Domain: chromium.org
Stories and comments across the archive that link to chromium.org.
Comments · 497
-
Chrome is an amazing piece of software
We have been developing a web application for the last two years and I have become more familiar with Chrome than I ever had intended. There has been frustration from time to time (lots of crashes in a "stable" version last summer, a change in performance profiling that made life difficult for a while), but all in all I must say that Chrome is an amazing piece of software. I have not seen a crash in a while (and we are doing some wild stuff, believe me) and with every new release Javascript on Chrome just feels a little bit faster. Before I get too sentimental I just want to say "Thank You" to the Chrome and Chromium team.
And I really hope and pray that in one of the next releases we will see SVG Font support. That would be awesome.
-
Already patched
For those not aware, the vulnerability has already been patched as part of KB4016240, which has already been pushed out on Windows Update. The details of the issue are fully disclosed.
-
Windows Defender - CVE-2017-0290
Official announcement: https://technet.microsoft.com/en-us/library/security/4022344
More background / report: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.
Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.
The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers.
tl;dr: The Javascript engine in Windows Defender (which tries to figure out if it's a virus) has a flaw. Exploit works and can be leveraged if you can force the victim to write something to disk (triggering a scan): eg, sending an email, viewing an image, writing a log entry, etc.
Not a Windows Update, the fix is coming as part of the Windows Defender definitions updates rollout process.
-
Re:59??? my chrome is 57
My mac tells me it's running version 57.___ and it is up to date. So how long do I have to wait for 59?
Probably about 3 months. Beta is the next version, Dev is weekly build, Canary is nightly build. Stable releases are every 6 weeks.
-
At same performance?
It's not a fair comparison if Edge is in effect sacrificing performance - e.g. perhaps the video played smoother and dropped fewer frames on Chrome? We don't know. Could be something as simple as, something in their tests trigger hi-res timers i.e. timeBeginPeriod to be called on Chrome, e.g.: https://bugs.chromium.org/p/ch... (this was a known issue in Chrome for a long time, and if you read the "fix", it isn't a 100% fix in that Chrome will still activate high-res timers in some conditions)
... if Edge say never sets the time period to 1ms but Chrome does then though Chrome might use more power it could be at a benefit of increased performance. If Edge performs as well, and has as responsive a UI, in those same tests, then they have a much stronger case.
Of course, users may want battery life over performance in some cases, e.g. if at a coffee shop or on a plane. If plugged in, I'd want performance over battery life.
-
Re: How many Chromebook buys are accidental?
For the benefit of others reading this, I'll summarize the top three results for Google c++ chromebook as of right now:
- The first result, "C++ Compiler for Chromebook", was a soft redirect to "Compile C/C++ on Chrome OS", which states: "You'll probably need to build it yourself," and links to the article "Building and Testing GCC and GNU binutils". This article in turn appears to be oriented toward developing on a GNU/Linux PC and testing on a Chromebook.
- The second result, "Offline c++ editor and compiler for chromebook", has one reply stating: "No compilers will run under ChromeOS. However, there are a number of very good cloud-based programming/IDE sites that work just fine with Chrome." Use of anything "cloud-based" while riding a school bus or city bus requires a tethering subscription, and in the United States, a tethering subscription for the life of a device is more expensive than a Windows license. Another reply recommends use of developer mode, but that's fragile as I've described elsewhere.
- The third result, "Five Best Online IDE's – Making the switch to a Chromebook", mentions several web-based IDEs but doesn't mention their support for offline use. This article in turn linked to "Choosing the Best Chromebook for Developers", which is an article about Crouton. But Crouton requires developer mode.
So it's either a remote IDE (which fails while offline) or Crouton (which begs to be wiped). Which search terms did you use to find a third option?
Through other searches, I found Trinket, which surprisingly continued to work after I went offline, made changes to the program with Trinket still open, and ran it. But it doesn't appear to work offline after navigating from Trinket and back to it. (This would require use of a Service Worker.)
-
Like Firefox?
Oh, you mean like Firefox has been doing for YEARS? You mean as detailed in bug number FOUR HUNDRED AND FIFTY SIX out of 707,000 bugs filed so far in the Chromium bug tracker?
-
Re:Probably a minor oversight. Will likely be fixe
It looks like it's actually an underlying issue with Chromium, which is what powers Electron, the UI framework which VS Code is based on.
https://bugs.chromium.org/p/ch...
Simple CSS Keyframe Animation Causes Too High CPU Usage
Steps to reproduce the problem:
It happens on my Mac.
Demo page here: http://output.jsbin.com/vogaxa
Add a simplest keyframe animation to an element and Chrome will use 5-6x more CPU than it should.
e.g:
.blinking { animation: 1s blink step-end infinite; }
@keyframes "blink" {
  from, to { visibility:hidden; }
  50% { visibility:visible; }
}
What is the expected behavior?
CSS animation should consume equal (or close to equal) CPU load than its Javascript animation alternative.
Javascript setInterval consumes around 1.2% CPU on my Mac (Chrome's task manager)
1.2% for Javascript animation of a blinking cursor btw is the same usage that I get with no animation and the default cursor inside an input element.
CSS animation should produce the same results.
What went wrong?
CSS keyframe based animation consumes 7-8% CPU which is unjustified for such a simple case.
-
Couldn't get calc.exe to run on a mac
To me, the scariest part of the numerous vulnerabilities report is not the bugs themselves, but rather the response that LastPass had to project-zero #1209. See Comment #4 at https://bugs.chromium.org/p/pr... : "[LastPass] also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac." If this is the level of scrutiny that LastPass is putting into its security incidents, I'm losing confidence in their ability to safeguard user data.
-
Re:I use them quite a lot
I'm sure that will be the case.
Actually, it won't. That is not exposed to extension-writers with the API.
Here is the "bug", and the person who is closing off discussion is pkasting@chromium.org, who I am sure would love his inbox full of everyone's heartfelt responses.
-
Re:I use them quite a lot
Close tabs to the right can be achieved by clicking the first tab, shift clicking the last and then control-w (or -w on mac) since I found out about this (from reading the bug report at https://bugs.chromium.org/p/ch...) I'm less upset about the menu items going away.
-
Re:Fucking DUH.
Certificate pinning resolves this issue
How should a website get its certificate pinned correctly if a user's first visit is through the corporate MITM?
In fact, Chrome disables pinning when a certificate chains up to a user-installed CA, such as a corporate MITM (source).
-
Re:Google are a bunch of cunts
On the contrary, the Project Zero team reports bugs to us (I am a Chromium developer), and we fix them. For example, https://googleprojectzero.blog...
So let's take that example. That appears to be the following bug, correct?
https://bugs.chromium.org/p/ch...
So that bug was reported in January 2014. The patched version of Chromium, M38, was released in October 2014 - much longer than 90 days. Now as far as I can tell, the bug was not made visible to the outside world until October 2014 - am I reading that right? And, if I am, why wasn't it publicly outed sometime in April - the 90-day window Google seems to hold Windows and Mac bugs to?
-
Re:but but but ..
"As much as it is fashionable to bash MS at this anti MS website"
For a long time, this place has been known as the Microsoft slashdot. Do you have anything to say regarding Microsoft's claims regarding the better security in Edge as compared to other browsers?
"Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology .. Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time." ref
"I will ask if you think Chrome is any better? It is kind of unfair as of course Google won't disclose its own bugs.
Chromium issue tracker - Monorail
-
Oops, indeed :-(
-
Re:I've switched to Vivaldi
That's not true at all. Firefox extends the Chrome extensions API in various places as needed. For example, see the "New APIs" here: https://blog.mozilla.org/addon...
Another example: Firefox has implemented a "sidebar" Webextensions API, Chrome has not. https://bugs.chromium.org/p/ch... https://bugzilla.mozilla.org/s...
-
Any hope for practical HTTPS on home LAN?
So I guess the next thing to do is find a way to make HTTPS practical for a web server on a home LAN, particularly with DNS Service Discovery instead of a purchased domain. A lot of routers, NAS boxes, etc. still use cleartext HTTP because the browser publishers' Baseline Requirements forbid certificate authorities trusted by the web browser from issuing certificates for hostnames in the .local TLD. And with browser publishers threatening to make the Fullscreen API HTTPS-only, this would impair video streaming from a NAS.
Sources for threat to drop Fullscreen API: Secure Contexts: Risks associated with non-secure contexts; Secure Contexts: Restricting Legacy Features; Deprecating Non-Secure HTTP; Deprecating Powerful Features on Insecure Origins
Source for impracticality of HTTPS on home LAN: Question to Let's Encrypt rep in /r/IAmA
-
bug
That's a bug right?
-
Re:Yawn
Smart card access has been broken in Linux Chrome for seven odd years, and that's *with* native PKCS plugins. Browser support for smartcards is still horrible. No wonder they had to go for java.
-
Link to Technical Specifics
Chrome team:
https://blog.chromium.org/2017...
Sadly, there weren't many technical details there. Facebook however had an excellent writeup:
https://code.facebook.com/post...
There was some debate about what to do, and we proposed a compromise where resources with a long max-age would never get revalidated, but that for resources with a shorter max-age the old behavior would apply
This seems like a reasonable change. Now I can sleep better without having to worry about a million calls tomorrow about "your web-based product no longer works in Chrome".
-
Re:How about speed and RAM usage fixes?
I apologize in advance if I have misunderstood any of your post. You did a very bad job of formatting it, thus making it much less comprehensible than it should be.
- Firefox still has a customizable UI and chrome doesn't, you can have everything back with classic theme restorer, even UI elements from 10 years ago, and you can export your customization to a file for everyone to enjoy.
I shouldn't have to waste my time "customizing" (read: fixing) a broken default UI.
- Firefox is rolling out a multiprocess model that doesn't just blindly give a process to every tab
Chrome has supported this for a long time now. Since you wrongly seem to think that what Firefox is doing is somehow novel, I recommend you read the Chrome documentation to learn about the different process models it supports.
As for your last two points, the only response I can think of is a simple, "Wrong."
-
Re:Dev
"Pebble developers are welcome to keep creating and updating apps"
Sure, in the same way devs are still welcome to create apps for FirefoxOS. Who is going to bother creating apps for a platform that won't exist in 2 years?
Kind of like Chrome Apps?
-
Re:What a breakthrough!
They do have their own binary diff format. They use it to update Chrome:
https://www.chromium.org/devel...
Google Chrome is based on the open source Chromium. Chromium has the binary diff format, and Google benefits from it. So do I, as I'm a Chromium user on all laptops and desktops here.
-
Only for recent Chromebooks
Google's compatibility list shows it's only for recent (under 2 year old) Chromebooks. It's not that the older Chromebooks are too slow or anything, they just are older than 2 years old. After all, the list excludes many x86 based Chromebooks (including Google's original Pixel).
-
Drawbacks of ways to visit a site without DNS
You don't need DNS to visit a website.
I can think of two ways to visit a website without DNS, and both have serious drawbacks.
- Add the IP address and name to the hosts file: This breaks whenever the site's IP address changes. This file is traditionally editable only by root, and root access is often impractical to gain on any type of device other than a desktop or traditional laptop PC, especially a smartphone or a tablet computer running a smartphone operating system. (Finally, recommending the use of such a file summons him.)
- Enter the IP address in the URL instead of the hostname: This also breaks whenever the site's IP address changes. In addition, it produces a certificate error, as certification authorities issue TLS certificates to operators of hostnames, not IP addresses. If you attempt to work around the certificate error by using legacy cleartext HTTP instead of HTTPS, you lose access to sensitive JavaScript features that browsers have begun to expose only to HTTPS sites, and a man in the middle can easily alter what you see. And either way, you can see only the first site on a given IP address, not other sites hosted on the same address using name-based virtual hosting.
Also, there's nothing preventing you from running your own DNS.
Other than border security intercepting all outbound connections or datagrams on port 53.
-
doesn't work on Chromium
See this Chromium bug.
Why would you have the "Media router" flag enabled by default when it breaks functionality??
-
Re:Bloat
It's funny that the same people who refuse to add bookmark dividers/separators into Chrome because of "extra UI complexity" have no problem adding bloated cruft like this.
-
Re:Time to update firewalls.
Some software attempts a compromise (Chrome's certificate pinning isn't applied to certificates authenticated against a locally imported trusted root; but is otherwise); but anything that either refused to make exceptions or simply doesn't integrate with the platform's certificate handling very well should break SSL decryption with just certificate pinning.
That's often not the only inspection mechanism in place; but anyone who can actually break SSL without access to a trusted cert is currently being very quiet about the matter.
-
Chrome's sandbox
Native apps can be walled off by lightweight virtualization technologies
Google Chrome already runs inside a sandbox that provides something akin to the "lightweight virtualization" you suggest.
or even simply separate user accounts enforced at the kernel level.
So if a home PC has five users, one for each member of the household, and 50 apps installed, would it need 250 user accounts, one for each member of the Cartesian product of users and apps?
-
Secure Contexts
[Appliances on a home network with a web-based administration interface] are not servers and don't need to serve https
The article "Deprecating Non-Secure HTTP" by Richard Barnes begins: "Today we are announcing our intent to phase out non-secure HTTP." Not only Firefox but also Chrome has announced plans to deprecate HTTP. This includes making new web APIs, such as Service Worker, available only to a "secure context". The list of such APIs includes Service Worker, Geolocation, Notification, Fullscreen, Pointer Lock, and Media Stream (camera and microphone).
A secure context is available only if all documents holding references to objects in that context come from a "potentially trustworthy origin", as defined in the W3C's "Secure Contexts" spec. As of right now, web browsers are treating only the 127/8 netblock (that is, localhost) and origins using the https or wss scheme as potentially trustworthy origins. The spec allows a web browser to allow the user to mark other origins as potentially trustworthy, but the present draft doesn't suggest how the web browser might expose this functionality to the user.
as you'll connect on a trusted network - your own, and your own only. Wired or encrypted WiFi.
A web browser cannot tell the difference between my encrypted Wi-Fi network at home and the encrypted Wi-Fi network of the coin laundry near me. For this reason, the RFC 1918 private netblocks 10/8, 172.16/12, and 192.168/16 are by default not treated as potentially trustworthy without the https scheme, unlike 127/8.
-
AppContainer in Windows 8 and later
Windows has no equivalent function to AppArmor or SELinux to profile an executive's privileges before running it.
Windows 8 introduces "AppContainer", which IE uses for its Enhanced Protected Mode. An AppContainer provides a capability model analogous to Android permissions. UWP applications likewise run in an AppContainer. Google Chrome is based on Chromium, which has its own sandbox that uses AppContainer when available.
-
Re:Give the option
Tell that to the people who have been asking for MRU tab-switching for ages
Chrome doesn't even allow plugins to enable MRU for ctrl+tab.
-
Re:It's still Chrome
Just download the latest stable/nightly build of Chromium from https://download-chromium.appspot.com/. Or build it yourself using the instructions at https://www.chromium.org/getting-involved/download-chromium
-
Chromium Development
I don't know if you've looked at what it takes to set up a developer environment for Chromium, but that, to me, seems like a hell of a lot of time investment. It might be worth it if you really wanted something done, but for me that's crossing the line into "I want to be paid for that kind of work," and verging on, "You couldn't pay me to work on that." I don't have a lot of comparative experience with complex build environments, and it does seem to be well documented, but still...it seems quite the ordeal.
-
Re:That's huge!
Chrome is not an application.
.
"...Chromium is an open-source browser project ..."
Which is why I weighed my words and went with Chrome which is mainly a branded binary from the Chromium project. Where "Chromium" can be either the application or the project.
-
Re:depressing
No different for webkit open bugs, or Chromium.
-
Re:Congrats Slashdot!
Obviously at first visit the CA-system still applies, so the certificate was/were issued based on some verification process. So that is a form of out-of-band communication channel. It's the most used channel on the Internet right now. This is just an improvement.
What a lot of attackers want to prevent is detection and with this system in place, the risk of detection also becomes much higher.
Anyway, you can also get your site added to the lists that are included in browsers. Chrome and Firefox use that too (obviously in case something breaks it's much harder to change them): https://src.chromium.org/viewv...
I agree DANE/TLSA is a great solution. But it will take time before most (if not all) networks at least don't break DNSSEC.
-
Re:The list of prefixed properties
Both Chrome and Firefox have adopted a policy not to use the prefixes anymore some years ago: https://www.chromium.org/blink#vendor-prefixes
Also, according to http://caniuse.com/#cats=CSS Firefox's support for CSS seems better than Chrome's
-
Re:It's another nail in Firefox's coffin, I fear.
Chromium is plenty Open Source, where's the problem?
-
Re:/Oblg. No plans to use Firefox then
Chromium doesn't have spyware. You can check the binaries yourself.
-
Re:My Plans for Firefox
The nicest thing I can say about FF is that it opened the floodgates, before Firefox/Phoenix/Mozilla Suite you had crappy IE, broken NS, and adware Opera.
Today there is Comodo Dragon (what I use, better security features and no phone home to Google) Chromium, SWIron, and Opera which my oldest boy swears is the greatest thing ever (hates the new version, went back to using presto) and on the gecko side there is PaleMoon (the other browser I use, I prefer the UI over IceDragon and it seems snappier), SeaMonkey, IceDragon, if you need really low resource there is always Kmeleon which runs really well even on a P3 running Win98SE and if you want to avoid BOTH the Chromium and Gecko engines you can go with QTWeb which is just what it says on the tin, a cross platform browser that uses Webkit and the QT framework...quite nice actually and of course Safari if you are into Apple.
I was using FF before it was called Firefox, and the Suite before that and....yeah, it's just not very nice now. The UI feels like a bad Chrome ripoff and it still has "senior moments" where the entire UI can just "hang" for several seconds, which when you have 8 fricking cores and 16GB of RAM? is just inexcusable. I don't know what went wrong with Moz, but for the past few years they seem to have gone out of their way to just ruin the browser, do they no longer care? Has the UI team been taken over by Google? All I know is if I wanted Chrome I'd use Chrome and the current FF feels like a really bad Chrome knockoff, it's the "Hipad" that looks kinda sorta like the real thing but once you use it? Yeah it's just a knock off.
-
Re:It's their business model.
How does a post that gets almost all of its facts wrong get modded up as Insightful? You started on a provably faulty premise, backed it up with inaccurate statements regarding WebGL, and then closed it out by saying something that I'd have hoped most of us here would trivially recognize as incorrect.
When you expect to get most of your revenue from selling apps in the iStore
Apple announced at the start of the year that they've paid out $25B to developers over the life of the App Store. Do some quick math, and that means that Apple is averaging $0.45B in revenue each quarter from the App Store, which would put it at <1% of their quarterly revenue (e.g. Apple posted $60B in revenue in their latest, post-Christmas quarter).
Which is to say, your basic premise here is that Apple is intentionally crippling the product that makes up 60% of their revenue (iOS hardware) in order to bolster the revenue in a segment that accounts for less than 1% of their revenue (App Store downloads). Seriously? Apple's main business isn't selling apps; it's selling devices that run apps, and you may even recall that back when the iPhone launched in 2007, the "apps" it supported were web apps, not native apps.
iPhone doesn't support WebGL for doing fancy 3D graphics on a web page
Could've fooled me. iOS 8 has been out for nearly a year at this point, and has had WebGL support from the beginning without any of the weird requirements you're talking about.
The browser actually DOES contain code for WebGL, but it's disabled...UNLESS your web site signs up to display Apple-provided advertising banners
A) You're confused. You're talking about iAds (and I'll discuss why I know you are in a sec), but the iAd advertising network only operates in iOS apps, not on websites. Sites can't sign up to it.
B) It's not disabled. See above. WebGL support was available as an experimental feature in iOS 7, and as a standard feature in iOS8. No ads or other funny business required.
The reason you're confused is because, technically speaking, iOS did have support for WebGL as far back as iOS 4.2, but it was only available to iAd developers. By that, I don't mean people who agreed to put iAds in their app. I mean people who were actually making the iAds themselves, since iAds are basically just mini webpages that display an ad.
If that seems a bit weird at first glance, recall that WebGL was a resource-intensive feature on the devices of that day, and Apple has a history of restricting the scope or operation of resource-intensive features until the implementations or device capabilities improve (see: background processing, native apps on Apple Watch, etc.), so it made sense at the time why WebGL was restricted to iAds, since they were designed to only be on the screen for short periods of time yet could stand to gain the most from such a feature.
The only sense in which what you said is correct is that for a few years the only people who were able to make use of WebGL on iOS were the ones making the ads, but it was never a feature that web developers had to make a Faustian pact with Apple to use. It simply wasn't available to them.
Safari uses the exact same core rendering software ("WebKit") as Chrome - so it can trivially support everything that Chrome supports
They haven't both used "WebKit" since Google forked WebKit to create Blink over two years ago, but even before that, they weren't even running "the exact same core rendering software" for the last several years back when they were both running "WebKit".
Google and Apple have had divergent multi-process architectures for quite some time. Google built
-
Re:Why Firefox pisses me off the least
Luckily this isn't the bad old days where it was just IE and netscape, today you DO have options! There is Comodo Dragon (what I use, better security features and no phone home to Google) Chromium, SWIron, and Opera which my oldest boy swears is the greatest thing ever (boy is he still pissed they quit using presto) and on the gecko side there is Firefox, PaleMoon (the other browser I use, I prefer the UI over IceDragon and it seems snappier), SeaMonkey, IceDragon, if you need really low resource there is always Kmeleon which runs really well even on a P3 running Win98SE and if you want to avoid BOTH the Chromium and Gecko engines you can go with QTWeb which is just what it says on the tin, a cross platform browser that uses Webkit and QT.
-
Re:Googles Answer...
https://www.chromium.org/devel... At least until September 2015, when Chrome v45 will remove support for this flag too.
-
Re:things that seem to help
It will be possible to enable NPAPI in Chrome for some time yet. The reason for disabling it by default is to push plugin vendors to port to better approaches that don't leave your system security at the mercy of whatever web page you happen to hit.
According to this https://www.chromium.org/developers/npapi-deprecation they plan to completely disable NPAPI by September 2015. Your workaround buys him about 4 months.
-
Re:bye
Multi process, not multi threaded unless you refer to the two threads inside each process https://www.chromium.org/devel... (2011) but if that's the case then Firefox is multi threaded too, just single process https://bugzilla.mozilla.org/s... (2007)
-
Re:SAVE US AND THE WEB FROM MOZILLA!