Late last week WhiteHat Security open sourced Aviator, its Chromium-based browser that has been marketed as “the most secure browser online.”
The browser offers anonymity and security by default: no hidden tracking by advertizers, blocks advertisements by default (thus preventing malvertising attacks), default private browsing mode, and so on.
But Justin Schuh, a Google programmer on Chrome’s security team, and Tavis Ormandy, an information security engineer at Google’s Project Zero team and (in)famous bug hunter, beg to differ with the claim.
Once Aviator’s source code was made public, they took a peek under its hood, and found plenty to worry about.
“You probably shouldn’t be using the WhiteHat Aviator browser if you’re concerned about security and privacy,” Schuh wrote in a blog post published on Friday.
After commending WhiteHat on their decision to open up the source code, he pointed out that their analysis resulted in the discovery of a number of problematic changes.
“First, we found that the overwhelming majority of changes were superficial and branding related, but done so in a way that seriously complicates the process of tracking upstream security fixes. That’s why Aviator is perennially at least two major releases behind Chrome, and ships with dozens of publicly disclosed vulnerabilities that are already fixed in the stable Chrome release. Had these branding changes been made more carefully, this simply wouldn’t be a problem and Aviator would be able to pull upstream changes and benefit from the security work being done by the Chromium Project,” he noted.
“The added code doesn’t seem to have been written with a sufficient understanding of how Chrome works, or with adequate regard for security,” he added, offering an example.
“After looking at the newly introduced features, it’s also very hard to understand why any of these changes were made so invasively, and at the cost of hindering compatibility with upstream,” he finally said, and pointed out that users can achieve most of the same things that Aviator offers by default by simply adding the popular Disconnect extension to Chrome and “changing a handful of well-documented default settings.”
Robert Hansen, VP of WhiteHat Labs, responded with a post of his own. He said that they knew it would be impossible for them to be as fast with patching as Google, given that they had a much smaller team of developers. He admitted that there were bugs – as in any software – and that this was one of the reasons why they decided to open source the project, so the community can help find them.
But, he pointed out, Schuh’s claim that using Chrome with Disconnect and changing some privacy settings is not the same as using Aviator.
“We have made changes in Aviator that are beyond configuration, such as the browser’s ability to stop referring URLs from being sent cross domain as well as always being in private mode by default. But far more importantly, when we talk to average users it becomes clear that consumers can’t actually do what the post is suggesting,” he explained.
“Most people do not know the first thing about Disconnect and therefore, they don’t know what they need to do to add it. Our argument all along has been that consumers need better options by default. They don’t even know what to search for to start learning how to protect themselves.”
“Sadly, that response doesn’t address the big concerns that the added code is simply of extremely low quality and littered with fairly trivial security vulnerabilities,” Schuh shot back. “And that the pervasive modifications of so much of the code serve no value to the user while making it unreasonably difficult for WhiteHat to ever maintain it. So, even if they fixed all the vulnerabilities they added, I don’t see how they could ever keep this up to date against disclosed vulnerabilities already fixed in the stable version of Chrome.”
But the main thing he was worried about is the fact that WhiteHat Security doesn’t take responsibility for “sweeping and inaccurate claims.” Also, that they seem to believe that making the software’s code open source will absolve them of any responsibility regarding those claims.
“We won’t be making any additional changes to the browser; Aviator is now entirely community-driven,” Hansen shared last week when they made Aviator open source. “We’ll still sign the releases, QA them and push them to production, but the code itself will be community-driven. If the community likes Aviator, it will thrive, and now that we have a critical mass of technical users and people who love it, it should be possible for it to survive on its own without much input from WhiteHat.”