Chris Evans: Google Chrome's Captain Security
By Edwin Yapp October 3, 2012
- Google Chrome’s security head honcho driven by the responsibility of looking after the security of hundreds of millions of users
- Believes that next-generation browsers are already here, and that more investment is needed to improve browser security
FOR all intents and purposes, Google’s Chrome web browser has been one of the fastest adopted browsers in the history of the browser wars. Although there is some debate going on about how exactly these metrics are measured, it’s safe to say that, indicatively, Google’s share of browser use has escalated in the past three years since it came into being.
According to StatCounter, Google Chrome’s share of desktop browsers for Aug 2012 stood at 33.59%, followed closely by Microsoft’s Internet Explorer (IE) at 32.85%. Wikimedia clocks Chrome as having 27.25% over the 23.65% for IE. Even a quick check on the kind of browsers employed to access Digital News Asia (DNA) reveals that Chrome is the top browser used.
Bearing in mind that Microsoft’s IE has been around for eons longer than Chrome, while the latter only came into being in 2008, this is indeed an achievement. So what makes Google’s Chrome so popular?
A straw poll of users by Digital News Asia noted that Chrome is popular because of three reasons: A minimalistic approach to its user interface; its light-weight demand on computing resources; and its performance in terms of speed of access.
But being the most popular browser could likely also be a double-edged sword. Today, more than ever before, cyber-criminals – who have long abandoned their obsession for notoriety and fame in favor of making money – are exploiting the vulnerabilities of web browsers and compromising passwords and bank account numbers of the millions of web users.
So who stands between these cyber-criminals and Google’s Chrome, you may ask?
Meet Chris Evans -- while not a “super soldier” in the brawny sense like the character Captain America, played by his namesake in Marvel’s The Avengers the movie, Evans is every bit the soldier in that he is indeed the last man standing between Chrome and cyber-criminals as far as its security is concerned.
Evans, who leads Google’s Chrome security team, will be down for Malaysia’s premier cyber-security event, HITBSecConf, which takes place from Oct 8-11 at the Intercontinental Kuala Lumpur hotel. The conference will see over 42 of its most popular speakers over the years return to the stage in celebration of its 10th anniversary.
As busy as he is, super “cyber-soldier” Evans took time off to speak to Digital News Asia via e-mail about his job, his vision for the future of browsers and what drives him personally.
Below are excerpts of the interview.
DNA: As Google's information security engineer and tech lead, what are your job scope and duties? Also, just do tell us a little about yourself, how long you've been in tech, in Google, and what you were doing before Google.
Evans: I'm responsible for the security of Google Chrome. Fortunately I have a great team on the task. We tackle pre-emptive security work such as fuzzing at massive scale, hardening measures and security features. We also handle incoming security reports and other interrupt-based work.
I've been in tech since forever and now over seven years at Google. Before Google, I was still heavily into security, both vulnerability research and defense. On the defensive side, I wrote “vsftpd,” a popular FTP server for Linux. On the research side, I've published various vulnerabilities and research on my blog.
DNA: A little bird told us that not a single line of Chrome-related code leaves the factory floor without having first undergone your scrutiny. Given such a huge task, how do you cope and what are the methods you use to troubleshoot and/or ensure that Chrome comes out as perfect as can be?
I'm not sure where you got that idea from! But fortunately, it's not just me working on Chrome security but an awesome team. Together, we strive to make each release of Chrome stronger and stronger.
One significant method we use is fuzzing, and at Google scale! Fuzzing improves both security and also stability. We write about our efforts on the Chromium Blog.
Another significant area is community outreach and participation. By working with the wider community, we achieve far more than we could alone. Our Vulnerability Rewards Program is well known for rewarding security researchers.
[Ed’s note: In fact, Google is offering US$2 million in a bug hunt competition to be held at HITB next week.]
DNA: In just a few short years, Chrome has overtaken Internet Explorer and even Mozilla Firefox and Safari as the most popular browser around. How was this feat achieved? What were your contributions to this feat? And how do you intend to keep ahead of the competition?
Chromium is popular because of its core principles. Users clearly respond well to Chrome's speed, its stability and also its simple uncluttered interface.
I'm responsible for the security core principle. It's less clear that users are choosing browsers based on security, because that's a factor that's not immediately visible. But we still put in very significant resources and effort here because it's the right thing to do. We do take care to make sure Chrome's security measures don't get in the user's way. A good recent example of this, which also shows how we're always pushing forward, is our new way of unobtrusively blocking mixed scripting.
DNA: What in your opinion does the future of browsers look like? What will define the next generation browser, and what can users expect? What about the security factor behind these next-generation browsers?
Browsers seem to be evolving new capabilities gradually rather than making generational leaps. Personally, I think we've already got next-generation browsers. I'm blown away by some of the latest WebGL-based demos for example.
As browsers become more complicated, it's important to retain investment in security technologies such as sandboxing and large-scale automated testing. In Chrome, we recently upgraded our sandbox for the Flash plug-in to be as strong as the main Chromium sandbox.
DNA: Personally, what drives you and what are your own goals for the next wave of projects you'll be working on? What do you look forward most to in Google?
I'm personally very driven by the responsibility of looking after the security of hundreds of millions of users. I feel like the job I do makes a difference for some of these people. Unfortunately we're living in a world where some well-funded groups are attacking people. I'm doing my best to provide users with a browser that is resilient to attack. Google has been fantastic about giving me resources for this endeavor (headcount, farms of hardware), so I look forward to more years at Google.