As mentioned the extension didn’t made it into the official Chrome Web Store (yet), users can install it by downloading the extension’s source code from GitHub which requires you going to Chrome’s extensions management page (alias chrome://extensions). You then must enabling “Developer Mode,” in order to install external extension, clicking on the “Load Unpacked” button and then selecting the folder “/chromezero” from inside the extension’s source code will load the extension, don’t delete the folder because it’s needed to load the extension each time you start or restart your Browser, so keep it on a place were it doesn’t bother you.
Fife smilies representing how strong the extension restricts certain attack sectors. The performance impact is minimal on this process, the developers saying it requires 1,54% of the overall Browser resources and has a minimal impact of Browser page loading latency (depending on several variables) from approximately 0.01064s up to 0.08908s.
|Requirement||Off||Low||Medium||High||Tin Foil Hat|
|Memory addresses||–||Buffer ASLR||Array preloading||Non-deterministic array||Array index randomization|
|Accurate Timing||–||Ask||Low-resolution timestamp||Fuzzy time||Disable|
|Multithreading||–||–||Message delay||WebWorker polyfill||Disable|
|Shared data||–||–||Slow SharedArrayBuffer||Disable||Disable|
|Sensor API||–||–||Ask||Fixed value||Disable|
- Low: Most features are enabled, but require permission from the user; the sensor API is allowed.
- Medium: Most features are enabled, user permission is required for sensors.
- High: Protects against all currently known microarchitectural and side-channel attacks.
- Tin Foil Hat: Same as high, but additionally blocks even more functions that we consider a danger to a user’s security or privacy.
I think once the extension made it’s way into the Chrome Web Store it might have a bigger change to get noticed and reviewed. The settings are strange and not really what I expected from security experts but I totally get the point that they just wanted to provide an interface which can be understood by everyone – even beginners. Hopefully we see some more documentation about what each of the options exactly toggle on the official page soon.
I tried the extension and it worked on the maximum settings without any problem on the normal Chrome (66) and Chromium (67) versions, let’s hope that this might native gets integrated into future Browser versions so that you can easily control this via some Browser flags instead of an separate extensions ultimately I expect that all of the listed attack sectors soon or later gets closed without that any workarounds or extensions are required which would be the best solution for everyone.
Please keep in mind that the addon is still in an earlier stage as for now and you might report bugs directly in the bug-tracker.
- ChromeZero (github.com)