Archive for the ‘chrome’ Category

Chrome will soon block resource-draining ads. Here’s how to turn it on now

May 14th, 2020

Chrome browser users take heart: Google developers are rolling out a feature that neuters abusive ads that covertly leech your CPU resources, bandwidth, and electricity.

The move comes in response to a swarm of sites and ads first noticed in 2017 that surreptitiously use visitors’ computers to mine bitcoin and other cryptocurrencies. As the sites or ads display content, embedded code performs the resource-intensive calculations and deposits the mined currency in a developer-designated wallet. To conceal the scam, the code is often heavily obfuscated. The only signs something is amiss are whirring fans, drained batteries, and for those who pay close attention, increased consumption of network resources.

In a post published on Thursday, Chrome Project Manager Marshall Vale said that while the percentage of abusive ads is extremely low—somewhere around 0.3 percent—they account for 28 percent of CPU usage and 27 percent of network data.

Posted in Biz & IT, browsers, chrome, cryptocurrencies, cryptojacking | Comments (0)

Study ranks the privacy of major browsers. Here are the findings

March 17th, 2020

Microsoft Edge received the lowest privacy rating in a recently published study that compared the user information collected by major browsers. Yandex, the less-popular browser developed by the Russian Web search provider Yandex, shared that dubious distinction. Brave, the upstart browser that makes privacy a priority, ranked the highest.

The rankings were revealed in a research paper published by Trinity College Dublin computer scientist Doug Leith. He analyzed and rated the privacy provided by Google Chrome, Mozilla Firefox, Apple Safari, Brave, Edge, and Yandex. Specifically, the study examined the browsers’ sending of data—including unique identifiers and details related to typed URLs—that could be used to track users over time. The findings put the browsers into three categories with Brave getting the highest ranking, Chrome, Firefox, and Safari receiving a medium ranking, and Edge and Yandex lagging behind the rest.

In the paper, Leith wrote:

Posted in Biz & IT, browsers, chrome, EDGE, Firefox, Policy, Privacy, Safari | Comments (0)

Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

February 25th, 2020
Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days. The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities, all of which have been marked 'HIGH' in severity, including one (CVE-2020-6418) that has reportedly been exploited in the wild.

Posted in chrome, Chrome vulnerability, cyber security, Google Chrome, remote code execution, Vulnerability | Comments (0)

Office365 Pro Plus won’t hijack your search engine after all

February 11th, 2020

In late January, Microsoft announced that a near-future Office 365 update would roll out a Chrome extension forcing all searches to run through Bing, regardless of the user's configured search engine preference. Several weeks of torches and pitchforks from sysadmins and users alike seem to have convinced the company that this was a tactical error, and today Microsoft announced a change of plans—although they couldn't resist prefacing it by announcing how exciting the original, unpopular change really was.

On January 22, 2020 we announced in advance that the Microsoft Search in Bing browser extension would be made available through Office 365 ProPlus on Windows devices starting at the end of February. Since then, we’ve heard from many customers who are excited about the value Microsoft Search provides through Bing and the simplicity of deploying that value through Office 365 ProPlus. With Microsoft Search integrated, Bing becomes a single search engine for users to find what they need - both from inside their organization and the public web.

But we’ve also heard concerns about the way we were planning to roll this value out.

The Microsoft Search in Bing browser extension will no longer be deployed by default to Office 365 Pro Plus users. Instead, administrators will get a new toggle in the Admin Center allowing them to deploy the extension to their organization—and, importantly, the toggle defaults to off.

For now, even when an admin decides to toggle the feature on, it only affects managed (Active Directory domain joined) devices—employees' personal and home computers won't get Binged as a result, even if they've used some of the five legitimate installations per license to put Office 365 Pro Plus on those devices. (Microsoft does plan additional settings to allow more granular control of unmanaged devices in the future, so BOFHs will simply need to be patient.)

Posted in Bing, Biz & IT, chrome, microsoft, Office 365, Tech | Comments (0)

Protecting users from insecure downloads in Google Chrome

February 6th, 2020

Update (04/06/2020): Chrome was originally scheduled to start user-visible warnings on mixed downloads in Chrome 82. These warnings, as well as subsequent blocking, will be delayed by at least two releases. Console warnings on mixed downloads will begin as scheduled in Chrome 81.

At this time, we expect to start user-visible warnings in Chrome 84. The Chrome Platform Status entry will be kept up-to-date as timing is finalized. Developers who are otherwise able to do so are encouraged to transition to secure downloads as soon as possible to avoid future disruption.


Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking "mixed content downloads" (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.

Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.

As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.

Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.

We plan to roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. Our plan for desktop platforms is as follows:

  • In Chrome 81 (released March 2020) and later:
    • Chrome will print a console message warning about all mixed content downloads.
  • In Chrome 82 (released April 2020):
    • Chrome will warn on mixed content downloads of executables (e.g. .exe).
  • In Chrome 83 (released June 2020):
    • Chrome will block mixed content executables
    • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
  • In Chrome 84 (released August 2020):
    • Chrome will block mixed content executables, archives and disk images
    • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
  • In Chrome 85 (released September 2020):
    • Chrome will warn on mixed content downloads of images, audio, video, and text
    • Chrome will block all other mixed content downloads
  • In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.

[Image: Example of a potential warning]

Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.

Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can activate a warning on all mixed content downloads for testing by enabling the "Treat risky downloads over insecure connections as active mixed content" flag at chrome://flags/#treat-unsafe-downloads-as-active-content.

Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.

In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at security-dev@chromium.org.
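
A static check a site owner can run over their own HTML to find the mixed content downloads described above, as an added example that is not part of the Chrome team's post. It assumes a regex scan of anchor tags is sufficient; only .exe, .zip and .iso are named in the post, the other extensions are assumptions, and the version numbers are the originally announced desktop schedule, which the update at the top of the post delays.

```javascript
// Added example (not from the Chrome post). Tiers follow the post's original
// desktop schedule; the update above delays user-visible warnings.
// Only .exe, .zip and .iso are named in the post; other extensions are assumed.
const TIERS = [
  { name: "executable", warnFrom: 82, blockFrom: 83, exts: ["exe", "msi", "dmg"] },
  { name: "archive/disk image", warnFrom: 83, blockFrom: 84, exts: ["zip", "iso", "7z"] },
  { name: "image/audio/video/text", warnFrom: 85, blockFrom: 86,
    exts: ["png", "jpg", "mp3", "mp4", "txt"] },
];
const OTHER = { name: "other", warnFrom: 84, blockFrom: 85 };

// Returns one finding per <a> on an HTTPS page whose target is an HTTP download.
function findMixedDownloads(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // "mixed" only applies to secure pages
  const findings = [];
  for (const [, attrs] of html.matchAll(/<a\b([^>]*)>/gi)) {
    const href = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (!href) continue;
    let target;
    try {
      target = new URL(href[1] ?? href[2] ?? href[3], page); // resolves relative links
    } catch {
      continue; // unparseable href
    }
    if (target.protocol !== "http:") continue;
    const match = /\.([a-z0-9]+)$/i.exec(target.pathname);
    const ext = match ? match[1].toLowerCase() : "";
    const hasDownloadAttr = /(^|\s)download(\s|=|$)/i.test(attrs);
    const tier = TIERS.find((t) => t.exts.includes(ext));
    if (!tier && !hasDownloadAttr) continue; // treat as ordinary navigation
    const { name, warnFrom, blockFrom } = tier || OTHER;
    findings.push({ url: target.href, tier: name, warnFrom, blockFrom });
  }
  return findings;
}

// Constructed sample page; example.test hosts are placeholders.
const SAMPLE_HTML = `
  <a href="http://dl.example.test/setup.exe">Installer</a>
  <a href="https://dl.example.test/setup.exe">Installer (HTTPS)</a>
  <a href='http://dl.example.test/backup.ZIP'>Backup</a>
  <a href="/local/tool.iso">Same-origin ISO</a>
  <a href="http://dl.example.test/statement" download>Statement</a>
  <a href="http://example.test/about.html">About</a>`;

console.table(findMixedDownloads("https://www.example.test/downloads", SAMPLE_HTML));
```

Links that only become downloads through a server-side Content-Disposition header are invisible to this scan, so the Chrome 81 console warnings remain the authoritative check.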

Posted in chrome, security | Comments (0)

The fractured future of browser privacy

February 1st, 2020

In the 1990s, web browsers like Netscape Navigator and Microsoft Internet Explorer competed bitterly to offer the snazziest new features and attract users. Today, the browser landscape looks totally different. For one thing, Chrome now dominates, controlling around two-thirds of the market on both desktop and mobile. Even more radical, though, is the recent competitive focus on privacy, a welcome change for anyone who's gotten sick of creepy ad tracking and data mismanagement. But as browsers increasingly diverge in their approaches, it's clear that not all privacy protections are created equal.

At the USENIX Enigma security conference in San Francisco this week, developers, security researchers, and privacy advocates presented differing views of how browsers should protect their users against data abuses. In a panel discussion that included representatives from Mozilla Firefox, Google Chrome, Microsoft Edge, and Brave, all participants agreed that collaboration across the industry has driven innovation and helped make privacy a priority. But some browsers are taking a hardline approach, while others prefer to increase protections within the status quo.

Posted in Biz & IT, browsers, chrome, EDGE, Firefox, Policy, Privacy, Safari | Comments (0)

More than 200 browser extensions ejected from Firefox and Chrome stores

January 30th, 2020

Mozilla and Google are cracking down on malicious and abusive extensions available for the Firefox and Chrome browsers, respectively. The moves come in response to the recent detection of add-ons that turned out to violate the browser makers' policies, despite review processes designed to weed out wares that are malicious or have the potential to be malicious.

The most significant move was Mozilla's ouster over the past month of almost 200 extensions. The majority of them—129, to be exact—were developed by 2Ring, a maker of business software. There's no evidence the extensions were malicious, but Mozilla officials found they executed code hosted on a remote server, in violation of Mozilla policies. The representative added that current installations aren't affected and users who want to install an extension can still do so manually.

A 2Ring representative said that company officials have contacted Mozilla about the move and are awaiting a response. The representative added that the extensions, which businesses use to integrate select CRM systems with apps installed in customer contact centers, interact only with user white-listed applications specified in the extension's configuration.

Posted in Biz & IT, chrome, extensions, Firefox, google, Mozilla | Comments (0)

Google plans to drop Chrome support for tracking cookies by 2022

January 15th, 2020

Feeling the pressure from competing browser developers, Google on Tuesday laid out a plan to drop Chrome support of tracking cookies within two years.

The plan is laid out in a post titled "Building a more private Web: A path towards making third party cookies obsolete." It articulates a shift from a stance Chrome developers took in August, when they warned that the blocking of support for third-party cookies—which allow advertisers to track people as they move from site to site—would encourage the use of an alternative tracking method. Known as browser fingerprinting, it collects small characteristics of a browser—for instance, installed fonts or plugins, screen size, and browser version—to uniquely identify the person using it. Unlike cookies, fingerprinting is harder to detect, and user profiles can't be easily deleted.

Instead, Google's August post unveiled the "privacy sandbox," a proposed set of open standards that would serve as an alternative to the blocking of third-party cookies. Privacy sandbox uses browser-based machine learning and other techniques to determine user interests and aggregate them with other users. Google—whose ad-driven revenue model strongly favors ads that target individuals' interests and demographics—said the proposed standard would allow advertisers to deliver more relevant ads without allowing them to track individual users.

Posted in Biz & IT, browsers, chrome, google, Privacy, tracking cookies | Comments (0)

ISPs lied to Congress to spread confusion about encrypted DNS, Mozilla says

November 4th, 2019

Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome.

The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.

Posted in Biz & IT, chrome, dns-over-https, Firefox, google, Mozilla, Policy | Comments (0)

Comcast fights Google’s encrypted-DNS plan but promises not to spy on users

October 25th, 2019

Comcast has gone on the record to say that it does not track its broadband users' Web browsing histories, even though the company is lobbying against a Google plan that could make it harder for ISPs to track their users.

Comcast yesterday released a statement titled, "The Facts about Privacy with Comcast's Xfinity Internet Service." Comcast said:

Where you go on the Internet is your business, not ours. As your Internet Service Provider, we do not track the websites you visit or apps you use through your broadband connection. Because we don't track that information, we don't use it to build a profile about you and we have never sold that information to anyone.

Comcast further said that it does not and has never sold "information that identifies who you are to anyone," and the company claims it has never sold location data gathered from Comcast's mobile service. Comcast also said it deletes DNS queries generated by its Internet customers every 24 hours "except in very specific cases where we need to research a security or network performance issue, protect against security threats, or comply with a valid legal request."

Posted in Biz & IT, chrome, Comcast, dns-over-https, encrypted dns, Firefox, google, Mozilla, Policy | Comments (0)