May 29 2018

Google Releases Chrome 67

Google's browser developers have kicked off the rollout of the latest version of the world's most popular web browser. The new edition adds various security fixes, drops a less successful protective technology, and supports the Web Authentication (WebAuthn) standard, which allows logins without passwords.

Probably the most important improvement in Chrome 67 is that it further expands the rollout of Site Isolation, a security mechanism adopted earlier this year in response to a new class of hardware bugs revealed in early January. As the name implies, Site Isolation offers a "second line of defense" against a variety of side-channel and cross-site scripting attacks that attempt to circumvent the barriers set up by the same-origin policy. Initially launched in December 2017 with Chrome 63, the mechanism still hasn't left the trial stage, but it is gradually being opened up to larger numbers of users as browser development continues. However, online sources report that Site Isolation may still be deactivated after a browser update, so users and admins who prefer stricter security and aren't shy of trying out non-standard features need to turn it on manually: navigate to chrome://flags, search for "strict site isolation," and set the control to "enabled." If the new setting causes difficulties, it can be deactivated again by the reverse process (setting the control to "disabled"). Alternatively, there is an opt-out mechanism for any kind of field trial, but that is a step the developers don't recommend.

WebAuthn, for its part, is a new authentication mechanism and API developed by the W3C with help from the FIDO Alliance and others. The idea is to gradually eliminate passwords as the protection for sensitive data and replace them with stronger methods, such as biometric or token-based identification and authentication. In Chrome 67, WebAuthn is enabled by default.

Meanwhile, another security feature, HTTP Public Key Pinning (HPKP for short), is being retired after a rather unsuccessful run. First introduced at the beginning of the decade, HPKP was originally intended to prevent attackers from setting up fake HTTPS websites with the help of fraudulent certificates. However, the mechanism turned out to be hard to implement and carried a risk of rendering sites unusable, so in October last year the Chrome developers announced their intent to drop the standard at some future point. That future point has apparently arrived today; web developers are encouraged to use the "Expect-CT" HTTP header instead, because it is both safer and easier for site operators to deploy.

Otherwise, Google has paid bounties of up to US$5,000 to developers and security experts who reported a total of 34 vulnerabilities since the end of last year, and has repaired issues such as overly permissive policies and use-after-free memory bugs.

The build number for the new stable channel version is Chrome 67.0.3396.62. According to Google's rapid release scheme, the next update is due out by the end of July.

