by xg15 2853 days ago
Then again, with Chrome, there is at least the technical possibility of Google tracking every single website you visit just as well (including http, https and now even sites that just sit on your LAN and don't hit the ISP at all).

I don't say they do, but my trust in Google not to do this isn't that much higher than ISPs not doing this.

(Though, to be fair, code doing this would probably be found rather quickly in the Chromium code. So they'd have to add it to the Chrome binary directly.)

1 comments

Well, they do, in point of fact. I was debugging our corporate proxy and tailing the logs for a particular site. When using Chrome I matched the site string despite it being directed to bypass the proxy, but not going to the site, but to Google, despite putting a full URL in.

Anyone wanting to truly understand what Chrome is doing should run an SSL-decrypting proxy on their web traffic for a while; it is eye-opening.

Perhaps more interesting is that Chrome is happy to send data to google.com without checking the certificate. I'd file a bug.

Yep, they're not pinning that cert, but I think this is purposeful to continue to function in corporate environments like ours where we deploy our own cert chain infrastructure. So the OS and transitively the browser is seeing a 'valid' certificate if you're browsing from a company computer.

Firefox on the other hand, you have to import the whole CA chain into the app itself for it to work transparently, since it won't reference the OS cert store.