changes as the "cause" for the in-ability for Avaitor to stay up to date with Chrome's release? Could it not be the other way around? That Google Chrome's source code is so intrincially tied with their branding that it is causing forks (who legitimately should change the branding) issues?

    I'm sorry, but anybody who asks a fork to be up-to-date with the original constantly is being unrealistic and obviously never dedicated time on working with OSS fork projects that are still dependent on the original.

    "Giving OSS a bad name?" wow. Let's compare the two project's ultimate goals shall we?

    Sorry, but while he tries to wrap his blog post up as sounding like "he's trying to be constructive". Overall, his tone of voice just seems like a typical stuck-up, arrogant engineer who is too full of himself and where he works.

    At the very least if Aviator keeps at it. They'll eventually get it right. Google on the other hand...

    1. el rekrab

      Re: Wow. Just wow.

      And chrome is a fork of WebKit and WebKit is a fork of Konqueror...

      Arrogance is that quality that makes us forget the millions of others on whose shoulders we stand.

  10. Alan Denman

    All are a 'real estate grab' minefield

    Just look at DuckDuckGo on Apple devices,

    Your queries also head over to Apple. It uses Bing so that makes for a triple whammy iDuckBing.

    I don't know much of Aviator but I really see DuckDuckGo as Bings 'stealth' browser.

    1. Eddy Ito

      Re: All are a 'real estate grab' minefield

      DuckDuckGo is a browser??

      1. Mike Flugennock

        Re: All are a 'real estate grab' minefield

        Actually -- in case you're not being sarcastic -- DuckDuckGo is billed as a privacy-respecting "alternative" search engine. Still, it serves sponsored links at the top of every results page, and is a throwback to the bad old days when you had to learn some kind of weird secret language in order to get more precise search results.

        I'm trying to give them a fair shot by using them as my default search in SeaMonkey, but I honestly can't see why all the hardcore geeks I know are drooling over it so much.

        Google may be evil for sure, but, still... exact phrase search.

        That is all.

        1. solo

          Re: DuckDuckGo .. it serves sponsored links

          "sponsored links" don't imply snooping. It's Google which made this combination obvious.

          Do you have any reference to show that DuckDuckGo tracks you beyond the search result page for its sponsored links?

    2. ThomH

      Re: All are a 'real estate grab' minefield

      Apple's service provides things like direct Wikipedia suggestions, links to film trailers, etc. It's for Safari's "smart" autocompleting address bar. These things are on by default even if you select DuckDuckGo. The direct UI allows them to be switched off but it's hardly straightforward in explaining itself. Which doesn't appear to be all that accidental.

      So there's clearly a vested interest on Apple's side in serving those autocompletes. I'll bet they're monetising them in exactly the same way Google monetises its entire search engine. But they are, technically, optional.


  11. Yugguy

    SO what to us on Android then?

    I've got an XPeria Z3 Compact. I've disabled all the Sony and Google bloatware, and disabled Chrome cos it's sh1te.

    What's the best android browser to use then?

    1. Anonymous Coward

      Re: SO what to us on Android then?

      Why worry, if using android, it's all going to Google anyway.

      With smart phones, it's pretty much a choice of which US company you want to send all your information to.

      1. Stretch

        Re: SO what to us on Android then?

        You could send all your information to a Chinese company instead. Both groups will ensure its easily accessible to "security services" who have only your best wishes at heart.

        1. Yugguy

          Re: SO what to us on Android then?

          I just meant which is the nicest to use?

    2. Ilgaz

      Re: SO what to us on Android then?

      Firefox. If you require better privacy and ready to give up a lot of stuff Orbot & Orweb in default setting.

  12. Stretch

    "Users concerned enough with privacy would probably be..."

    ...well advised to turn off their computers, put on their tin foil hats and hope that time reverses itself.

    1. ThomH

      Re: "Users concerned enough with privacy would probably be..."

      I heard that it did that once but the government covered it up.

  13. JeffyPoooh

    Google to the Nth Chrome = crash prone

    Google Nexus tablet

    Google Android (all up to date)

    Google Chrome browser (both full release and the beta)

    Google websites such as YouTube

    My only role is to provide the fiber optic link to the 'net.

    Chrome is crash prone. Crashes several times per evening. Everything reset six ways from Sunday. Crash, crash, crash, crash. P.o.S. Tried Firefox, it's ugly.

    The beta even has the silly bug that clicking on the 2nd or 3rd tab (to attempt to open them) will act as if I clicked on that spot of the first tab (hidden link under the 2nd tab's actual tab). Crazy silly bug.

    Google's Coder Drones are 2nd rate in my view. Yep, I'm talking about YOU.

    1. Mike Flugennock

      Re: Google to the Nth Chrome = crash prone

      "...Chrome is crash prone. Crashes several times per evening. Everything reset six ways from Sunday. Crash, crash, crash, crash. P.o.S. Tried Firefox, it's ugly."

      I've been using SeaMonkey ever since the big Sponsored Frames In New Firefox Installs from about a year or two ago and haven't gone back. Runs really solid, and there are SeaMonkey-compatible versions of pretty much all the add-ons I use with Firefox.

  14. Anonymous Coward
    Anonymous Coward

    Revenue protection

    It looks as though Google's aim in this "disclosure" exercise is to protect revenue by hanging excrement over all rivals.

    If they were so honest, why haven't they disclosed any Google bugs???

  15. Daggerchild Silver badge

    All your data belongs to Google

    It's getting there by means you cannot see so cannot hope to understand.

    Our best defence against the unknown is to attack it.

    I hate who you hate. Trust me.

    Dance for me to prove your self-determination, and you shall be rewarded with blood.

    You know, hate and fear is a growth industry.

  16. Ilgaz

    There are better alternatives

    You can get Firefox ESR, secure it with known extensions and settings, in fact better run it inside a conservatively setup Debian stable in a virtual machine.

    On mobile there is a very interesting couple to check: Orbot&Orweb.

    By going this way you get mainstream support, help open source and show finger to Google.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like