True North Networks Blog
Chrome 79 released with tab freezing, back-forward caching, and loads of security features
Google today released Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users.
This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predictive Phishing protections, a ban on loading HTTPS "mixed content," support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism.
Let's go over each of these new features in greater depth, one by one.
BUILT-IN PASSWORD CHECKUP TOOL
Password Checkup is an online service through which Google takes all your Chrome-synced passwords and checks to see if any have leaked via breaches at other online services.
Until today, Password Checkup was only available as a separate Chrome extension or a section in the Google web dashboard.
Starting with Chrome 79, released today, the Password Checkup utility has been integrated into Chrome itself. To use it, Chrome users must be logged in to their Google account inside Chrome.
Once enabled, the feature will tell users which websites they are using previously leaked passwords on, and prompt them to change those passwords.
In a blog post published today, and shared with ZDNet, Google explained how this process works, in greater detail:
- Whenever Google discovers a username and password exposed by another company's data breach, we store a strongly hashed and encrypted copy of the data on our servers with a secret key known only to Google.
- When you sign in to a website, Chrome will send a strongly hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy.
- In order to determine if your username and password appears in any breach, we use a technique called private set intersection with blinding that involves multiple layers of encryption. This allows us to compare your encrypted username and password with all of the encrypted breached usernames and passwords, without revealing your username and password, or revealing any information about any other users' usernames and passwords. In order to make this computation more efficient, Chrome sends a 3-byte SHA256 hash prefix of your username to reduce the scale of the data joined from 4 billion records, down to 250 records while still ensuring your username remains anonymous.
- Only you discover if your username and password have been compromised. If they have been compromised, we strongly encourage you to change your password.
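The lookup Google describes (a 3-byte username hash prefix to pick a bucket, then a blinded comparison inside it) can be modelled as follows. This is an added illustration, not Google's or Chrome's code: the modulus, the plain SHA-256 credential hash, and every function and class name are assumptions chosen for brevity.

```python
import hashlib, math, secrets

P = 2**127 - 1  # toy modulus (a Mersenne prime); an assumption, not Chrome's parameters

def prefix(username: str) -> bytes:
    """3-byte SHA-256 prefix of the username, used only to select a bucket."""
    return hashlib.sha256(username.encode()).digest()[:3]

def to_group(username: str, password: str) -> int:
    """Hash a credential pair to a nonzero element mod P."""
    d = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1

def new_key() -> int:
    """Random exponent invertible mod P-1, so the blinding can be removed again."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

class Server:
    def __init__(self, breached):
        self.key = new_key()                 # secret b, known only to the server
        self.buckets = {}
        for u, p in breached:                # store H(u,p)^b, grouped by prefix
            self.buckets.setdefault(prefix(u), set()).add(pow(to_group(u, p), self.key, P))

    def lookup(self, pfx: bytes, blinded: int):
        """Apply b to the client's blinded value; return it with one bucket only."""
        return pow(blinded, self.key, P), self.buckets.get(pfx, set())

def client_check(server: Server, username: str, password: str) -> bool:
    a = new_key()                                              # fresh client secret
    blinded = pow(to_group(username, password), a, P)          # H^a: server cannot read H
    double, bucket = server.lookup(prefix(username), blinded)  # H^(ab), {H_i^b}
    unblinded = pow(double, pow(a, -1, P - 1), P)              # strip a, leaving H^b
    return unblinded in bucket               # the result is visible to the client only

def expected_bucket_size(records: int, prefix_bytes: int = 3) -> float:
    """Average records per bucket when records spread over 2^(8*prefix_bytes) prefixes."""
    return records / 2 ** (8 * prefix_bytes)

BREACHED = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]  # constructed sample
```

With 4 billion records, `expected_bucket_size` gives about 238 entries per bucket, which is the order of magnitude behind the "250 records" figure in the quoted text.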
REAL-TIME BLACKLISTING OF BAD SITES
For years, Chrome has featured a security setting known as the Safe Browsing API. Through this tool, Chrome downloads a list of known bad sites once every 30 minutes.
When a user visits a site, Chrome checks the URL against this list of known bad sites, which is stored locally inside all users' browsers.
However, Google says that in recent months, threat actors have been changing sites and domains at a faster pace, taking advantage of this 30-minute delay.
Starting today, with the release of Chrome 79, Google says Chrome will get a new option in the "Sync and Google services" section that will allow users to enable the scanning of bad sites in real time. Option 1 in the image below denotes that Safe Browsing is enabled. Option 2 gives Chrome permission to send URLs to Safe Browsing servers. Turning both options on enables real-time Safe Browsing.
Enabling this feature also means that you're OK with sending your web browsing history to Google. The company says that users have nothing to fear, as all URLs will be anonymized. The company explains how this will work:
"When you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL anonymously with Google (after dropping any username or password embedded in the URL) to find out if you're visiting a dangerous site. Our analysis has shown that this results in a 30% increase in protections by warning users on malicious sites that are brand new."
In our test Chrome 79 install, this feature was enabled by default, a setting that some users or system administrators might want to turn off.
For Chrome enterprise installations, Google has prepared a group policy that will let administrators turn it on or off across an organization, depending on each company's security policies.
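For administrators weighing the privacy trade-off, the sketch below models the decision flow described above and records exactly which string would leave the machine. It is an added example, not Chrome's code: the list contents, the verdict strings, and the `RecordingLookup` stand-in for the Safe Browsing server are all constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

SAFE_LIST = {"example.com", "example.org"}  # constructed stand-in for the local safe-list
LOCAL_BLOCKLIST = {"bad.example.net"}       # constructed stand-in for the 30-minute list

def strip_userinfo(url: str) -> str:
    """Drop any user:password@ part; scheme, host, port, path and query are kept."""
    parts = urlsplit(url)
    host = parts.hostname or ""             # hostname excludes userinfo (and is lowercased)
    if ":" in host:                         # IPv6 literals need their brackets restored
        host = f"[{host}]"
    netloc = host + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

class RecordingLookup:
    """Constructed stand-in for the remote check; records every URL it receives."""
    def __init__(self, bad_hosts):
        self.bad_hosts, self.seen = set(bad_hosts), []

    def __call__(self, url: str) -> bool:
        self.seen.append(url)
        return urlsplit(url).hostname in self.bad_hosts

def check_url(url: str, realtime_enabled: bool, remote_lookup):
    """Return (verdict, url_sent_to_server_or_None) for one navigation."""
    host = urlsplit(url).hostname or ""
    if host in LOCAL_BLOCKLIST:             # already covered by the downloaded list
        return "blocked (local list)", None
    if host in SAFE_LIST or not realtime_enabled:
        return "allowed (no lookup)", None  # nothing leaves the machine
    sent = strip_userinfo(url)              # embedded credentials removed before sending
    verdict = "blocked (real-time)" if remote_lookup(sent) else "allowed (real-time)"
    return verdict, sent
```

Inspecting `RecordingLookup.seen` after a run shows that URLs for hosts outside the safe-list are sent with path and query intact, which is the browsing data an organization needs to account for when deciding on the policy.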
PREDICTIVE PHISHING FOR EVERYONE
Another cool security feature added in Chrome 79 is the general availability of Predictive Phishing.
Launched in 2017, Predictive Phishing warns users when they might be entering passwords on suspected phishing sites.
Initially, the feature only supported detecting phishing sites when entering Google account credentials, and only when users were using the Sync feature inside Chrome.
With Chrome 79, Predictive Phishing warnings will be available for all usernames and passwords stored inside Chrome's password database, whether or not the user is using the Sync feature.