A Tale of Two Browsers: Chrome v. Chromium
Is Chrome or Chromium more secure? Numerous security experts place their bets on Chromium, suggested Paul Hill, a senior consultant at SystemsExperts. "Chrome's code has to be able to tie into Flash Player, for instance," Hill explained. "So more code is involved to integrate with other third-party products. This all introduces more complexities and more code paths."
11/26/13 5:00 AM PT
If you've ever used Google's free Chrome browser, you may be aware that it's closely related to another, similarly named Google project called "Chromium."
Chrome and Chromium share a heavy portion of their core browser code, but Chrome is a proprietary Google product, while Chromium is open source. Both serve Linux, Windows and Mac OS X platforms, however, and both continue to vie for user share with Mozilla's open source Firefox, their distant cousin.
"Firefox and Chromium-based browsers are likely to continue to leapfrog each other in minor ways," Paul Hill, senior consultant at SystemsExperts, told LinuxInsider. "Each development community is aware of the other and each benefits the other."
Given the apparent duplication between these two projects, it may seem an exercise in redundancy to have both maintained by an overlapping team of developers. Why have both? What are the differences? Which one is better? Read on for a closer look at what sets these two popular browsers apart.
"Chrome was a big bet five years ago and has made browsing the Web simpler, speedier and safer," Avni Shah, product management director for Chrome at Google, told LinuxInsider.
"Chrome adds a small number of features to Chromium such as a built-in PDF viewer and Flash plug-in, and the official Google Chrome branding," Shah added.
Google released a large portion of Chrome's source code as an open source project called Chromium for the Windows platform in September 2008. The intent was to encourage third-party software developers to review its underlying code and contribute to porting the browser to Linux and Mac platforms.
The Chromium project remains viable and valuable to Google because it was mostly started by Google. The whole idea was to use it as a core open source project to set up a public code review, Hill explained.
A Thriving Open Source Community
Google continues to take an extremely active role in the Chromium open source project, but there's also a thriving open source community behind it, with many contributions from other individuals and organizations, Shah said.
The portion of Chromium that contains Google-authored code is released under the permissive BSD license. Other portions of the Chromium source code are subject to a variety of open source licenses.
That licensing distinction highlights some of the key intellectual property differences. Chrome is the non-public version because Google added features that the Chromium community cannot include in its open source project, noted Hill.
Other distinguishing features include various plug-ins and codecs that have licensing fees associated with them, he said. For instance, the code that Google incorporates into Chrome for MP3 and MP4 files does not appear in Chromium.
As an open source project, Chromium has no licensing fees associated with it. So, anything that has licensing fees for its use is only going to appear in Chrome. That in part is why the two browsers appear as two different projects, Hill said.
On some Chromium installations, a direct connection with the user's Google account is evident. Not so other Chromium installations. This distinction goes far beyond the two-tone blue browser emblem that Chromium sports -- as distinct from Chrome's four-color treatment.
"Chromium is an open source project, and some other organizations may choose to modify it to give their users a tailored experience," said Shah.
One of the main commonalities between Chromium and Chrome is access to the Chrome Web Store. Google introduced this open marketplace for Web apps in 2010.
With this Web app platform, users and software developers have a common tool in both Chrome and Chromium to discover apps and extensions to customize their experience on the Web. Developers can take advantage of convenient distribution to hundreds of millions of users, and they can monetize using the platform as well, noted Shah.
That connected marketing platform stretches across Windows, Linux and OS X operating systems. It is one monetizing feature that is lacking in the development of most other Web browsers.
Chromium users can even log into their Google accounts to have all their Google Services data accessible in the Chromium browser.
Increasingly, Chromium is being included as the default browser in a growing number of Linux distributions. Chrome, on the other hand -- because it is not completely open source, although still free -- must be downloaded and installed independently. The same goes for Windows, where the default browser is Microsoft's Internet Explorer, and Mac OS X, whose default browser is Apple's Safari.
In terms of community contributions, Firefox had a head start over Chromium, but "Chromium has outpaced Firefox in both total contributors and growth rate over time," Dave Gruber, director of developer programs at Black Duck Software, told LinuxInsider.
Community size and growth reflect the momentum and evolution of a project. While the architecture of a project can affect the overall number of contributors, the growth curve of the project over time often mirrors the adoption curve, acting as a bellwether for future uptake, he explained.
Chrome is viewed by many to have a reputation for security, but a lot of security experts actually take the view that Chromium is superior in this respect, suggested Hill. After all, Chrome is a more complex version of Chromium, so it stands to reason that it probably is a little bit less secure, at least from a theoretical standpoint.
"Chrome's code has to be able to tie into Flash Player, for instance," Hill explained. "So more code is involved to integrate with other third-party products. This all introduces more complexities and more code paths."
That aspect of Chrome's integration cannot be publicly reviewed because those elements are not part of the open source version. So, people just do not know for sure if there are security vulnerabilities that appear in Chrome that are not in Chromium, he said.
"There are a number of security-related plug-ins available for Firefox that provide features that are not yet available for Chromium or Chrome," said Hill.
How They Stack Up
Vulnerability data from the public National Vulnerability Database shows considerable variation among Chrome, Chromium and Firefox, Black Duck's Gruber pointed out.
For instance, Firefox has had 1,097 vulnerabilities reported in its all-time history, whereas there have been 845 for Chromium and 1,001 for Chrome, he said.
Over the past 3 months, there have been 48 for Firefox, 51 for Chromium and 52 for Chrome.
Looking back over the past 3 years, Firefox has racked up 471, compared with 708 for Chromium and 775 for Chrome.
Of course, such statistics don't factor in the fact that Firefox has been around longer, noted Gruber, who said he assumes Firefox to be more stable.
More Private, Right?
Another common assumption is that Chromium is not under Google's direct control and so offers better privacy from intrusions such as those recently revealed on the part of the National Security Agency.
"I would say that is still an open-ended question," Hill said. "You are giving developers less information when you are using Chromium. If you go to the Chrome store in Chromium, it is hard to say what additional tracking you are providing."
The bigger risk is if you use Chromium and plug it into Google services like Gmail. If, from within Chromium, you do the sign-in authentication and do your Web browsing, you are probably providing just as much tracking information to Google as if you were running Chrome itself, according to Hill.
"That is where the developers get the majority of information from users," he explained. "It is not necessarily limited to any IP code in the Chrome browser itself."
Users who really want to avoid as much tracking as possible would be better off using one of the Chromium derivatives or Linux distros that use tweaked versions of the Chromium browser that specifically address that ad-tracking feature and related information-gathering issues, suggested Hill.
Another advantage of this alternative-browser approach is additional security evaluations. For example, with some of these Chromium-based browsers, every time the Chromium community releases a new version, the smaller developer communities actually will evaluate the additional code.
That leads to decisions on whether or not to include the newer releases in these other third-party derivative browsers. This could have an impact on privacy and tracking that might not otherwise arise with either the Chromium core project or Google Chrome.
Unlike other third-party software distributed through different repository systems in Linux, Google maintains a direct path to avoid updating delays. Chrome has an auto-update feature, while Chromium does not. That remains an advantage for using Chrome rather than Chromium on Windows and Mac platforms as well.
Chrome is supported directly in a number of cases, according to Google's Shah. For instance, Google maintains package repositories for popular Linux distros to keep Chrome in Linux up-to-date.
"However, we have found that some Linux distribution maintainers prefer open-source software that they have built themselves," he added. "It is possible for maintainers to build Chromium and modify it (if necessary) to work in supported releases of their distro."
Chrome or Chromium?
So, bottom line: Is Chrome or Chromium better? There's even a list of feature comparisons to help you decide.
In general, though, people should choose Chrome or Chromium based on their use case, Shah advised. Since Chrome includes a few additional add-ons such as built-in Flash and a PDF viewer, most people find that it works well for them.
"However, open-source developers may prefer Chromium," he concluded, "if they are often tinkering with source code or modifying their own distribution."