Another critical security feature that's missing is the ability to place different Web sites into separate security zones or domains. Most browsers provide at least two zones (Internet Explorer has five) or the binary ability to whitelist or blacklist sites. Chrome also glaringly lacks enterprise management features. SSL/TLS (Secure Sockets Layer/Transport Layer Security) server revocation checking is enabled by default, but Chrome does not support the more efficient OCSP (Online Certificate Status Protocol) revocation-checking protocol, though all of its competitors do.
Google has also washed its hands of responsibility for the security of add-ons. Reviewers are very mixed on this approach. While it is true that browser vendors should not be ultimately held responsible for others' add-ons and applications, Chrome offers no add-on controls. You cannot easily determine which add-ons will render particular content, nor easily disable or manage them.
Many users are perturbed by the treatment of their own saved passwords. Chrome allows the current user to reveal the saved log-on names and passwords in plaintext with a few clicks of the mouse. This is convenient for the user -- and for anyone else who wants to learn all of the user's passwords and finds the computer left unattended for a few seconds. Internet Explorer doesn't allow this at all, and Firefox and Opera at least have the ability to assign another password to protect the saved passwords. On the Password Manager Evaluator testing Web site, Chrome scored the worst among all of the browsers I've tested (including Firefox, Internet Explorer, Opera, and Safari), passing only 4 of 21 tests.
Chrome has a very limited feature set and relatively moderate complexity. This might help it avoid some security issues in the long run, but so far it hasn't. Chrome has had 10 exploits in the five months since it was released (you can search on keyword Chrome at milw0rm.com to see the individual exploits). They have been patched. Most were simple denial-of-service exploits, but at least one allowed complete system compromise and another allowed malicious redirection.
On a good note, Chrome passed all of the Web-browser tests I threw at it and prevented the automatic installation of any malware. These tests included dozens of predefined tests made in the lab and several browser-security tests on the Web (including scanit and Jason's Toolbox). With less than 2 percent market share, Chrome isn't yet a popular target of hackers. That gives its users additional insulation compared with its competitors.
One key feature simply doesn't work as promised. Google repeatedly makes the claim that Chrome's rendering-process isolation prevents one browser session from bringing down another or affecting the whole browser. Yet, vulnerability after vulnerability has proven that Chrome's process separation isn't nearly as perfect as it sounds on paper. Malicious Web pages of all kinds have caused DoS problems, lockups, and complete system failure. I and every other Chrome user I know have experienced complete browser lockups from simple, legitimate Web-page browsing.