Originally Posted by yuusharo
Trying to dissect your points here.
- Not sure I understand what you're suggesting. I only have to reboot my Chromebook if it gets an update or I want to start over with a fresh session.
- I'm no crypto wizard, but I believe the Kernel only runs signed code from Google. The Chromebook uses a verified boot which makes sure every link in the chain is genuine and hasn't been tampered with. Unless we get to your next point...
- Developer mode essentially means turning off the verified boot protections. You're now on par with most, if not all, Windows 7 and earlier PCs. Microsoft did not support verified boot until Windows 8, and like Chromebooks, gives the user the ability to turn it off in order to install alternative operating systems. If you turn off the security, the onus is on YOU to keep your machine safe.
- Dunno the specifics of verified boot, but feel free to read all about it on the Chromium OS site: http://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
- Certificates are renewed every few years largely in policy, not because they technically or physically stop working. An expired SSL certificate, for example, is as strong as it was the day it was issued, and still provides security and authentication. So, presumably, this is a non-issue. Chromebooks will continue to be supported for as long as Google wants to support them.
- All users' data *IS* encrypted. By default, each user has their local data encrypted with the help of a TPM module installed in every device. Any data being sent to a web service, like Facebook or Twitter, is the responsibility of those services, which is true for any service on any platform. Feel free to read up on Chromium OS's security overview here: http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview
- Chrome OS ships with a sandboxed version of Flash, which is automatically updated to the latest version as it's made available. This is a more favorable scenario than most PCs or Macs with Flash installed, where the plugin may not be sandboxed or always up to date. Google has worked closely with Adobe over the last few years to make sandboxing of flash within Chrome possible. Java is not available for Chrome OS. Besides, most web applications are moving away from Flash and Java towards HTML5 apps.
- Chrome OS works offline, but is best when you are always online. That's true of nearly every PC and Mac out there. How useful is a computer without an internet connection to most people? Probably not very. Again, there are PCs out there with persistent internet connections that have malware running on them unbeknownst to the user, while Chrome OS has all the security checks in place to help ensure the system is clean. Worst case, the Chromebook will simply refuse to boot until you download a new image directly from Google and reinstall from scratch.
Your concern at the end is largely FUD. Again, read up on the security that Chrome OS has built into place. Regarding user data, most of your data is going to live on a cloud service anyway. Google integrates Google Drive into the OS, which works like a remote network drive for your Chromebook. Thus, if your Chromebook was damaged or stolen, no data stored on Drive would be affected. You can also use other cloud storage systems, like Dropbox, Bitcasa, and Box to store and access your data through their web apps as well. The only data at risk would be local downloads that haven't been transferred or backed up somewhere else, but isn't that true of every other computer out there?
I already knew the answers. Since some posters do not seem to understand the inherent flaws of Google Chrome OS I will explicitly state them, not in my words but in the words of Google employees and several MIT computer science students.
"Chrome has an Auto-login option that allows the user to stay logged on constantly, even over multiple boots." (2)
"If the Chromebook gets misplaced or stolen, all of that users data on the cloud will be accessible to whoever holds the Chromebook" (2)
"Chrome OS claims that it does not need any anti-malware software; however, this claim is not necessarily
"It may also be possible to modify the user data." (2)
"... an attacker might be able to secretly install a malicious plug-in without the users knowledge." (2)
"... change the users setting to go to “attacker.com as its homepage" (2)
"the default is only to encrypt the password and not necessarily the synced user data." (2)
"It's important to note that at no point is the system restricted to code from the Chromium project..." (1)
"... because the web is more open and connected, one may argue that it is less secure than physical computers." (2)
"... stealing passwords through phishing attacks, etc. is currently easier than stealing physical hard drives or breaking the cryptography" (2)
"If an attacker manages to obtain a users password, the attacker can easily access all the data without even needing to have the physical computer." (2)
"By design, verified boot only runs on boot. However, it is possible to always avoid rebooting the computer." (2)
"... It's important to note that at no point is the system restricted to code from the Chromium project." (2)
"... Chrome OS does not try to address phishing or other online attacks, which means that it does not provide any stronger guarantees about the data online." (2)
" ... driver sandboxing" not currently implemented (1)
"All plugins..." don't currently "... run as independent processes.... ... with OS-level sandboxing ... or Mandatory Access Control (MAC) policies" (1)
"access to local storage services..." is not isolated "... at a process level" (1)
"Full-screen mode in some plugins could allow an attacker to mock out the entire user experience of a Chromium OS device." (1)
"adversary could attempt to subvert the update process" (1)
1. Anonymous. Security Overview
2. Katherine Fang, Deborah Hanus, Yuzhi Zheng. Security of Google Chromebook
As any reasonable person can see, there are several aspects of Google Chrome OS to admire, in particular verified boot and automatic updates. Unfortunately, Google Chrome OS has its own share of vulnerabilities, even vulnerabilities related to verified boot and automatic updates.
Edited by MacBook Pro - 3/25/13 at 8:13pm