Fool me once, shame on me ... Chrome gives Symantec the cold shoulder

Subject: General Tech | September 12, 2017 - 02:29 PM |
Tagged: chrome, symantec, security

The original issue dates back two years, to September 2015, when Symantec was found to have issued unauthorized test certificates for google.com and other domains it did not control. A round of firings at Symantec followed, intended to reassure customers and security experts, and it was somewhat successful until earlier this year. (The kernel-level flaws found across Norton and Symantec products in 2016, which let an attacker compromise a Windows machine without any user interaction, were a separate problem with the same company.) In January it was discovered that Symantec's validation partners had issued certificates for several questionable sites, including domains whose owners had never authorized them. This has been enough for Google: Chrome 66 will stop trusting Symantec certificates issued before June 1, 2016, and Chrome 70 will stop trusting everything that chains to Symantec's legacy roots, so any site still serving one of these certificates needs a replacement from another CA before those releases ship. The Inquirer provides a full timeline here.
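The practical question for a site operator is "which release breaks my certificate?" The following is an added example, not code from the original post or from Google, that applies Chrome's published schedule to a certificate chain: a chain ending at a legacy Symantec-operated root is rejected from Chrome 66 if the leaf was issued before June 1, 2016, and from Chrome 70 otherwise. Matching roots by their O= attribute is an assumption made for readability; Chrome's real list is keyed by root certificate fingerprint. The sample chains are constructed for the example.

```python
from datetime import datetime

# Organizations behind the legacy Symantec-operated roots: Symantec's own plus the
# GeoTrust, Thawte, VeriSign and Equifax brands it had acquired.  Matching a root by
# its O= attribute is a simplification (assumption); Chrome's actual list is keyed by
# root certificate fingerprint.
LEGACY_SYMANTEC_ROOT_ORGS = {
    "Symantec Corporation",
    "GeoTrust Inc.",
    "thawte, Inc.",
    "VeriSign, Inc.",
    "Equifax",
}

# Google's published schedule: Chrome 66 distrusts legacy-Symantec certificates
# issued before this date; Chrome 70 distrusts everything under the legacy roots.
CHROME66_CUTOFF = datetime(2016, 6, 1)


def first_distrusting_chrome(chain):
    """Return the first Chrome major version that rejects ``chain``, or None.

    ``chain`` is a list of dicts, leaf first and root last.  Every entry has
    ``subject_org`` and ``issuer_org`` (the O= attribute of its subject and
    issuer); the leaf also has ``not_before``, a datetime.  The chain must end
    at a self-signed root: the decision depends on which root the path ends at,
    so a truncated chain is rejected rather than guessed at.
    """
    if not chain:
        raise ValueError("empty chain")
    for child, parent in zip(chain, chain[1:]):
        if child["issuer_org"] != parent["subject_org"]:
            raise ValueError("broken chain: %r was not issued by %r"
                             % (child["subject_org"], parent["subject_org"]))
    root = chain[-1]
    if root["subject_org"] != root["issuer_org"]:
        raise ValueError("chain does not end at a self-signed root")
    if root["subject_org"] not in LEGACY_SYMANTEC_ROOT_ORGS:
        return None  # not Symantec-rooted, unaffected by this schedule
    if chain[0]["not_before"] < CHROME66_CUTOFF:
        return 66
    return 70


# Constructed sample chains, modelled on the issuance patterns of the time.
SAMPLE_CHAINS = {
    # Leaf issued in 2015 under a VeriSign root: gone in Chrome 66.
    "pre_2016_symantec": [
        {"subject_org": "Example Inc.", "issuer_org": "Symantec Corporation",
         "not_before": datetime(2015, 3, 9)},
        {"subject_org": "Symantec Corporation", "issuer_org": "VeriSign, Inc."},
        {"subject_org": "VeriSign, Inc.", "issuer_org": "VeriSign, Inc."},
    ],
    # Same hierarchy, leaf issued in 2017: survives 66 but not 70.
    "post_2016_symantec": [
        {"subject_org": "Example Inc.", "issuer_org": "Symantec Corporation",
         "not_before": datetime(2017, 3, 1)},
        {"subject_org": "Symantec Corporation", "issuer_org": "VeriSign, Inc."},
        {"subject_org": "VeriSign, Inc.", "issuer_org": "VeriSign, Inc."},
    ],
    # Reissued from an unaffected CA.
    "digicert": [
        {"subject_org": "Example Inc.", "issuer_org": "DigiCert Inc",
         "not_before": datetime(2017, 9, 1)},
        {"subject_org": "DigiCert Inc", "issuer_org": "DigiCert Inc"},
    ],
    # Server sent only the leaf: cannot be classified, raises ValueError.
    "truncated": [
        {"subject_org": "Example Inc.", "issuer_org": "Symantec Corporation",
         "not_before": datetime(2015, 3, 9)},
    ],
}


def classify_samples():
    """Map each complete sample chain to the Chrome version that first rejects it."""
    return {name: first_distrusting_chrome(chain)
            for name, chain in SAMPLE_CHAINS.items() if name != "truncated"}


if __name__ == "__main__":
    for name, version in classify_samples().items():
        label = "trusted" if version is None else "distrusted from Chrome %d" % version
        print("%-20s %s" % (name, label))
```

Refusing the truncated chain is deliberate: a server that sends only its leaf leaves the client to build the path from whatever intermediates it has cached, and two clients can end at different roots for the same leaf.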


"The decision to remove Symantec certificates came as a result of the discovery of a dodgy certificate in 2015, leading to a fuller investigation that brought forward more issues with security at the beginning of this year."


Source: The Inquirer

Firefox 51 and Chrome 56 Launch with WebGL 2.0

Subject: General Tech | January 27, 2017 - 03:55 PM |
Tagged: webgl, webgl2, firefox, chrome, google, mozilla, Opera

After quite a bit of anticipation, both Mozilla and Google have just shipped compatible implementations of WebGL 2. This feature was unlocked to the public in Firefox 51 and Chrome 56 for the desktop, both released this week, while Opera will push it out to desktop and mobile on their next version, Opera 43. Microsoft currently has the API “under consideration” for Edge.

As we’ve highlighted in the past, this new version of the graphics API pushes the platform up to OpenGL ES 3.0, with a few exceptions that are typically made for security reasons. This update allows quite a few new features like off-screen render targets, which is useful for deferred rendering. The shading language is also significantly larger, and can now operate natively on integer types and 3D textures.

WebGL 2.0 does not include compute shaders, however, which is a bit unfortunate. That said, it is (at least last I checked) a highly-requested feature and the browser vendors are interested in providing it.

"HTML5 by Default" Rolling in to Chrome Userbase

Subject: General Tech | December 13, 2016 - 02:47 PM |
Tagged: google, chrome, Adobe, flash

Google is about to begin transitioning their users away from Flash, unless they explicitly enable it on a site-by-site basis. This is a step beyond click-to-activate, which refuses to run the plug-in until the user permits it: Chrome will not even acknowledge the plug-in's existence unless the user asks for it. The difference is that this tells sites to treat the browser as not having Flash, which, for PC Perspective as an example, should load our HTML5 article carousel instead of presenting a click-to-activate Flash one that has an expanding oval transition animation.


Because changes like these could have side-effects, Google is dipping their toe before jumping in. About 1% of users on the current Chrome 55 (and ~50% of Chrome 56 pre-release users) will have this change flipped on any day now, which contains the outrage if it breaks something popular or, otherwise, causes user grief. If it all goes well, though, it will be enabled for everyone when Chrome 56 arrives for the general public in February.

Source: Google

About the "Firefox Is Eating Your SSD" Story

Subject: Storage | October 5, 2016 - 07:57 PM |
Tagged: ssd, mozilla, google, firefox, endurance, chrome

A couple of weeks ago, I saw a post pop up on Twitter a few times about Firefox performing excessive writes to SSDs, which totalled 32 GB in a single day. The author attributes it mostly to a fast-updating session restore feature, although cookies were also resource hogs in their findings. In an update, they also tested Google Chrome, which, itself, clocked in at over 24 GB of writes in a day.


This, of course, seemed weird to me. I would have thought that at least one browser vendor might notice an issue like this. Still, I passed the link to Allyn because he would be much more capable in terms of being able to replicate these results. In our internal chat at the time, he was less skeptical than I was. I've since followed up with him, and he said that his initial results “wasn't nearly as bad as their case”. He'll apparently elaborate on tonight's podcast, and I'll update this post with his findings.

Google Continues Clamping Down on HTTP

Subject: General Tech | September 8, 2016 - 11:02 PM |
Tagged: google, chrome, http, https

Many software vendors want to impose security and encryption basically everywhere. Google and Mozilla are two of the more vocal organizations about it, and they have been slowly implementing ways to discourage insecure HTTP (in favor of HTTPS). Some of these make sense, like preventing insecure sites from accessing your webcam so the video stream cannot be intercepted, while others seem a bit pushy, like lowering HTTP-based sites down in search results.


The change in this announcement is technologically benign, but it is designed to make HTTP feel a bit uncomfortable. Rather than just promote HTTPS sites with a padlock symbol, Google Chrome 56 and later will add a “Not secure” label to HTTP sites. Initially, Google says, it will only mark pages that collect sensitive data, like passwords and credit card numbers; the plan is to expand this to all HTTP pages going forward.

Again, this has pros and cons. The main benefit of encryption is that it is much harder to view or manipulate what flies across the data stream. One major disadvantage is that the content must be authenticated, which means obtaining a certificate for a domain from a CA, and that is a concern for truly anonymous expression. Google Chrome treats local, offline content (file:// pages and localhost) as secure, but that use case could easily be forgotten, and that could have terrible ramifications, especially in areas controlled by oppressive governments that massively censor art.
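For anyone auditing their own pages ahead of Chrome 56, the following is an added example (not from the original post and not Google's code) that reproduces the first stage of the label: a page on a non-secure origin that contains a password field, or a credit-card field, gets flagged. Password inputs are unambiguous; for credit-card fields Chrome relies on its autofill heuristics, and this scanner uses the `autocomplete="cc-*"` tokens as the detectable signal, which is a simplification and an assumption. The secure-origin rule (https, file, loopback) is likewise an approximation of the browser's, and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Origins the browser treats as secure even without TLS (approximation, assumption).
SECURE_SCHEMES = {"https", "wss", "file"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_potentially_trustworthy(page_url):
    """Approximate the secure-context rule for a page URL."""
    parts = urlsplit(page_url)
    if parts.scheme in SECURE_SCHEMES:
        return True
    host = (parts.hostname or "").lower()
    return host in LOOPBACK_HOSTS or host.endswith(".localhost")


class SensitiveInputFinder(HTMLParser):
    """Collect <input> elements that Chrome 56 treats as sensitive."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names arrive lowercased; a bare attribute has value None.
        a = {name: (value or "") for name, value in attrs}
        kind = a.get("type", "text").lower()
        if kind == "password":
            self.findings.append(("password", a.get("name", "")))
        elif a.get("autocomplete", "").lower().startswith("cc-"):
            self.findings.append(("credit-card", a.get("name", "")))


def not_secure_reasons(page_url, html):
    """Return the sensitive fields that would earn ``page_url`` a 'Not secure' label.

    An empty list means no label.  Only the page's own origin matters: a form on an
    http:// page that posts to an https:// endpoint is still flagged, because the
    page (and therefore the form) arrived unauthenticated and could have been
    rewritten in transit before the user ever typed anything.
    """
    if is_potentially_trustworthy(page_url):
        return []
    finder = SensitiveInputFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample pages.
LOGIN_PAGE = """
<form action="https://accounts.example.com/login" method="post">
  <input name="user" type="text">
  <input name="pw" type="PASSWORD">
</form>
"""

CHECKOUT_PAGE = """
<form action="/pay" method="post">
  <input name="card" autocomplete="cc-number">
  <input name="cvc" autocomplete="cc-csc" type="text">
</form>
"""

NEWS_PAGE = '<p>Nothing to fill in here.</p><input type="search" name="q">'

if __name__ == "__main__":
    for url, html in [("http://example.com/login", LOGIN_PAGE),
                      ("https://example.com/login", LOGIN_PAGE),
                      ("http://shop.example.com/checkout", CHECKOUT_PAGE),
                      ("http://example.com/", NEWS_PAGE)]:
        print(url, not_secure_reasons(url, html) or "no label")
```

The login sample is the case that catches people out: its form already posts to HTTPS, yet the page is still labelled, because the label is about where the page came from, not where the form goes.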

Source: Google

Google Releases Chrome 48 with Interesting Features

Subject: General Tech | January 21, 2016 - 02:59 AM |
Tagged: google, chrome

Web browsers are typically on rapid release cycles so they can get features out frequently. The Web is changing on a constant basis to help it become an effective application platform, one that is cross-compatible between competing implementations. A common complaint is that the cycle exists to yield high version numbers for marketing, to give a false sense of maturity, but I'd expect that frequent, breaking changes are kind of necessary to synchronize features between implementations. If Google lands a feature a month after Mozilla publishes a new version, should they really wait two years for their next one? Granted, they probably knew about it pre-release, but you get the idea. Also, even if the theory is true, artificially high version numbers are one of the most benign things a company could do.


Some versions introduce fairly interesting features, though. This one, Google Chrome 48, removes support for the RC4 cipher in HTTPS connections, so web servers that offer only RC4 cipher suites will fail to connect until they are configured with newer ciphers.
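A server operator can check a cipher configuration for this before deploying it, without any client in the loop. The following is an added example, not from the original post, that resolves an OpenSSL-style cipher string through Python's `ssl` module exactly as a server context would and reports which of the resulting suites a current browser would refuse. The `HARDENED` and `LEGACY` strings and the list of weak suite-name fragments are this example's own choices, not anything the page or Google specifies.

```python
import ssl

# Suite-name fragments a current browser will not negotiate: RC4 (removed in Chrome 48)
# plus MD5 MACs, single and triple DES, NULL and export-grade suites.  The list is this
# example's classification (assumption), not a browser's published policy.
WEAK_FRAGMENTS = ("RC4", "MD5", "DES", "NULL", "EXP", "RC2")

# A reasonable modern server string: AEAD suites with forward secrecy only.
HARDENED = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305")

# The kind of string that still turned up in older server configs.
LEGACY = "HIGH:MEDIUM:RC4-SHA:!aNULL"


def offered_suites(cipher_string):
    """Resolve a cipher string as a server would and list the suite names it offers.

    Returns an empty list when the string resolves to nothing.  That is what an
    RC4-only string does on OpenSSL builds that compiled RC4 out: the library
    refuses the string outright instead of silently serving no ciphers.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [suite["name"] for suite in ctx.get_ciphers()]


def weak_suites(cipher_string):
    """The subset of the offered suites that a current browser would refuse."""
    return [name for name in offered_suites(cipher_string)
            if any(fragment in name for fragment in WEAK_FRAGMENTS)]


def passes_policy(cipher_string):
    """True only if the string offers at least one suite and none of them are weak."""
    offered = offered_suites(cipher_string)
    return bool(offered) and not weak_suites(cipher_string)


if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("legacy", LEGACY), ("rc4 only", "RC4-SHA:RC4-MD5")):
        print("%-9s offers %2d suites, %2d weak, policy %s" % (
            label, len(offered_suites(spec)), len(weak_suites(spec)),
            "pass" if passes_policy(spec) else "FAIL"))
```

What the legacy string resolves to depends on how the local OpenSSL was built, which is the point: a string that quietly included RC4 on the old build may resolve to something quite different after an upgrade, so the check belongs in deployment tests rather than in someone's memory.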

Another major one, and probably more interesting for our audience, is the introduction of VP9 to WebRTC. This video codec is Google's open competitor to H.265. At similar quality settings, VP9 will use about half of the bandwidth (or storage) as VP8. WebRTC is mostly used for video conferencing, but it's really an open platform for webcam, microphone, audio, video, and raw, peer-to-peer data connections. There are even examples of it being used to synchronize objects in multiplayer video games, which has nothing to do with video or audio streaming. I'm not sure what is possible with this support, but it might even lead to web applications that can edit video.

Google Chrome 48 is available today. Also, as a related note, Firefox 44 should release next week with its own features, like experimental support for rendering WebGL to an offscreen canvas from a worker thread. The full changelog for Google Chrome 48 from Git is about 42 MB and, ironically, tends to crash Firefox.

Source: VentureBeat

Google to merge Chrome and Android into their One True OS

Subject: General Tech | October 30, 2015 - 01:25 PM |
Tagged: chrome, Android, google

It has been long suspected that eventually Google would merge their two operating systems into one, and we now have a rumoured date: 2017. An Android runtime for Chrome OS already exists and almost any Android app can be modified to run on a Chrome-powered device, but we now have confirmation that the two will finally merge under the Android brand. The new OS will remain open source, and developers may be enticed into writing more applications, as they would only need to build one application instead of two versions. Pop by The Inquirer for more speculation.


"ALPHABET SUBSIDIARY Google (still sounds weird, right?), is reportedly planning to merge Chrome OS and Android into a single platform."


Source: The Inquirer

Google giveth with one hand whilst taking with the other

Subject: General Tech | August 28, 2015 - 04:40 PM |
Tagged: google, chrome, flash, apple

The good news from Google is that as of next month, Flash ads will be 'Click to Play' when you are browsing in Chrome. This will be nice for the moving ads but even better for defeating those sick-minded advertisers who think audio ads are acceptable. However, this will hurt websites which depend on ad revenue ... as in all of the ones that are not behind a paywall and which have Flash-based ads. The move will make your web browsing somewhat safer, as it will prevent the drive-by infections which Flash spreads like a plague-infested flea, and as long as advertisers switch to HTML5 their ads will play and revenue will continue to come in.

The news of Chrome's refusal to play Flash ads is tempered somewhat by Google's decision to put advertising ahead of security on Apple devices. The new iOS 9 introduces App Transport Security (ATS), which by default blocks apps from making plain HTTP connections, providing security and making it harder for websites to gather personalized data; but as anyone who uses HTTPS Everywhere already knows, not all advertisements are served over HTTPS, and they are often blocked from displaying entirely. To ensure that advertisers can still display on your iOS 9 device, Google has provided a workaround for opting an app out of App Transport Security, rendering the protection HTTPS offers inoperative for that app. Again, while sites do depend on advertisements to exist, sacrificing security to display those ads is hard to justify.
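ATS is controlled by the `NSAppTransportSecurity` dictionary in an app's Info.plist, and the opt-out the post refers to amounts to setting `NSAllowsArbitraryLoads` to true for the whole app (that reading of Google's AdMob guidance of the time is this editor's, not the page's). The following is an added example, not from the post, Google or Apple, that audits an Info.plist for that blanket opt-out and for the narrower per-domain exceptions ATS also allows, using only the standard library's `plistlib`. The three plists are constructed.

```python
import plistlib

# Lowest TLS version ATS accepts without an exception; anything below is a weakening.
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}


def ats_findings(info_plist):
    """Audit the NSAppTransportSecurity dictionary of an Info.plist (bytes, XML or binary).

    Returns a list of (severity, message) tuples.  An empty list means ATS is left
    at its default, which refuses plaintext HTTP and weak TLS for every host.
    """
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads disables ATS for every host, "
                                 "not only the ad network that asked for it"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("medium", "NSAllowsArbitraryLoadsInWebContent disables ATS "
                                   "for everything loaded inside web views"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if rules.get("NSIncludesSubdomains") else "")
        if (rules.get("NSExceptionAllowsInsecureHTTPLoads")
                or rules.get("NSTemporaryExceptionAllowsInsecureHTTPLoads")):
            findings.append(("medium", "plaintext HTTP permitted for " + scope))
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") not in ACCEPTABLE_TLS:
            findings.append(("low", "TLS below 1.2 permitted for " + scope))
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(("low", "forward secrecy not required for " + scope))
    return findings


# Constructed: the blanket opt-out, which switches ATS off for every connection the app makes.
BLANKET_OPT_OUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Constructed: the narrower alternative, an exception scoped to the one ad host that needs it.
SCOPED_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>ads.example.net</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed: ATS left at its default.
DEFAULT_ATS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
</dict></plist>"""

if __name__ == "__main__":
    for label, plist in (("blanket", BLANKET_OPT_OUT), ("scoped", SCOPED_EXCEPTION), ("default", DEFAULT_ATS)):
        print(label, ats_findings(plist) or "no ATS weakening")
```

The scoped form still allows plaintext to the ad host, so it is not a fix, but it keeps the app's own API traffic under ATS, which the blanket opt-out does not.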


"The web giant has set September 1, 2015 as the date from which non-important Flash files will be click-to-play in the browser by default – effectively freezing out "many" Flash ads in the process."


Source: The Register

Google Chrome Team Commits to XP Throughout 2015

Subject: General Tech | April 17, 2015 - 07:00 AM |
Tagged: windows xp, windows, microsoft, google, EoL, chrome

It has been a year since Microsoft cut off extended support for Windows XP including Internet Explorer security updates for the platform. Yeah, I know, it doesn't feel like it. Other browser vendors announced that they would continue to target the retired OS after Microsoft washed their hands of it. At the time, Google said they would give at least 12 months support, which brings us to yesterday.


Now Google is extending their commitment to the end of the year. They did not say that it was a hard deadline for their customers, but they also did not add an “at least” qualifier this time. The browser vendor wants people to upgrade and admits that they cannot genuinely provide a secure experience if a known issue bites everyone at the OS level. You can keep training the guard at the door, but if your window falls out, mind the pun, then it is still dangerous to be inside.

Granted, we have not seen a major attack on XP over the last year. You would have to think that, even if the attacks are sophisticated, some of the victims would have noticed and reported it to someone. Still, I wonder how it keeps surviving, especially since I would have thought that at least one vulnerability in the last twelve Patch Tuesdays could be ported back to it.

Maybe it is too small of a target?

Source: Google

Since TLS connections mostly ignore OCSP, Firefox is creating yet another solution

Subject: General Tech | March 5, 2015 - 01:46 PM |
Tagged: security, OneCRL, irony, firefox, CRLSet, chrome

It seems somehow strange that the vast majority of 'secure' connections still completely ignore what were developed as industry standards to ensure security, in favour of creating their own solutions, but that is the world a security professional lives in. The basic design of OCSP costs extra bandwidth and an extra round trip to the CA for every connection, and browsers that do perform the check soft-fail when it does not answer. OCSP stapling, in which the server fetches the CA's signed, time-limited response itself and attaches it to the TLS handshake so the client never has to contact the CA, would ameliorate this, but the TLS server you are connecting to is not likely to have it enabled. Instead of fixing the root cause and utilizing existing standards, it would seem that Firefox 37 will start a brand new solution, maintaining a list of revoked certificates, ironically called OneCRL, which will be pushed out to Firefox users, duplicating the CRLSet which Chrome has already developed and maintains.

This is good for the end user in that it does add security to their browsing session, but for those truly worried about attempting to make the net a safer place it offers yet another list to keep track of, and for attackers yet another vector of attack. At some point we will have to stop referring to standards when referencing networking technology. Pore through the links on the Slashdot post and read through the comments to share in the frustration, or to familiarize yourself with these concepts if the acronyms are unfamiliar.
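To make concrete what a pushed list does and does not cover, the following is an added example, not code from the post, Mozilla or Google, that models the client side: a OneCRL/CRLSet-style blocklist of (issuer name, serial number) pairs consulted for intermediates only, with a stapled OCSP response as the only source of truth for the leaf. OneCRL stores DER-encoded issuer names and serials in base64; here issuer names are kept as plain strings and serials are normalised to lowercase hex, which is an assumption made for readability. The blocklist, chains and stapled responses are constructed.

```python
def normalise_serial(serial):
    """Canonical form for a serial given as int, hex string (with or without colons) or bytes."""
    if isinstance(serial, bytes):
        serial = int.from_bytes(serial, "big")
    elif isinstance(serial, str):
        serial = int(serial.replace(":", "").replace(" ", ""), 16)
    return format(serial, "x")


class PushedBlocklist:
    """A OneCRL/CRLSet-style list: (issuer name, serial) pairs naming revoked certificates."""

    def __init__(self, entries):
        self._entries = {(issuer, normalise_serial(serial)) for issuer, serial in entries}

    def contains(self, cert):
        return (cert["issuer"], normalise_serial(cert["serial"])) in self._entries


def chain_status(chain, blocklist, stapled_ocsp=None):
    """Decide whether a chain is usable: ('revoked', subject) or ('ok', reason).

    ``chain`` is leaf first, root last.  ``stapled_ocsp`` is the server's stapled
    OCSP response for the leaf, {"serial": ..., "status": "good" | "revoked"}, or
    None when the server did not staple one.  The pushed list is consulted for
    intermediates only, as both OneCRL and CRLSet are size-limited to them, so a
    revoked leaf that is on the list is still not caught without a staple.
    """
    leaf, intermediates = chain[0], chain[1:-1]
    for cert in intermediates:
        if blocklist.contains(cert):
            return ("revoked", cert["subject"])
    if stapled_ocsp is not None:
        if normalise_serial(stapled_ocsp["serial"]) != normalise_serial(leaf["serial"]):
            raise ValueError("stapled response is not for the presented leaf")
        if stapled_ocsp["status"] == "revoked":
            return ("revoked", leaf["subject"])
        return ("ok", "leaf status confirmed by stapled OCSP")
    return ("ok", "no intermediate on the pushed list; leaf status unknown")


# Constructed blocklist: one revoked intermediate and one revoked leaf.
BLOCKLIST = PushedBlocklist([
    ("Example CA Root", "04:f3:a2"),            # intermediate G1, issued by the root
    ("Example CA Intermediate G2", "1f"),       # a leaf: present, but never consulted
])

ROOT = {"subject": "Example CA Root", "issuer": "Example CA Root", "serial": "01"}

# Chain through the revoked intermediate G1.
CHAIN_VIA_G1 = [
    {"subject": "www.example.com", "issuer": "Example CA Intermediate G1", "serial": "2a"},
    {"subject": "Example CA Intermediate G1", "issuer": "Example CA Root", "serial": "0004F3A2"},
    ROOT,
]

# Chain through the clean intermediate G2; its leaf serial 1f is on the list as a leaf entry.
CHAIN_VIA_G2 = [
    {"subject": "www.example.com", "issuer": "Example CA Intermediate G2", "serial": "1f"},
    {"subject": "Example CA Intermediate G2", "issuer": "Example CA Root", "serial": "0b"},
    ROOT,
]

if __name__ == "__main__":
    print("via G1, no staple:     ", chain_status(CHAIN_VIA_G1, BLOCKLIST))
    print("via G2, no staple:     ", chain_status(CHAIN_VIA_G2, BLOCKLIST))
    print("via G2, staple revoked:", chain_status(CHAIN_VIA_G2, BLOCKLIST,
                                                  {"serial": "1f", "status": "revoked"}))
```

The second chain is the gap the post is complaining about: the leaf is known-revoked, the list even says so, and the client still accepts it unless the server staples an OCSP response. Normalising serials matters too, since the same number shows up as `04:f3:a2` in one tool and `0004F3A2` in another, and a list keyed on the raw string would miss the match.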


"The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser."


Source: Slashdot