Google is proud to announce the birth of a bouncing baby browser. Behold: release 86 of Chrome, Larry and Sergey’s stupidly popular web access app–cum PWA platform.
“So what?” I hear you yell. So it’s got a bunch of things that DevOps needs to think about. Not the least of which is support for the W3C change-password-url standard, and Google’s beefed-up focus on nixing mixing content.
But don’t bother, if none of your users use Chrome. In this week’s Security Blogwatch, we snort at the thought.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: stories.
<!--TODO-->
What’s the craic? Lawrence Abrams reports—Chrome 86 rolls out with massive user security enhancements:
Google has released Chrome 86 … to the Stable desktop channel, and it includes numerous security enhancements … to both desktop and mobile users: … increased password security, protection from insecure downloads and form submissions, and biometric protection when auto-filling saved passwords.
…
.well-known/change-password support: … When Chrome performs a password checkup of saved login credentials, if any passwords are involved in data breaches, it will prompt the user to change their password.
…
Safety Check: … performs a checkup of the browser and saved data to ensure it is secure and not compromised. … Google is enabling this feature in the mobile browser.
…
Enhanced Safe Browser [rolled] to out to Android: … Real-time protection when browsing the web and downloading files … by Chrome sharing additional information with Google Safe Browsing in real-time.
…
iOS users also get a security boost with … biometric authentication when auto-filling saved passwords. … Google now blocks mixed content downloads for executables and archives [and] will now warn users when they submit insecure mixed content forms.
What about phishing? Abner Li adds—Chrome 86 rolling out:
Long URLs that include the correct page name are often used to spoof people into thinking they are on a reputable/desired site. To combat this common phishing tactic, Chrome 86 will test only showing the registrable domain in the address bar as part of a test in Chrome 86.
…
Chrome 86 also features a new “Safety Tip” on sites with URLs that look “very similar” to those of other ones. Meant to combat spoofing, client-side heuristics are leveraged with Google throwing up a “Did you mean… ?” warning that makes you confirm the address before continuing.
…
Chrome will make it more explicit when an “Update” is available by placing a green warning to the right of your profile avatar.
And cache attacks? Eiji Kitamura massacres: [Today is a good day to be fired—Ed.]
The time a website takes to respond to HTTP requests can reveal that the browser has accessed the same resource in the past, which opens the browser to security and privacy attacks. … To mitigate these risks, Chrome will partition its HTTP cache starting in Chrome 86. … Cached resources will be keyed using a new "Network Isolation Key" in addition to the resource URL.
…
It may impose performance considerations for some web services. … For example, those that serve large volumes of highly cacheable resources across many sites (such as fonts and popular scripts) may see an increase in their traffic. … The overall cache miss rate increases by about 3.6%, changes to the FCP (First Contentful Paint) are modest (~0.3%), and the overall fraction of bytes loaded from the network increases by around 4%.
…
Dedicated workers use the same key as their current frame. Service workers and shared workers are more complicated since they may be shared among multiple top-level sites. The solution for them is currently under discussion.
So Google’s Abdel Karim Mardini is proud to announce New Password Protections (and more!) in Chrome:
Passwords are often the first line of defense for our digital lives. Today, we’re improving password security on both Android and iOS devices.
…
We notify you when you have compromised passwords on websites, but it can be time-consuming to go find the relevant form to change your password. To help, we’re adding support for ".well-known/change-password" URLs that let Chrome take users directly to the right “change password” form.
What does DevOps need to do? Ricky Mondello and Theresa O’Connor submit A Well-Known URL for Changing Passwords:
This specification defines a well-known URL that sites can use to make their change password forms discoverable by tools. This simple affordance provides a way for software to help the user find the way to change their password. … This document was produced by the [W3C] Web Application Security Working Group.
…
Sites currently lack a way to programmatically advertise where a user can change their password. By proposing a well-known URL for changing passwords, this specification enables password managers to help users change their passwords on sites which support it.
…
The change password url for origin "https://example.com/" is "https://example.com/.well-known/change-password". … Servers should redirect HTTP requests for an origin’s change password url to the actual page on which users may change their password.
There Google goes again, trying to wrest control of the web, like some sort of Gates-era Microsoft. TheLazyEngineer says there’s more to it than that:
Maybe true, but that does not mean that web developers can ignore that chrome is a major platform that web developers must consider. Because regardless of what one may wish, it is also true that Chrome has over a billion users.
And Emil Protalinski agrees:
With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome’s regular additions and changes, developers have to stay on top of everything available — as well as what has been deprecated or removed.
…
Chrome 86 now autoupgrades forms that don’t submit data securely. … Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection … eavesdropping, man-in-the-middle attacks, and other data modification.
…
Google thus spent at least $72,000 in bug bounties for this release, a massive amount compared to its usual spend. As always, the security fixes alone should be enough incentive for you to upgrade.
But u/malaclypso swearily asks the question on everyone’s lips:
Thing is, why does the most used browser [in] the world not optimise their ****** RAM usage? It would … make a better browsing experience for less fortunate users that don't have lots of RAM.
…
Yes, I only have 8 gigabytes and I refuse to buy more just to feed Chrome. So **** you Google.
Meanwhile, 93 Escort Wagon doesn’t believe the hype:
I protect my passwords by not saving them using any browser’s built-in password management.
The moral of the story?
TODO: Support the change-password-url standard, already. And excise any last vestiges of mixed content.
And finally
All Star, but it’s by Hunter and Zac
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This week’s zomgsauce: Marek Panek (cc:by)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
