Google Chrome: Best security tips for safer browsing

Here's how to work around Chrome's shortcomings and protect yourself from attack.

There's a lot to like about Google Chrome's built-in security features. The browser offers unique sandboxing functions and privilege restrictions, and even updates itself in the background to help better protect you from hackers and malware. But like all browsers, Chrome is imperfect, and there are steps you can take to protect it from attack. Here's how to get the most from Chrome's built-in security features, and work around its security shortcomings.

Privacy features

Chrome offers several privacy features that help protect you while you browse. The most notable are its phishing- and malware-protection schemes, and a tool that can auto-correct misspelled Web addresses.

Chrome's phishing and malware protection puts up a warning screen whenever you visit a website that Google has identified as potentially malicious, whether it spreads malware or tries to steal your personal information. Meanwhile, Chrome's URL autocorrect feature uses a Google-provided online service to fix misspelled URLs to help you avoid visiting the wrong site--and perhaps a nefarious site--by accident. Indeed, "typosquatting" is still a threat.

To use these features, open the browser's Settings panel and scroll down to the Privacy section (you may need to click Show advanced settings to get there), and check the boxes labeled Use a web service to help resolve navigation errors and Use a web service to help resolve spelling errors. Also, be sure to check the Enable phishing and malware protection box.

Additionally, click the Content settings tab and consider restricting some content. You can, for example, disable JavaScript (which is often exploited by malware) and plug-ins. When you do so, Chrome will notify you when a site is using them so that you can voluntarily opt in for legitimate sites.

Protect your saved passwords and credit card details

If you let Chrome save your website passwords, anyone who uses your PC can easily access them with a little poking around in the Settings panel. But unlike Firefox and its Master password feature, Chrome--and by extension, third-party add-ons--won't let you encrypt your passwords or saved credit card information.

Luckily, there are a few things you can do to help protect your privacy. First, don't allow people you don't trust to use your Windows user account. Instead, either create a new Standard (non-administrative) account for others to use or turn on the Guest account.

If creating another Windows account is too inconvenient, consider using a Chrome extension like ChromePW, Browser Lock, or Secure Profile to password-protect Chrome. This effectively forces others to use another browser on your system like Internet Explorer (which doesn't let others easily view your saved passwords) or Firefox (which lets you encrypt and password-protect your saved passwords).

Another option is to securely store your sensitive data using a third-party password manager. Some third-party password tools let you sync your passwords across other browsers, which might be helpful if you go from one computer to another. KeePass and Xmarks are two popular password managers worth trying.

Secure your synced data

Chrome can sync most of your settings and saved data (including passwords, but not credit card details) across multiple computers and devices that have Chrome installed, but this creates a security vulnerability. By default, Chrome requires you to enter only your Google account password to set up a new computer or device to sync your browsing data. So if your Google account password were hacked, an intruder could potentially access a list of all your passwords.

That is, unless you set a custom encryption syncing passphrase.

Once you set a syncing passphrase, you have to first sign in with your Google account password and then enter the passphrase to set up new synced devices. This adds an important extra layer of security. To set this up, open Settings, click Advanced sync settings, and select Choose my own passphrase.

While you're there, also consider turning on encryption for all synced data instead of just passwords.

Secure your Google account

Google offers several security features to help you better control and protect your account, and you should definitely consider using them if you use Chrome's sync feature. They help secure your entire Google account, so you should also consider using these security features if you tap into multiple Google services.

On the Google Account Security page, consider enabling Google's 2-step Verification. Once you've done that, you'll have to enter a special code--which you'll receive via text, voice call, or the Google app--whenever you attempt to sign in to Google from a new PC or mobile device. This scheme ensures that anyone without direct, hands-on access to your mobile hardware will be denied entry into your Google data. When signing in to applications or features that don't support the verification codes (like Chrome's sync feature), you'll have to sign in to your Google account, access the 2-step Verification settings, and generate an application-specific password.

While on the Google Account Security page, you might also want to turn on email and/or phone notifications for password changes and suspicious log-in attempts. This way, you'll know right away if someone tries to change your password or attempts to log in to your account without your knowledge.

Additionally, review your recovery options in case you forget your password in the future. Last, review your authorized apps and sites and remove those you don't use anymore.

Install extensions for additional protection

We reviewed many of the security features offered by Google and Chrome, but various extensions allow you to add even more security functions. For example, Web of Trust (WOT) can warn you of dangerous sites, and ADBlock can remove annoying or malicious advertisements that can lead to malware or phishing sites. View Thru lets you see the destination of shortened URLs, and KB SSL Enforcer can help you take advantage of HTTPS/SSL encryption on sites that support it.


Stories by Eric Geier
