Hacker News new | ask | show | jobs
by jmillikin 4719 days ago
There's enough security researchers (of any hat color) crawling over the Chrome binaries that I'm fairly confident there are no backdoors being introduced. To verify, you could disassemble the Chrome binary and compare it against a disassembled Chromium binary that you built. You could also use a packet sniffer and/or MITM proxy to verify that no unexpected data transmissions are occurring.
2 comments
kryten 4719 days ago
That assumption relies on two uncertainties:

1. The probability of discovering something in all that binary code, especially with the intricate and non-orthogonal nature of x86/x64 assembly and odd compiler optimisations. This isn't some 80's game.

A comparison:

    28500000 = Chrome binary size [1]
   750000000 = Human Genome size (converted to bytes - 1BP = 2bits so 4BP per byte) [2]
So we're only 26x more complicated than Chrome and we have absolutely no fucking idea what is going on with us most of the time.

2. The probability of a vulnerability being published to Google versus selling it on the private market.

[1] http://neugierig.org/software/chromium/bloat/

[2] http://www.biostars.org/p/5514/

link
jmillikin 4719 days ago
The actual comparison would be between the Chrome binary size and the Chromium binary size, which is quite small if you exclude embedded graphical resources.
link
kryten 4719 days ago
Actually that's a really bad comparison.

The binary size may be similar but that doesn't mean the content is. Consider the two cases below to back up my assertion:

   000000WE_COME_IN_PEACE000000000000000000
   000000WE_COME_IN_PEACE_SHOOT_TO_KILL0000
link
jmillikin 4719 days ago
I don't understand your point. If there were such a difference between Chromium and Chrome, then it would surely show up in a diff of the binaries' disassemblies. The size of the binaries doesn't matter, because (assuming you trust the Chromium source and your local system) only the difference between the two is relevant.
link
kryten 4719 days ago
My point is that it will show up in a diff of the binaries.
link
jmillikin 4718 days ago
Isn't that what I said?

I said that the binaries could be diffed, then you responded that finding a difference is unlikely because the binary is very large. I don't understand what the absolute size of the binaries has to do with being able to compare them.

link
claudius 4719 days ago
That probably depends on your definition of ‘backdoors’. Some of the data Chrome sends to Google could easily be considered a breach of privacy (and the corresponding functionality hence supposedly doesn’t exist in Chromium).
link
jmillikin 4719 days ago
I've never heard a claim that Chrome sends more data than Chromium. Do you have a link?
link
claudius 4718 days ago
The Wikipedia page on Chromium[0] gives some differences, though my remark was admittedly mostly based on the description of the chromium package in Debian[1], which at least claims ‘usage tracking’ (and the generally useless and backdoor-like auto-updater).

[0] https://en.wikipedia.org/wiki/Chromium_(web_browser)#Differe...

[1] http://packages.debian.org/wheezy/chromium

link