Chrome at 10: Google reshapes web security, now wants to 'kill' the URL

The Google Chrome browser is 10 years old this week.

Let’s review how Chrome has changed web security since 2008. Let’s also check out the new features of Chrome 69, including a much-improved password manager.

But Google’s got a super-controversial proposal to “kill”—or at least hide—the ubiquitous URL. In this week’s Security Blogwatch, we welcome our Googly overlords.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The peculiar randomness of Bill Wurtz 

Chrome has a tweenage tantrum

What’s the craic? Frederic Lardinois offers Chrome gets a new look for its 10th birthday:

It’s been ten years since Google first launched Chrome. At the time, Google’s browser was a revelation. … Here was Google, with a fast browser that was built for the modern web.

To mark the day, the company today officially launched its new look for Chrome and previewed what it has in stock for the future. … The new Chrome user interface, which is going live on all the platforms the browser supports, follows Google’s Material Design 2 guidelines.

Chrome now offers an updated password manager that can automatically generate (and save) strong passwords for you, as well as improved autofill.

Oh, that sounds interesting, right? Marrian Zhou has faint praise—Chrome wants to help you stop recycling the same damn passwords:

[The] improved built-in password manager … automatically generates a random password when you sign up on a new website. … It's one of the new features Google unveiled as part of a redesign of its Chrome browser.

Google saves the auto-generated passwords with your Google account, so they should survive intact even if you drop your phone into the ocean or your laptop dies. And if you're interested in moving from Chrome to a cross-browser password manager like 1Password, LastPass or Bitwarden, you can.

So, happy birthday. Hey, Lily Hay Newman? How Google Chrome Spent a Decade Making the Web More Secure:

As Google's browser hits its 10th birthday … it's worth noting one under-appreciated source of its popularity: how it made the web more secure. Google developers … did architect the service to combine crucial components in a new way, creating a noticeably safer … browsing experience.

Crucially, Chrome managed tabs in a new way; its "sandbox" made each one run with its own permissions and protected memory. … For the first time, a browser functioned more like an operating system, running many isolated programs on a permission system, rather than as a single free-for-all.

The browser is still underpinned by a massive open source project. … Google has even paid out more than $4.2 million through its bug bounty program to researchers who submit Chrome vulnerabilities.

One crucial project over the last few years has been expanding the concept of the Chrome sandbox through a new feature called "site isolation," [which] ended up protecting against Meltdown and Spectre-type processing exploits.

Where formerly sites with HTTPS were marked secure, Chrome changed to treat that as the norm and … marking sites that only used HTTP as insecure. … Chrome engineers also say that bringing phishing under control remains a major priority. … Perhaps most notably, the team says that its next HTTPS-scale project will be working to redesign how URLs are displayed.

Wait, what? Here’s Google’s Adrienne Porter Felt—@__apf__—defending herself:

URLs aren't usable, but people are forced to rely on them for so much – browsing, security, sharing. Expect to see changes to how Chrome displays identity in the coming year. … If you're an academic researcher doing work in this space, I would LOVE to hear from you!

People don't look at them when they ought to. And when they do, they don't know which part to look at. We are exploring ways of drawing attention to the right identity indicators at the right times.

I get it. You like how URLs are now. But we're in a sad state for security: hard to enter correctly, people don't check when they should, and easy to make convincing spoofs. We shouldn't accept the status quo just bc change feels hard. … We have a bunch of user research ongoing right now, which we'll share publicly soon!

People who don't understand URLs generally do not complain about URLs. They don't talk about URLs. Or think about them. That's the problem, and what makes phishing so successful.

Uh-oh. That doesn’t sound good. Tobie Langel—@tobie—replies thuswise:

Why don’t you bring this conversation into a more open forum? URLs are a critical part of how the web works. It’d be great (and much more productive) if attempting to change them wasn’t the work of a single company with so much power.

What about other browser vendors? Platforms that let end-users share content through URLs? The various relevant SDOs? The broader web community? … This might very well be a well intentioned effort, but from an outsider’s perspective it looks everything but. Which is a shame.

Regardless of the nature of the intentions behind it—which, knowing many Googlers, I believe are good—this (1) should be discussed in a broader forum, and (2) is going to be perceived as sketchy if it isn’t.

W3C? WHATWG? [Web Incubator CG]? IETF? There are plenty of vendor neutral places designed to carry out precisely these kinds of conversations in public.

A vendor neutral place would be a better fit for such conversation. … There are second and third order consequences to how URLs are perceived which might have deeper implications.

But what’s the source of all this fear? sinij cuts to the chase:

In other news, Google wants to track you more.

It is not acceptable [to] Google that some browsing bypasses Google search engine when people directly type in URLs.

And Rick Schumann is less subtle about it:

What the hell is this bull****?

Seriously, Google, what the actual **** is wrong with you?

Or is it that people have become so ****ing dumb that they really can't type in {website}.{top_level_domain}? Considering all the stupid **** I see in the news pretty much every single day … I'd be very tempted to believe that, too.

What about a carrot, rather than a stick? Here’s Chris Koss:

Google could accomplish a similar result by publishing a 'nice URL' standard, where your page can be dinged on SEO if it does not conform.

Getting rid of the thousands of ugly URLs used by their own products could also go a long way.

Yet this Anonymous Coward kinda sees Google’s point. Kinda:

People don't understand URLs. … That doesn't mean we should let Google be the arbiter of identity on the internet.

But but but … security! Won’t somebody think of the children, etc? hyades1 scoffs:

Where have we heard this before?

Just like always, some powerful agent seeking to invade the privacy of individuals more comprehensively uses "security" as an excuse. Meanwhile, methods that could make the existing system far more secure (while preserving anonymity for those who need it) are ignored.

If I remember correctly, Google just got caught investigating ways to help China's Big Brother regime weaponize its search engine by turning it into a government-friendly propaganda tool. Google needs to be told in no uncertain terms to shove this … up its corporate ****.

Meanwhile, with a modest proposal, here’s another Anonymous Coward:

Why reinvent the wheel? … Isn't this what SSL Certs were supposed to fix?

The only important part of a URL to the vast majority of end users is the domain name. As long as that's shown and the SSL is valid just show that bit.

Clicking into the address bar gives the entire address to copy/bookmark/whatever.
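As an added illustration of the commenter’s proposal (my own code, not from the original post or from Chrome), here is a small identity-indicator function built on the WHATWG URL parser: it shows only the hostname, keeps the full URL for the click-through case, and flags the parts a naive “just show the domain” display would mishandle. The input URLs in the comments are constructed; certificate validity is out of scope and left as a caller concern.

```javascript
// Hypothetical identity indicator for an address bar, added here as an example.
// Uses the WHATWG URL parser (the `URL` global in browsers and Node.js).
// Returns the hostname to display, the full href for copy/bookmark on click,
// and warnings for pieces of the URL that a hand-rolled display often gets wrong.
function identityIndicator(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    // Anything the parser rejects gets no identity indicator at all.
    return { ok: false, reason: 'unparseable' };
  }

  const warnings = [];

  // The parser puts "user:pass@" into username/password, never into hostname,
  // so "bank.example@evil.example" still displays as evil.example.
  if (url.username || url.password) warnings.push('userinfo present');

  // The commenter's condition was "the SSL is valid"; at minimum the scheme
  // must be https before a padlock-style indicator is even considered.
  if (url.protocol !== 'https:') warnings.push('not https');

  // hostname is the ASCII (punycode) form; an "xn--" label is an IDN label
  // and should be shown to the user in a way that does not hide that fact.
  if (url.hostname.split('.').some((label) => label.startsWith('xn--'))) {
    warnings.push('idn label');
  }

  return {
    ok: true,
    display: url.hostname, // what the indicator shows
    full: url.href,        // what clicking into the bar exposes
    warnings,
  };
}
```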

The moral of the story? Congratulations, we killed Microsoft’s browser oligopoly, and replaced it with Google’s. Be careful what you wish for!

And finally …

Bill Wurtz takes his peculiar brand of randomness to the next level

[Starts off in typical Wurtz style, but then veers off, deep into what-did-I-just-watch territory.]
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Anne Norman (cc:by)
