Google Chrome 31 Is Out: Web Payments, Portable Native Client
An anonymous reader writes "Google today released Chrome version 31 for Windows, Mac, and Linux. The new version includes support for Web payments, Portable Native Client, and 25 security fixes. 'Under the hood, PNaCl works by compiling native C and C++ code to an intermediate representation, rather than architecture-specific representations as in Native Client. The LLVM-style bytecode is wrapped into a portable executable, which can be hosted on a web server like any other website asset. When the site is accessed, Chrome fetches and translates the portable executable into an architecture-specific machine code optimized directly for the underlying device. This translation approach means developers don’t need to recompile their applications multiple times to run across x86, ARM or MIPS devices.' You can update to the latest release now using the browser's built-in silent updater, or download it directly from google.com/chrome."
Java for the 21st century. And you thought applets were dead...
How do they maintain security with C and C++ applets?
-- hendrik
"Chrome fetches and translates the portable executable into an architecture-specific machine code optimized directly for the underlying device. This translation approach means developers don't need to recompile their applications multiple times to run across x86, ARM or MIPS devices."
Ummmm... sounds like Java?
That approach sounds familiar. What's to stop this being Just Another Vulnerability Apparatus?
Why would chrome even need phosphoric sodium chloride? Seems like Ferro-Cesium Sulfate is more appropriate.
They can take my LifeAlert pendant when they pry it from my cold dead fingers.
It's a fallacy to think that 'native' equates to insecure.
Sadly browser wars turned into the race to rebuild AOL. Why so much bloat? Browser should do one, and only one thing well - render web pages. Native client? Web Payments? Why not throw in TurboTax, because more the merrier, right?
Seems like Ferro-Cesium Sulfate is more appropriate
What about FeCsSO3 makes it better?
Instead of using the native OSX notifications, they added their own spammer to the menu bar... complete fail.
I don't think that ActiveX itself was a bad idea.. Setting the email client to "local" security context instead of "untrusted", and marking activex controls that can access the file system as "safe for scripting" while the browser is allowed to run in "administrator" security context.. those were poor decisions all around.. but having a flexible plugin architecture in and of itself isn't a bad idea.
Michael J. Ryan - tracker1.info
n/t
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
One day, hear knock on door.
Man ask "Who is?"
"Is potato man, I come around to give free potato"
Man is very excite and opens door.
Is not potato man, is secret police.
ActiveX was such a good idea after all....
This is the opposite of ActiveX.
ActiveX allowed trusted code (native code with local binary privileges) to be created and controlled from untrusted source (a web page served from anywhere).
NativeClient runs untrusted code from untrusted sources, with the privileges of untrusted content. Untrusted code never controls a component that is trusted.
The javascript in this page has the same privileges as a native client program.
Good news everyone! Chrome isn't just a browser. It's an OS.
I do. The browser should not be scriptable, period. Whatever dynamic generation is needed should be done on the server. If you want an interactive application, build executables for the target. Fuck SaaS.
I don't get this "Google's software isn't really open because they control the direction it goes in" bullshit. I'm not sure if it's stupid people or paid Microsoft plants.
If they're paying for the development they get to choose what goes in their codebase. They release the source under an open source license, so be happy and shut the fuck up or fork it and try to outdo them (which we all know you will fail at).
Fuck you.
Mod me down, my New Earth Global Warmingist friends!
The big problem with ActiveX was the installation policy was way too loose. IE3 would automatically download and run any ActiveX which was signed, which practically meant everyone who could afford a $100 certificate. Later versions tried to hide that behind more and more OK/Cancel dialogs, because that's what passes for browser security.
The other big problem was that COM is way too general of a mechanism because it's used by nearly every other Windows application. So if you have any random program which installs a "safe for scripting" component, you might get owned by a webpage. Consequentially, IE ships with a huge ActiveX blacklist ... it would have made much more sense to whitelist things instead. (Firefox plugins avoid this problem because at least the programmer knows they're developing a browser component.)
Browsers have been slowly becoming self-contained OSs for a decade now.
Very annoying that Chrome won't support 64 bit java. If you make 64 bit java the default on your computer, because say you want to run minecraft's latest server, then you can't run java in chrome 'cause it won't work and it uses the default path installed java.
Some drink at the fountain of knowledge. Others just gargle.
Yes, and oral sex pregnancies are possible too.
http://abcnews.go.com/Health/Wellness/teen-girl-vagina-pregnant-sperm-survival-oral-sex/story?id=9732562
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
For the sake of security then we shouldn't be allowing the browser to run any remotely fetched code, whether it is high level or low level is irrelevant. Fundamentally it is a form of remote code execution for both JavaScript and c/c++. If you are going to allow it, the chrome team has come up with a good method to make it as secure as possible running all such code in a managed sandbox environment with extremely limited APIs.
I like the idea of running native code in the browser, but I will be really excited when (if?) this becomes a standard. Ever since the now-defunct NPAPI stopped being the cross-browser solution of choice, we've been in dire need of something that is both native (i.e., not Javascript) and standard (i.e., not Chrome NaCl). Interesting nonetheless!
Even if the GP was a bit harsh, I don't understand why you think it's wrong to be suspicious of Google's motives? What's happening is fairly obvious. They want to become a platform like Windows/Linux/OSX and establish control. Chrome (the browser) + NaCl is the trojan horse to accomplish this. I personally would definitely *NOT* want a future with a SaaS model where running applications on my machine would necessitate internet access to Google's servers.
Your 'if you don't like it, fork it' attitude is misplaced. That works for tiny 'hello world' type open source projects. Once OSS projects get to be complex you cannot just fork them without major $ resources. Without the money all you can do is complain on online forums.
Also, one could say a similar thing to you. If you don't like the comment, ignore it :)
... suddenly, all my extensions weren't running under incognito mode without disabling and enabling them again every time I went into incognito mode.
Back to FF I go.
Basically you are saying this:
NaCl tries to do the same as java, but with marginally less attack surface and a static compile. The marginally less attack surface is considered "safe" because JavaScript has the same surface and we all trust that.
This seems to me as Google's attempt to kill java. NodeJS is already gaining popularity on the server side and once the version of V7 that is in NodeJS will be able to do NaCL, it will be able to replace it both on the server and the client side. Even though I agree with the conclusion that Java is a steaming pile when it comes to security, having Google replace it with something marginally less steaming doesn't seem like a good idea to me.
I was promised a flying car. Where is my flying car?
Why would that have anything to do with this native client thing? Active X were a bunch of DLLs that would only run on windows/X86 and the standard was such that only IE would be able to run the applications. I don't see a bytecode, VM or architecture independence happening with ActiveX, while those are the main characteristics of NaCL. The only thing in common here is the ability to run code on the client. I don't really see ActiveX being "such a good idea" compared to NaCL, regardless of who made it.
I see a whole plethora of problems with this, one of them being Google being in control of the "operating system" that the Chrome browser is becoming this way, but purely from a technological stand point, ActiveX is far worse than NaCl.
I was promised a flying car. Where is my flying car?
There is a small group of people that see a problem in this and I personally think their arguments are valid. The thing is, over 90% of people just use technology like a supermarket. Milk comes from supermarkets, it tastes the way the supermarket makes it taste and they know what taste of milk is best for you. The whole thing about starting your own dairy farm and breeding cows and such is totally lost to these people. Once the nation's largest supermarket starts adding bath salts to the milk, to keep people coming back for more groceries, those 90% will not complain and even actively defend the supermarket, because they like bath salts added to the milk and you should get your own cow and sell the excess milk if you don't like it.
I might be slightly exaggerating here, but you're defending a company that is trying to pull "a MicroSoft" on us all. Once Google has control of the UI we all use and the API, they get to say what applications run on it, who makes the money and who gets all the juicy information about the users of these products. Don't forget that currently, all NaCL applications are approved by Google and are exclusively distributed by "Google Play". You may say there are alternative markets, but those are fragmented and most are riddled with malware and pirated software. Anything commercially viable, apart from maybe Cydia is run and/or controlled by Google.
People that own an official Android device will in the near future have the ability to use all their Android apps on all their devices, providing they run Google's Chrome, not some other browser that just happens to support NaCl. This will mean a very large domination of the application market for Google, rendering all other web browsers and end-user operating systems insignificant. With Google being the only party to effectively censor what applications we get to use and who gets what slice of the pie, I think we have a right to be worried here. It's not about the ability, but the viability of a fork. Even if it were technically superior, it'd still lose.
I was promised a flying car. Where is my flying car?
Well, in case you didn't get the memo, the definition of World Wide Web has changed dramatically since the 1990s.
World Wide Web is no longer about seeing pages to present you with information. It's about running applications to give you functionality. This effectively turned the web browser into a not-so-thin application client.
I believe this whole thing happened because Microsoft had control of what gets installed on desktop for a long while, and the only application-client technology installed on all machines was a web browser. If all machines were shipped with an X server or a VNC client or some other application-client technology, maybe things could have been different. But we are where we are, and because of that features like Canvas, HTML5, WebGL, NaCl, very fast JavaScript JIT engines get added to the browser to make it a more efficient APPLICATION client, not a page browser.
--Coder
Dumb terminals evolved into "smart" PCs as networking evolved from mainframe computing to powerful clients.
Then the Web shifted things back to server side computing with the browsers as dumb terminals. Now those formerly dumb terminals become smarter and do more of the workload client-sided. I can see a pattern here.
The next step that already started in parallel is moving the servers to become clients on a SaaS platform as GoogleAppEngine or Amazon AWS.
bickerdyke
The reason ActiveX got the heat was that authors were meant to self-declare controls as safe for scripting, and IE honoured that declaration. If I had installed BadlyWrittenControl then any website could instantiate it and exploit it. Scripting a control was easy too thanks to OLE automation and IDispatch interface. Worse, even if I didn't have BadlyWrittenControl installed, the website could still reference the CAB file that contained it and IE would facilitate the automatic download and installation of it.
Conversely installing a plugin was a pain in the ass. Even if a page said it needed a plugin and provided the url to it, the user still had to manually go off and install it. Therefore by default plugins had a level of safety which IE did not have. And it was also a pain for developers to write a scripting API for a plugin, so many plugins didn't bother or offered only minimal scripting. I don't think this was intentional security, just the general craptitude of LiveConnect provided better security as a side effect.
Anyway, I don't see PNaCl as being unsafe per se but it should be something that is disabled by default, and even when it is enabled, users should be alerted and given the option of blocking execution of apps on a per site basis.
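The registry markers behind the "safe for scripting" declaration and the IE blacklist discussed in the comments above, as an added read-only audit sketch (not code from the thread or from Microsoft). The two category IDs and the kill-bit flag are the documented Windows values; the function names are hypothetical, and controls that declare safety only at run time through IObjectSafety do not show up this way.

```powershell
# Added example: list COM classes registered as "safe for scripting" and show
# whether IE's ActiveX blacklist (a "kill bit") blocks each one. Read-only.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit    = 0x400   # "Compatibility Flags" bit that stops IE instantiating a CLSID
$ClsidRoot  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$CompatRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {                      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatRoot\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $flags = $props.'Compatibility Flags'
    return ($null -ne $flags) -and (([int64]$flags -band $KillBit) -ne 0)
}

function Get-SafeForScriptingControl {       # hypothetical helper name
    Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $cats = "$($_.PSPath)\Implemented Categories"
        # Skip classes whose author never made the self-declaration.
        if (-not (Test-Path -LiteralPath "$cats\$CatSafeForScripting")) { return }
        $server = (Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" `
                   -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Clsid               = $_.PSChildName
            Name                = $_.GetValue('')      # default value = friendly name
            Server              = $server              # DLL/OCX that would be loaded
            SafeForInitializing = Test-Path -LiteralPath "$cats\$CatSafeForInitializing"
            KillBitSet          = Test-KillBit -Clsid $_.PSChildName
        }
    }
}

# Self-declared scriptable controls with no kill bit: the set a page could
# instantiate in IE, and the candidates for review or blocking.
Get-SafeForScriptingControl |
    Where-Object { -not $_.KillBitSet } |
    Sort-Object Name |
    Format-Table Clsid, Name, Server -AutoSize
```

On 64-bit Windows, run it from both the 64-bit and the 32-bit PowerShell host, since each sees only its own registry view of `CLSID`.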
If you are going to allow it, the chrome team has come up with a good method to make it as secure as possible running all such code in a managed sandbox environment with extremely limited APIs.
You've just described what the NaCl project has been about all along! They already have this "managed sandbox environment with extremely limited APIs" that you're talking about. What PNaCl adds is platform-independent "binaries" for long-term compatibility (well, the files *are* binary, but in a subset of LLVM bitcode).
Ezekiel 23:20
Which is a symptom of OSes not doing their work properly. Of course, the demand for network-distributed, compound documents with extensible and replaceable components has been here ever since the 1970s. Since the OSes currently in use don't implement any of it, many people have logically resorted to trying to do that in the closest thing they knew: the web. I wouldn't blame them, it's not their fault.
Ezekiel 23:20
Security problems came as a corollary of all this.
JavaScript wasn't chosen as the official language for interactive HTML pages because of technical advantages of the language itself. It was chosen because it was already standardised, it was platform-neutral, and it was already ubiquitous. Those motivations still hold, against the adoption of NaCL.
The other major weakness of ActiveX was that it used pre-compiled native binaries. At least if you use an intermediate bytecode you can sanitize it when translating it to native x86/ARM. You can enforce certain standards too, like stack checking.
Even when running with low permissions there is a danger that an exploit could elevate to a higher level, and having intermediate bytecode makes that much more difficult.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Perhaps 'vulnerable' is more your taste? Ask a native American about their insecure immigration policy.
I really wish people would stop trotting that out as if it really indicated you could get pregnant by oral sex. You're probably being humorous, but I've actually seen morons using that story to push their "abstinence only" crap.
The fact that there was a knife raked through her abdomen makes kind of a big difference, and the truth is that a girl should probably already be taking care to avoid people who will stab her in the goddamn stomach, long before that particular oddity.
Chrome now operates as an unregistered vehicle transporting executable code handing off to server farms who knows what...surely not - YOU
Dumb terminals evolved into "smart" PCs as networking evolved from mainframe computing to powerful clients.
No they didn't, that's utter bullshit, young man. PCs started out as hobbyist affairs, with the Altair, which was an IC version of the early tube computers. Like mainframes, they were improved on and by the late 1970s there were stand-alone "microcomputers" like Osborne and Apple and Commodore. VisiCalc brought these hobbyist machines into the office. IBM brought out its toy (their term), the IBM-PC. It would be two more decades before these small machines would be networked, and meanwhile the dumb terminals connected to mainframes were in the office, side by side with the Wang word processing dumb minicomputer terminals and IBM/Sun/etc. mainframe terminals.
Don't try to teach history to your elders, we've lived through it and didn't have to read it in a book or, like you, simply guess at how it must have been.
Free Martian Whores!
Argh. Stupid typo. I meant Ferro-Cerium Sulfur.
They can take my LifeAlert pendant when they pry it from my cold dead fingers.
yeah, 'cos having everyone download a native application just to provide a decent type-ahead drop-down would improve security on the web a ton.
no, you'd need some way to sign the code to ensure that what you downloaded was what you expected. you'd need some kind of sandboxing to ensure that the native code didn't steal all your secrets. you'd need some kind of UI/communications framework that worked well on every operating system, so companies didn't have to develop 5 different versions of their application. it would be nice to have a unified language that was easy to learn and suited just for the task, in fact, why not just compile it on the client then you don't need to store different versions of the binary.
oh look... a browser!
fool.
You should probably stop posting on the interactive application known as Slashdot then.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Actually I was more impressed by pregnancy without a vagina. I didn't know there was a condition where they would be vaginaless yet fertile prior to reading that story, I assumed that implied a guaranteed non-functional placenta previously (which apparently is usually the case with that condition, even though the ovaries and eggs are fine.)
I'm probably the last person you'd ever see advocate abstinence though. I've made it pretty clear in the past that I think prostitution should be legalized - Germany seems to be doing fine with it.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
Wait, you were actually interested in the biological oddity of it?
Don't you know all the actual nerds left ./ in the "Ultima Exodus of 2002?"