JIT Compilation Disabled
JIT compilation is a major attack surface in modern browsers. Disabling JIT eliminates entire classes of vulnerabilities:Why Disable JIT?
- Attack Surface Reduction - JIT engines are complex and frequently targeted
- Memory Safety - JIT-related memory corruption vulnerabilities eliminated
- Exploit Mitigation - Many browser exploits rely on JIT spraying and manipulation
- Zero-day Protection - Prevents exploitation of unknown JIT vulnerabilities
Performance Impact
Disabling JIT will impact JavaScript performance on complex web applications. Most websites will work fine, but JavaScript-heavy apps may be slower.
- Normal browsing: Minimal impact
- Complex web apps: Noticeable slowdown
- JavaScript games: Significant performance reduction
- Simple sites: No noticeable difference
chrome://flags if needed.
Isolation and Sandboxing
Origin Isolation
Cromite enables strict origin isolation by default:StrictOriginIsolation
Ensures each origin runs in its own process
SitePerProcess
Each site gets its own renderer process
- Cross-origin attacks prevented
- Process-level isolation between sites
- Spectre/Meltdown mitigation
- Memory safety between origins
Document Isolation
Document Open Inheritance and CookieURL Removal enabled to prevent inheritance-based attacks.
DNS-over-HTTPS (DoH)
DOH secure mode is enabled by default for DNS privacy and security.
- DNS hijacking
- DNS-based tracking
- ISP DNS logging
- Man-in-the-middle DNS attacks
DoH Configuration
Cromite uses secure DoH providers by default (not Google DNS):- Queries are encrypted via HTTPS
- DNS provider cannot correlate queries with IP address easily
- ISP cannot see DNS queries
Certificate Transparency
Certificate Transparency is enabled by default for enhanced HTTPS security.What is Certificate Transparency?
Certificate Transparency (CT) is a security mechanism that:- Logs all issued TLS certificates publicly
- Allows detection of mis-issued certificates
- Prevents certificate-based man-in-the-middle attacks
- Provides audit trail for certificate issuance
Enhanced Sandboxing (Windows)
Cromite significantly improves the browser sandbox on Windows:Network Service Sandbox
Network Service Sandbox
The network service runs in a separate sandbox process:
- Network operations isolated from renderer
- Prevents network-based exploits from escaping
- Additional process boundary for security
Code Integrity Guard (CIG)
Code Integrity Guard (CIG)
CIG prevents dynamic code loading:
- Blocks unsigned DLL injection
- Prevents code injection attacks
- Hardens renderer processes
- Enabled by default in sandbox
Arbitrary Code Guard (ACG)
Arbitrary Code Guard (ACG)
ACG is enabled by default to prevent dynamic code execution:
- Prevents runtime code generation
- Blocks JIT-based exploits
- Prevents memory exploitation techniques
- Major security hardening feature
File System Access Blocklist
File System Access Blocklist
File system access blocklist enabled to prevent access to sensitive system files:
- Blocks access to system directories
- Prevents sensitive file enumeration
- Reduces attack surface
Memory Safety
GWP-ASan
Cromite boosts internal GWP-ASan (Guarded Memory Allocator) checks:GWP-ASan detects memory safety bugs like use-after-free and heap buffer overflow at runtime.
- Android - Opt-in gwpAsanMode enabled
- All platforms - Boosted internal GWP-ASan checks
- Catches memory corruption bugs
- Prevents exploitation of memory vulnerabilities
- Minimal performance overhead
- Automatic bug detection
Security Services Disabled
- Manta service - Undocumented service disabled
- Orca service - Undocumented service disabled
Certificate Handling (Android)
Why Disable User Certificates?
User-installed certificates can be used for:- Unauthorized proxy usage
- Man-in-the-middle attacks
- SSL/TLS interception
- Corporate/malware spying
If you need to use a legitimate proxy or corporate certificate, you can re-enable user certificates via
chrome://flags.HTTPS Enforcement (Android)
When enabled:- All HTTP requests are blocked
- Only HTTPS sites are accessible
- Maximum security for sensitive work
- Prevents downgrade attacks
chrome://flags/#block-non-https
Auto-Update Security (Android)
Browser auto-updater included to ensure you always have the latest security patches.
- Patches vulnerabilities quickly
- No manual intervention required
- Reduces exposure window for exploits
Enterprise Policy Protection
Disabled Enterprise Features
Cromite disables several enterprise management features for security:Enterprise Policies Ignored
Enterprise Policies Ignored
Cromite ignores enterprise policies that could be abused:
- No remote management
- No forced configuration
- No policy enforcement
- Full user control
AppRestrictions Disabled (Android)
AppRestrictions Disabled (Android)
Android AppRestrictions disabled to prevent:
- Unauthorized app management
- Enterprise control of personal devices
- Configuration forcing
Google Side Panel Disabled (Desktop)
The Google side panel could:- Send browsing context to Google
- Create security vulnerabilities
- Leak private information
Best Practices
Keep JIT Disabled
Unless you need maximum performance, keep JIT disabled for security
Use HTTPS-Only Mode
Enable HTTPS-only mode for maximum security (Android flag)
Keep Auto-Update Enabled
Allow automatic updates to receive security patches immediately
Don't Install User Certs
Avoid installing user certificates unless absolutely necessary
Use DoH
Keep DoH enabled for DNS privacy and security
Enable ACG (Windows)
Keep ACG enabled unless extensions break (Windows)
Security vs. Compatibility
Cromite’s security features prioritize security over compatibility. Some features may break:Potentially broken:
- JavaScript-heavy web apps (JIT disabled)
- Some browser extensions (ACG on Windows)
- Sites requiring WebRTC (disabled by default)
- Corporate proxies (user certificates disabled)
Testing Security
Verify Cromite’s security features:Test HTTPS
Visit https://badssl.com/ to test certificate handling