Update January 2017
Our contribution to Chromium was not as big as expected so far, since we had to develop lots of very Avira specific code.
Original Post
A lot of our users asked us to be more transparent and explain what we are doing – so here you go.
The goal we have in mind when it comes to the browser is to create an easy-to-use, secure, and privacy respecting browser. This is not as easy as it may sound.
The Gordian knot
In order to have a secure browser, security issues have to be fixed in a certain time frame. This sounds logically, right? For us that’s only a few days after we get to know about them. Chrome fixes vulnerabilities with every release, so we are also forced to release in sync with the Chrome releases. But every change we make in the Chromium source code causes merge conflicts. When changes made by us (and which are Avira specific) and changes made by Chromium developers overlap our tools cannot combine them together. After about 150 changes we had one conflict per week. This meant spending hours untangling code.
The sword to slice through the knot: We will not introduce differences to the Chromium code.
Let’s see the browser more like a Linux distribution (Ubuntu, for example). We select the best tools. Combine them. Maintain them. Optimize them.
Open Source Extensions
There are awesome security extensions for browsers out there. Let’s just invest some man-years, copying their features. We can make closed source versions of those extensions which are almost as good as the original – but OURS!
… just kidding …
We decided to say ‘hello’ to the communities and explained our plans to them. We already started to contribute and will contribute even more (we struggled with the foundation for the browser longer than expected, so we are a bit behind the original time frame – but more about that in another post). The first extensions are integrated, more are upcoming and planned. Efficient engineering. A win-win situation.
Contributing to Chromium
Only code differences between our browser and Chromium cause issues. If we want a security feature and contribute the code to Chromium we do not have differences nor merge conflicts. We accidentally protect more people than we have to, but nobody is perfect. 😉
We already did contribute a stash of changes that allow simpler branding (see below). But the HTTPS-Everywhere guys alone have a wish list of 2-3 large Chromium code changes. Our next steps will be to extend the extension programming interface (API) because we want more information available in the extensions. For example right now the encryption details (used cypher suite, Certificates) cannot be seen from an extension. That means that something like Calomel cannot be written for Chrome so far.
Contributing to 3rd party code
Chromium contains more than 100 third party libraries. They can contain vulnerabilities, bugs and flaws. When we find something we fix it and send the patches upstream (= to the authors). We are currently experimenting with the best way to release as many fixes per week as possible. As soon as we have figured out a good solution, we will inform you via another blog post.
Our own extensions
Of course we already integrated ABS (Avira Browser Safety) and our Safe Search. This is a no brainer. So let’s just move on.
Our external tools
Right now we plan on integrating our AV scanner into the browser. We already scan with the WebGuard, but the future of the internet is encryption (more HTTPS, \o/). Webguard is a proxy, and scanning encrypted traffic with a proxy causes lots of crypto-headache. Luckily the browser does decrypt the data (it has to) as soon as it gets there: Scanning the content of the decrypted data packages directly inside the browser solves said crypto-headaches.
As of now WebGuard is fine. But of course we already plan for the future. When the future is here we will be ready – with scanning abilities in the browser.
This above are only about 50 % of what we plan on doing. Stay tuned for two more and rather advanced tactics that we plan on using and which will be described in the next blog post!
TL;DR:
There is so much we can do to improve the browser. Without touching the core.
Halfway down the Rabbit Hole. Time for a break.
Thorsten Sick
Please note: This article relates to the Windows version of the Avira Scout browser.
were is the linux version
i mean they talk about a linux and mac beta version but how i get it
Hi ZslayerLP,
I’ve adjusted the article accordingly. Actually, the browser is just available for Windows devices. Originally, it was planned to have a version for Mac and Linux, too. However, we will let you know as soon as there’s a version available for Mac/Linux.
Thanks!
Best,
István
I really hoped that this post was written 1 year ago.
I made a chrome-extension based antivirus system as my Final Year Project during my time in University. The system scans the webpage for any malicious content when its loading, and warn the user from accessing the content. The extension collects data and upload the data to an antivirus engine hosted on my server in virtual machine. The server will download the content and scan them. The server will then return status codes for all the contents in the page.
I’m glad you mentioned Calomel, as I have been lamenting the modern “streamlining” of GUIs, so that users are kept in the dark.
We obviously need a clean interface, but visual cues and detailed info are the best way to educate users without them realising they just became wiser.
Your concept of having the browser as the hands of Avira feeling the web for lumps and bumps, is an idea that is overdue.
The fact that you will be inherently adding more protection to those that do not even have Avira AV, is also wonderful and shows how we are indeed all in this together.
Seeing the problems you face, I must apologise for posting my often radical concepts, but I will still try my hardest to think the unthinkable, and give you ideas to scratch your heads and beard at 😉
I have been using the beta version for a while now and it works really great. You guys are definitely on the right way. Some more minor changes and I will switch to the Avira Browser completely. Looking forward to it!