chrome.security

Make it safe to click on links

Recent blog posts

Thursday 10 October, 2024

Using Chrome's accessibility APIs to find security bugs

Adrian Taylor

Chrome’s user interface (UI) code is complex, and sometimes has bugs.

Thursday 3 October, 2024

Evaluating Mitigations & Vulnerabilities in Chrome

Alex Gough

The Chrome Security Team is constantly striving to make it safer to browse the web. We invest in mechanisms to make classes of security bugs impossible, mitigations that make it more difficult to exploit a security bug, and sandboxing to reduce the capability exposed by an isolated security issue. When choosing where to invest, it is helpful to consider how bad actors find and exploit vulnerabilities. In this post we discuss several axes along which to evaluate the potential harm to users from exploits, and how they apply to the Chrome browser.

Friday 13 September, 2024

A new path for Kyber on the web

David Adrian, Bob Beck, David Benjamin and Devon O'Brien

The Kyber algorithm has been standardized with minor technical changes and renamed to the Module Lattice Key Encapsulation Mechanism (ML-KEM). We have implemented ML-KEM in Google’s cryptography library, BoringSSL, which allows for it to be deployed and utilized by services that depend on this library.

Even more posts!!11!1!oneeleven

Tuesday 30 July, 2024

Improving the security of Chrome cookies on Windows

Will Harris

Cybercriminals using cookie theft infostealer malware continue to pose a risk to the safety and security of our users. We already have a number of initiatives in this area including Chrome’s download protection using Safe Browsing, Device Bound Session Credentials, and Google’s account-based threat detection to flag the use of stolen cookies. Today, we’re announcing another layer of protection to make Windows users safer from this type of malware.

Wednesday 24 July, 2024

Building security into the redesigned Chrome downloads experience

Jasika Bawa, Lily Chen, and Daniel Rubery

Last year, we introduced a redesign of the Chrome downloads experience on desktop to make it easier for users to interact with recent downloads. At the time, we mentioned that the additional space and more flexible UI of the new Chrome downloads experience would give us new opportunities to make sure users stay safe when downloading files.

Thursday 27 June, 2024

Sustaining Digital Certificate Security — Entrust Certificate Distrust

Chrome Root Program

The Chrome Security Team prioritizes the security and privacy of Chrome's users, and we are unwilling to compromise on these values. The Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don't go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.

Thursday 20 June, 2024

Staying Safe with Chrome Extensions

Benjamin Ackerman, Anunoy Ghosh and David Warren

Chrome extensions can boost your browsing, empowering you to do anything from customizing the look of sites to providing personalized advice when you’re planning a vacation. But as with any software, extensions can also introduce risk.

Thursday 23 May, 2024

Advancing Our Amazing Bet on Asymmetric Cryptography

David Adrian, Bob Beck, David Benjamin and Devon O'Brien

Google and many other organizations, such as NIST, IETF, and NSA, believe that migrating to post-quantum cryptography is important due to the large risk posed by a cryptographically-relevant quantum computer (CRQC). In August, we posted about how Chrome Security is working to protect users from the risk of future quantum computers by leveraging a new form of hybrid post-quantum cryptographic key exchange, Kyber (ML-KEM). We’re happy to announce that we have enabled the latest Kyber draft specification by default for TLS 1.3 and QUIC on all desktop Chrome platforms as of Chrome 124.[2] This rollout revealed a number of previously-existing bugs in several TLS middlebox products. To assist with the deployment of fixes, Chrome is offering a temporary enterprise policy to opt out.

Tuesday 30 April, 2024

Detecting browser data theft using Windows Event Logs

Will Harris

Chromium’s sandboxed process model defends well from malicious web content, but there are limits to how well the application can protect itself from malware already on the computer. Cookies and other credentials remain a high value target for attackers, and we are trying to tackle this ongoing threat in multiple ways, including working on web standards like DBSC that will help disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.

Thursday 4 April, 2024

The V8 Sandbox

Samuel Groß

After almost three years since the initial design document and hundreds of CLs in the meantime, the V8 Sandbox — a lightweight, in-process sandbox for V8 — has now progressed to the point where it is no longer considered an experimental security feature. Starting today, the V8 Sandbox is included in Chrome’s Vulnerability Reward Program (VRP).

Tuesday 2 April, 2024

Fighting cookie theft using device bound sessions

Kristian Monsen, Chrome Counter Abuse

Cookies – small files created by sites you visit – are fundamental to the modern web. They make your online experience easier by saving browsing information, so that sites can do things like keep you signed in and remember your site preferences. Due to their powerful utility, cookies are also a lucrative target for attackers.
