Google Chrome OS can’t be perfectly secure

Google’s plan to release a Chrome-based OS next year has garnered the expected fanfare that comes with anything the company announces. I’ve also seen articles in which people at Google are quoted as saying the OS will be free from malware and immune to malicious hackers. My gut feeling is that these folks were misquoted. I don’t think anyone with serious experience in this field would make that sort of claim — but I could be wrong.

Whether or not they said it, the question remains: Is it truly possible for the search giant to accomplish what no other company has and release a perfectly secure OS? The answer: Probably not. (For the sake of full disclosure, I’m a security architect at Microsoft.)

[ See what Microsoft CEO Steve Ballmer had to say about Google Chrome OS. | Gets answers to all your questions in the Google Chrome OS FAQ. ]

For starters, the best indicator of future behavior is past behavior. Every software vendor who has promised perfect security has failed to deliver. Who can forget Oracle CEO Larry Ellison’s pledge of “unbreakable software”? That was hundreds, if not thousands, of patched bugs ago. Unlike Oracle’s offerings, Chrome OS will be available to and used by the general public, making it a huge target for malicious hackers and purveyors of malware. That alone renders the prospect of flawless security all but impossible.

Second, I don’t know of a Google product to date that has not had its share of bugs. Even Google Chrome, the “most secure browser ever,” has had at least eight discovered vulnerabilities in its very short life — and with the browser’s very small market share. If Google Chrome were to gain market share, more vulnerabilities would naturally emerge. No software has ever escaped that fact.

Secure software is static software But let’s say that Google achieves the near-impossible, what no one else has done, and makes a perfectly secure OS. One of the key challenges for any software title is that as it becomes more popular, it must become more functional. Security alone does not make a product popular. Otherwise, software such as OpenBSD or anything written by Dr. D. J. Bernstein would have a much higher install base. These products are well-regarded for being extremely — though not perfectly — secure. Perhaps these products haven’t gained broader acceptance because — I ‘m waiting for the flame mail — they don’t offer the functionality and experience that most users really want.

If a company fails to add functionality and features to its wares, its competitors will grab its customers.

However, adding new functionality and new features requires new code, which in turns increases complexity and the chances for security bugs.

For example, Adobe Acrobat was relatively secure when it simply read PDF text documents. To attract more customers and remain competitive, Adobe added a bunch of new features, such as the ability to run JavaScript and participate in encryption. By no small coincidence, Adobe Acrobat now has lots of security patches. You can say the same of any popular app.

Further, even if Google somehow manages to crank out a perfectly secure OS, it will still need to rely upon other organizations’ software to work. That, in turn, will almost certainly create chinks in the OS’s armor. For example, almost every Internet product relies on DNS, which has proved extremely hackable. Hack that, and you hack everything that relies on it, including otherwise secure browsers and OSes.

Beyond relying on DNS, how will the Google OS and browser render documents and content such as PDFs, Macromedia Flash files, iTunes music, and all other code and content that makes up the rich Internet experience? Google developers will have a hard time delivering all that functionality themselves. They would have to perfectly code every (or at least the most popular) content-type rendering engines. More than likely, Google will allow other vendors’ products to interact with their products, and that brings up dozens of security issues in a given month.

I’m even ignoring for the moment the reports that the Google OS will be a Linux variant. Linux itself has many kernel bugs a year. Google Chrome, the browser, relies upon other components (such as Web Toolkit) with have their own vulnerabilities.

There are other hard questions: How will people be able to save content between sessions or send each other files? How will Google be able to perfectly distinguish between malicious and legitimate file attachments when no other company has been able to do it?

Allow users to save content on the local machine and you’ve opened up a potential security hole. Only allow objects to be saved in the cloud, and the cloud becomes the target. Heck, most of the cloud vendors are still trying to come to grips with what securing the cloud even means, much less having a perfectly secure cloud.

Google can only accomplish a perfectly secure OS by coding with zero bugs (which has never been done and will never be done), by interacting with perfectly secure third-party products (which don’t exist), and/or by providing less functionality and customization to its customers. That’s a tall order and a prescription for strong competition, because no matter what we believe, customers really don’t want perfectly secure software — at least not at the expense of rich features.

To its credit, Google does have a better-than-average chance of making a relatively more secure OS. Google developers don’t have the incredible backward-compatibility issues that Windows, Linux, and BSD product teams must deal with. Google has a chance to strike out on its own and support what it wants want to support. The company did something similar with the Chrome browser. But again, Google’s previous security track record indicates that perfect security — even with less functionality — will be difficult.

A Google Chrome OS could be successful for a lot of other reasons, and I applaud Google for its initiative and innovation. (By the way, congrats for Gmail coming out of beta! ) I’m always a believer in more competition. It improves everyone’s product and usually benefits the customer. But after spending 23 years in the computer industry and hearing the repeated false promises of “perfect security,” please excuse me if I’m skeptical.