Google has warned web users that they shouldn’t use a new open-source browser developed by security firm WhiteHat called Aviator, claiming coding issues mean it isn’t private or secure. WhiteHat has denied the claims about the Chromium-based browser, which it said provides users with “the industry’s best and tightest security and privacy safeguards – all built-in, all activated, all ready-to-go”.
WhiteHat said it developed Aviator because the “big browsers” don’t do enough to stop hackers who might attempt to make off with personal details.
However, Google information security engineer Justin Schuh has warned users that they “shouldn’t be using the WhiteHat Aviator browser if you’re concerned about security and privacy,” in a Google Plus blog post.
Schuh said that Google security experts have examined the Chromium code behind the Aviator browser and concluded that it isn’t fit for purpose and has a number of vulnerabilities. He also described it as being Chrome with a “superficial” facelift.
“We found that the overwhelming majority of changes were superficial and branding related, but done so in a way that seriously complicates the process of tracking upstream security fixes,” wrote Schuh, who claimed this means “Aviator is perennially at least two major releases behind Chrome, and ships with dozens of publicly disclosed vulnerabilities that are already fixed in the stable Chrome release.”
Schuh also posted evidence suggesting that zero-day exploits were already targeting WhiteHat Aviator.
Naturally, WhiteHat hasn’t taken the criticism of its browser lightly, posting a lengthy response to Google’s claim on its own blog.
Before going into details, the company pointed out it doesn’t have the resources that Google has, because unlike the web giant, WhiteHat doesn’t make $50bn a year in advertising.
“Therefore, Google has a lot of vested interest in keeping the browser up to par and capable of delivering more ads to those users. To say we are outmatched is an understatement,” wrote Robert Hansen, vice president of WhiteHat Labs and WhiteHat Security.
Hansen went on to point out that yes, there are bugs in the code, but they’ve been inherited from Google’s Chromium engine and that there are always issues with the initial launch of open-source code.
“We wanted to be honest with our users and give them a chance to see that we don’t have anything up our sleeves and that we are not (nor were we ever) hiding anything from them,” he said, before taking a swipe at Google for refusing to make Chrome open source.
“Going open source is painful, but it is good for project transparency, something Google has long refused to do with Chrome. Chrome is not open source.
“The core issue in all of this is that we set out to create a browser that would provide security and privacy settings by default,” Hansen continued.
“We believe that we made very good strides in that effort and when issues around those settings were brought to our attention, we actively made changes, something that Google has been unwilling to do,” he added.
Hansen concluded by attacking Google’s record over privacy. “It is now up to the community to decide if they’d rather hand over their privacy when they search using other browsers, or stand behind a project that we believe has the user’s best interests as a primary motivator,” he said.
Schuh has already issued a reply to WhiteHat’s response, stating it doesn’t address the “big concerns” he raised.
“I’m just increasingly disappointed that the response continues abdicating responsibility for such sweeping and inaccurate claims (e.g. ‘the most secure browser online’), or that making the source public somehow absolves them of that responsibility,” wrote Schuh.
“As someone who has spent years working in open source every day, I know that posting a public repo does not suddenly create a community. A community grows from engagement and contribution, usually over a period of years,” he continued.
“Nothing like that is even being hinted at here; rather the behaviour here is the kind of thing that just gives open source a bad name,” Schuh concluded.