chrome.security

Make it safe to click on links

Recent blog posts

Wednesday 10 December, 2025

HTTPS certificate industry phasing out less secure domain validation methods

Chrome Root Program

Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers.

Monday 8 December, 2025

Architecting Security for Agentic Capabilities in Chrome

Nathan Parker

Chrome has been advancing the web’s security for well over 15 years, and we’re committed to meeting new challenges and opportunities with AI. Billions of people trust Chrome to keep them safe by default, and this is a responsibility we take seriously. Following the recent launch of Gemini in Chrome and the preview of agentic capabilities, we want to share our approach and some new innovations to improve the safety of agentic browsing.

Tuesday 28 October, 2025

HTTPS by default

Chris Thompson, Mustafa Emre Acer, Serena Chen, Joe DeBlasio, Emily Stark and David Adrian

One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. This means Chrome will ask for the user’s permission before the first access to any public site without HTTPS.


Even more posts!

Tuesday 8 July, 2025

Advancing Protection in Chrome on Android

David Adrian, Javier Castro and Peter Kotwicz

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced Protection gives you the ability to activate Google’s strongest security for mobile devices, providing greater peace of mind that you’re better protected against the most sophisticated threats.

Monday 9 June, 2025

New permission prompt for Local Network Access

Chris Thompson

Chrome is adding a new permission prompt for sites that make connections to a user’s local network as part of the draft Local Network Access specification. The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks, and to reduce the ability of sites to use these requests to fingerprint the user’s local network.

Thursday 8 May, 2025

Using AI to stop tech support scams in Chrome

Jasika Bawa, Andy Lim, and Xinghui Lu, Google Chrome Security

Tech support scams are an increasingly prevalent form of cybercrime, characterized by deceptive tactics aimed at extorting money or gaining unauthorized access to sensitive data. In a tech support scam, the goal of the scammer is to trick you into believing your computer has a serious problem, such as a virus or malware infection, and then convince you to pay for unnecessary services or software, or to grant them remote access to your device. Tech support scams on the web often employ alarming pop-up warnings mimicking legitimate security alerts. We’ve also observed them using full-screen takeovers and disabling keyboard and mouse input to create a sense of crisis.

Thursday 8 May, 2025

How we’re using AI to combat the latest scams

Jasika Bawa and Phiroze Parakh

For more than a decade Google has used advancements in AI to protect you from online scams where malicious actors deceive users to gain access to money, personal information, or both. Today, we're releasing a new report on how we fight scams in Search, and sharing the new ways we're using AI to keep you safe across Search, Chrome and Android.

Thursday 8 May, 2025

Fighting Unwanted Notifications with Machine Learning in Chrome

Hannah Buonomo & Sarah Krakowiak Criel, Chrome Security

Notifications in Chrome are a useful feature to keep up with updates from your favorite sites. However, we know that some notifications may be spammy or even deceptive. We’ve received reports of notifications diverting you to download suspicious software, tricking you into sharing personal information or asking you to make purchases on potentially fraudulent online store fronts.

Thursday 1 May, 2025

Document Isolation Policy: Enable powerful web features with ease

Camille Lamy

From Chrome 137, Document Isolation Policy is a new feature that makes crossOriginIsolation adoption easier. Unlike COEP, Document Isolation Policy applies per frame and makes no requirements of subframes. By enabling crossOriginIsolation, Document Isolation Policy unlocks access to powerful web functionalities like SharedArrayBuffers or WebAssembly threads.

Thursday 27 March, 2025

New security requirements adopted by HTTPS certificate industry

Chrome Root Program

Earlier this month, two Chrome Root Program initiatives became required practices in the CA/Browser Forum Baseline Requirements (BRs). The CA/Browser Forum is a cross-industry group that works together to develop minimum requirements for TLS certificates. Ultimately, these new initiatives represent an improvement to the security and agility of every TLS connection relied upon by Chrome users.

Tuesday 11 February, 2025

Defending 1 billion Chrome users with Enhanced Protection

Benjamin Ackerman, Chrome and Jonathan Li, Safe Browsing

Google Safe Browsing helps keep you safe while you surf the web by identifying phishing, malware, scams and other online threats in real time. Launched in 2005, it’s used by Chrome and many other popular browsers, Search, Android, Google Ads and Gmail to keep 5 billion devices safe and help you stay one step ahead of cybercriminals.

Thursday 10 October, 2024

Using Chrome's accessibility APIs to find security bugs

Adrian Taylor

Chrome’s user interface (UI) code is complex, and sometimes has bugs.

Thursday 3 October, 2024

Evaluating Mitigations & Vulnerabilities in Chrome

Alex Gough

The Chrome Security Team is constantly striving to make it safer to browse the web. We invest in mechanisms to make classes of security bugs impossible, mitigations that make it more difficult to exploit a security bug, and sandboxing to reduce the capability exposed by an isolated security issue. When choosing where to invest it is helpful to consider how bad actors find and exploit vulnerabilities. In this post we discuss several axes along which to evaluate the potential harm to users from exploits, and how they apply to the Chrome browser.

Friday 13 September, 2024

A new path for Kyber on the web

David Adrian, Bob Beck, David Benjamin and Devon O'Brien

The Kyber algorithm has been standardized with minor technical changes and renamed to the Module Lattice Key Encapsulation Mechanism (ML-KEM). We have implemented ML-KEM in Google’s cryptography library, BoringSSL, which allows for it to be deployed and utilized by services that depend on this library.

Tuesday 30 July, 2024

Improving the security of Chrome cookies on Windows

Will Harris

Cybercriminals using cookie theft infostealer malware continue to pose a risk to the safety and security of our users. We already have a number of initiatives in this area including Chrome’s download protection using Safe Browsing, Device Bound Session Credentials, and Google’s account-based threat detection to flag the use of stolen cookies. Today, we’re announcing another layer of protection to make Windows users safer from this type of malware.

Wednesday 24 July, 2024

Building security into the redesigned Chrome downloads experience

Jasika Bawa, Lily Chen, and Daniel Rubery

Last year, we introduced a redesign of the Chrome downloads experience on desktop to make it easier for users to interact with recent downloads. At the time, we mentioned that the additional space and more flexible UI of the new Chrome downloads experience would give us new opportunities to make sure users stay safe when downloading files.

Thursday 27 June, 2024

Sustaining Digital Certificate Security — Entrust Certificate Distrust

Chrome Root Program

The Chrome Security Team prioritizes the security and privacy of Chrome's users, and we are unwilling to compromise on these values. The Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don't go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.

Thursday 20 June, 2024

Staying Safe with Chrome Extensions

Benjamin Ackerman, Anunoy Ghosh and David Warren

Chrome extensions can boost your browsing, empowering you to do anything from customizing the look of sites to providing personalized advice when you’re planning a vacation. But as with any software, extensions can also introduce risk.

Thursday 23 May, 2024

Advancing Our Amazing Bet on Asymmetric Cryptography

David Adrian, Bob Beck, David Benjamin and Devon O'Brien

Google and many other organizations, such as NIST, IETF, and NSA, believe that migrating to post-quantum cryptography is important due to the large risk posed by a cryptographically-relevant quantum computer (CRQC). In August, we posted about how Chrome Security is working to protect users from the risk of future quantum computers by leveraging a new form of hybrid post-quantum cryptographic key exchange, Kyber (ML-KEM). We’re happy to announce that we have enabled the latest Kyber draft specification by default for TLS 1.3 and QUIC on all desktop Chrome platforms as of Chrome 124. This rollout revealed a number of previously-existing bugs in several TLS middlebox products. To assist with the deployment of fixes, Chrome is offering a temporary enterprise policy to opt out.

Tuesday 30 April, 2024

Detecting browser data theft using Windows Event Logs

Will Harris

Chromium’s sandboxed process model defends well against malicious web content, but there are limits to how well the application can protect itself from malware already on the computer. Cookies and other credentials remain a high value target for attackers, and we are trying to tackle this ongoing threat in multiple ways, including working on web standards like DBSC that will help disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.

Thursday 4 April, 2024

The V8 Sandbox

Samuel Groß

After almost three years since the initial design document and hundreds of CLs in the meantime, the V8 Sandbox — a lightweight, in-process sandbox for V8 — has now progressed to the point where it is no longer considered an experimental security feature. Starting today, the V8 Sandbox is included in Chrome’s Vulnerability Reward Program (VRP).

Tuesday 2 April, 2024

Fighting cookie theft using device bound sessions

Kristian Monsen, Chrome Counter Abuse

Cookies – small files created by sites you visit – are fundamental to the modern web. They make your online experience easier by saving browsing information, so that sites can do things like keep you signed in and remember your site preferences. Due to their powerful utility, cookies are also a lucrative target for attackers.

Thursday 14 March, 2024

Real-time, privacy-preserving URL protection

Jasika Bawa, Xinghui Lu, Google Chrome Security; Jonathan Li, Alex Wozniak, Google Safe Browsing

For more than 15 years, Google Safe Browsing has been protecting users from phishing, malware, unwanted software and more, by identifying and warning users about potentially abusive sites on more than 5 billion devices around the world. As attackers grow more sophisticated, we’ve seen the need for protections that can adapt as quickly as the threats they defend against. That’s why we’re excited to announce a new version of Safe Browsing that will provide real-time, privacy-preserving URL protection for people using the Standard protection mode of Safe Browsing in Chrome.

Tuesday 13 February, 2024

Optimizing Safe Browsing checks in Chrome

Jasika Bawa, Chrome Security & Jonathan Li, Google Safe Browsing

Balancing security and usability is always top of mind for us as we strive to stay on top of the constantly evolving threat landscape while building products that are delightful to use. To that end, we’d like to announce a few recent changes to how Chrome works with Google Safe Browsing to keep you safe online while optimizing for smooth and uninterrupted web browsing.

Friday 3 November, 2023

Qualified certificates with qualified risks

Improving the interoperability of web services is an important and worthy goal. We believe that it should be easier for people to maintain and control their digital identities. And we appreciate that policymakers working on European Union digital certificate legislation, known as eIDAS, are working toward this goal. However, a specific part of the legislation, Article 45, hinders browsers’ ability to enforce certain security requirements on certificates, potentially holding back advances in web security for decades. We and many past and present leaders in the international web community have significant concerns about Article 45’s impact on security.

Wednesday 11 October, 2023

Unlocking the power of TLS certificate automation for a safer and more reliable Internet

Chrome Root Program

TL;DR: Automated certificate issuance and management strengthens the underlying security assurances provided by Transport Layer Security (TLS) by increasing agility and resilience. This post describes the benefits of automation and upcoming changes to the Chrome Root Program policy that represent Chrome Security’s ongoing commitment to improving web security.

Wednesday 16 August, 2023

Towards HTTPS by default

Joe DeBlasio

For the past several years, more than 90% of Chrome users’ navigations have been to HTTPS sites, across all major platforms. Thankfully, that means that most traffic is encrypted and authenticated, and thus safe from network attackers. However, a stubborn 5-10% of traffic has remained on HTTP, allowing attackers to eavesdrop on or change that data. Chrome shows a warning in the address bar when a connection to a site is not secure, but we believe this is insufficient: not only do many people not notice that warning, but by the time someone notices the warning, the damage may already have been done.

Thursday 10 August, 2023

Protecting Chrome Traffic with Hybrid Kyber KEM

Devon O'Brien, Technical Program Manager

Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography. Continuing with our strategy for handling this major transition, we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success.

Thursday 10 August, 2023

Making Chrome more secure by bringing Key Pinning to Android

David Adrian, Joe DeBlasio and Carlos Joan Rafael Ibarra Lopez

Chrome 106 added support for enforcing key pins on Android by default, bringing Android to parity with Chrome on desktop platforms. But what is key pinning anyway?

Tuesday 8 August, 2023

An update on Chrome Security updates – shipping security fixes to you faster

Amy Ressler

To get security fixes to you faster, starting now in Chrome 116, Chrome is shipping weekly Stable channel updates.

Thursday 3 August, 2023

Redesigning Chrome downloads, to keep you productive and safe online

With the latest release of Chrome for desktop we are introducing a redesign of the Chrome downloads experience to make it easier for you to interact with your recent downloads. Let’s go behind the scenes and learn more about this redesign from Chrome Senior Product Manager Jasika Bawa.

Thursday 20 July, 2023

A look at Chrome’s security review culture

Alex Gough

Security reviewers must develop the confidence and skills to make fast, difficult decisions. A simplistic piece of advice to reviewers is “just be confident” but in reality that takes practice and experience. Confidence comes with time, and people are there to support each other as we learn. This post shares advice we give to people doing security reviews for Chrome.

Thursday 1 June, 2023

Announcing the Chrome Browser Full Chain Exploit Bonus

Amy Ressler, on behalf of the Chrome VRP

For 13 years, a key pillar of the Chrome Security ecosystem has included encouraging security researchers to find security vulnerabilities in Chrome browser and report them to us, through the Chrome Vulnerability Rewards Program.

Tuesday 23 May, 2023

How the Chrome Root Program Keeps Users Safe

Chrome Root Program

A root program is one of the foundations for securing connections to websites. The Chrome Root Program was announced in September 2022. If you missed it, don't worry - we'll give you a quick summary below!

Tuesday 2 May, 2023

An Update on the Lock Icon

David Adrian, Serena Chen, Joe DeBlasio, Emily Stark, Emanuel von Zezschwitz, and the rest of Chrome Trusty Transport

Browsers have shown a lock icon when a site loads over HTTPS since the early versions of Netscape in the 1990s. For the last decade, Chrome participated in a major initiative to increase HTTPS adoption on the web, and to help make the web secure by default. As late as 2013, only 14% of the Alexa Top 1M sites supported HTTPS. Today, however, HTTPS has become the norm and over 95% of page loads in Chrome on Windows are over a secure channel using HTTPS. This is great news for the ecosystem; it also creates an opportunity to re-evaluate how we signal security protections in the browser. In particular, the lock icon.

Monday 19 September, 2022

Announcing the Launch of the Chrome Root Program

Ryan Dickson, Chris Clements, Emily Stark

In 2020, we announced we were in the early phases of establishing the Chrome Root Program and launching the Chrome Root Store.

Wednesday 14 July, 2021

Increasing HTTPS adoption

Shweta Panditrao, Devon O'Brien, Emily Stark

When a browser connects to websites over HTTPS (vs. HTTP), eavesdroppers and attackers on the network can’t intercept or alter the data that’s shared over that connection (including personal info, or even the page itself). This level of privacy and security is vital for the web ecosystem, so Chrome continues to invest in making HTTPS more widely supported.

Sunday 21 March, 2021

A safer default for navigation

Shweta Panditrao and Mustafa Emre Acer

Starting in version 90, Chrome’s address bar will use https:// by default, improving privacy and even loading speed for users visiting websites that support HTTPS. Chrome users who navigate to websites by manually typing a URL often don’t include “http://” or “https://”. For example, users often type “example.com” instead of “https://example.com” in the address bar. In this case, if it was a user’s first visit to a website, Chrome would previously choose http:// as the default protocol. This was a practical default in the past, when much of the web did not support HTTPS.

Friday 12 March, 2021

Mitigating Side-Channel Attacks

Mike West, on behalf of Chrome's Web Platform Security team

The web platform relies on the origin as a fundamental security boundary, and browsers do a pretty good job at preventing explicit leakage of data from one origin to another. Attacks like Spectre, however, show that we still have work to do to mitigate implicit data leakage. The side-channels exploited through these attacks prove that attackers can read any data which enters a process hosting that attacker’s code. These attacks are quite practical today, and pose a real risk to users.
