Yes, that is the jist of the last sentence. However that was clearly not the message the bulk of the post was intending to express:
He [Charlie Miller] did mention, in his interview with Ryan Naraine, that Chrome was pretty much in another league. Their 'sandbox' makes it extremely difficult to exploit
It would still take two successive holes to exploit - one to get in, another to get out of the Chrome sandbox. And only 7% of users use Chrome, while 56% users use Firefox (my own web site statistics today ) - If I wanted to do something malicious, I'd get a lot better bang for the bug with Firefox.
The Hack-ability tends to be directly proportional to it's popularity. Nothing has been ever built that was 100% secure (if you did, more power to you). My point is, the the more popular something gets, more minds will be focused on it to break it, and more information be available publicly regarding possible attack vectors, and eventually it will break.
Chrome is a new player, people haven't had much time to play with it, or the motivation to since it doesn't have as much market share at the moment.
I think Chrome and IE are both on track to become proved-secure. I think they are both close to being able to use automatic tools to prove that malware cannot get out of the sandbox without an operating-system exploit.
Microsoft seems to be working on a provably-secure micro-kernel for Windows. In a few years they will be able to legitamately claim that privilege escalation is literally impossible without the user's consent. That is such a big and expensive task that I'm not sure their mainstream competitors will be able to match that claim in any reasonable time frame (except maybe Symbian, because it already has a micro-kernel architecture).
After that, security on Windows will be all about UI. How can we prevent programs from tricking the user into letting them do something bad. How can we prevent programs from doing bad things without the user knowing? How can the user be sure that a program will not violate his privacy? How can the user be sure that a program won't cause data loss?
Chrome is process-per-tab; there's architecturally almost no shared state between two different render contexts. Contrast that with Firefox, where there's a application-layer permeable membrane connecting content-driven code to browser core state.
[+] [-] jgrahamc|17 years ago|reply
[+] [-] gwc|17 years ago|reply
He [Charlie Miller] did mention, in his interview with Ryan Naraine, that Chrome was pretty much in another league. Their 'sandbox' makes it extremely difficult to exploit
[+] [-] jpirkola|17 years ago|reply
[+] [-] dryicerx|17 years ago|reply
The Hack-ability tends to be directly proportional to it's popularity. Nothing has been ever built that was 100% secure (if you did, more power to you). My point is, the the more popular something gets, more minds will be focused on it to break it, and more information be available publicly regarding possible attack vectors, and eventually it will break.
Chrome is a new player, people haven't had much time to play with it, or the motivation to since it doesn't have as much market share at the moment.
[+] [-] briansmith|17 years ago|reply
Microsoft seems to be working on a provably-secure micro-kernel for Windows. In a few years they will be able to legitamately claim that privilege escalation is literally impossible without the user's consent. That is such a big and expensive task that I'm not sure their mainstream competitors will be able to match that claim in any reasonable time frame (except maybe Symbian, because it already has a micro-kernel architecture).
After that, security on Windows will be all about UI. How can we prevent programs from tricking the user into letting them do something bad. How can we prevent programs from doing bad things without the user knowing? How can the user be sure that a program will not violate his privacy? How can the user be sure that a program won't cause data loss?
[+] [-] mikeryan|17 years ago|reply
[+] [-] briansmith|17 years ago|reply
[+] [-] tptacek|17 years ago|reply
[+] [-] Kejistan|17 years ago|reply
[+] [-] alecco|17 years ago|reply
@ http://news.ycombinator.com/item?id=524349