Google giveth with one hand whilst taking with the other

Subject: General Tech | August 28, 2015 - 04:40 PM |
Tagged: google, chrome, flash, apple

The good news from Google is that as of next month, Flash ads will be 'Click to Play' when you are browsing in Chrome.  This will be nice for the moving ads but even better for defeating those sick minded advertisers who think audio ads are acceptable.  However this will hurt websites which depend on ad revenue ... as in all of the ones that are not behind a paywall which have Flash based ads.  The move will make your web browsing somewhat safer as this will prevent the drive-by infections which Flash spreads like a plague infested flea and as long as advertisers switch to HTML 5 their ads will play and revenue will continue to come in.

The news of Chrome's refusal to play Flash ads is tempered somewhat by Google's decision to put advertising ahead of security for Apple devices.  The new iOS 9 uses HTTPS for all connectivity, providing security and making it more difficult for websites to gather personalized data but as anyone who uses HTTPS Everywhere already knows, not all advertisements are compliant and are often completely blocked from displaying.  To ensure that advertisers can display on your iOS9 device Google has provided a tool to get around Apple's App Transport Security thus rendering the protection HTTPS offers inoperative.  Again, while sites do depend on advertisements to exist, sacrificing security to display those ads is hard to justify.

adobe-flash-player-icon.jpg

"The web giant has set September 1, 2015 as the date from which non-important Flash files will be click-to-play in the browser by default – effectively freezing out "many" Flash ads in the process."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Google Chrome Team Commits to XP Throughout 2015

Subject: General Tech | April 17, 2015 - 07:00 AM |
Tagged: windows xp, windows, microsoft, google, EoL, chrome

It has been a year since Microsoft cut off extended support for Windows XP including Internet Explorer security updates for the platform. Yeah, I know, it doesn't feel like it. Other browser vendors announced that they would continue to target the retired OS after Microsoft washed their hands of it. At the time, Google said they would give at least 12 months support, which brings us to yesterday.

Google_Chrome_icon_(2011).png

Now Google is extending their commitment to the end of the year. They did not say that it was a hard deadline for their customers, but they also did not add an “at least” qualifier this time. The browser vendor wants people to upgrade and admits that they cannot genuinely provide a secure experience if a known issue bites everyone at the OS level. You can keep training the guard at the door, but if your window falls out, mind the pun, then it is still dangerous to be inside.

Granted, we have not seen a major attack on XP over the last year. You would have to think that, even if the attacks are sophisticated, some of the victims would have noticed and reported it to someone. Still, I wonder how it keeps surviving, especially since I would have thought that at least one vulnerability in the last twelve Patch Tuesdays could be ported back to it.

Maybe it is too small of a target?

Source: Google

Since TLS connections mostly ignore OCSP, Firefox is creating yet another solution

Subject: General Tech | March 5, 2015 - 01:46 PM |
Tagged: security, OneCRL, irony, firefox, CRLSet, chrome

It seems somehow strange that the vast majority of 'secure' connections still completely ignore what were developed as industry standards to ensure security in favour of creating their own solutions but that is the world a security professional lives in.  The basic design of OCSP does carry with it a lot of extra bandwidth usage and while maintaining a time limited local cache, referred to as stapling, would ameliorate this your TLS connection is not likely to support that solution.  Instead of fixing the root cause and utilizing existing standards it would seem that Firefox 37 will start a brand new solution, maintaining a list of revoked certificates ironically called OneCRL which will be pushed out to Firefox users, duplicating the CRLSet which Chrome has already developed and maintains. 

This is good for the end user in that it does add security to their browsing session but for those truly worried about attempting to make the net a safer place it offers yet another list to keep track of and for attackers yet another vector of attack.  At some point we will have to stop referring to standards when referencing networking technology.  Pour through the links on the Slashdot post and read through the comments to share in the frustration or to familiarize yourself with these concepts if the acronyms are unfamiliar.

firefox-crset-onecrl.jpg

"The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Rumor: 15.4" Broadwell-U Chromebooks Are Coming

Subject: General Tech, Systems | December 29, 2014 - 01:42 PM |
Tagged: laptop, google, dell, ChromeOS, Chromebook, chrome, acer

According to DigiTimes via The Tech Report, because of course DigiTimes, we should receive 15.4-inch Chromebooks in the near future. Their sources claim that both Acer and Dell have products planned with that operating system, in that size, and will cost less then $300. The Acer system is expected in March 2015 with Dell scheduled for some time in the first half of 2015.

12-failslow-Chrome.png

One part that stands out for me is the maximum price of $300. The claim is that this is a Google mandated ceiling for Chromebooks with up-to Core i3 performance. This is troubling for two reasons. First, depending on the details, it might dance around inside the minefield of price-fixing laws, although I am sure that Google is doing this in a legally. I mean, Apple has been getting away with enforcing maximum retail prices of iPods and iOS devices for around a decade and I believe console manufacturers do about the same.

Second, and more importantly, it limits the ability for manufacturers to be creative and innovative, which is the major advantage of an open ecosystem. Being a web browser-based platform, there is already constraints on what manufacturers can implement. Sure, Google is probably open to communication with their partnered hardware vendors, but it is uncomfortable none-the-less. I could use the Nexus Q as an example of an experiment but unfortunately it was neither a hit nor did it cost over $300. Sure, they could add a more powerful processor to escape that clause but it is still

These Chromebooks are expected to launch in the early half of 2015.

Source: Tech Report

ARChon Brings App Runtime for Chrome Outside ChromeOS

Subject: General Tech | September 20, 2014 - 02:33 PM |
Tagged: chrome os, chrome, google, Android

Last week, we reported on Google's App Runtime for Chrome (ARC) beta release. Its goal is to bring apps from the Google Play Store to ChromeOS through an Android stack built atop Native Client. They are sandboxed, but still hardware-dependent for performance. Since then, vladikoff on GitHub has published ARChon, a project which brings that initiative to desktop OSes.

archon-project.jpg

Image Credit: ARChon Project

To use Archon, you will need to use an x86-64 version of Chrome 37 (or later) on Windows, Mac, or Linux. This project is not limited to the handful of ARC-compatible apps that Google officially supports. The Android apps need to be converted into Chrome extensions using a tool, also available, called chromeos-apk. In fact, the example app is an open source version of the game, 2048, rather than just the four launch apps from Google.

Whether Google intends to offer this, officially, with their Chrome browser is the most interesting part for me. I would prefer that everything just works everywhere but, failing that, having a supported Android platform on the desktop without dual-booting or otherwise displacing the host itself could be interesting. And yes, Bluestacks exists, but it has not been something that I would recommend, at least in my experience of it.

Source: ARChon

Chrome officially hits the 64-bit era

Subject: General Tech | August 27, 2014 - 12:34 PM |
Tagged: chrome, 64-bit

The new version of Chrome can now supports 64-bit if you so choose to install that version of Google's browser.  The ability to address more memory is not the only benefit to this new version, it is also optimized for the P9 codec used for Youtube HD which The Inquirer was told now processes 15% more quickly and they agreed that it felt generally faster when using the new browser to surf.  The new version should also offer improved protection from memory layout vulnerabilities so it is certainly worth using on your 64 bit machine.

chrome-64-bit.jpg

"GOOGLE'S 64-BIT EDITION of the Chrome web browser for Windows has been declared stable with the release of Chrome 37."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Chrome might be less polite than you think

Subject: General Tech | January 24, 2014 - 01:37 PM |
Tagged: google, chrome, snooping, mic

If you have never heard the phrase "Those who eavesdrop hear nothing good about themselves" you are in good company as Google Chrome has not either.  A developer by the name of Tal Ater has discovered that Chrome can enable your microphone when you view certain malicious websites without your knowledge.  According to Google's online documentation, when Chrome enables your microphone you should see both a blinking red light appear in the tab you are viewing and a persistent icon in the system tray.  Unfortunately when The Register saw a test, the site created a pop-under window which displayed the red light and was not visible until the other browsing session was closed or moved, nor was there a system tray icon.  Even more worrying, the initial specification called for recording to be disabled when the tab with access to the mic was not active but was never implemented.

hqdefault.jpg

"A design flaw in the Chrome browser allows malicious websites to use your computer's microphone to eavesdrop on you, one developer has claimed, although Google denies this is the case."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Need another reason to upgrade from WinXP? You might be stuck with IE

Subject: General Tech | October 29, 2013 - 12:27 PM |
Tagged: winxp, firefox, chrome, browser

With 160 days remaining until the current official support expiration for WinXP unless you are willing to pay for the privilege of getting critical updates there is only a little time left in which third party providers need to continue support for the aging OS.  Two of the most noticeable of these will be Firefox and Chrome, both of which will be discontinuing development for their browsers on WinXP.  Their older versions will still work but will slowly succumb to more and more security vulnerabilities as they are discovered but not patched for WinXP.  This may not be the straw that breaks XP's back but recall that YouTube abandoning IE6 support was one of the driving forces behind the decline of that browser.  Slashdot comments for your entertainment here.

An update to this information does show that you have a while to go before this is a major concern as Firefox does not have a specific date in mind and Chrome is extending development for a few years yet.  You should still really consider upgrading to Win7 in the near future.

winxp.jpg

"While Windows XP is still going strong the sun is rapidly setting on this old platform fast. Firefox plans to end support for XP which means no security fixes or improvements. Chrome is being discontinued a little later as well for Windows XP. Windows XP has its die-hard users refusing to upgrade as they prefer the operating system or feel there is no need to change."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Beware the click-jacking Captcha of Evil!

Subject: General Tech | July 2, 2013 - 01:29 PM |
Tagged: Malware, IE10, chrome, security

Just in case you weren't already getting tired of captchas there is a new click-jacking technique which works on both IE9 and 10 in Windows 7 and also on Chrome for Windows 8 so for the time being you might want to avoid any captchas that begin with an 'R'.  The new Smartscreen features on Win8 as well as UAC should give you at least some defense and require you to allow the exectuable to run and infect your machine but you can be guaranteed that some less observant users will click straight through without reading the messages which appear.  While this type of attack is nothing new, the particular technique mentioned at The Register does have some new tricks.

CAPTCHA.jpg

"A security researcher has discovered a sneaky social engineering trick that might be used to disguise the go-ahead to run hostile code on Windows 8 machines.

The so-called keyjacking technique, uncovered by Italian security researcher Rosario Valotta, is similar to clickjacking. However, instead of fooling marks into generating fake Facebook likes, the keyjacking involves disguising a "run executable" dialogue box within a CAPTCHA challenge."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Android Version of Chrome May Get SPDY Proxy Speed Boost

Subject: General Tech | March 5, 2013 - 02:17 AM |
Tagged: web browser, mobile, chrome, Android

Chrome for Android will allegedly be getting a speed boost thanks to a new SPDY-assisted proxy service. If a recent patch is any indication, future versions of Chrome may adopt a proxy service similar to Opera Turbo, Amazon Silk, or BlackBerry Proxy. Google would take advantage of its SPDY protocol to compress and multiplex web sites. We requests would be sent through Google, where Google would take the HTTP/HTTPS pages, compress and otherwise optimize them, and send them to your Android smartphone.

 

Chrome for Android.png

While on Wi-Fi or a wired connection, the performance merits of such proxy services are minimal at best (and at worst can actually slow down page loads). With that said, over a mobile network--especially if you are living in an area with (at best) 3G speeds, the new SPDY proxy service could make a huge difference in page load times. If my experiences using Opera and its Turbo proxy service over a 3G connection for the past month is any indication of the potential benefits of such a setup, some pages will load much faster, a few sites will actually load slower than browsing without the proxy, and the majority of websites will fall somewhere in between those two extremes, providing a slightly faster web browsing experience. Google may be taking things a step further by introducing its SPDY protocol to speed up the HTTP requests, which is an interesting tactic beyond the basic compression and/or caching that the existing alternatives employ.

Details on the hinted-at Google-run SPDY proxy service are scarce, but I hope that it holds true. There are some privacy considerations, but if you are just reading articles and have resigned yourself to the fact that Chrome/Google tracks you anyway (heh) it is a nice optional feature to have!

Source: Engadget