Aviator, the Web browser developed by WhiteHat Security with security and privacy in mind, is is not as secure as it should be, Google engineers pointed out last week.
Aviator, which is based on Chromium, the open source project on which Google Chrome is built on, has been available for Windows and Mac OS X for several months. WhiteHat Security made Aviator open source on Thursday in an effort to allow the community to audit the code and contribute to making the application better.
Within 24 hours after the code was released to the public, Google engineers identified several security issues in the Web browser and advised users concerned about security and privacy not to install it.
Justin Schuh of the Google Chrome Security Team noted in a post on Google+ that an “overwhelming majority” of the changes made by WhiteHat Security are superficial and related to branding. The engineer believes that the changes made by the security firm make it more difficult to track upstream security fixes.
Google security researcher Tavis Ormandy reported uncovering a remote code execution (RCE) vulnerability in Aviator, and Schuh pointed out that it wasn’t an isolated issue.
“The added code doesn’t seem to have been written with a sufficient understanding of how Chrome works, or with adequate regard for security,” Schuh wrote.
Schuh believes the security improvements in Aviator are well-documented default settings and features that are already provided by the Disconnect extension for Chrome.
In response to the comments made by the Google engineer, WhiteHat Security’s Robert Hansen published a blog post in which he highlighted that it’s impossible for a small company to compete with Google when it comes to releasing updates.
“Advising users to not use Aviator misses the bigger picture. To tell people that if they use Chrome, add Disconnect and change some privacy settings you’ll get the same thing as Aviator is not at all accurate. We have made changes in Aviator that are beyond configuration, such as the browser’s ability to stop referring URLs from being sent cross domain as well as always being in private mode by default,” Hansen said.
“But far more importantly, when we talk to average users it becomes clear that consumers can’t actually do what the post is suggesting,” he added. “Most people do not know the first thing about Disconnect and therefore, they don’t know what they need to do to add it. Our argument all along has been that consumers need better options by default. They don’t even know what to search for to start learning how to protect themselves.”
In an update to his post, Schuh said he wasn’t satisfied with WhiteHat Security’s response.
“I’m just increasingly disappointed that the response continues abdicating responsibility for such sweeping and inaccurate claims (e.g. ‘the most secure browser online’), or that making the source public somehow absolves them of that responsibility,” Schuh wrote. “As someone who has spent years working in open source every day, I know that posting a public repo does not suddenly create a community. A community grows from engagement and contribution, usually over a period of years. Nothing like that is even being hinted at here; rather the behavior here is the kind of thing just gives open source a bad name.”
