The Private Life of Chromium Browsers
Updated October 12, 2014.
There is little argument that Chromium based web browsers are currently the most secure available but when it comes to Google and user privacy, the company has a controversial history, to say the least. If you're part of the minority who does everything possible to block traffic to/from Google servers, then a Chromium based browser isn't for you (and you'd know that already).
If you are less strict about where you send your packets or just wondering what Chrome actually does send back home to Mother Ship, then get comfortable because much will soon be revealed. Let us first establish that it's entirely possible to use a Chromium based browser with all the security benefits and no more of a privacy-breaching downside than 95% of the other software and services you use. Let’s meet the three main contenders.
Chrome
Google’s proprietary internet browser is the most well known of the three. The privilege isolation of Chrome is currently unmatched by any other browser and statistics agree that Chrome has finally dethroned Internet Explorer as the world's most widely used browser. Unfortunately Chrome is also the browser which frequently made headlines shortly after debuting in 2008 with its unique ID tags and tracking features.
Yet Chrome is quite different now than from its early years. Of the reported privacy concerns, all but two have been remedied by becoming either opt-in or opt-out. The remaining two things are the installation token and Google Update. Google has also put good effort into explaining Chrome's main privacy settings and maintains a Whitepaper describing when Chrome communicates with Google or other servers.
If stable channels just aren't your thing, there are three additional Chrome repositories for various stages of development between Chromium's snapshots and Chrome Stable. They won't spare you the installation token or Google Update if you want to be without them, but they will give you more cutting-edge features in exchange for potential stability.
Chromium
Chromium is also a Google creation but fully open source, released under various public licenses like Apache, BSD, and GPL (see chrome://credits) and is the foundation on which Chrome and all other Chromium based browsers are built. Chromium is more intended to be an ultra rapid release developer platform than a daily driver but it still reliably satisfies many non-technical users.
Chromium's nature is basically Chrome minus the Google branding. Chromium is not capable of usage metrics, it does not include an installation token nor Google Update; Chromium on OS X and Windows must be updated manually or with a separate updater. Chromium also comes without the Cloud Print module found in Chrome, the PDF viewer and Pepper Flash but both the PDF and Flash libraries can be used in Chromium. A quick web search will show how to do this.
It otherwise looks and feels exactly as Chrome, and Chromium's snapshot builds can even give you some experimental features before Chrome's experimental releases (see chrome://flags). Chromium gives you the same opt-out choices as Chrome for privacy related things like search predictions and DNS pre-resolution. Here is the link to the Chromium Project's download options because it's not intuitive to find from chromium.org but chromium.woolyss is an easier alternative and all-around great Chromium browser resource.
If you're on Linux, Chromium is infinitely easier to manage from your distro's repositories; with the snapshots, you need to know what you're doing. The repos will lag behind the trunk snapshots by a few versions but you'll get a perfectly stable browser with full sandboxing and even Chrome's PDF reader.
Iron
Iron is an "open source" browser (more on that later) based on Chromium but is otherwise entirely independent from Google. Iron bills itself as a Chrome/Chromium alternative which protects both security and privacy while even giving a performance boost. It comes from the individual behind SRWare, a private software company in Germany. SRWare says that development on the browser is funded by donations and ads on their website.
Like Chromium, Iron does not have an installation token nor Google Update, Iron must also be manually updated, even on Linux. Iron for Windows keeps pace with Chrome’s major releases but the Linux and OS X variants do not. In addition to the differences between Chrome and Chromium, Iron further removes Native Client, the option to use Google's navigation error pages and address bar search predictions, in addition to locale fetching for Google Search, DNS pre-resolution and the Google logo, accout and apps links on the new tab page.
Iron adds advertisement blocking and a user agent string changer via configuration files without the need for extensions. Yet Iron's most interesting addition is the privacy.ini file which blocks all outbound background services from the browser. And when I say all I do mean ALL—including blacklist checks and updates for extensions, GPUs and TLS certificates, Safe Browsing traffic, even the Client/Server authentication handshakes.
Like with Chromium, Iron can use Chrome's Flash libraries. Iron includes Chrome's PDF viewer but if you want Native Client back, you'll have to pillage its files from another Chrome or Chromium installation. Iron does not use Chrome's web store for extensions though it can use most Chrome extensions and themes perfectly fine. Iron's web store instead points to its own add-on site and also of great interest is that on Linux, Iron is not compiled with SUID sandboxing.
Here are the privacy related differences in a table. If you want to know what each of these things means, read about them individually in Chrome's Privacy Whitepaper.
| Chromium | Iron | Chrome | |
|---|---|---|---|
| Install token | No | No | Yes |
| Client token | No | No | Yes, but only if metrics is enabled. |
| Search predictions | Can be disabled | No | Can be disabled |
| Alternative navigation error page | Can be disabled | No | Can be disabled |
| Metrics & crash reporting | No | No | Can be disabled |
| Safe Browsing | Can be disabled | Can be disabled | Can be disabled |
| RLZ token | No | No | Not if downloaded from google.com/chrome |
| Google Update | No | No | Yes |
| Search locale | Only if default search engine is Google | No | Only if default search engine is Google |
The Source Code
The best area for comparison would be the source code itself but here we're defeated before we even begin. The code for Chrome as a wholly packaged program is closed source so unavailable. Certain modules exclusive to Chrome are openly licensed such as the RLZ tag and the Omaha updater, but other things like the PDF viewer and Pepper Flash plugin are not. The source code of Chromium is readily available under a BSD license. Both situations are pretty cut and dry but to really play the skeptic role, what's to say that these open source blobs aren't modified at any point in the distribution line? (Of course that applies to all open source code.)
Here Iron presents a problem. The original version of this article was written in December 2011. At the time, Iron's current release was version 14 but the code available on SRWare's website was only for version 6, and evidently incomplete. This despite Iron always having been released under a BSD license. In 2013, Iron's source was moved to Rapidshare and blocked to outside access. There are no repositories on the traditional project sites like GitHub or SourceForge either. Thus in actuality, SRWare Iron is entirely closed source and has been since at least version 6.
Deep within the bowels of the internet once resided a source code comparison between Iron 4 and Chromium 5, previously available here. Here is a quote from the outcome, taken from this Google Groups post.
Summary: I downloaded the recently released source code for the "privacy-oriented" Iron 4 browser and compared it to the open source Chromium browser from which it was derived. I found that all Iron does is hard-code three privacy options, that were already user-configurable, and add one or two minor features unrelated to privacy, like increasing the number of thumbnails on the New Tab page.
True that was a comparison of very old versions but even now, the differences between Iron and Chrome/Chromium listed on SRWare's website haven't changed and most are immediately noticeable looking through Iron's menus. It seems we're not getting any further here.
The Sniff Test
Now let's see what these browsers are sending back to home base in California. Wireshark was used to capture all traffic in Windows 7 and Linux Mint 13 during four 8-12 hour sessions for each program. The browser was started and just left open for the capture, no extensions were installed and no websites were visited. System updates in Mint and Windows were disabled along with Safe Browsing so there was no background noise of web surfing and minimal interference from other processes. The browsers were otherwise using default settings. In total I logged over 100 hours of packet sniffing these browsers in various states from installation to first start and multiple subsequent sessions. What did I find...?
All three browsers connect to Google. You should not expect otherwise, there's little you can do about it and most of the traffic is encrypted so it can't be read. Focusing on what's unencrypted: on startup, all three send DNS requests to various Google domains and subdomains. Some examples are clients2.google.com, clients.*.google.com (where * can be a number 1 through 9), ssl.gstatic.com, apis.google.com, youtube.com, plus.google.com and developers.android.com. After the Google domains (odd, why after?) were the dummy DNS checks and only Iron did not do these.
Following the DNS resolution, all three browsers initiate encrypted key exchanges with some of these Google servers. The amount of these Client Hellos can range from about 5-10 simultaneously but Chrome and Chromium do over 20 on first start and Iron about half that. These encrypted handshakes assign the browsers TLS session tickets and authenticate them to retrieve information from Google's servers like extension blacklists, updates and such things. Iron always started less of these sessions than the other two but the longer any of these browsers go without being connected to the internet, the more update connections they send out when they do eventually start up.
The unencrypted GET and POST requests were for the browser's module updates. By modules, I mean CRLSets, extension blacklists, dictionary, translator, etc. Each module has its own identifier (appid) and these IDs were the same for every Chromium based browser and platform used. Below are screenshots of CRLSet updates on Chrome (left) and Iron (right) in Windows and Chromium in Mint (center). The appids are identical (but I don't know why Iron identifies itself as Chrome 28).
Here's a shot of Chrome's installation token.
The information about your computer in nearly all of the unencrypted requests to Google is your browser's user agent string, accepted browser encoding formats (gzip, deflate, sdch), date & time and Windows service pack or Linux kernel version. I did no logging on Apple OS X. With Safe Browsing enabled, its updates contain a unique cookie but Safe Browsing can be turned off. The only unique tag per HTTP stream is the requestid.
These were all the observable differences in traffic between Chrome, Chromium and Iron. I also tried using the command line switch --disable-background-networking in Chrome and Chromium but there were still update checks so it wasn't helpful. Iron's privacy.ini file works. It successfully stops any outbound traffic that doesn't come from you browsing websites. However, this also means (among other things) you won't be getting updates for extensions and TLS certificate integrity checks. To sorta kinda do this with Chrome or Chromium, you would need to block all of Google's IP address range in your firewall or HOSTS file, or compile your own version of Chromium to send update checks to 127.0.0.1.
In Conclusion
Chromium based browsers all phone home to Google, that's just the way it is. Internet Explorer expectedly calls Microsoft, Firefox to Mozilla, Safari to Apple and Opera to both Opera and Google. Of course there are more Chromium based browsers than what's mentioned here. Comodo Dragon (which contacts Comodo and Google) is probably the most popular Chrome alternative and worth a mention for Windows people. But let's step back for a moment to look at the big picture: Plugging one or two leaks doesn't fix all the others. If you change nothing else yet think you're taking back any privacy by using Iron or Dragon in place of Chrome or Chromium—you're mistaken.
Cookies are still the primary tool for tracking people across the internet but client fingerprinting with JavaScript is even more effective and quickly becoming omnipresent. It's very difficult to mitigate and arguably impossible to completely stop. And is all your email stashed on Yahoo, Live or whatever.com? Do you let your phone back up your passwords, contacts, etc. to cloud servers (which smartphones do by default)? Most people's computers call out to a lot of different places and contain a wealth of identifiers and other tracking & usage information. You're probably also running Windows and Microsoft has just as strong of a relationship with the American government as Google and they're certainly under the same legal obligations.
The point is that unless you give thought to the sum of all the parts, then worrying about the info Iron, Chromium or even Chrome does visibly give out is only unnecessary stress. Of course it's possible there is something hidden deeper than can be found simply by looking though HTTP and DNS traffic, that but so far there is no evidence or inclination of this.
* * * * *
So now that you're under no illusion that ditching Chrome is a golden ticket to anything, what of the practicality of these three browsers? Well, Chrome of course is strongest there. On all platforms, it's extremely easy to install and keep updated. It includes the PDF viewer and Pepper Flash (which will soon be the only option for Chromium based browsers in Linux). Chromium is at its best when coming from Linux repositories and is just as easy to deal with as Chrome, if not moreso. There's even an Ubuntu package to automate the download and extraction of Pepper Flash so no Adobe stuff needed. Chromium can be fine on Windows, it's just that you may get stuck with a weird bug from the trunk build and you must either update manually or use a 3rd party solution.
Iron is most polished for Windows. In Linux, Iron can be a headache with permissions and dependencies and all for what? An old, unpatched Chromium base with broken sandboxing. You actually get less security compared to Chrome or Chromium and, IMO, it's not worth the effort unless you're committed to using Iron. I've never used Iron in OS X but it's also not updated as often as the Windows release.
To wrap this up, I've personally used Iron in Debian, Mint and Windows from versions 7 to 14 and it was much buggier for me than any Chromium trunk build; buggy with stupid irritations like the back button and page refreshes not working. Some forum searching quickly showed that I wasn't the only one experiencing these things and that's what inspired the first version of this article, wanting to look into the three browsers' differences on a level no one had yet done.
Whatever your preference, the fact is that Chrome is no longer as upsetting as it was in the past, Iron is consequently no longer the safezone it once was (if it ever was) and Chromium still is in the middle wondering what everyone is arguing about. Take your pick and breathe a little easier.
The browser versions used for the first version of this article were Chrome 15.0.900.0 & 16.0.912.63, Chromium 17.0.934.0 & 18.0.983.0 and Iron 14.0.850.0 & 16.0.950.0. All three browsers were used in Debian Wheezy and Windows 7.
For the update, several versions of milestone 33 were used for all three browsers in Windows 7 and Linux Mint 13.
Share this page.
