chrome.security

Tuesday 30 April, 2024

Detecting browser data theft using Windows Event Logs

Will Harris

Chromium’s sandboxed process model defends well from malicious web content, but there are limits to how well the application can protect itself from malware already on the computer. Cookies and other credentials remain a high value target for attackers, and we are trying to tackle this ongoing threat in multiple ways, including working on web standards like DBSC that will help disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.

Keep reading

Thursday 4 April, 2024

The V8 Sandbox

Samuel Groß

After almost three years since the initial design document and hundreds of CLs in the meantime, the V8 Sandbox — a lightweight, in-process sandbox for V8 — has now progressed to the point where it is no longer considered an experimental security feature. Starting today, the V8 Sandbox is included in Chrome’s Vulnerability Reward Program (VRP).

Keep reading

Tuesday 2 April, 2024

Fighting cookie theft using device bound sessions

Kristian Monsen, Chrome Counter Abuse

Cookies – small files created by sites you visit – are fundamental to the modern web. They make your online experience easier by saving browsing information, so that sites can do things like keep you signed in and remember your site preferences. Due to their powerful utility, cookies are also a lucrative target for attackers.

Keep reading

Thursday 14 March, 2024

Real-time, privacy-preserving URL protection

Jasika Bawa, Xinghui Lu, Google Chrome Security; Jonathan Li, Alex Wozniak, Google Safe Browsing

For more than 15 years, Google Safe Browsing has been protecting users from phishing, malware, unwanted software and more, by identifying and warning users about potentially abusive sites on more than 5 billion devices around the world. As attackers grow more sophisticated, we’ve seen the need for protections that can adapt as quickly as the threats they defend against. That’s why we’re excited to announce a new version of Safe Browsing that will provide real-time, privacy-preserving URL protection for people using the Standard protection mode of Safe Browsing in Chrome.

Keep reading

Tuesday 13 February, 2024

Optimizing Safe Browsing checks in Chrome

Jasika Bawa, Chrome Security & Jonathan Li, Google Safe Browsing

Balancing security and usability is always top of mind for us as we strive to stay on top of the constantly evolving threat landscape while building products that are delightful to use. To that end, we’d like to announce a few recent changes to how Chrome works with Google Safe Browsing to keep you safe online while optimizing for smooth and uninterrupted web browsing.

Keep reading

Friday 3 November, 2023

Qualified certificates with qualified risks

Improving the interoperability of web services is an important and worthy goal. We believe that it should be easier for people to maintain and control their digital identities. And we appreciate that policymakers working on European Union digital certificate legislation, known as eIDAS, are working toward this goal. However, a specific part of the legislation, Article 45, hinders browsers’ ability to enforce certain security requirements on certificates, potentially holding back advances in web security for decades. We and many past and present leaders in the international web community have significant concerns about Article 45’s impact on security.

Keep reading

Wednesday 11 October, 2023

Unlocking the power of TLS certificate automation for a safer and more reliable Internet

Chrome Root Program

TL;DR: Automated certificate issuance and management strengthens the underlying security assurances provided by Transport Layer Security (TLS) by increasing agility and resilience. This post describes the benefits of automation and upcoming changes to the Chrome Root Program policy that represent Chrome Security’s ongoing commitment to improving web security.

Keep reading

Wednesday 16 August, 2023

Towards HTTPS by default

Joe DeBlasio

For the past several years, more than 90% of Chrome users’ navigations have been to HTTPS sites, across all major platforms. Thankfully, that means that most traffic is encrypted and authenticated, and thus safe from network attackers. However, a stubborn 5-10% of traffic has remained on HTTP, allowing attackers to eavesdrop on or change that data. Chrome shows a warning in the address bar when a connection to a site is not secure, but we believe this is insufficient: not only do many people not notice that warning, but by the time someone notices the warning, the damage may already have been done.

Keep reading

Thursday 10 August, 2023

Protecting Chrome Traffic with Hybrid Kyber KEM

Devon O'Brien, Technical Program Manager

Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography. Continuing with our strategy for handling this major transition, we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success.

Keep reading

Thursday 10 August, 2023

Making Chrome more secure by bringing Key Pinning to Android

David Adrian, Joe DeBlasio and Carlos Joan Rafael Ibarra Lopez

Chrome 106 added support for enforcing key pins on Android by default, bringing Android to parity with Chrome on desktop platforms. But what is key pinning anyway?

Keep reading

Tuesday 8 August, 2023

An update on Chrome Security updates – shipping security fixes to you faster

Amy Ressler

To get security fixes to you faster, starting now in Chrome 116, Chrome is shipping weekly Stable channel updates.

Keep reading