Privacy And Security Settings in Chrome

11 March 2014

Chrome has a lot of handy privacy and security options, but it isn’t always obvious how to use them. In this post I’ll demonstrate my favorites, and try to explain a bit about what they do.

My goal with these configuration changes is to get Chrome to expose less attack surface to potentially malicious web pages, and to be less chatty on the network. I definitely can’t and don’t guarantee that they will work for you or solve any particular problem you have. But maybe you’ll find this to be a fun learning experience. (Also, although I work for Google on the Chrome Security team, I am not blogging in any official capacity, and I don’t have an omniscient view of Chrome security.)

Chrome has a feature that allows you to create multiple “profiles”, each with their own distinct settings. Because we want to change the settings in a way that will make some web sites work less well (or even not at all), we won’t want to be locked in that mode. Therefore, we need to create a new, distinct profile to use as the private/secure mode. That way, you can always go back to a regular profile easily, to get normal web functionality.

First, create a new profile:

Create a new profile.

After creating the new profile, you get a new window running that profile (note the cat icon in the upper right corner):

After creating a new profile.

In this privacy- and security-sensitive special profile, do not sign in to Chrome. Signing in to Chrome, also known as Chrome Sync, is a convenient feature that syncs all your settings across all your signed-in Chrome profiles on all your devices, and makes it easier to log in to Google services. You might like it in your regular mode profile, but we want this profile be more loosely coupled to the cloud.

Go to the Settings page in the new profile’s window, and click on “Show advanced settings...” (shown here at the bottom):

Scroll down to the Privacy section of the Settings page, and check or un-check the various options as you see fit. Here’s how I set them for this profile:

These options (except for Do Not Track) cause Chrome to send extra traffic on the network (some of that traffic is encrypted), and is a prime candidate for un-checking — especially if you intend to use Chrome with Tor. For more information, see the Chrome Privacy Whitepaper. (In particular, think carefully about disabling phishing and malware protection; see its section in the privacy whitepaper.)

Click on that Content settings... button here in the Privacy section, as well:

Block 3rd party data and clear all upon exit.

I’ve changed the Cookies and site data settings, as you can see: “Block third-party cookies and site data” means that when you are reading e.g. http://blog.example.com, an ad included in the page from http://ad-company.com cannot set new cookies or site data. “Keep local data only until I quit my browser” means that Chrome will clear the locally-stored data (like cookies and HTML5 LocalStorage) when you quit. (This is similar to, but not exactly the same as, what Chrome’s Incognito mode provides.)

Scroll down and you will see many more options for Content settings. I’ll highlight some that are particularly important. First, block JavaScript by default:

However, you can optionally re-enable JavaScript in HTTPS pages:

I like to do this so that I can get rich JavaScript functionality in web sites like Twitter and Gmail that go to the trouble of authenticating themselves (and their code) using HTTPS — but sites serving unauthenticated junk cannot run JavaScript. It’s interesting how many sites still work without JavaScript. (Sometimes they even work slightly better.)

Next, we disallow external protocol handlers, and we block all plug-ins:

Disallow external protocol handlers and block
all plugins. — Disallow external protocol handlers and block all plugins.

Important note about blocking plug-ins: The “Click to play” option means that plug-ins are disabled by default, but that you can (left-)click on their area on the screen to run them. However, that left-click is clickjackable. It’s better to select “Block all”, which is really “right-click to play” — yes, you can still run plug-ins when you want to. To run plug-ins, right-click on their screen area, which brings up a native-type (operating system) context menu, and select Run This Plug-in:

Run This Plug-in — You can run or not run plug-ins at run-time.

Thus, you can be ensured that plug-ins run only when you want them to.

Next, we disable location services and notifications:

Disallow sites from taking over the mouse or capturing data from media sensors:

Turn off un-sandboxed plugins and don’t allow automatic downloads:

No un-sandboxed (NPAPI) plugins and no
automatic downloads. — No un-sandboxed (NPAPI) plugins and no automatic downloads.

Do not remember passwords or form field entries:

Tell Chrome not to auto-detect what language the page is in, to ask where to place each download, and not to fetch certificate revocation data:

Don’t auto-translate, ask where to place each
download, and don’t fetch certificate revocation data. — Don’t auto-translate, ask where to place each download, and don’t fetch certificate revocation data.

Note that you can still use Google Translate by right-clicking on a page and selecting Translate to English (or whatever your native language is). Un-checking “Offer to translate...” disables the automatic language detection functionality.

We leave certificate revocation disabled by default because the protocol that does it can leak information about your browsing to a server.

Finally, visit chrome://plugins and affirmatively disable the ones you don’t need, for good measure:

Have fun!