March 18, 2013, 1:56 PM — There's a lot to like about Google Chrome's built-in security features. The browser offers unique sandboxing functions and privilege restrictions, and even updates itself in the background to help better protect you from hackers and malware. But like all browsers, Chrome is imperfect, and there are steps you can take to protect it from attack. Here's how to get the most from Chrome's built-in security features, and work around its security shortcomings.
Chrome offers several privacy features that help protect you while you browse. The most notable are its phishing- and malware-protection schemes, and a tool that can auto-correct misspelled Web addresses.
Chrome's phishing and malware protection puts up a warning screen whenever you visit a website that Google has identified as potentially malicious, whether it spreads malware or tries to steal your personal information. Meanwhile, Chrome's URL autocorrect feature uses a Google-provided online service to fix misspelled URLs, helping you avoid visiting the wrong site--and perhaps a nefarious site--by accident. Indeed, "typosquatting" is still a threat.
To use these features, open the browser's Settings panel and scroll down to the Privacy section (you may need to click "Show advanced settings" to get there), and check the boxes labeled "Use a web service to help resolve navigation errors" and "Use a web service to help resolve spelling errors." Also, be sure to check the "Enable phishing and malware protection" box.
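The sketch below is an added example, not Chrome's or Google's code: it shows one way a typed address can be compared against a short list of sites you actually use, flagging near-misses that may be typos or typosquats. The `TRUSTED` list, the function names and the two-edit threshold are assumptions made for illustration.

```javascript
// Added example: flag hostnames that sit one or two edits away from a trusted
// domain (a likely typo or typosquat). TRUSTED is a constructed sample list.
const TRUSTED = ["google.com", "paypal.com", "wikipedia.org"];

// Optimal string alignment distance: counts insertions, deletions,
// substitutions and swaps of adjacent characters (the common typing slips).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...new Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

// Classify a typed address as "trusted", "lookalike", "unknown" or "invalid".
function checkAddress(typed, trusted = TRUSTED, maxEdits = 2) {
  let host;
  try {
    host = new URL(typed.includes("://") ? typed : "http://" + typed).hostname;
  } catch (e) {
    return { verdict: "invalid", match: null };
  }
  host = host.replace(/^www\./, ""); // URL() has already lowercased the host
  // An exact match, or a subdomain of a trusted domain, is accepted as-is.
  for (const t of trusted) {
    if (host === t || host.endsWith("." + t)) return { verdict: "trusted", match: t };
  }
  // Otherwise find the closest trusted domain and see how far away it is.
  let best = null, bestDist = Infinity;
  for (const t of trusted) {
    const dist = editDistance(host, t);
    if (dist < bestDist) { best = t; bestDist = dist; }
  }
  return bestDist <= maxEdits
    ? { verdict: "lookalike", match: best }
    : { verdict: "unknown", match: null };
}
```

A "lookalike" verdict is a cue to recheck the address before continuing, since a legitimate short domain can also sit within two edits of a trusted name.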
Protect your saved passwords and credit card details
If you let Chrome save your website passwords, anyone who uses your PC can easily access them with a little poking around in the Settings panel. But unlike Firefox and its Master password feature, Chrome--and by extension, third-party add-ons--won't let you encrypt your passwords or saved credit card information.
Luckily, there are a few things you can do to help protect your privacy. First, don't allow people you don't trust to use your Windows user account. Instead, either create a new Standard (non-administrative) account for others to use or turn on the Guest account.
If creating another Windows account is too inconvenient, consider using a Chrome extension like ChromePW, Browser Lock, or Secure Profile to password-protect Chrome. This effectively forces others to use another browser on your system, such as Internet Explorer (which doesn't let others easily view your saved passwords) or Firefox (which lets you encrypt and password-protect your saved passwords).
Another option is to securely store your sensitive data using a third-party password manager. Some third-party password tools let you sync your passwords across other browsers, which might be helpful if you go from one computer to another. KeePass and Xmarks are two popular password managers worth trying.
Secure your synced data
Chrome can sync most of your settings and saved data (including passwords, but not credit card details) across multiple computers and devices that have Chrome installed, but this creates a security vulnerability. By default, Chrome requires you to enter only your Google account password to set up a new computer or device to sync your browsing data. So if your Google account password were hacked, an intruder could potentially access a list of all your passwords.
That is, unless you set a custom encryption syncing passphrase.
Once you set a syncing passphrase, you have to first sign in with your Google account password and then enter the passphrase to set up new synced devices. This adds an important extra layer of security. To set this up, open Settings, click "Advanced sync settings," and select "Choose my own passphrase."
While you're there, also consider turning on encryption for all synced data instead of just passwords.
Secure your Google account
Google offers several security features to help you better control and protect your account, and you should definitely consider using them if you use Chrome's sync feature. They help secure your entire Google account, so you should also consider using these security features if you tap into multiple Google services.
On the Google Account Security page, consider enabling Google's 2-step Verification. Once you've done that, you'll have to enter a special code--which you'll receive via text, voice call, or the Google app--whenever you attempt to sign in to Google from a new PC or mobile device. This scheme ensures that anyone without direct, hands-on access to your mobile hardware will be denied entry into your Google data. When signing in to applications or features that don't support the verification codes (like Chrome's sync feature), you'll have to sign in to your Google account, access the 2-step Verification settings, and generate an application-specific password.
While on the Google Account Security page, you might also want to turn on email and/or phone notifications for password changes and suspicious log-in attempts. This way, you'll know right away if someone tries to change your password or attempts to log in to your account without your knowledge.
Additionally, review your recovery options in case you forget your password in the future. Last, review your authorized apps and sites and remove those you don't use anymore.
Install extensions for additional protection
We've reviewed many of the security features offered by Google and Chrome, but various extensions allow you to add even more security functions. For example, Web of Trust (WOT) can warn you of dangerous sites, and AdBlock can remove annoying or malicious advertisements that can lead to malware or phishing sites. View Thru lets you see the destination of shortened URLs, and KB SSL Enforcer can help you take advantage of HTTPS/SSL encryption on sites that support it.