Securing Google Chrome

Tip: keyboard shortcut Ctrl+F searches in the page contents

Securing Google Chrome

Author: Margus Saluste. Last modified: 2013-04-09 18:21:25 EEST

In this tutorial: How to configure Google Chrome stable for safer internet browsing in Windows XP, Vista, 7 and 8

Open Google Chrome options by clicking Customize and control Google Chrome button (three horizontal bars, previously wrench icon) in the upper right corner and clicking Settings.
Google Chrome, Tools menu. To configure Chrome safety, click Settings.

A new browser tab opens with Settings tab activated on the left.

If you synchronize your Chrome data and settings between different computers, click the Advanced sync settings... button.
Google Chrome, Settings, Sign in. Click 'Advanced sync settings' to control what you sync.

In the Advanced sync settings window, select the Choose what to sync option from the top combo box and make sure you do not sync Passwords - a web browser should not be used to store these because any malware can easily steal the stored user names and passwords!
In the Encrypted data types section, select to Encrypt all synced data if you sync sensitive information. This option should be accompanied with enabling the Choose my own passphrase option in the Encryption passphrase section - if your Google Account is hijacked, your Chrome data will still be safe.
Click OK.
Google Chrome, Settings, Sign in, Advanced sync settings. Select 'Choose what to sync' and clear the Passwords option.

Those people very concerned with their online privacy can clear the Enable Instant for faster searching (aka Omnibox) check box in Search section. This will prevent sending information about your searches and visited pages to Google.
Google Chrome, Settings, Search. To prevent sending data about your browsing habits to Google, clear the 'Enable Instant for faster searching' box.

Next, click the Show advanced settings... link to reveal hidden (but very important) options.
Google Chrome, Settings. To display hidden options, click 'Show advanced settings'.

In the Privacy section, click the Content settings... button.
Google Chrome, Settings, Privacy. Click the 'Content settings' button.

Google Chrome Content Settings window opens.
Those extremely privacy-concerned, can activate the Keep local data only until I quit my browser and Block third-party cookies and site data options.
But remember, some sites may not work properly if using these options - never enable the settings above in case you are using two-factor authentication schemes, such as those on Gmail, Yahoo and Facebook! If you are, enable only the Allow local data to be set (recommended) option here!
Google Chrome, Settings, Content Settings, Cookies. Select the 'Keep local data only until I quit my browser' option.

The Click-To-Play feature prevents all active plug-ins, such as Adobe Flash Player or Java from running content automatically. The main purpose of this feature is to prevent drive-by-attacks that use hidden frames to infect computers. If this feature is enabled, you'll see a Click to run plug-in button instead of such content.
If you want to use this protective measure, select the Click to play option from Plug-ins section. Otherwise, the default Run automatically (recommended) option is mostly fine, too.
Google Chrome, Settings, Content Settings, Plug-ins. Select the 'Click to play' option if you do not want plug-ins to run automatically. Google Chrome, 'Click to play' turned on. Use the 'Click to run plug-in' button to see contents.

As common in any browser, disable pop-up windows (read: stupid disturbing ads ) by choosing the Do not allow any site to show pop-ups (recommended) option in the Pop-ups section. To exclude some sites from pop-up blocking, use the Manage exceptions... button.
To disable location tracking (geolocation), enable the Do not allow any site to track my physical location option in the Location section. You do not need to show sites or people where you currently are - you might accidentally reveal too much personal data this way. In case you do want to give a specific site access to your location data, click Manage exceptions... button and add the site address to the list.
Desktop Notifications feature enables web sites and extensions pop up windows with messages even when Google Chrome window is not active. The most innocent example of the notifications is the GMail new mail alert - you'll see a message whenever a new mail arrives in your GMail mailbox (if you have one). But this might go much further with intrusive messages filling your Windows desktop while visiting a malicious web page. To disable Desktop Notifications completely, select the Do not allow any site to show desktop notifications option. If you sometimes need the feature, select the Ask me when a site wants to show desktop notifications (recommended) instead.
Google Chrome, Settings, Content Settings. In Location section, select 'Do not allow any site to track my physical location'. In Notifications section, select 'Ask me when a site wants to show desktop notifications'.

In the Mouse cursor section, select the Ask me when a site tries to disable the mouse cursor (recommended) option. Most sites should not be allowed to hide the pointer.
In the Media section, use the Ask me when a site requires access to my camera and microphone (recommended) option if you play interactive games or do video/audio communication. Those very cautious can select the Do not allow sites to access my camera and microphone option to disable the feature completely.
Please note that since Chrome 26, Adobe Flash Player settings for Chrome are handled at this Macromedia web page. For all other browsers, follow instructions in the Securing Adobe Flash Player article.
Google Chrome, Settings, Content Settings. In Mouse cursor section, select 'Ask me when a site tries to disable the mouse cursor'.

Since Chrome 24, you can also block unsandboxed plug-ins from automatically accessing files on your computer. The recommended setting, Ask me when a site wants to use a plug-in to access my computer is fine, but those who need enhanced security can select the Do not allow any sites to use a plug-in to access my computer option.
Finally, click OK to close the Content settings window.
Google Chrome, Settings, Content Settings. In Unsandboxed plug-in access section, select 'Ask me when a site wants to use a plug-in to access my computer'. Click OK.

Back in Privacy section of Settings tab, make sure that Enable phishing and malware protection and Send a 'Do Not Track' request with your browsing traffic are checked. The first one will keep you away from malicious sites and downloads, the second one will prevent some usage tracking by advertisers.
Those very concerned about their privacy can clear the Use a web service to help resolve navigation errors, Use a prediction service to help complete searches and URLs typed in the address bar, Predict network actions to improve page load performance and Automatically send usage statistics and crash reports to Google boxes to disable any possible usage tracking.
Please note that the "Predict network actions to improve page load performance" feature can make Google Chrome very slow and even unresponsive while loading some pages. You might want to disable it.
Google Chrome, Settings, Privacy. Make sure that the 'Enable phishing and malware protection' box is checked.

In the Passwords and forms section, clear the Offer to save passwords I enter on the web check box. This is very important because malware can easily steal all user names and passwords for sites you have visited (including your bank!). Use free Password Safe for remembering user names and passwords instead.
Google Chrome, Settings, Passwords and forms. Disable the 'Offer to save passwords I enter on the web' option.

Scroll down to the HTTPS/SSL section and put a check mark in the Check for server certificate revocation box. This setting will ensure that any web server's security certificate will be checked for validity before accepting it.
Google Chrome, Settings, HTTPS/SSL section. Enable the 'Check for server certificate revocation' option.

And finally, you can clear the Continue running background apps when Google Chrome is closed check box in the Background Apps section. This will close all apps with Chrome and, for example, prevent Desktop Notifications from GMail appearing while Chrome is not running.
The option is mainly meant for those who are very concerned about their online privacy.
Google Chrome, Settings, Background Apps section. To prevent Desktop Notifications from appearing after you close Chrome, clear the 'Continue running background apps when Google Chrome is closed' box.

That's it - close the Settings tab in Google Chrome.

To run your browser even more securely and protect it from zero-day attacks, use the free Microsoft EMET.

Additional reading:

WOT Safe Surfing Tool
Trusteer Rapport
Quick online virus scan

Comments

2013-02-27

22:16

TZ: +0200

Crownroyal wrote:

CHROME CAMERA & MIC

Thank you so much!!! I was on the phone with Acer and their techs for over one hour. They said there was no way to disable the camera or mic. I read an article where it stated GOOGLE has a plan to sell every chrome book with a camera and mic. This is why the laptop is $199.00. Avid users of the computer age we look and say hey this is a great deal! I realized when I got it home the camera was on! I got a piece of tape and placed it over the lens. Websites can listen and watch the consumer. I cringe at stuff like this. The manual that comes with the computer has nothing in it about the camera or the mic. I am so glad I found your webpage THANKS AGAIN!