The Private Life of Chromium Browsers
Updated October 12, 2014.
This site is no longer being maintained so anything below could still be accurate, or very outdated.
There is little argument that Chromium-based web browsers are currently the most secure available, but when it comes to Google and user privacy, the company has a controversial history, to say the least. If you are part of the minority who does everything possible to block traffic to/from Google services, then a Chromium-based browser is not for you (and you'd likely know that already).
However, if you are less strict about where you send your packets or just wondering what Chrome actually does send back home to Mother Ship, then get comfortable because much will soon be revealed. Let us first establish that it's entirely possible to use a Chromium-based browser with all the security benefits and no more of a privacy-breaching downside than 95% of the other software and services you use. Let’s meet the three main contenders.
Google’s proprietary internet browser is the most well known of the three. The privilege isolation of Chrome is currently unmatched by its peers and statistics agree that Chrome has finally dethroned Internet Explorer as the world's most widely used browser. Unfortunately, Chrome is also the browser which frequently made headlines shortly after debuting in 2008 with its unique ID tags and other always-on 'features' of detriment to user privacy.
Yet Chrome is much more mature now than in its early years. Of the reported privacy concerns, all but two have been remedied by becoming either opt-in or opt-out. The remaining two things are the installation token and the Google Update background service. Google has also put good effort into explaining Chrome's main privacy settings and maintains a Whitepaper describing most of the occasions when Chrome communicates with Google or anyone else.
If stable channels just aren't your thing, there are three additional Chrome repositories for various stages of development between Chromium's snapshots and Chrome Stable. They won't spare you the installation token or Google Update if you want to be without them, but they will give you more cutting-edge features in exchange for potential stability.
Chromium (the Chromium Projects) is also a Google creation but fully open source, released under various public licenses like Apache, BSD, and GPL (see chrome://credits) and is the foundation on which Chrome and all other Chromium-based browsers are built. Chromium is more intended to be an ultra-rapid-release developer platform than a daily driver but it still reliably satisfies many non-technical users.
Chromium's nature is basically Chrome minus the Google branding. Chromium is not capable of usage metrics, it does not include an installation token or Google Update; Chromium on OS X and Windows must be updated manually or with a separate updater. Chromium also comes without the Cloud Print module found in Chrome, the PDF viewer and Pepper Flash but both the PDF and Flash libraries can be used in Chromium. A quick web search will show how to do this.
It otherwise looks and feels exactly as Chrome, and Chromium's snapshot builds can even give you some experimental features before Chrome's experimental releases (see chrome://flags). Chromium gives you the same opt-out choices as Chrome for privacy related things like search predictions and DNS pre-resolution. Here is the link to the Chromium Project's download options because it's not intuitive to find from chromium.org, but chromium.woolyss is a better (easier & more stable) download source and all-around great Chromium browser resource.
If you're on Linux, Chromium is infinitely easier to manage from your distro's repositories whereas with the Chromium Project snapshots, you need to know what you're doing. The repos will lag behind the trunk snapshots by a few versions but you'll get a perfectly stable browser with full sandboxing and even Chrome's PDF reader.
Iron is an "open source" browser (more on that later) based on Chromium but is otherwise entirely independent of Google. Iron bills itself as a Chrome/Chromium alternative which protects both security and privacy while even giving a performance boost. It comes from the individual behind SRWare, a private software company in Germany. SRWare says that development on the browser is funded by donations and ads on their website.
Like Chromium, Iron does not have an installation token or Google Update; Iron must also be manually updated, even on Linux. Iron for Windows keeps pace with Chrome’s major releases but the Linux and OS X variants do not. In addition to the differences between Chrome and Chromium, Iron further removes Native Client, the checkbox options to use Google's navigation error pages and address bar search predictions, in addition to locale fetching for Google Search, DNS pre-resolution and the Google logo, accout and apps links on the new tab page.
Iron adds advertisement blocking and a user agent string changer via configuration files without the need for extensions. Yet Iron's most interesting addition is the privacy.ini file which blocks all outbound background services from the browser. And when I say all I do mean ALL—including blacklist checks and updates for extensions, GPUs and TLS certificates, Safe Browsing traffic, even the initial torrent of Client/Server authentication handshakes when the browser is first opened for a session.
Like with Chromium, Iron can use Chrome's Pepper Flash library. Iron includes Chrome's PDF viewer but if you want Native Client back, you'll have to either download it separately from SRWare or pillage its files from another Chrome or Chromium installation. Iron does not use Chrome's web store for extensions though it can use most Chrome extensions and themes perfectly fine. Iron's web store instead points to its own add-on site and also of great interest is that on Linux, Iron is not compiled with SUID sandboxing.
Here are the privacy related differences in a table. If you want to know what each of these things means, read about them individually in Chrome's Privacy Whitepaper.
|Client token||No||No||Yes, but only if metrics is enabled.|
|Search predictions||Can be disabled||No||Can be disabled|
|Alternative navigation error page||Can be disabled||No||Can be disabled|
|Metrics & crash reporting||No||No||Can be disabled|
|Safe Browsing||Can be disabled||Can be disabled||Can be disabled|
|RLZ token||No||No||Not if downloaded from google.com/chrome|
|Search locale||Only if default search engine is Google||No||Only if default search engine is Google|
The Source Code
The best area for comparison would be the source code itself but here we're defeated before we even begin. The code for Chrome as a wholly packaged program is closed source, so it's unavailable. Certain modules exclusive to Chrome are openly licensed such as the RLZ tag and the Omaha updater, but other things like the PDF viewer and Pepper Flash plugin are not. The source code of Chromium is readily available under a variety of open source licenses but as a side note, we unfortunately don't (yet, hopefully) have reproducible Chromium builds to confirm that the open source code is indeed exactly what we run when we open the installed application on our computer.
Here Iron presents a problem. The original version of this article was written in December 2011. At that time, Iron was on version 14 but the code available on SRWare's website was only for version 6, and evidently incomplete. This despite Iron traditionally having been released under a BSD license. In 2013, Iron's source was moved to Rapidshare and blocked to outside access. There are no repositories on the usual project sites like GitHub or SourceForge, either. Thus in actuality, SRWare Iron is entirely closed source and has been since at least version 6.
Deep within the bowels of the internet once resided a source code comparison between Iron 4 and Chromium 5, previously available here. Here is a quote from the outcome, taken from this Google Groups post.
Summary: I downloaded the recently released source code for the "privacy-oriented" Iron 4 browser and compared it to the open source Chromium browser from which it was derived. I found that all Iron does is hard-code three privacy options, that were already user-configurable, and add one or two minor features unrelated to privacy, like increasing the number of thumbnails on the New Tab page.
True, that was a comparison of very old versions but even now, the differences between Iron and Chrome/Chromium listed on SRWare's website haven't changed and most are immediately noticeable looking through Iron's menus. It seems we're not getting any further here.
The Sniff Test
Now let's see what these browsers are sending back to home base in California. Wireshark was used to capture all traffic in Windows 7 and Linux Mint 13 during four 8-12 hour sessions for each program. The browser was started and just left open for the capture, no extensions were installed and no websites were visited. System updates in Mint and Windows were disabled along with Safe Browsing so there was no background noise of web surfing and minimal interference from other processes. The browsers were otherwise using default settings. In total I logged over 100 hours of packet sniffing these browsers in various states from installation to first start and multiple subsequent sessions. What did I find?
All three browsers connect to Google. You should not expect otherwise, there's little you can do about it and most of the traffic is encrypted so it can't be read. Focusing on what's unencrypted: on startup, all three send DNS requests to various Google domains and subdomains. Some examples are clients2.google.com, clients.*.google.com (where * can be a number 1 through 9), ssl.gstatic.com, apis.google.com, youtube.com, plus.google.com and developers.android.com. After the Google domains (odd, why after?) were the dummy DNS checks and only Iron did not do these.
Following the DNS resolution, all three browsers initiate encrypted key exchanges with some of these Google servers. The amount of these Client Hellos ranged from about 5-10 simultaneously but Chrome and Chromium opened over 20 on first start and Iron about half that. These encrypted handshakes assign the browsers TLS session tickets and authenticate them to retrieve information from Google's servers like extension blacklists, updates and such things. Iron always started less of these sessions than the other two but the longer any of these browsers go without being online, the more update requests they send out when they do eventually start up.
The unencrypted GET and POST requests were for the browser's module updates. By modules, I mean CRLSets, extension blacklists, dictionary, translator, etc. Each module has its own identifier (appid) and these IDs were the same for all three browsers and both platforms. Below are screenshots of CRLSet updates on Chrome (left) and Iron (right) in Windows and Chromium in Mint (center). The appids are identical (but I don't know why Iron identifies itself as Chrome 28).
Here's a shot of Chrome's installation token:
The information about your computer in nearly all of the unencrypted requests to Google is your browser's user agent string, accepted browser encoding formats (gzip, deflate, sdch), date & time and Windows service pack or Linux kernel version. I did no logging on Apple OS X. With Safe Browsing enabled, its updates contain a unique cookie but Safe Browsing can be turned off. The only unique tag per HTTP stream is the requestid. These were all the observable differences in traffic between Chrome, Chromium and Iron.
I also tried using the command line switch --disable-background-networking in Chrome and Chromium but there were still update checks so it wasn't helpful. Iron's privacy.ini file works. It successfully stops any outbound traffic that doesn't come from browsing websites. However, this also means that, among other things, you won't be getting updates for extensions and TLS certificate integrity checks. To do this with Chrome or Chromium, you would need to block all Google domains in your system's HOSTS file or a DNS proxy/server like Acrylic, dnsmasq or Squid Cache. To go completely impractical, you could compile your own version of Chromium to send update checks to 127.0.0.1.
The Sanity Test
Chromium-based browsers all phone home to Google, that's just the way it is. Internet Explorer expectedly calls Microsoft, Firefox to Mozilla, Safari to Apple and Opera to both Opera and Google. Of course there are more Chromium-based browsers than what's mentioned here. Comodo Dragon (which contacts Comodo and Google) is probably the most popular Chrome alternative for Windows. But let's step back for a moment to look at the big picture: Plugging one or two leaks doesn't fix all the others. If you change nothing else, yet think you're taking back any privacy by using Iron or Dragon in place of Chrome or Chromium—you are mistaken.
The point is that unless you give thought to the sum of all the parts, then worrying about the info Iron, Chromium or even Chrome do (visibly) give out is only unnecessary stress. Of course it's possible there is something hidden deeper than can be found simply by looking though HTTP and DNS traffic, that but so far this is not evident.
So now that you're under no illusion that ditching Chrome is a golden ticket to anything, what of the practicality of these three browsers? Well, Chrome of course is strongest there. On all platforms, it's extremely easy to install and keep updated. It includes the PDF viewer, Cloud Print support and Pepper Flash (which will soon be the only option for Chromium-based browsers in Linux). Chromium is at its best when coming from Linux repositories and is just as easy to deal with as Chrome. There's even an Ubuntu package to automate the download and extraction of Pepper Flash, so no Adobe stuff needed. Chromium can be fine on Windows, it's just that you may get stuck with a weird bug from the trunk build and you must either update manually or use a 3rd party solution.
Iron is most polished for Windows. In Linux, Iron can be a headache with permissions and dependencies and all for what? An old Chromium base with broken sandboxing. You actually get less security compared to Chrome or Chromium and, IMO, it's not worth the effort unless you're unquestionably committed to using Iron. I've never used Iron in OS X so I can't comment there.
To wrap this up, I've personally used Iron in Debian, Mint and Windows from versions 7 to 14. My experience was that Iron was much buggier than any Chromium trunk build, buggy with stupid irritations like the back button and page refreshes not working. Some forum searching quickly showed that I wasn't the only one experiencing these things and that's what inspired the first version of this article, wanting to look into the three browsers' differences on a level no one had yet done.
Whatever your preference, the fact is that Chrome is no longer as upsetting as it was in the past, Iron is consequently no longer the safezone it once was (if it ever was) and Chromium still is in the middle wondering what everyone is arguing about. Take your pick and breathe a little easier.
The browser versions used for the first version of this article were Chrome 15.0.900.0 & 16.0.912.63, Chromium 17.0.934.0 & 18.0.983.0 and Iron 14.0.850.0 & 16.0.950.0. All three browsers were used in Debian Wheezy and Windows 7.
For the update, several versions of milestone 33 were used for all three browsers in Windows 7 and Linux Mint 13.