back to article Chrome 66: Get into the bin, auto-playing vids and Symantec certs!

Chrome the 66th is upon us and has added some features that Google previewed in months past. One is the September 2017 decision to stop trusting Symantec’s digital certificates, ending a long dispute over the way the security vendor managed its partners’ PKI activities before June 2016. Chrome 66 will warn visitors to sites …

  1. Colonel Mad

    Security Certificates

    Some of us, ahem, have had the devils own job of getting our organisations to renew them, mine got sorted yesterday afternoon, I had to resort to the whistleblowing process.

    1. Lee D Silver badge

      Re: Security Certificates

      Oh, I just stopped using them.

      I don't see why any reputable security company would want to be associated with renewing certificates with the name of someone guilty of complete ineptitude with regards security certificates.

      RapidSSL have been bugging me for weeks, but I have no intention to renew with them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security Certificates

        "Oh, I just stopped using them. ... RapidSSL have been bugging me for weeks, but I have no intention to renew with them."

        I see you don't realise that this isn't who you think it is any longer, these are brands that were sold to Digicert, a seperate company. I also assume you also don't know that SSL certificates are mostly smoke and mirrors.

        Government of Saudi Arabia, NCDC

        Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)

        China Internet Network Information Center (CNNIC)

        There's 3 bastions of free speech and openess for you to think about.

        They can issue certificates for any domain they care and MiM you whenever they want.

        1. Lee D Silver badge

          Re: Security Certificates

          Not if you have any kind of certificate pinning. Welcome to several years ago.

          And I don't care that they were sold to Digicert. Digicert picked them up and they were signed by the same certs, and I'm being forced to renew them earlier because the signing company has had all its certificates removed from browsers. Game over. I don't care who owns them now, before or since, they're dead to me as they required an out-of-band re-signing because of the incompetence of one of their signing parties... and that's just not compatible with my use of SSL.

          To be honest, with LetsEncrypt wildcard certificates now valid in the wild, who cares about any of the CA's at all any more?

          1. Gerhard Mack

            Re: Security Certificates

            "Not if you have any kind of certificate pinning. Welcome to several years ago."

            Certificate pining has turned out to be an unmaintainable mess and was deprecated in Chrome last year.

  2. Anonymous Coward
    Anonymous Coward

    Ok, so you have fixed some bugs

    But does it still send everything you do back to the Chocolate Factory?

    If it does then why would anyone use it? Or don't you even care?

    1. ArrZarr Silver badge
      Windows

      Re: Ok, so you have fixed some bugs

      Because your mainstream options are:

      Edge - same shit but with MS

      IE - completely awful

      Firefox - Has been trying to alienate all of its aficionados for the past 5 years

      Opera - same shit but with China

      Chrome also has the strongest extension ecosystem with the possible exception of Firefox.

      Sure, I use Vivaldi because of the above issues but the scarcity of extensions means I have to return to Chrome every now and then for some tasks.

      1. Chewi

        Re: Ok, so you have fixed some bugs

        Erm, you can install Chrome extensions in Vivaldi.

        1. ArrZarr Silver badge

          Re: Ok, so you have fixed some bugs

          @Chewi

          Well...I feel like a pillock now.

          My other points still stand though :)

          1. AndrueC Silver badge
            Happy

            Re: Ok, so you have fixed some bugs

            Well...I feel like a pillock now.

            Anyone working in IT that has never felt like a pillock is probably doing it wrong. Or has no shame.

            1. Anonymous Coward
              Anonymous Coward

              Re: Ok, so you have fixed some bugs

              "Anyone working in IT that has never felt like a pillock is probably doing it wrong. Or has no shame"

              If it's the latter, they're probably IT management.

      2. Tigra 07

        Re: Ok, so you have fixed some bugs

        Try getting a Youtube downloader add-on through Chrome...Nope

        Add blocker? Maybe, depending on how Google feels about them this month.

        1. JDX Gold badge

          Re: Ok, so you have fixed some bugs

          When did Google ban ad-blockers? I've had one installed for years - since they ported from FF - without issue.

          1. Lee D Silver badge

            Re: Ok, so you have fixed some bugs

            Google has one of the most compliant data protection policies I know, for the UK/EU at least. iCloud/Apple has literally NEVER issued a data-protection compliant policy. They still have a line that basically says (paraphrasing but the brevity and gist is correct) "we can send all your data anywhere any time we like". How they've got away with it, especially pushing iPads in schools, I can't imagine and with GDPR it's a death-sentence.

            But Google have always guaranteed EU- or UK-only data storage and never to move your data out and done it on day one of new legislation every time.

            By comparison, you should be berating Apple, not Google.

            And Google banned ad-blockers because IT LETS A PIECE OF SOFTWARE READ EVERY PAGE AND SEND IT TO A REMOTE SERVER, including secure pages. But, hey, keep bashing them on their privacy too and use your ultra-safe Safari "we can do what we like, up yours EU law" instead...

            1. Anonymous Coward
              Anonymous Coward

              Re: Googe and your data

              But Google have always guaranteed EU- or UK-only data storage and never to move your data out and done it on day one of new legislation every time

              That's all gone up in smoke now that the US Congress Critters have decreed that your data wherever in the world it is held is fair game. If the Feds decided that your cat video is really a call to arms for ISIS, they can get it from Google. No ifs, no buts and poof, it is gone to DC.

              1. Lee D Silver badge

                Re: Googe and your data

                "That's all gone up in smoke now that the US Congress Critters have decreed that your data wherever in the world it is held is fair game. If the Feds decided that your cat video is really a call to arms for ISIS, they can get it from Google. No ifs, no buts and poof, it is gone to DC"

                Not true.

                They try. Of course they do. And they decree things. And they have absolutely zero power of enforcement in doing so.

                Because compliance with the US law AUTOMATICALLY means deliberate non-compliance with the EU law.

                The only exception being carved out (by Microsoft, who like Google have a US and EU subsidiaries that are completely different entitiies) is data on US citizens stored on EU servers (because US data law is so lax that can happen).

                But the US can demand, decree, order, cite and write what they like. Nobody at Google (EU) can *allow* even the *potential* for an entity outside EU to access that data (even the US Privacy Shield stuff is a load of nonsense and not really at all EU-compliant, hence is only relevant if you're in a US jurisdiction anyway), or co-operate with such, without being collectively AND personally sued into oblivion.

                Same way that the US can decree they own all of the North Pole, or space. They can say what they like. It doesn't mean it's true.

                Especially when, if they REALLY wanted the data, they could just file a request to an EU court which is quite capable of granting it legally given due cause. They don't because they know it would be refused.

                But the "US can get all your data" is still nonsense and hyperbole.

                It's like me being a magistrate and ordering the coffee shop down the road to provide the full names and addresses of every employee of the franchise they are under who live in Outer Mongolia. 1) They are unrelated entities, 2) they don't have access to it, 3) Outer Monogolia would beg to differ about whether you're allowed it or not, even if someone DID want to risk imprisonment.

                Literally, someone in Google or Microsoft's EU headquarters can go to jail for ALLOWING a way for anyone at Microsoft (US) access to "personal data" that's stored on or on behalf of EU citizens within the EU. Despite Microsoft probably having less of a business relationship with Microsoft (EU) than they do with Google (US).

        2. Anonymous Coward
          Anonymous Coward

          Re: Ok, so you have fixed some bugs

          Youtube downloader add-on (or video download helper add-ons) are quite 'last decade' now: there are plenty of websites which allow you to do that quickly for Facebook, Twitter, Youtube videos. Even the more obscure ones hosted on Chinese video sites.

          Some of the browsers already have a built-in ad blocking feature. You can even enable it on Incognito (private browsing) mode.

        3. Florida1920

          Re: Ok, so you have fixed some bugs

          @Tigra 07

          Try getting a Youtube downloader add-on through Chrome...Nope

          Faster Tube

          Add blocker? Maybe, depending on how Google feels about them this month.

          uBlock Origin

      3. Anonymous Coward
        Anonymous Coward

        Re: Ok, so you have fixed some bugs

        Try a fork of Chromium, minus the Google 'innovations'.

        Advanced Chrome

        http://browser.taokaizen.com/

        It's equivalent to what Pale Moon is to Firefox.

        Also, Russia's finest: Yandex browser. Based on Chromium, but looks sexier and has some UI tweaks which are useful and sorely missed in official Chrome.

        I have some users praising the Brave browser, but I can't comment about it as I never used it.

      4. Teiwaz

        Re: Ok, so you have fixed some bugs

        Firefox - Has been trying to alienate all of its aficionados for the past 5 years

        I was halfway switched to Chromum when Firefox 57 came out.

        Ui changes - didn't bother me, I was using vimperator and the like for most of that debacle.

        plugin/extension changes - don't use many

        Really, really slow to start and heavy on resources was what was pushing me off though.

        Better now.

        1. JLV

          Re: Ok, so you have fixed some bugs

          >Firefox - Has been trying to alienate all of its aficionados for the past 5 years

          I honestly don't know why the OP feels he has to speak for all Firefox users. I wouldn't presume to speak for all Chrome users, though it is one of my fallback browsers.

          Vivaldi is more interesting and waaay less hoggy of RAM than Chrome or FF => pretty much always <500MB.

          Generally happy enough w FF, not least due to the presence of NoScript. Now, as far as resource usage goes, go take a peek under the covers and you will still see tons of RAM in use by FF, albeit split up under other processes than the main ones (a PR-friendly trick - even if process splitting serves other purposes too - it picked up from Chrome). 2.5G to serve 3 tabs, yay! Yes, I know unused RAM is useless RAM, but that's still over the top.

    2. JDX Gold badge

      Re: Ok, so you have fixed some bugs

      >But does it still send everything you do back to the Chocolate Factory?

      >If it does then why would anyone use it? Or don't you even care?

      I don't really care. I rather assume everything I do online is viewable by someone who really cares, but that they almost certainly don't. If Chrome is working within the law(?) I'm OK with that.

  3. Anonymous Coward
    Anonymous Coward

    Version 66 eh? Seems a high number of different versions

    1. Steve Davies 3 Silver badge

      re: Version 66

      Don't worry, Version 666 will be released next week.

  4. Anonymous Coward
    Anonymous Coward

    Execute Order 66...

  5. This post has been deleted by its author

  6. Kevin Johnston
    Joke

    Paranoid or secure?

    I have often wondered with all the conflicting information about Opensource vs MS/Apple and the browser wars etc etc etc

    What if I go online and do lots of things and nobody monitors me or scrapes my data. Could I be that insignificant? It keeps me awake at night

    1. cosmogoblin
      Facepalm

      Re: Paranoid or secure?

      Big Brother is watching you ... because he cares.

  7. Steve Lionel

    Chrome 70 will distrust all Symantec certificates

    My experience with Chrome 66 Beta and older Symantec certificates is that it completely blocked you from opening the page - it doesn't just warn you it's insecure. Maybe they changed that for the public release. I had to complain to my web host that their own login page was affected - they did eventually fix it.

    According to Google (https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html), Chrome 70 will stop trusting ALL Symantec-issued certificates "including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL"

  8. Joe Gurman

    Um....

    “[P]ages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do.”

    Isn't that what Safari, on macOS at least, has been doing for years — long before the CPU vulnerabilities were known, for each page/tab?

  9. Anonymous Coward
    Anonymous Coward

    Available now

    Just checked "About Chrome" and it updated to Version 66.0.3359.117 (Official Build) (64-bit) - I'm UK based

    I can't see the video auto play to disable it - it's one of the things that annoys me from news sites like Metro.

    1. sloshnmosh

      Re: Available now

      "I can't see the video auto play to disable it - it's one of the things that annoys me from news sites like Metro."

      Try: chrome://flags Search for "Autoplay policy"

  10. Steve Graham

    Spectre?

    I don't understand how handling different web pages in separate processes mitigates Spectre. Isn't the whole point of Spectre that a malicious process can infer the content of memory which it doesn't own?

    1. John Gamble
      Boffin

      Re: Spectre?

      It's not a cure-all, but it does mean that anyone trying to make use of the Spectre flaw can't assume the memory to read is at an easily-deduced address.

      It's the same reasoning behind kernel address space layout randomization, or using hash randomization to avoid collision attacks. Making the attack too expensive to use can be an effective counter-measure.

    2. Fullmetal5

      Re: Spectre?

      I don't know Spectre stuff very well but from what I understand this isn't about ALSR like the other commenter was saying but about making the Javascript JIT that is included in Google Chrome avoid generating code that could be abused for speculative execution or generate some speculative execution barrier in the vulnerable parts. This is because Javascript gets compiled to assembly for performance instead of being interpreted. Chrome's JIT implementation (called V8) had the possibility to JIT code that could be abused to do timing attacks against some address and figure out either if there was anything mapped there or if some data they predicted would be there.

      As for your comment on process isolation. I believe it's because Spectre was never about getting info from other SEPARATE processes. It was about getting info from mapped pages that weren't readable to the current process. Like ring-0 code reading something vs ring-3 code reading something. As long as none of the other pages from that process were mapped into memory of the second process then I don't think Spectre affects things like this. The reason Chrome does process isolation is so that if someone gets code execution in a rendering process or such then it won't be able to read things like cookies or the page contents of sites that weren't from the same origin as that rendering process.

  11. steviebuk Silver badge

    Chrome 66 will roll out in coming days and weeks.

    ? Mine has just updated already so the coming days means today then?

    1. Jamie Jones Silver badge

      Re: Chrome 66 will roll out in coming days and weeks.

      Today is one of the coming days, yes.

      "roll-out" is the key term here - packages for all different operating systems and distributions will not be updated today.

      Additionally, android updates don't reach everyone at once.

  12. 404

    So which versions carry site isolation?

    Just updated here to version 66.0.3359.117... running 18 (eightfuckingteen) processes for nine tabs... dayum. Was a process per tab in 65 IIRC?

    1. Anonymous Coward
      Anonymous Coward

      Re: So which versions carry site isolation?

      at least the advanced preferences "chrome://settings/content" of Chrome versh 66.0.3359.117 allowed me to block website access to my effin Clipboard. I had seen clipboard mentioned in some WGET caches from 2012, but I thought "surely they dont have permission for all of that?"

      . . . and possibly now they don't

      (oh, just checked 13 tabs with 19 processes)

      1. 404
        Boffin

        Re: So which versions carry site isolation?

        Got it:

        https://support.google.com/chrome/answer/7623121?hl=en

        When you turn on site isolation, Chrome offers more security protections for your browser.

        Chrome will load each website in its own process. So, even if a site bypasses the same-origin policy, the extra security will help stop the site from stealing your data from another website. Learn more about site isolation.

        On your computer, open Chrome.

        In the address bar at the top, enter chrome://flags/#enable-site-per-process and press Enter.

        Next to "Strict site isolation," click Enable.

        If you don't see "Strict site isolation," update Chrome.

        Click Relaunch now.

        If you’re an administrator, learn how to manage site isolation for your organization.

        Known issues

        Memory: Site isolation will increase Chrome's memory use by approximately 10–20%.

        Printing: Cross-site iframes will be blank. To print the entire page, save the page to your computer. Then, open and print the saved file.

        DevTools: Chrome Developer Tools don't fully support cross-site iframes with site isolation

        ----------------------------------------------------------------------------

        13 processes, 7 tabs, anywhere from 5 to 131.7MBs each process with strict site isolation enabled - some other neat shit in there too if you look lol

    2. diodesign (Written by Reg staff) Silver badge

      Re: So which versions carry site isolation?

      They all do - just enable it in settings (article is updated with info on how to do that).

      C.

      1. 404
        Happy

        Re: So which versions carry site isolation?

        I know - I'm the guy who sent you the correction ;)

  13. bombastic bob Silver badge
    Stop

    by-default blocking of auto-play content that includes sound.

    what about by-default blocking of ALL auto-play content? I do _NOT_ want AD VIDEOS being streamed, EVAR, on ANY web site. A 'click to view content' replacement graphic is acceptable.

    because, you KNOW it's coming!

    I didn't see in the article where you can block ANY auto-play content with any kind of setting. Must I load a plug-in for this? Because, flash blocking is easy, javascript blocking is easy, HTML5 video blocking may NOT be so easy, and I _DEFINITELY_ want to do _THAT_!!!

    1. 404

      Re: by-default blocking of auto-play content that includes sound.

      Here Bob... chrome://settings/content

      Have fun.

  14. peterm3
    WTF?

    Field trial

    I am rolling out Chrome in an enterprise environment with 5000 Windows clients. In Chrome 66 it seems to be the case that the default settings for site isolation chrome://flags/#site-isolation-trial-opt-out means that we are opted in to a field trial? Does that mean it will essentially be a case of random chance whether or not a particular client is using site isolation at a particular time? Apparently Google have fixed the issues with printing iframes since the beta (although I haven' tested it). So my only concern would be RAM usage, as many have only 4 GB of RAM.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like