Google is proud to announce the birth of a bouncing baby browser. Behold: release 86 of Chrome, Larry and Sergey’s stupidly popular web access app, powered by PWA platform.
“And so what?” I hear you scream. Well, DevOps has plenty to think about. Not least, support for the W3C change-password-url standard, and Google’s renewed focus on rejecting mixed content.
But don’t fret if none of your users use Chrome. In this week’s Security Blogwatch, we snort at the thought.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: stories.
What’s on offer? Lawrence Abrams reports: Chrome 86 released with huge user security improvements:
Google has released Chrome 86 … to the stable desktop channel, and includes numerous security enhancements … for both desktop and mobile users: … increased password security, protection against insecure download and form submission, and biometric protection when autofilling saved passwords.
…
.well-known/change-password support: … When Chrome performs a password check of saved login credentials, if any of the passwords are involved in data breaches, it will prompt the user to change their password.
…
Safety check: … checks the browser and saved data to ensure that they are secure and not compromised. … Google is enabling this feature in the mobile browser.
…
Enhanced Safe Browsing [rolls out] to Android: … Real-time protection when browsing the web and downloading files … using Chrome by sharing additional information with Google Safe Browsing in real time.
…
iOS users also get a security boost with … biometric authentication when autofilling saved passwords. … Google now blocks mixed content downloads for executable files and archives [and] will now warn users when submitting insecure mixed content forms.
And phishing? Abner Li adds: Chrome 86 release:
Long URLs that include the correct page name are often used to mislead people into thinking they are on a reputable or desired site. To combat this common phishing tactic, Chrome 86 will test showing only the registrable domain in the address bar as part of a Chrome 86 test.
…
Chrome 86 also includes a new “Safety Tip” on sites with URLs that look “very similar” to other sites. To combat phishing, client-side heuristics are used, with Google launching a “Did you mean …?” warning that makes you confirm the address before continuing.
…
Chrome will make it more explicit when an “Update” is available by placing a green warning to the right of your profile avatar.
What about cache attacks? Eiji Kitamura Massacres: [Today is a good day to be fired—Ed.]
The time it takes for a website to respond to HTTP requests can reveal that the browser has accessed the same resource in the past, opening the browser to security and privacy attacks. … To mitigate these risks, Chrome will partition its HTTP cache starting with Chrome 86. … Cached resources will be keyed with a new “Network Isolation Key” in addition to the URL of the resource.
…
There may be performance implications for some web services. … For example, those serving large volumes of highly cached resources across many sites (such as popular fonts and scripts) may see an increase in their traffic. … The overall cache miss rate increases by approximately 3.6%, changes to FCP (First Contentful Paint) are modest (~0.3%), and the overall fraction of bytes loaded from the network increases by approximately 4%.
…
Dedicated workers use the same key as the current frame. Service workers and shared workers are more complicated, as they can be shared between multiple top-level sites. The solution for them is currently under discussion.
So Google’s Abdel Karim Mardini is proud to announce New password protections (and more!) in Chrome:
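To make the partitioning point concrete, here is an added toy model (not Chrome’s code) of an HTTP cache keyed either by URL alone or by a Network Isolation Key plus URL. It simplifies the key to scheme plus hostname of the top-level page (Chrome uses the registrable domain), and the site names are constructed.

```python
from urllib.parse import urlsplit


def site(url: str) -> str:
    """Simplification: scheme + host stands in for Chrome's scheme + eTLD+1."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.hostname}"


class ToyCache:
    """Dict-backed cache; counts how often a miss forces a 'network' fetch."""

    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self.entries = {}
        self.fetch_count = 0

    def key(self, top_level_url: str, resource_url: str):
        if self.partitioned:
            return (site(top_level_url), resource_url)  # NIK + URL (Chrome 86)
        return (resource_url,)                           # URL only (pre-86)

    def load(self, top_level_url: str, resource_url: str) -> str:
        """Return 'hit' or 'miss'; a miss is recorded as one network fetch."""
        k = self.key(top_level_url, resource_url)
        if k in self.entries:
            return "hit"
        self.fetch_count += 1
        self.entries[k] = True
        return "miss"


def cross_site_lookup(partitioned: bool) -> str:
    """Site A loads a script; site B later requests the same URL.
    Without partitioning the hit reveals the earlier visit; with it, no leak."""
    cache = ToyCache(partitioned)
    script = "https://static.site-a.example/app.js"  # constructed sample URL
    cache.load("https://site-a.example/", script)
    return cache.load("https://site-b.example/", script)


def shared_resource_fetches(partitioned: bool, n_sites: int) -> int:
    """The cost side: a font used by n unrelated sites is fetched once
    without partitioning, but once per top-level site with it."""
    cache = ToyCache(partitioned)
    font = "https://fonts.example/roboto.woff2"  # constructed sample URL
    for i in range(n_sites):
        cache.load(f"https://site{i}.example/", font)
    return cache.fetch_count
```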
Passwords are often the first line of defense in our digital lives. Today, we are improving the security of passwords on Android and iOS devices.
…
We notify you when you have compromised passwords on websites, but it can take a long time to search for the appropriate form to change your password. To help, we’re adding support for “.well-known/change-password” URLs that allow Chrome to direct users to the correct “change password” form.
What should DevOps do? Ricky Mondello and Theresa O’Connor present A Well-Known URL for Changing Passwords:
This specification defines a well-known URL that sites can use to let tools discover their password change forms. This simple feature gives software a way to help users find where to change their password. … This document was produced by the [W3C] Web Application Security Working Group.
…
Currently, sites lack a way to programmatically advertise where a user can change their password. By proposing a well-known URL for changing passwords, this specification allows password managers to help users change their passwords on sites that support it.
…
The change password URL for the origin “https://example.com/” is “https://example.com/.well-known/change-password”. … Servers should redirect HTTP requests for an origin’s change password URL to the actual page where users can change their password.
There goes Google again, trying to wrest control of the web, like some kind of Gates-era Microsoft. TheLazyEngineer says there’s more to it than that:
Maybe that’s true, but that doesn’t mean web developers can ignore the fact that Chrome is an important platform for them to consider. Because regardless of what you want, it is also true that Chrome has more than a billion users.
Emil Protalinski agrees:
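Here is an added example (not the spec’s or Chrome’s code) of both sides of that rule: a minimal WSGI app that answers the well-known URL with a redirect, and the check a password manager (or your own CI) would run to confirm a site supports it. The form path `/account/password` and the origin `https://example.com` are assumed.

```python
from urllib.parse import urljoin, urlsplit
from wsgiref.util import setup_testing_defaults

WELL_KNOWN_PATH = "/.well-known/change-password"
CHANGE_FORM_PATH = "/account/password"  # assumed location of the real form


def app(environ, start_response):
    """Site side: redirect the well-known URL to the real change-password form."""
    path = environ.get("PATH_INFO", "")
    if path == WELL_KNOWN_PATH:
        start_response("302 Found", [("Location", CHANGE_FORM_PATH)])
        return [b""]
    if path == CHANGE_FORM_PATH:
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<form method=post><input type=password autocomplete=new-password></form>"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def legacy_app(environ, start_response):
    """A site that has not adopted the spec: every path, including the well-known one, is a 404."""
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def change_password_url(origin: str) -> str:
    """The spec's rule: the origin followed by /.well-known/change-password."""
    return origin.rstrip("/") + WELL_KNOWN_PATH


def probe(application, path: str):
    """Call a WSGI app in-process (no network) and return (status_code, headers)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(headers)

    list(application(environ, start_response))  # drain the body iterator
    return captured["status"], captured["headers"]


def discover_change_form(application, origin: str):
    """Tool side: return the form URL only if the well-known URL redirects to a
    page that really exists; a 404 or a redirect to nowhere means 'unsupported'."""
    status, headers = probe(application, urlsplit(change_password_url(origin)).path)
    if 300 <= status < 400 and "Location" in headers:
        target = urljoin(origin, headers["Location"])
        if probe(application, urlsplit(target).path)[0] == 200:
            return target
    return None
```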
With over 1 billion users, Chrome is both a browser and an important platform for web developers to consider. In fact, with the regular additions and changes to Chrome, developers should be aware of everything available, as well as what has been deprecated or removed.
…
Chrome 86 now automatically updates forms that don’t submit data securely. … Secure connections are generally seen as a necessary measure to reduce the risk of users being vulnerable to content injection… eavesdropping, man-in-the-middle attacks and other data modifications.
…
So Google spent at least $72,000 on bug bounties for this version, a huge amount compared to their usual spending. As always, the security fixes alone should be incentive enough for you to update.
But u/malaclypso swears the question on everyone’s lips is:
The thing is, why doesn’t the most used browser [in] the world optimize its RAM usage ******? It would be … a better browsing experience for less fortunate users who don’t have a lot of RAM.
…
Yes, I only have 8 gigabytes and I refuse to buy more just to power Chrome. So fuck you Google.
Meanwhile, 93 Escort car doesn’t believe the hype:
I protect my passwords by not saving them using the built-in password management in any browser.
The moral of the story?
TODO: Support the change-password-url standard already. And remove any last vestiges of mixed content.
And finally
All Star, but it’s Hunter and Zac
You’ve been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This Week’s Zomgsauce: Marek Panek (cc: by)