Google: Chrome now protects you from Spectre password-stealing attacks

Chrome 67 Site Isolation keeps Spectre attacks at bay

To check whether this is enabled, or disable it should you choose (which we don't recommend), you can head to chrome://flags#enable-site-per-process in your location bar, and then set the toggle for Strict Site Isolation to either Enabled or Disabled.

All this sounds good, but it comes at a cost. With Chrome 67, Google added a feature called Site Isolation that "improves security and helps mitigate the risks posed by Spectre", and it is now enabled by default across Windows, Mac, Linux, and Chrome OS. Google has held back one percent to monitor performance.

Google is investigating how to extend Site Isolation coverage to Chrome for Android, where there are additional known issues.

The mitigation is an impressive engineering feat designed to lessen the damage of attacks that exploit a new class of vulnerability that came to light in January. A website could use such attacks to steal data or login information from other websites that are open in the browser.

In other words, on Windows, macOS, Linux, and Chrome OS devices, Chrome uses the security boundaries provided by the operating system to ringfence each domain into its own browser process.

Google's Chrome browser may be popular, but many of its users complain about high memory usage.

Under Site Isolation, https://google.co.uk would be a site, and subdomains like https://maps.google.co.uk would stay in the same process.
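How that site boundary groups documents into renderer processes, as an added example that is not Chrome's own code: a site is taken as scheme plus registrable domain. The suffix set and sample URLs are constructed; Chrome consults the full Public Suffix List.

```javascript
// Added example: approximate the "site" key that Site Isolation uses.
// PUBLIC_SUFFIXES is a constructed, tiny subset of the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk"]);

// Return scheme + registrable domain (public suffix plus one label).
function siteFor(urlString) {
  const url = new URL(urlString);
  const labels = url.hostname.toLowerCase().split(".");
  // Scan from the left so the longest matching public suffix wins.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // The hostname is itself a public suffix: no registrable domain.
      if (i === 0) break;
      return `${url.protocol}//${labels.slice(i - 1).join(".")}`;
    }
  }
  // No registrable domain (IP address, localhost, bare suffix): use the host.
  return `${url.protocol}//${url.hostname}`;
}

// Group document URLs by site; each group models one renderer process.
function assignProcesses(urls) {
  const processes = new Map();
  for (const u of urls) {
    const site = siteFor(u);
    if (!processes.has(site)) processes.set(site, []);
    processes.get(site).push(u);
  }
  return processes;
}

// Constructed sample: documents open in one browser session.
const SAMPLE_DOCS = [
  "https://google.co.uk/",
  "https://maps.google.co.uk/place",
  "https://ads.example.com/banner",
  "https://www.example.com/",
  "http://example.com/",
  "https://example.org/login",
];

for (const [site, docs] of assignProcesses(SAMPLE_DOCS)) {
  console.log(site, "->", docs.join(", "));
}
```

The scheme is part of the key, so `http://example.com` and `https://example.com` land in different processes even though the hostnames match.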

Enterprise users may use policies to enable Site Isolation starting in Chrome 68 for Android, and there is also a manual option to turn the feature on right now. A given tab could even switch processes when navigating to a new site in some cases.

With Site Isolation, a single page may now be split across multiple renderer processes, preventing bad sites from snooping on legit ones. When frames from different sites share a process, a successful Spectre attack could read data (e.g., cookies, passwords, etc.) belonging to other frames or pop-ups in its process.

As long as you see the subframe processes, Site Isolation is enabled on your system.

"This means all navigations to cross-site documents cause a tab to switch processes".

This also means that all iframes on a page (generally for ads) are put into a different process from the parent frame, which further increases memory usage but improves security at the same time.

Google said it's been working on this for several years, independently of Spectre, so the inclusion of Site Isolation was inevitable. You might need to consider using a tab manager extension. This would normally fail to render and not expose the data to the page, but that data would still end up inside the renderer process where a Spectre attack might access it.

Tip: Firefox supports a similar feature called First-Party Isolation.
