If you didn’t already know, every Chromebook has a pre-determined shelf life when it comes to getting Chrome OS updates. This has people wondering: are Chromebooks secure? The software update expiration date is based on the CPU inside your Chromebook. Google has a site showing when every Chromebook will stop getting these automatic software updates.
You can also see the date on your device itself: Go into Settings, choose About Chrome OS and then click Additional details.
So what happens after your Chromebook passes the automatic update time period?
Well, it still works, for one thing. Just like it always did. And that’s good. But it won’t get any new features found in any future Chrome OS updates at that point.
That may not be a big deal in the overall picture. However, there is a larger impact that you should be aware of. And that has to do with any security patches.
As it stands now if Google pushes any security fixes to Chromebooks, the devices that are beyond the support date won’t get them. And that’s clearly not good.
Nor is it something you can completely mitigate on your own. I mention this because of an email question I received from Jeff:
Does installing edge or Firefox to a Chromebook that is no longer receiving updates does it provide you security that Chrome does no longer provide?
This is a great question and the answer deserves some explanation because the devil’s in the details.
Yes, you can install Microsoft Edge on a Chromebook, or any alternative browser that supports Android or Linux. And that browser will get software updates, which includes any security patches. However, this only protects your browsing activities in that third-party browser. That’s helpful but it’s not a full security solution.
Why? Because Chrome OS itself is the desktop platform controlling the show.
That means while your browsing activity with Edge, Firefox, or some other browser offers security, the underlying software does not.
Chrome OS runs on Linux, for example. So if the Linux kernel needs a security patch and your device can’t receive the update, you’re at risk. And even though Chrome OS exploits have been few and far between, blindly relying on an unpatched desktop operating system doesn’t give me a warm fuzzy feeling.
So the shorter answer is: Yes, an updated third-party browser improves security on a Chromebook no longer receiving Chrome OS updates, but it’s not an ideal situation.
Don’t panic just yet though. Remember how I said, “As it stands now…”?
I’ve described the current situation, which is in the process of changing in potentially positive ways.
First, Google bought Neverware earlier this year. If you’re not familiar with that company, it makes Chromium OS software images under the CloudReady brand that can turn older devices into Chrome devices.
Chromium OS is the open-source version of Chrome OS; the latter has Google proprietary bits. So they’re similar but not exactly the same. It’s possible that Google’s acquisition of Neverware will bring platform-level updates to older devices.
Second, Google is working to split the Chrome browser from Chrome OS itself. Essentially instead of having the browser baked into the operating system, it will be integrated as a standalone app called LaCros. I’ve covered LaCros before, which is a Linux version of the Chrome browser, but here’s an overview of LaCros vs Chrome vs Chrome OS if you need a refresher.
This essentially lets Google update the native Chrome OS browser after a Chromebook stops getting Chrome OS updates. In a sense, it’s the exact same approach that Jeff is asking about, only it’s for Google’s own browser.
Surely, this approach is helpful, but for maximum security, Chrome OS itself needs to get security patches.
Keep in mind that Chrome OS was designed with security in mind. And there has only been a handful of persistent Chrome OS exploits that stay active on a Chromebook after a reboot. So Chromebook security without future Chrome OS updates doesn’t appear to be a major issue. At least, not yet.
Even with that relatively solid track record, I personally wouldn’t use an “expired” Chromebook and just trust that it’s a secure experience. I’d rather not take the chance. Instead, I would purchase a new Chromebook, knowing that for the next eight years or so it will get Chrome OS software updates. Then again, Neverware’s CloudReady integration might resolve the situation at some point in the future. That would give new, secure life to older Chromebooks.
