
Google’s Chrome 79 Puts Heavy Emphasis on Security

Google on Tuesday released an update to its Chrome browser with a slew of new features that are heavy on security.

Chrome 79.0.3945.79 has 51 security fixes. It offers improved password protection over earlier versions, real-time phishing protection, and predictive phishing tools.

Fifty-one security fixes is high compared with past Chrome releases, and it shows that Google recognizes the issues and has taken steps to fix them, noted James McQuiggan, security awareness advocate at KnowBe4.

Users with multiple Chrome profiles will see a new visual representation of the profile currently in use so they can save their passwords to the correct profile. This does not change their current Sync settings.

The profile menu allows for easier switching and clearly shows whether a user is signed into Chrome.

Chrome 79 also has tab freezing, which reduces drain on CPU and RAM and saves battery life, and can cache Back and Forward histories for faster loading of sites.

New features for developers include maskable icons, Web XR, new origin trials, and Wake Lock.

Chrome 79 will roll out for Windows, Mac and Linux over the next few weeks.

Security Is the Watchword

To help keep you safe online, @googlechrome will now warn if your username & password have been compromised when you type them into a website. We’re also enhancing phishing protections to be real-time on desktop to alert you when visiting malicious sites. https://t.co/XuStf4sKQP

— Sundar Pichai (@sundarpichai) December 10, 2019

When users enter their credentials on a website, Chrome 79 will issue a warning if they have been stolen. This is an evolution of the Password Checkup in users’ Google Accounts and can be controlled in Chrome Settings.

The browser offers real-time phishing protection on users’ desktops, along with enhanced predictive phishing protection, which warns Chrome users when they enter their Google Account password into a suspected phishing site, even if they have not enabled Sync.

Predictive phishing protection works for all passwords stored in Chrome’s password manager.

“Some commercial paid password management programs have built-in password monitoring features,” McQuiggan told TechNewsWorld. “Google is delivering this for free to their end users if they wish to store their passwords with them.”

Scrambling to Catch Up

Features such as predictive phishing “are table stakes today,” remarked Liz Miller, principal analyst at Constellation Research.

“Google has been widely bashed for well over two years, almost since the last update to NIST 800-171 in 2017, for multiple instances of noncompliance — from login attempt limitations to password reuse or complexity standards,” Miller told TechNewsWorld. “So they have been playing catch up.”

Based on replies, there seems to be a lot of misunderstanding to this announcement. When an email/password breach occurs on ANY site, leaked credentials are added to existing public breach databases. What Google is doing here is a net win for users (and btw NIST recommended). 1/2 https://t.co/kHOFAFVVOb

— Kenn White (@kennwhite) December 11, 2019

Further, NIST now requires that new passwords be checked against lists of common or known-compromised passwords, which may include passwords exposed in breaches of sites such as Ashley Madison, social media sites such as LinkedIn, and other credential dumps.

Allowing consumers to find out if their private information was compromised by a data breach is a capability Mozilla has been offering for a long time with its Firefox Monitor.

The Real Issue

A bigger problem is that while Google has been playing catch up, “areas like quantum have been innovating and advancing,” Constellation’s Miller noted.

Are standards that once were considered future-forward enough “when the reality of a quantum encryption cracking feels just around the corner?” she wondered.

“It’s not just about passwords but also data protection,” said Steve Wilson, principal analyst at Constellation Research.

“If browsers had access to physical chips in the computing platform, and embedded keys, then we could start to digitally sign all routine e-commerce transactions to prevent card-not-present fraud and identity theft,” he told TechNewsWorld. “The focus on passwords per se is actually limiting visibility of a bigger authenticity issue.”

Further, checking passwords in the operating system is not necessarily a great idea, Wilson remarked.

“Some sites don’t need or deserve great passwords,” he explained. “It’s actually a mystery to me why so many silly little media sites force you to use a password at all. If a site doesn’t really need to know who you are, then why not use a fake name, a fake date of birth, and ‘password’ as your password?”

Using “toy” free email addresses as IDs is “a nice way to protect your privacy,” Wilson said, “but if the browser suddenly starts to force people to use serious passwords for every single account, then it creates a new type of problem. It exacerbates password fatigue, and it jeopardizes the care that people do put into their high-worth accounts.”

Those Squishy Humans

“Technology can stop a lot of [phishing] attempts, but criminals are evolving their types of attacks,” KnowBe4’s McQuiggan observed. “Technology is only part of the environment to protect against phishing; the human firewall is the other.”

Chrome 79’s new features will be only as effective as the user who chooses to comply and prioritize security, Constellation’s Miller said.

“How many times do people ignore the expired SSL warning and choose ‘advanced settings’ and go to the website anyway? We can do any number of updates, patches and improvements to try to bring all of the fish to the security water,” she said. “The question is, can we force them to drink?”

Richard Adhikari

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.
