SRWare Iron Browser – A Real Private Alternative To Chrome?

Iron Browser claims to eliminate “critical points that the privacy concern” aka: it’s trying to solve Chrome privacy issues.

A noble endeavor. Except it’s all a load of shit and the label “scamware” is fairly fitting (or at the very least “scareware”).

Iron v Chrome

Iron has a page called “Iron Vs Chrome” that ‘matches up’ the privacy features. This is actually the easiest thing to point to to say “wow, this browser really is bullshit.”

1) Installation-ID

This is the only privacy ‘concern’ that isn’t optional. Some facts:

  • The installation ID only runs once and then it’s removed.
  • The installation ID contains no personal information, it’s gibberish

2) Suggest

Suggest is referring to the omnibox suggestions. In order to predict what you’re searching for Chrome sends the text in the URL bar to the default search engine (Chrome has no default search engine, you choose on installation.) You are then subject to that search engines privacy restrictions, I use DuckDuckGo so it’s really them logging me.

This is entirely configurable. You can disable it with absolute ease. All Iron has done is disable the option by default and removed the ability to enable it. To disable it check the Chrome Privacy Settings.

3) Alternate Error Pages

The Iron developer is really reaching with this one. When Chrome hits a page that can’t be reached it replaces the error message.

A few facts:

  • Navigation errors are first checked locally.
  • Only a hash is sent to google.
  • All GET parameters are removed.

And, of course, it can be easily disabled. Again, all Iron has done is disable a feature and not give you the option to add it back.

4) RLZ-Tracking

The RLZ string is an encoded string that contains no indentifying information. It’s used purely to gauge how well promotional campaigns did ie: if an ad runs on Monday they want to know how many people downloaded it Tuesday. That’s the kind of information in the RLZ String and the source code is provided to decode the RLZ and look inside.

It couldn’t really be less malicious unless you have a problem with Google knowing that someone out in the wide world downloaded their browser on a Tuesday.

You can disable this on Linux. Not Windows. It also doesn’t even exist in typical builds downloaded from Google’s website, only for builds having to do with marketing campaigns.

The RLZ String doesn’t actually exist in Chromium.

5) Google Updater

Another big reach. Iron is now claiming that this is a privacy failure. I literally have absolutely no idea what the hell this guys point is for this one so it’s incredibly difficult to refute. The updater is open source. At this point it should be clear that the developer has 0 credibility and is just pulling things out of his ass.

6) URL-Tracker

Google stupidly named this feature “URL-Tracker” which sounds really awful. It’s really not, and they just picked a horrible name.

Basically the URL Tracker connects to three random sites. It does this to check your DNS configuration in order to tell whether your DNS tries to resolve error pages or if Chrome should. Nothing scary here and it’s handled in a very nice way.

So, we’ve now discredited Iron in terms of its use. Obviously it offers absolutely nothing to the user in terms of privacy – the only thing it adds is a slightly modified UI, the ability to block ads from a file, and the ability to change your user agent (something you can do from the command line with Chrome already); basically it adds absolutely nothing an extension wouldn’t. I personally think it’s time to discredit the developer on a more personal level, because, honestly, the project just really annoys me.

Why Does Iron Exist?

Since Iron provides nothing to the user you have to ask yourself, why does it exist? Very simple, and a bit obvious – money. The Iron developer plays off of users fear, creating ‘privacy issues’ where none exist. And how does he get money? Very ironically he uses Google Adsense.

In a conversation with Chromium devs the Iron developer essentially states that he has no interest in making commits to Chromium to improve privacy and is only after the ad revenue.

<mgreenblatt> Iron.. why not propose a patch based on preprocessor defines that disables the sections you dislike without forking the code?
<Iron> because a fork will bring a lot of publicity to my person and my homepage 
<Iron> that means: a lot of money too ;)
<Iron> i dont take money for my fork 
<Iron> but i have adsense on my page ;) 
<Iron> a lot of visitor -> a lot of clicka > a lot of money ;)
<Iron> we are here in germany 
<Iron> the press will love my fork 
<Iron> i talked to much journalists already 
<DrPizza> Why are you forking? 
<DrPizza> to do what? 
<Iron> to remove all things in source talking to google ;) 
<jamessan> to get fame and fortune 
<Iron> nobody here trusts google 
<Iron> the german people say: google is very evil 
<jamessan> yet you use google's adsense

Sure seems trustworthy! Yes, that’s the Iron developer outright saying that he’s playing off of fears rampant in Germany and he’s in it for the adsense money. If you’re supporting the Iron browser you are supporting a product that provides a false sense of privacy, it outright degrades what privacy is about – disclosure and integrity.

I’m a pretty crappy programmer and I could probably do what Iron’s done. It’s just deleting a few snippets of code, adding in a bit of Iron code (like automatically bookmarking his webpage with ads), and the few features added can easily be replicated by extensions. Of course, the developer hasn’t really released the source code in forever so… yeah… that also brings me to my point of it not exactly being open source. I think the last I checked I couldn’t find source code for any recent version of Iron.

Chrome and Chromium are pretty privacy oriented. At least to a fair extent. There’s a Chromium privacy team and they are very responsible. I’ve personally bugged Mike West with my questions on multiple occasions and he’s been nothing but quick to respond and helpful, which has lead to a bug fix or two. Recently I dealt with another member of the Chromium privacy team and got another feature request for privacy, which they took seriously instead of simply saying “no go away.”

Iron is a scam and the developer is using you. It’s  snake oil and it’s dangerous. You’re going to be slower to patch and you’re going to think you’re ‘more private’ when you aren’t.

The defense for Iron is that it has a “privacy by default” configuration, that users may not want to “research” to find out how to make Chrome meet Iron’s configuration. It should be plainly obvious that if a user has taken the time to look for Iron it’s a very short step to find guides that explain how to uncheck the boxes clearly marked in Chrome’s settings. The Iron developer is blatantly disingenuous with the claims made, quite a few of which (as you can read above) are just ridiculous.

Don’t support scamware. If you see someone recommending Iron browser simply link them to some information.

I’ve seen a lot of referrer info from this post on websites and I’m very pleased to say that users are consistently dropping Iron when presented with the facts.

Sources

https://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/intl/en/landing/chrome/google-chrome-privacy-whitepaper.pdf

http://neugierig.org/software/chromium/notes/2009/12/iron.html

http://echelog.com/logs/browse/chromium/1262127600 (IRC log)

mikewest.org/2011/09/chrome-privacy

mattcutts.com/blog/google-chrome-communication/

http://blog.chromium.org/2010/06/in-open-for-rlz.html

About these ads

Tags: , , , , , ,

About insanitybit

Novice programmer interested in computer security. I'll use this blog when I'm bored to post about things I find interesting in that field.

9 responses to “SRWare Iron Browser – A Real Private Alternative To Chrome?”

  1. vasa1 says :

    I had made some comments about that same page here (http://ubuntuforums.org/showpost.php?p=11981618&postcount=23).

  2. n0ts0n says :

    If they don’t want to use Google they should just use Firefox. It’s like Chrome, just not evil.

  3. chanman says :

    You write, “The installation ID is the same for all Chrome installations.”

    Google’s PDF you linked to reads like this, “Requests for component updates contain these IDs and the components’ versions — as every installation uses the same ID, these are not personally identifiable.”

    Seems the component IDs are the same for each installation rather than the Chrome installation ID, which the white paper refers to as the randomly generated “installation token”. Randomly generated would imply that they’re not the samefor all Chrome installtions. Have you read or been told otherwise from Chrome’s privacy team?

    • insanitybit says :

      You are correct, yes.

      First of all, there is an installation ID (iid) which is created at install time to de-dup install counts. This is necessary to accurately count the number of successful installations that have occurred. The iid is generated randomly (not based on any other information) and is deleted in the next update check after first run.

      There is a second ID called the clientID which is used for the user metrics service. This is an opt-in service that lets users send usage statistics to Google so that we can learn how the product is being used for the sake of making improvements. It helps us answer questions like, “Are people using the back button?” and “How common is it that people click the back button repeatedly?” Users can always update their preference about sending usage statistics on the “Under the Hood” tab of options.

      Thanks for the comment I’ll update my post to reflect this. In other words:
      The installation ID is created randomly and then deleted after the next run, the clientID is the same for all installations and is used for metrics if the user Opts-In for that.

      Source:

      http://blogoscoped.com/archive/2008-09-09-n68.html

  4. thetruth says :

    You should also note that RLZ-tracking is actually only included in promotional releases of Google Chrome such as ones bundled in software. RLZ-tracking does not exist in the builds that downloaded and released directly on google.com/chrome

  5. Shane Gowland says :

    Thanks for posting this; I long suspected these “more-secure-chrome” variants were just a marketing ploy.

    I intend to make every effort to spread this article.

    • insanitybit says :

      Thanks Shane. I would say the only legitimate Chromium spinoff is Comodo Dragon – they at one point had added some security features before Chrome. But Iron is just crap.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: