Domain: chromium.org
Stories and comments across the archive that link to chromium.org.
Comments · 497
-
Re:Hello
Nice try, but this is significantly different from what Firefox does.
From TFA:
The directive “causes Chrome to upgrade insecure resource requests to HTTPS before fetching them”, Google explained today.
TFA's link to chromium.org essentially says the exact same thing:
Upgrading legacy sites to HTTPS
Transitioning large collections of unmodifiable legacy web content to encrypted, authenticated HTTPS connections can be challenging as the content frequently includes links to insecure resources, triggering mixed content warnings. This release includes a new CSP directive, upgrade-insecure-resources, that causes Chrome to upgrade insecure resource requests to HTTPS before fetching them. This change allows developers to serve their hard-to-update legacy content via HTTPS more easily, improving security for their users.
Converting to plain English: If the URL says "http://", Chrome will first try the same link with "https://". You'll only see a mixed-content warning if the website fails to return content for the "https://" link. This obviously assumes that the website is running both HTTP and HTTPS, and that it will give the same content regardless of whether you use HTTP or HTTPS.
Your link to Firefox 23 only talks about issuing warnings for mixed content; it does not say anywhere that it attempts to retrieve the HTTPS version of an HTTP link.
tl;dr: Firefox just blocks it; Chrome looks for a safe alternative and only blocks if the safe alternative doesn't exist.
[ Disclaimer: I use Firefox; I have never used Chrome. ]
-
Summary misses out the actual feature...
What a shock, a slashdot summary that misses the actual salient point of the linked article...
Here's the description of the new feature from the linked article:
If the same site was accessed in Chrome 43 -- which is beta now but should be stable in May -- the warning should vanish thanks to a browser Content Security Policy directive known as Upgrade Insecure Resources. The directive “causes Chrome to upgrade insecure resource requests to HTTPS before fetching them”, Google explained today.
Here's Google's own description of the feature from the Chromium Blog:
Upgrading legacy sites to HTTPS
Transitioning large collections of unmodifiable legacy web content to encrypted, authenticated HTTPS connections can be challenging as the content frequently includes links to insecure resources, triggering mixed content warnings. This release includes a new CSP directive, upgrade-insecure-resources, that causes Chrome to upgrade insecure resource requests to HTTPS before fetching them. This change allows developers to serve their hard-to-update legacy content via HTTPS more easily, improving security for their users.
So basically this means you don't have to worry if you accidentally miss an HTTP asset link on your site when upgrading to HTTPS; Chrome will automatically do that for you.
Hopefully the other browsers will follow suit soon, otherwise it's of limited use.
-
Re:Link not linking anywhere
Should link here.
-
Re:Second link is empty A tag
Though the first link's article does mention the destination, https://blog.chromium.org/2015...
-
Re:Removing this CA from your macbook
Why does Apple get to decide what certs are trusted or untrusted? They should send out a security notice advising customers about the situation and then let individuals deal with it from there. Also, all certs should be shipped as "untrusted" so that the user can selectively enable what he wants to be trusted.
Have you looked at the root CA list in any of the major browsers/OSs? Why are we required to implicitly trust every single one of these entities to sign anything they want? If those lists illustrate how broken the CA system is, I don't know what will.
-
They are working on it
The technical people are actually working on this problem:
1. make it super easy to encrypt all websites:
https://letsencrypt.org/
2. In the long run:
"Marking HTTP As Non-Secure"
https://www.chromium.org/Home/...
And many, many more improvements.
-
Re:A new Firefox?
It's a branch of firefox, basically the same thing without all the bullshit. I've been using mainly chromium (chrome branch) for the better part of two years. The chromium branch is the same as chrome minus the tracking components stripped out. For anyone interested you can grab the prebuilt here or grab the uncompiled version from the repository here and build your own.
-
Re:Not really needed
Presence of overflow does not indicate a bug. Consider lots of video codecs and cryptographic functions which require the mod 2^n provided by processor arithmetic.
Their process detects integer overflows in memory allocation only. That's not useless, but it's not what the slashdot summary says. This isn't about C's signed vs. unsigned, their software works on x86 assembly anyways.
Having just read the paper, the interesting part is where they figure out how to produce inputs which trigger the bug in the real software. It's a mix of fuzzing techniques (start with a seed and mutate) to get up to the memory allocation, plus SMT solving to solve for an input locally that triggers the flaw.
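As an added example (my own code, not from the comment above or from the paper it discusses), the C below shows the distinction the comment draws: a hash whose multiply is meant to wrap mod 2^32, next to an allocation-size computation in which the same wrap would hand the allocator a too-small size, and a checked version that rejects the request instead. The 32-bit model function is an assumption I use to make the wrap visible on a 64-bit host; `checked_array_alloc` relies on the GCC/Clang `__builtin_mul_overflow` builtin.

```c
/* Added example: intended mod-2^n wrap (a hash) versus the same wrap in an
 * allocation size, where it is a bug. Not from the comment or the paper. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* FNV-1a, 32-bit. The multiply is SUPPOSED to wrap mod 2^32 on every step;
 * an analysis that flagged every unsigned overflow would report this hash. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811c9dc5u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;          /* wraps by design: unsigned arithmetic */
    }
    return h;
}

/* Model of a 32-bit allocator argument (assumption: the product is computed
 * in 32 bits, as it would be for a uint32_t size on any platform).
 * Returns the wrapped product, i.e. what malloc() would actually be asked for. */
uint32_t wrapped_size_u32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;      /* silently wraps when > UINT32_MAX */
}

/* Returns 1 when count * elem_size does not fit in 32 bits: a later loop that
 * writes `count` elements would run past the undersized buffer. */
int alloc_size_wraps_u32(uint32_t count, uint32_t elem_size)
{
    uint64_t wide = (uint64_t)count * elem_size;
    return wide > UINT32_MAX;
}

/* Hardened allocation for the native size_t: refuse when count * elem_size
 * overflows rather than passing the wrapped value to malloc(). */
void *checked_array_alloc(size_t count, size_t elem_size)
{
    size_t bytes;
    if (__builtin_mul_overflow(count, elem_size, &bytes))
        return NULL;               /* overflow: reject instead of undersizing */
    return malloc(bytes);
}

int main(void)
{
    /* Constructed inputs: 0x40000001 elements of 4 bytes = 2^32 + 4 bytes. */
    uint32_t count = 0x40000001u, elem = 4u;
    printf("fnv1a32(\"abc\") = 0x%08x (wrap intended)\n", fnv1a32("abc"));
    printf("%u * %u wraps to %u bytes; wraps=%d\n", count, elem,
           wrapped_size_u32(count, elem), alloc_size_wraps_u32(count, elem));
    void *p = checked_array_alloc(SIZE_MAX / 2, 4);
    printf("checked_array_alloc(SIZE_MAX/2, 4) -> %s\n", p ? "pointer" : "NULL (rejected)");
    free(p);
    return 0;
}
```

The point the comment makes is that a tool cannot decide from the wrap alone: `fnv1a32` and `wrapped_size_u32` execute the same machine instruction, and only the second result flows into a length that later bounds a copy. That is why checking overflow at allocation sites specifically, as the comment describes, is the tractable version of the problem.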
-
Re:We desperately need unflashable firmwares
http://www.chromium.org/chromi...
https://docs.google.com/presen...
C710 has hardware write switch and SDCard reader. In theory, you could flash it with your own signed firmware to read your own signed kernel. Now, do you trust that the hardware has no backdoor?
-
Re:So much for Debian 8, then...
"TSYNC is a new sandboxing flag for seccomp that was recently added to the Linux kernel." -- from the description of the change to Chromium
Sounds like more browsers should be using it.
... when the feature is present.
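Added example, written for this page and not taken from the comment or from Chromium's sandbox code: a C program that installs a seccomp-bpf filter with `SECCOMP_FILTER_FLAG_TSYNC` through `seccomp(2)` when the running kernel offers it, and falls back to the older `prctl(PR_SET_SECCOMP)` path otherwise, which is the "when the feature is present" case the thread raises. The filter body is a placeholder that allows every syscall so the install path can be exercised safely; the function name and result codes are my own.

```c
/* Added example (not Chromium code): prefer seccomp(2) + TSYNC, fall back to
 * per-thread prctl() on kernels that predate it. Linux only. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1            /* seccomp(2) op, Linux >= 3.17 */
#endif
#ifndef SECCOMP_FILTER_FLAG_TSYNC
#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) /* flag value from the kernel UAPI */
#endif

enum install_result {
    INSTALL_FAILED = -1,  /* neither path worked; errno says why */
    INSTALL_LEGACY = 0,   /* prctl(PR_SET_SECCOMP): calling thread only */
    INSTALL_TSYNC  = 1    /* seccomp(2) + TSYNC: applied to all threads at once */
};

/* Placeholder program: a single instruction returning ALLOW for every syscall.
 * A real sandbox would instead allow a short list and kill/trap the rest. */
static struct sock_filter allow_all_insns[] = {
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

int install_filter_prefer_tsync(void)
{
    struct sock_fprog prog = {
        .len = sizeof(allow_all_insns) / sizeof(allow_all_insns[0]),
        .filter = allow_all_insns,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return INSTALL_FAILED;

#ifdef SYS_seccomp
    /* Preferred path: with TSYNC the kernel applies the filter to every thread
     * of the process, so a thread started before the filter cannot escape it. */
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                SECCOMP_FILTER_FLAG_TSYNC, &prog) == 0)
        return INSTALL_TSYNC;
    /* ENOSYS: no seccomp(2) at all. EINVAL: seccomp(2) exists but the flag is
     * unknown. Anything else (e.g. ESRCH, another thread with a conflicting
     * filter) is a real failure a sandbox must not paper over. */
    if (errno != ENOSYS && errno != EINVAL)
        return INSTALL_FAILED;
#endif

    /* Legacy path: covers only the calling thread, so it has to run before
     * any other thread exists to give the same guarantee. */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return INSTALL_FAILED;
    return INSTALL_LEGACY;
}

int main(void)
{
    int r = install_filter_prefer_tsync();
    if (r == INSTALL_TSYNC)
        puts("filter installed with TSYNC: all threads covered");
    else if (r == INSTALL_LEGACY)
        puts("kernel lacks TSYNC: filter installed for this thread only");
    else
        perror("seccomp install failed");
    return r == INSTALL_FAILED ? 1 : 0;
}
```

Detection of the feature is done by attempting the call and inspecting `errno`, not by parsing a kernel version string; a distribution kernel with the flag backported (the Debian 8 situation the thread title refers to) is then handled correctly either way.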
-
Re:Internet Explorer
More standards compliant based on what? Chrome is 100% acid 3 compliant and has one tiny pause. Chrome has kicked IE's ass in standards compliance for years and continues to do so.
Opera up to 12+ always passed the acid tests, even acid test #1 when they shouldn't have been prepared for it. I don't think any other browser can make this claim. Opera 26 passes #3 100/100 (no pause and one tab edit from default) but it's chrome with a different skin. While not actually Chrome they are stepping in its footprints. About Opera 26: made possible by http://www.chromium.org/ it will import bookmarks but not Opera's :)
-
Re:The bigger question IMHO
The newer protocols will reduce latency. See http://www.chromium.org/spdy/s...
-
Re:Alternative?
Yes it says so and links straight to the ppapi code used in chrome which is fully open source: https://src.chromium.org/viewv... . Hell, even the chrome repository for ppapi is full of example code if you want to write your own plugins.
-
Re:Any reason?
Each web tab runs in its own process; you can see the CPU, Memory, per tab. Use: More tools > Task Manager
Looks like Chrome removed the FPS column
-
Re:Bug in HW decoding == unwatchable
Fast forward a few days, and someone tracked that bug down to an incorrect setting in Chrome code: https://codereview.chromium.or...
So yes, it was very straightforward, and wasn't the drivers' fault.
-
Re:also applies to flash and acrobat
To run Chromium without the proprietary extras that come with Google Chrome, Google's solution is "compile it yourself", as far as I can find. Many GNU/Linux distributors provide Chromium, but the "Beta or Dev channel" link on Google's "getting involved" page points at Google Chrome including proprietary extras. Or are Windows and OS X "big brother operating systems" that defeat the purpose of running open source Chromium?
-
Re:Chrome Dumbed Down
Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "Advanced", but they aren't anymore. Not even available under about:flags.
Add --ssl-version-min=tls1 as a command line flag. Check here for the way to do that, depending on your OS:
-
Re:It did?
Here is a post from the Chromium Blog that explains how 64 bit improves Chrome. Incidentally this applies to software generally, not just Chrome. The key part of the post that explains the expected improvements:
64-bit Chrome has become faster as a result of having access to a superior instruction set, more registers, and a more efficient function calling convention. Improved opportunities for ASLR enhance this version’s security. Another major benefit of this change comes from the fact that most programs on a modern Mac are already 64-bit apps. In cases where Chrome was the last remaining 32-bit app, there were launch-time and memory-footprint penalties as 32-bit copies of all of the system libraries needed to be loaded to support Chrome. Now that Chrome’s a 64-bit app too, we expect you’ll find that it launches more quickly and that overall system memory use decreases.
While you may appear to be using more RAM because the 64 bit Chrome processes are larger than the 32 bit, the net memory usage should be the same or less because 64 bit Chrome will not pull the 32 bit stack into RAM to operate. ASLR is a security technique that mitigates vulnerabilities that appear in applications and libraries; lack of a form of ASLR is among the reasons Heartbleed became a thing.
So stop quibbling and use modern software. If you are experiencing a RAM shortage — as opposed to obsessing needlessly over monitoring tools and being difficult — then get more RAM or use a less demanding browser; Chrome uses more resources than its contemporaries and makes no apologies for it.
-
Re:Well...
No, Chromium development is nothing like Android development. You can watch Chromium checkins go in around the clock: http://build.chromium.org/
-
Re:Well...
Chromium is indeed still open source. Pre-built here. Build your own here.
-
Re:Welcome to your new walled garden
Luckily this isn't the bad old days where it was just IE and netscape, today you DO have options! There is Comodo Dragon (what I use, better security features and no phone home to Google) Chromium, SWIron, and Opera which my oldest boy swears is the greatest thing ever (boy is he still pissed they quit using presto) and on the gecko side there is Firefox, PaleMoon (the other browser I use, I prefer the UI over IceDragon and it seems snappier), SeaMonkey, IceDragon, if you need really low resource there is always Kmeleon which runs really well even on a P3 running Win98SE and if you want to avoid BOTH the Chromium and Gecko engines you can go with QTWeb which is just what it says on the tin, a cross platform browser that uses Webkit and the QT framework...quite nice actually and of course Safari if you are into Apple. There is one other....what was it? Oh yeah the big blue E thing.
;-)
So if you don't like the direction Google is going? Don't use their products. After they started getting nasty with the TOS and trying to ram G+ down our throats I dropped Google like a bad habit, I set up a throwaway Gmail I never use just for my Android phone (so they can't tie my desktop and mobile together) and use my main Gmail for a spam dump, switched to Bing for my search and Yahoo for my mail so no one company has access to all my online data and ya know what? couldn't be happier. What DOES really piss me off about Google is how they have become a drive by spammer, you have no idea how many Chrome "infections" I've had to clean off of customers' PCs because some "freeware" had Chrome tied into it. We used to get seriously pissed at how McCrappee and Horton used to dump their stupid scanners onto us with freeware so why isn't everyone mad at how Google is spamming Chrome? An unwanted install that takes over defaults...hmmm...if it walks like a duck and quacks like a duck?
-
Re:Old
True, old news but no, unless it comes from their blessed store or points to their blessed store you can't http://www.chromium.org/develo...
-
This is not new news.
Those of us on the Dev channel for Chrome hit this in February. It's definitely a fucked up decision by the Chrome team and has led to a lot of folks ripping out Chrome in favor of something else. The claim made by the devs is that it's safer if the extensions come out of their web store and would eliminate malicious activity from extensions. They obviously didn't want to fix the browser to alert the user when malicious extensions are installed or provide a sysadmin set of functions necessary to install necessary, safe extensions. Of course we all know it's another fucking walled garden take-over by Google. I've already recommended to clients that they don't use Chrome and have removed it from a little over 4000 systems thus far. Personally Google is fucking the user community on this one, so fuck Google.
-
Re:Uh the NSA post it says different
Of course if they're just going to pretend to be Google and fool browsers into thinking they're talking to Google and decrypt/re-encrypt at that point, there's not much Google can do about it anyway.
Yeah, not much they can do.
-
Re:Software freedom "fast" and "not bloated"
Or you could use Chromium
-
Re:Google's Aura
Is looking darker and darker every year
Actually, Aura has been part of the Chromium project for quite some time, so it isn't any darker today than it was yesterday, or even last year or the year before. Most likely, this has more to do with ChromiumOS than Chromium/Chrome.
Here's the link: http://www.chromium.org/develo...
-
Re:I'm with Google...
Reading through the documents, it doesn't look like a trivial task to recompile all your GTK-2 apps against it. From the UI Toolkit standpoint, it looks like a combination of NextStep and Swing.
AFAICT Aura is more than just a UI Toolkit, it's a complete Window Manager. A replacement for Gnome (wow! I hope that takes off!) Apparently it's been running on the Chromebooks. Here is Linus' take on the topic.
The main reason I would be reticent to use it is because Google doesn't always have a strong commitment to backwards compatibility. So you may end up having to rewrite pieces of your code, just to keep them compiling. If you're ok with that though, go for it.
-
Also in Chrome 33: Welcome to Walled Garden
You think that's the real problem in Chrome 33?
Well, compare that to this fact: on Chrome 33 on Windows (and Windows only) all non-Chrome-Web-Store extensions are forcibly disabled and will not install anymore, with the exception of pushing them through domain group policy.
http://www.chromium.org/develo...
So, say goodbye to anything not blessed by Google, like extensions that allow "the unauthorized download of streaming content or media".
Unless you want to use the Dev channel as an official workaround, or are content with loading extensions unpacked, with no auto-update.
It's not like I don't understand the problem, I've seen rampant Chrome crapware on clueless people's computers. But this is heavy-handed.
-
Re:Repulsive
Perhaps a better approach is Google's NaCl, where intermediate code is translated more directly to native code, while putting security guarantees in place. But here, of course, cross-platform support is an issue.
You might find Portable Native Client interesting, which is built out of LLVM+NaCl.
http://www.chromium.org/native...
I'm hoping that eventually browsers, mobile phones, and cloud hosting will just become sandboxed LLVM targets. Then people could use whatever language they like, wherever they want.
-
Re:Great
Chrome developer here. If you are deleting your extensions and they are showing back up in a few minutes, you have malware on your system that is actively re-installing them (I have seen this in action).
Under normal circumstances, deleting an extension on one machine (assuming you have extensions sync turned on) will cause it to be deleted in your central account, and this delete will propagate to your other machines. Chrome won't push an extension back to your machine that you just deleted. Also, side-loaded extensions (ones that you didn't get from the Web Store) are never synced.
The problem is that many users have malware running in their system that continually installs a particular extension into Chrome, so if you delete it, it goes right back (through no fault of Chrome's). The only solution for now is to find and disable the malware. On Windows, we will soon be blocking side-loaded extensions to prevent this sort of thing from happening.
-
Re:If MS wrote dart for IE instead
It's started the process of ECMA standardization.
-
Re:25%??
Dart team member here. The Dart project, like Chromium, is being run as a fully open source project accepting patches from Googlers and non-Googlers alike. We've also begun the ECMA Standardization process, meaning that like JavaScript we'll have an open standard that anyone can implement to. In terms of Dart users, here's a list of some. Hope that answers your questions!
-
Re:So They're Always listening?
Actually, that's not true at all. A while back, François Beaufort noted that the extension had been preemptively whitelisted so that it alone doesn't repeatedly need explicit permission to use the microphone. Usually, any website or extension that wants to use the microphone must ask the user for it at least once, repeatedly if the site doesn't use HTTPS. See here: https://plus.google.com/100132233764003563318/posts/YRq7NrS5waS
(The link is messed up; the actual diff of interest is here: https://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/media/media_capture_devices_dispatcher.cc?r1=225124&r2=226242&pathrev=226242)
-
Re:Stop with JavaScript
What you really want is PNaCl. LLVM bitcode running sandboxed in the browser at native speed is the pinnacle of client-side scripting - you are not limited in your choice of languages and frameworks at all; if you want to script in C, you're welcome to do so, and if you prefer some high-level dynamic language like JS or Python, then you just run the corresponding VM in the sandbox.
-
Re:Or, of course extensions that google doesn't li
If that were the motivation, would they not also do this on the Mac?
This is about _fucking_ annoying windows malware repeatedly reinstalling chrome extensions.
The fact that they are not breaking the capability on 'enterprise' policy installs suggests the same.
Incidentally, even if you aren't on a domain, this should mean that it isn't exactly rocket surgery to install the 'blocked' Chrome extensions. Winkey+r, gpedit.msc, import the chromium policy templates, modify 'ExtensionInstallForcelist' to taste. Game over.
-
Re:We're stuck on IE 6 or 8 here in business land
> Any reason you didn't go for chrome-frame instead?
Chrome frame is being retired Jan 2014. http://blog.chromium.org/2013/06/retiring-chrome-frame.html
-
Uses of Java applets
Must we have this troll comment every time someone mentions Java applets?
Java applets are commonly used, as they have been for many years. According to this Chromium blog post from September 2013, 8.9% of Chrome users had launched something using the Java plugin in the past month.
Among the common uses that get mentioned every time this discussion comes up are: public access to banking and government systems in various countries, games, user interfaces for devices (scientific equipment, network infrastructure, all kinds of examples), access to local hardware devices that aren't yet available via newer technologies, some popular teleconferencing and VPN software, and little demo graphics written by academics to go on their web sites a decade ago that are still just as relevant today.
In other words, just because you don't use Java applets yourself or know when they're still useful, don't assume everyone else is in the same situation.
-
Re:VPN that connection !
The same still applies. Sure, you're circumventing the eavesdropping of your employer. You still have a long list of trusted signing authorities in your browser.
There's no good reason to believe your encryption is end-to-end safe. It's end-to-whoever-runs-the-proxy-server encrypted. Someone in your house won't eavesdrop on it, but ye olde MITM by a large enough organization can. There are some telecom providers included.
So your employer can't sniff your traffic, and you've compromised their internal security. You're safe from your desk to your home machine and that's it. I'd say you're totally safe on your computer, but as your employer could use keystroke loggers, watch your screen, and even access your files (via \\yourdesktop\C$\), the only thing you're protecting is the easy logging of the URLs you've browsed. If they're already doing deep packet inspection, either the VPN connection won't be established because VPN won't traverse the content inspector, or they'll notice massive amounts of encrypted traffic always going to the same place. So it won't work, or you'll raise red flags.
What if a government agency got in on this game? They could sign and eavesdrop without you knowing. Oh wait. They are already there.
Firefox: France, Hong Kong, Japan, The Netherlands, Spain, Taiwan, Turkey
Microsoft/MSIE: Austria, Brazil, Finland, France, Hong Kong, India, Japan, Korea, Latvia, Macao, Mexico, Portugal, Serbia, Slovenia, South Africa, Spain, Sweden, Switzerland, The Netherlands, United States, Tunisia, Turkey, Uruguay, Venezuela
Chrome uses the underlying OS root CA list.
Any one of them can sign valid certs. For MSIE and Chrome users, the US Gov't can sign for *.google.com, and intercept all the traffic, without the need of adding any extra CAs to your browser/computer.
-
Re:Illusion of privacy
Chrome has certificate pinning. Basically it means that if you access a Google property, it's checking for a specific certificate - not just any old cert signed by any old CA. Sure, this doesn't help you if you're not using Chrome, but if the NSA was trying to do a blanket MITM, all Chrome browsers would blow up and you'd definitely hear about it.
-
Re:Interesting
It's actually Chromium based, not Chrome
Chromium is open source:
http://www.chromium.org/
-
Re:Get the Source Code here ..
"We don't know since Google keeps the source code secret."
"The Chromium codebase consists of hundreds of thousands of files"
If Google added NSA code to Chrome I'm sure they wouldn't be stupid enough to commit it upstream to Chromium for everyone to see.
-
Get the Source Code here ..
"We don't know since Google keeps the source code secret."
"The Chromium codebase consists of hundreds of thousands of files"
-
Re: messing with Microsoft
http://www.chromium.org/Home/chromium-security/hall-of-fame
See the special-case rewards:
The following special-case rewards were issued for bugs in components external to the Chromium project. We sometimes issue rewards for bugs in external components where information of the bug enabled us to proactively protect our users.
-
Re:better title:some common encryption practices s
My mistake - it is in http://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state.cc?revision=107993&view=markup&pathrev=107993
and only enabled for google, twitter, tor, and a handful of other sites.
-
So they finally formalized...
...this project?
http://www.chromium.org/developers/how-tos/build-instructions-windows
Yea, we have this up already, but nice to see an actually-released installer.
-
Re:This is why I bought a Chromebook
The difference is that ChromeOS is open source, so you can verify that's not actually the case.
-
I hope this explanation is reasonably clear
This is the resource I viewed. It seems that notifications will now allow users to interact with the process spawning the notification in a predefined manner. For example picking up a call, or some other action an app can perform. I believe this is more similar to android notifications in jellybean. I don't know for sure though... I don't use smartphones because I find them too emasculating.
Practically speaking, for me using my chromebook, when I get a call on google voice, the notification will allow me to pick up the call from the notification bubble itself by clicking a button. At present when I get a notification about an incoming call, the only action I can perform is to dismiss the notification, or switch focus to the process responsible for sending the notification. Also you can pile notifications together into a list for the cases in which that is useful, and then it adds some options for using images as well. There are also settings for notification priority and persistence as well as a "notification center" that allows users to manage their notifications.
Apparently though some functionality is being removed along with this. It's not something I know anything about personally though.
-
Re:Worth the tradeoff..
Here is some reading for you, just below the first page, you can see some "real-world" tests against 25 of the top 100 websites in the world using SPDY, which HTTP 2.0 borrows from: http://dev.chromium.org/spdy/spdy-whitepaper