Slashdot Mirror


Google Chrome 67 Released for Windows, Mac, and Linux (bleepingcomputer.com)

An anonymous reader shares a report: Google released earlier today Chrome 67, the latest stable release of its web browser. According to changelogs released with Chrome 67, this version adds support for a Generic Sensors API, improves AR and VR experiences, and deprecates the HTTP-Based Public Key Pinning (HPKP) security feature. Probably the biggest change in Chrome 67 is the addition of the Generic Sensors API. As the name implies, this is an API that exposes data from device sensors to public websites. The new API is based on the Generic Sensor W3C standard. This API is meant primarily for mobile use, and in its current version, websites can use Chrome's Generic Sensors API to access data from a device's accelerometer, gyroscope, orientation and motion sensors. Another API that shipped with Chrome is the WebXR Device API. Developers can use this API to build virtual and augmented reality experiences on Chrome for mobile-based VR headsets like Google Daydream View and Samsung Gear VR, as well as desktop-hosted headsets like Oculus Rift, HTC Vive, and Windows Mixed Reality Headsets.

85 comments

  1. Professor Fritzen Posten by Anonymous Coward · · Score: 0

    Join my first post seminar today!

    1. Re:Professor Fritzen Posten by Joce640k · · Score: 1

      OK, well...

      According to this, Chrome has supported these things since version 7; that's eight years ago...

      https://caniuse.com/#search=de...

      --
      No sig today...
  2. Re: NAZI moments! by Anonymous Coward · · Score: 0

    Looks like a gay man doing the Macarena

  3. More control for Google? by Futurepower(R) · · Score: 1

    The last time I installed Google Chrome browser, years ago, it installed 3 OS system services. Google Chrome had more control over my computer than I did when using it as a limited user!

    Does Google Chrome browser still install system services? If so, I would never use it.

    1. Re:More control for Google? by SoonerSkeene · · Score: 5, Informative

      On Windows, if you have UAC enabled, you'll be asked if you want to let the installer elevate. But if you say "no" on that prompt, it will install without creating system services (since the installer never received the privilege escalation to do so). This is also how non-admins can install it on a per-user basis.

    2. Re:More control for Google? by hcs_$reboot · · Score: 1

      Use it on Linux.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:More control for Google? by Anonymous Coward · · Score: 0

      You could always try Chromium, which is basically the same thing with most or all of Google's spyware removed.

    4. Re:More control for Google? by Anonymous Coward · · Score: 0

      The last time I installed Google Chrome browser
      Does Google Chrome browser

      Are... are you doing SEO for Google?
      Did you install Google Chrome browser on Microsoft Windows Personal Computer Operating System?

    5. Re:More control for Google? by sexconker · · Score: 2

      For a long period of time Google was exploiting vulnerabilities to install Chrome with admin privileges despite the user not having admin privileges or not granting them to the installation process.

    6. Re:More control for Google? by Anonymous Coward · · Score: 0

      "Do no evil" indeed.

    7. Re:More control for Google? by thegarbz · · Score: 2

      Does Google Chrome browser still install system services? If so, I would never use it.

      Or you could educate yourself on what it means to have a system service vs a normal program, what they do, and why they run as a service. But no, ignorance is far easier.

    8. Re:More control for Google? by thegarbz · · Score: 1

      Source?

    9. Re:More control for Google? by Anonymous Coward · · Score: 0

      For a long period of time Google was exploiting vulnerabilities to install Chrome with admin privileges despite the user not having admin privileges or not granting them to the installation process.

      I think that was on Macs, and it wasn't admin privileges, it was accessing more user data than they would normally be allowed to.

    10. Re:More control for Google? by antdude · · Score: 2

      What about in Mac OS with its annoying background self updater?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    11. Re:More control for Google? by antdude · · Score: 1

      All Google programs seem to do this, like Earth. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  4. Mission creep, featuritus syndrome by Tablizer · · Score: 5, Funny

    Virtual reality? It's a web browser, not Emacs.

    1. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      This was made by those racist dip shits at google, of course it will do silly things.

      Just avoid all google products until they cease being racist pricks to white people, stop being misandrous towards men, and stop treating straight people like we cannot code.

      In other words, just dump the company, there are competing offerings out there. Better search engines, I haven't seen a competitor to YouTube yet though, and there are certainly better browsers, Mozilla being chief among them because they are interested in making a good browser not stealing all your information to feed back to India.

    2. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      Mozilla is run by SJW activists. Use Brave instead.

      Also, Imgur just started allowing people to upload videos. Could this finally be the death of YouTube? Depends if Imgur censors as much as Twitch, the last service with potential to beat YouTube that threw it away due to excessive political correctness.

    3. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      Apple is run by a bunch of white men. Use Safari.

      Well, unless people that are anti-social justice hate homosexuals as well.

    4. Re:Mission creep, featuritus syndrome by kaka.mala.vachva · · Score: 1

      That is a one-sided way of putting it. It also has the effect of making applications "OS-agnostic" at less expense.

    5. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 1

      The CEO of Mozilla was fired for donating his own money in his personal time to a conservative cause. It had nothing to do with his performance as CEO, just an SJW lynching. Companies should not be run by mob rule.

    6. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      Very true. That's the thing about the left, they claim "tolerance" until you disagree with their position, and then you are a target. It's just like public schools now forcing LBGTEIEIOOMG ideology down little children's throats. There is zero science behind it. Little children don't need to be exposed to the evils of homosexuality and mental dysphoria issues that make people think they're women and vice versa--and we celebrate this shit? (and yes, in some schools, they even talk about LBGTEIEIOOMG preferences, anal, oral, etc.). My own children know all of this to be what it is: leftist ideology with no hope, that teaches people that their feelings are more important than facts.

    7. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      His own money. His personal time. Anti-gay cause.

      He must be pretty anti-gay to put his own money and his own time into anti-gay causes.

      This made him being in charge of Mozilla -- with its gay employees, gay volunteers, and gay contributors -- an untenable position.

    8. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      What is evil about homosexuality?

    9. Re:Mission creep, featuritus syndrome by kqs · · Score: 1

      Also, since the browser usually limits access, you can run untrusted applications with some chance that they will not successfully attack every other computer in the room.

      We tried letting people download and run random programs from the internet on the bare OS. Now we're trying something different.

    10. Re: Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      Yeah, instead of supporting all the different OSes you just have to support all the different browsers instead...

    11. Re:Mission creep, featuritus syndrome by thegarbz · · Score: 1

      Virtual reality? It's a web browser, not Emacs.

      What is this, a post from the 90s? The web browser stopped being used to display generic graphical and text based content some 20 years ago. Get with the times.

      Unlike using Emacs as an OS, Chrome OS actually is a thing.

    12. Re:Mission creep, featuritus syndrome by narcc · · Score: 1

      He was not fired.

    13. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      That was a good dig at Emacs! The Everything and Kitchen Sink of editors.

    14. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      I disagree. I'm completely and utterly anti-homosexual. I don't hate the people, just their lifestyle. Am I ineligible to be employed as a leader of any organization because of my Christian beliefs? I can and do work with all manner of people. I just don't attend homosexual union ceremonies, parties with certain people and lifestyles, etc.

      People have a right to disagree with things. Doing so shouldn't be the cause of unemployment, etc. The progressive left has demonstrably shown they are orders of magnitude less tolerant than other positions. The leftists are all good with you until you disagree with them. They will then do their best to shut you down and control the narrative. I simply don't want to be told I *have* to accept homosexuality, gender dysphoria, or any other thing I disagree with. I don't *have* to do anything. My kids, likewise, refuse to accept the ideology of the left because it's based on feelings, relative truth, not absolute truth.

    15. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      The problem with Brave is that it's not extensible like Firefox. FF is likely the most customisable browser. Brave doesn't allow for add-ons, and for me, this is a deal breaker.

      Some of my default add-ons to control traffic are uBlock Origin with all adblockers active, plus custom lists, Privacy Badger, Webmail Ad Blocker, No Coin, Neat URL (strips UTM tokens from URLs), Tracking Token Stripper (removes all Google Urchin tracking), and Link Cleaner. I also block HTTP/S referrer, and more. I also send all traffic through a Pi-hole to get anything else I may miss.

    16. Re: Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      Social justice wankers should be encouraged to commit suicide with government-funded free krokodil.

    17. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 0

      That's because many (l)users out there know how to use browsers to get email, pr0n, stream movies, etc., but don't know how to use the OS as it's less 'rewarding'.

    18. Re:Mission creep, featuritus syndrome by Tablizer · · Score: 1

      Chrome's claim to fame used to be simplicity and a light footprint. That's largely why people ditched IE and Firefox for it. It was sort of predictable Google would start using their browser market share for bloatWare and lockinWare.

    19. Re:Mission creep, featuritus syndrome by grep+-v+'.*'+* · · Score: 1

      The OS is simply a support for something called a web browser in which people try to replicate what the OS does anyways but in the most complex and resource-hungry way possible.

      A Brand New! plug-in coming SOON to a browser near you: SystemD.CRX (or XPI for FF).

      You just THOUGHT your browser was slow and bloated now. Just wait -- for all of you that leave your browser up for weeks at a time, this will start it perhaps 1 microsecond faster while completely changing Every Single One of the native plug-in APIs and configuration files.

      Just imagine what you can do with all of that time saved! Soon we'll ALL have the same identically-responding browser. A glorious utopia will have then been reached, where everything fails everywhere! (Except for those heathen holdouts still using lynx and gopher)

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    20. Re:Mission creep, featuritus syndrome by schweini · · Score: 1

      I, for one, am happy that most stuff is done in a browser nowadays. My Chromebook convinced me (even though I obviously also have full fledged Linux running on it).
      Now, it is way easier to recommend Linux or even tablets to companies, because most things will simply just work. No hassles with permissions, interoperability and cross-platform-ness.
      HTML5, and IE's deserved demise, makes it completely acceptable to simply require Firefox or Chrome/Chromium (or maybe Safari), and send other people away to get with the program.
      Sure - for some big applications, a 'real' executable is still preferable. But as Chromebooks' popularity shows, 99% of stuff, and light office work, can be done in a browser.

    21. Re:Mission creep, featuritus syndrome by thegarbz · · Score: 1

      Chrome's claim to fame used to be simplicity and a light footprint.

      The computer's claim to fame used to be its ability to spit out numbers on an orange and black screen able to run accounting software. Should we go back to that too because that was the claim to fame?

      It was sort of predictable Google would start using their browser market share for bloatWare and lockinWare.

      So to be clear you don't want Google to support web standards and prefer the days of IE6 where a website may or may not work in your browser? Got it.

      You have a very screwed view of both bloatWare and lockin, neither of which have anything to do with Chrome.

    22. Re:Mission creep, featuritus syndrome by Tablizer · · Score: 1

      Should we go back to that too because that was the claim to fame?

      I'm just saying why it gained market share. Whether those consumer choices were wise is a different issue.

      From a marketing standpoint, they gained popularity by doing X; but once popular, stopped doing X. Sounds like a risky strategy. Firefox took a hit when it wandered too far from its roots.

      My opinion is many of these side features not directly related to browsing or niche preferences should be add-ons, not hard-wired into the base browser.

    23. Re:Mission creep, featuritus syndrome by thegarbz · · Score: 1

      I'm just saying why it gained market share.

      Nope, you're assuming why it gained market share / popularity. And you'd be wrong. The reason it gained market share was aggressive adherence to standards, providing very good functionality and impressive speed (all the while actually being a very heavy browser from the onset), combined with aggressive advertising across the entire Google platform, combined with woeful mismanagement by both its main competitors. It was never very good on resources, and has been pumping in more and more features even back in the days where it was still aggressively gaining market share. They were the only ones who had a JavaScript engine worth a damn at a time when more and more things moved to JavaScript.

      In other news, benchmarks show that Windows 10 runs programs and manages memory faster than Windows 7 or XP, so I take it that means by your standards it's free from bloat and lockin?

      My opinion is many of these side features not directly related to browsing or niche preferences should be add-ons

      That would be my opinion for anything that isn't listed as part of the internet standards, e.g. that Pocket garbage in Firefox. On the other hand I expect and wish for a day where we can get to any website with a vanilla browser without having to install yet another shitty extension from some crappy untrustworthy source.
      Or when you actually need to visit a website for something do you want to put a bullet in the barrel and give it a spin: https://tech.slashdot.org/stor...

    24. Re:Mission creep, featuritus syndrome by Tablizer · · Score: 1

      The reason it gained market share was aggressive adherence to standards

      Hogwash, consumers don't know standards from a hole in the wall. (Plus, many of the standards are ambiguous and confusing. The standards bodies are shitty writers. Their "reason" for deprecating the "b" tag is some of the worst {intended} technical writing I have ever seen.)

  5. I never would have guessed. by Futurepower(R) · · Score: 1

    Thanks for the reply.

    I never would have guessed that. I thought if I didn't say yes to a UAC request, Google Chrome browser would not install.

    My opinion: Google is becoming more and more badly managed. Now, when a Google map is displayed, the map shows hotels! To me, that might be useful: I know that any CEO of a hotel that displays on Google maps is not a sensible person. I would never stay at that hotel, no matter where it is located.

    1. Re:I never would have guessed. by bogaboga · · Score: 1

      Please remember that, whatever your choice, Google makes the bucks when hotels are displayed, as in the case you mention.

      What you do with your knowledge, (the knowledge that such and such a hotel has been displayed), is immaterial.

      I will give you some advice:

      If you want to be of consequence, you and those who think like you do, will need to stop using the damn browser in big enough numbers, and from critical markets.

  6. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  7. Encrypted ads by AHuxley · · Score: 1

    From an ad company deep into your OS. For free.

    --
    Domestic spying is now "Benign Information Gathering"
  8. I have to stop using chrome... by Anonymous Coward · · Score: 0

    Yesterday I went to order some shit from a Memorial Day sale and Chrome popped up some bullshit "payments" form and tried to intercept my billing info. I thought it was malware, but apparently it's actually a real part of Chrome. Finally I reloaded the website and it let me check out. Can't use a browser that is indistinguishable from malware.

  9. A Better Idea.... by Anonymous Coward · · Score: 0

    How about I just open all the windows on my house, post all my account information online, start using electric billboard based email/chat/tweets, and let the people Google sells my data to just cut out the middle man and see it all firsthand.

  10. Chromium browser has Google's spyware also? by Futurepower(R) · · Score: 1

    You said, "most or all of google's spyware removed". Most?

    Google is so wackily managed, in my opinion, that I would not trust that there is no spyware in the Chromium browser. If there is no spyware now, maybe it would be added later. And, how would I know? I don't want to spend hours dealing with those details.

    1. Re:Chromium browser has Google's spyware also? by Anonymous Coward · · Score: 0

      How would you know? It's open source! Therefore you know everything about it! Or at least that's what everyone around here says.

    2. Re: Chromium browser has Google's spyware also? by Anonymous Coward · · Score: 0

      Those darn people pointing me towards a library and expecting me to be able to read!

  11. What? by Anonymous Coward · · Score: 1

    Probably the biggest change in Chrome 67 is the addition of the Generic Sensors API. As the name implies, this is an API that exposes data from device sensors to public websites.

    Why the fuck would I want a web browser to do any of that shit?

    I want websites to have less information about me, not more.

    Honestly, make a fucking web browser, the rest is just bullshit we don't want.

    1. Re:What? by Joce640k · · Score: 1, Insightful

      Why the fuck would I want a web browser to do any of that shit?

      When did you become the spokesperson for the human race?

      Don't like it? Don't use it.

      --
      No sig today...
    2. Re:What? by Anonymous Coward · · Score: 0

      When did you become the spokesperson for the human race?

      When did you become so stupid?

    3. Re:What? by Bengie · · Score: 1

      Because many apps would work just fine as a web app, except that they need access to sensor information to work, like augmented reality. So what you're saying is instead of just being able to go to a webpage and accepting or denying access to these sensors, you'd rather every company have their own app that you have to install to use? Of course you might not want to install the apps, but there are people who want/need these features and they'd rather not have to go so far as installing apps for something that may be one time use.

      One example that comes to mind is if you're at a museum and they have some sort of app that uses AR to let you interact virtually with the exhibits. Do you want to download an app or just hit their web page?

    4. Re:What? by Anonymous Coward · · Score: 0

      Learn it. Use it. Look like slightly less of an idiot.

    5. Re: What? by Anonymous Coward · · Score: 0

      Bbbbbut the ad revenue!

      We paid a lot of money to get that sensor API into the standard! Won't someone think of the shareholders!

    6. Re: What? by Anonymous Coward · · Score: 0

      Download their app.

  12. Another API, another Advertising Opportunity. by xack · · Score: 1

    I expect the sensors will be used to make forced interactions with ads and tracking. It's time a web browser gets released that says we won't add any more APIs, just a plain text browsing experience. A modern Gopher, basically.

  13. Getting close to... by thegreatbob · · Score: 1

    ... that all important benchmark value, 69! Highest version number wins! Remember that, kids.

    --
    There is no XUL, only WebExtensions...
  14. NSA objects to HPKP, Google relents by WaffleMonster · · Score: 1

    Certificate transparency = Lifelock commercial.

    There is no equivalence between the two systems.

    1. Re:NSA objects to HPKP, Google relents by Anonymous Coward · · Score: 0

      Certificate transparency = distributed HPKP + the ability for a site owner to detect when an SSL key has been issued for their site.

    2. Re:NSA objects to HPKP, Google relents by WaffleMonster · · Score: 2

      Certificate transparency = distributed HPKP

      HPKP allows the operator to declare this certificate or bust to regular users. Certificate transparency offers no such capability.

      Certificate transparency only provides "transparency". It doesn't allow operators to set declarative limits on what is acceptable.

      If your website was gearing up for a protest against the local dictator-in-chief, and they conspired against you, obtaining a MITM cert from your CA and properly logging it to a transparency log accordingly, that information sure as hell won't do your users any good, who are now being rounded up thanks to this ridiculous assertion of equivalence.

      Certificate transparency *IS* a good thing and it is worth doing, yet the value offered by each approach does not fully overlap. Removal of HPKP only reduces security. It does not improve it.

    3. Re:NSA objects to HPKP, Google relents by Anonymous Coward · · Score: 0

      HPKP allows the operator to declare this certificate or bust to regular users. Certificate transparency offers no such capability.

      Certificate transparency only provides "transparency". It doesn't allow operators to set declarative limits on what is acceptable.

      We don't need that ability if lack of CT causes the connection to bust. Admittedly we aren't quite there yet, but in the meantime, there's an HTTP header called Expect-CT that is implemented in every evergreen browser. (There's DNS CAA, but it's not like a suborned CA will validate CAA, and I'm not aware of any plans to make browsers validate an SSL cert against a CAA statement, and this all assumes we can secure DNS.)

      If your website was gearing up for a protest against the local dictator-in-chief, and they conspired against you, obtaining a MITM cert from your CA and properly logging it to a transparency log accordingly, that information sure as hell won't do your users any good, who are now being rounded up thanks to this ridiculous assertion of equivalence.

      In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.

      The situation you described where a dictator suborns a regional certificate authority and publishes to the CT log is indeed a problem. The CT model calls this "getting caught" and doesn't deal with it beyond that. (Presumably Google thinks that if this happens to google.com they could trigger a diplomatic incident. Small guys are not so lucky.)

      It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system.

      In either case, I think the technical solution is working revocation (state of the art being OCSP). I should be able to revoke any key that refers to my domain, through ACME-style proof of domain ownership.

      Certificate transparency *IS* a good thing and it is worth doing, yet the value offered by each approach does not fully overlap. Removal of HPKP only reduces security. It does not improve it.

      OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial" (and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.

      I agree that the timing of the removal of HPKP is not security-first, I'd rather see full CT enforcement by default before we talk about removing HPKP, and I think the community should have a discussion about the difference, and how we handle those tough cases like the dictator case you suggested.

      Chrome claims that it doesn't matter when they remove HPKP because nearly nobody is using it (netcraft claims 4,100 certs in the world).

    4. Re:NSA objects to HPKP, Google relents by WaffleMonster · · Score: 1

      We don't need that ability if lack of CT causes the connection to bust.

      I offered an example why CT is insufficient even assuming it is fully deployed and made mandatory.

      There's DNS CAA

      Have a feeling when DNS CAA means something from a security perspective everyone will be using DANE anyway rendering DNS CAA redundant.

      Again not that CAA is worthless or not worth doing but it's fundamentally toothless from a security perspective so long as DNS as actually deployed remains insecure.

      In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.

      This is widely known. Similar to HSTS, having the latch is in practice useful, or at least better than nothing. Heck, virtually the entire constellation of DV certs currently deployed is based on the same leap of faith, as certificates are initially provisioned automatically relying on insecure responses from insecure protocols over insecure transports.

      It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system

      I don't accept this argument. Your users trust you. Should it turn out that trust was misplaced it isn't the failing of technology. It's a failing of yourself and a price MUST unavoidably be paid for that failing. Attempting to weasel out of paying MUST only lead to more insecurity. After all, technology is only a means of conveying trust. It doesn't turn people into paragons of integrity and mindfulness.

      In the event of this type of subversion having no site or having to start over and build trust from scratch even if it means lighting up a different domain or subdomain may well be seen as ideal or at least acceptable.

      OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial"

      Essentially that's what it is. I do not retract my comment. The security monitor and the dental monitor commercials are exactly what CT is. And this is being generous about CT because practically, operationally, end users have no way of reasoning about CT. Nobody is actively announcing that a bank is being robbed or a bad cavity. Was the CA subverted? Did an attacker get a cert from a different CA or did the domain holder? Users have no clue. How many CAs exist in the world today? How many are state run? By political and commercial rivals?

      (and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.

      First, I walk back nothing. When I said NSA I didn't really mean NSA specifically, I meant "government" in general. Stating an opinion about CT is obviously a separate matter from opinion about or cause of any possible reason for removal of HPKP.

      Second yes it is a conspiracy theory of mine that may well be misplaced or wrong. After the Snowden drip, increasing coziness of Alphabet with government and fact every damn secure everything platform always manages to eventually get subverted either through sale to a bigger fish or internal policy changes I suspect there is a good chance of it ringing true.

      The thing that really gets me is the sheer pointlessness of this behavior. The feature already exists, people are already using it. They knew from day one that HPKP would always be a NICHE feature used by only a few security cautious people and paranoid fools. It was never intended at any point for mass consumption. So why on earth remove it? What good does that do anyon
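The last two posts argue over what HPKP pins actually buy and cost: a MITM chain is rejected whether or not it was CT-logged, a re-key to the pinned backup key is fine, and a re-key to a never-pinned key locks users out until max-age runs down. The following is an added example, not code from the thread or from any browser, modelling those rules from RFC 7469 in a toy pin store; the SPKI byte strings and host name are constructed placeholders.

```python
"""Minimal model of HPKP (RFC 7469) pin noting and validation.

Added example, not from the thread. The SPKI byte strings below are
constructed placeholders for DER-encoded SubjectPublicKeyInfo blobs;
a real client would take them from the certificates in the TLS chain.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for the SPKI DER of three keys.
SPKI_CURRENT = b"constructed-spki: site current key"
SPKI_BACKUP = b"constructed-spki: site offline backup key"
SPKI_ROGUE = b"constructed-spki: key on a mis-issued cert"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the SPKI DER bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinSet:
    pins: frozenset        # base64 SHA-256 SPKI hashes
    max_age: int           # seconds the UA should enforce these pins
    noted_at: int          # time (seconds) the header was noted

    def expired(self, now: int) -> bool:
        return now >= self.noted_at + self.max_age


def parse_pkp_header(value: str, now: int) -> PinSet:
    """Parse a Public-Key-Pins header; max-age is mandatory."""
    pins = frozenset(re.findall(r'pin-sha256="([^"]+)"', value))
    m = re.search(r"max-age=(\d+)", value)
    if m is None:
        raise ValueError("Public-Key-Pins without max-age is invalid")
    return PinSet(pins=pins, max_age=int(m.group(1)), noted_at=now)


def chain_matches(pins, chain_spkis) -> bool:
    """A chain passes if any SPKI in it hashes to one of the pins."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


class PinStore:
    """Per-host pin memory, as a browser keeps it across visits."""

    def __init__(self):
        self.hosts = {}

    def note(self, host: str, header: str, chain_spkis, now: int) -> bool:
        """Note pins only if the header is consistent with the served chain:
        at least one pin must match the chain and at least one must not
        (the backup pin rule), so a site cannot pin itself out by accident.
        Returns True when pins were noted or explicitly cleared."""
        ps = parse_pkp_header(header, now)
        if ps.max_age == 0:                     # explicit un-pin
            self.hosts.pop(host, None)
            return True
        matched = {p for p in ps.pins if chain_matches({p}, chain_spkis)}
        if not matched or matched == ps.pins:
            return False                        # nothing matches, or no backup pin
        self.hosts[host] = ps
        return True

    def validate(self, host: str, chain_spkis, now: int) -> str:
        """'unpinned' when nothing is enforced, 'ok' on a pin match,
        'pin-failure' when the chain must be rejected."""
        ps = self.hosts.get(host)
        if ps is None or ps.expired(now):
            self.hosts.pop(host, None)
            return "unpinned"
        return "ok" if chain_matches(ps.pins, chain_spkis) else "pin-failure"


def header_for(*spkis, max_age: int) -> str:
    """Build a Public-Key-Pins header value pinning the given SPKIs."""
    directives = [f'pin-sha256="{spki_pin(s)}"' for s in spkis]
    return "; ".join(directives + [f"max-age={max_age}"])


def rotation_scenarios():
    """Walk the cases debated above: MITM with a mis-issued cert, rotation
    to the pinned backup key, and rotation to an unpinned key."""
    store = PinStore()
    site = "example.test"                       # constructed host name
    hdr = header_for(SPKI_CURRENT, SPKI_BACKUP, max_age=5184000)  # 60 days
    out = {"noted": store.note(site, hdr, [SPKI_CURRENT], now=0)}
    # A header with only the live key has no backup pin and is not noted.
    out["no_backup_noted"] = store.note(
        "other.test", header_for(SPKI_CURRENT, max_age=60), [SPKI_CURRENT], now=0)
    # 1. Mis-issued cert, even if CT-logged: key is not pinned, so rejected.
    out["mitm"] = store.validate(site, [SPKI_ROGUE], now=100)
    # 2. Live key stolen; operator re-keys to the offline backup: accepted.
    out["rotate_to_backup"] = store.validate(site, [SPKI_BACKUP], now=200)
    # 3. Operator re-keys to a key never pinned: locked out until max-age ends.
    fresh = b"constructed-spki: brand new unpinned key"
    out["rotate_unpinned"] = store.validate(site, [fresh], now=300)
    out["after_expiry"] = store.validate(site, [fresh], now=5184000 + 1)
    return out


if __name__ == "__main__":
    for case, result in rotation_scenarios().items():
        print(f"{case}: {result}")
```

Case 3 is the lock-out the posts disagree about: until the pins expire, clients that noted them will refuse the new key, which is why RFC 7469 insists on a backup pin held offline.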

    5. Re:NSA objects to HPKP, Google relents by WaffleMonster · · Score: 1

      We don't need that ability if lack of CT causes the connection to bust.

      I offered an example why CT is insufficient even assuming it is fully deployed and made mandatory.

      There's DNS CAA

      Have a feeling when DNS CAA means something from a security perspective everyone will be using DANE anyway rendering DNS CAA redundant.

      Again not that CAA is worthless or not worth doing but it's fundamentally toothless from a security perspective so long as DNS as actually deployed remains insecure.

      In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.

      This is widely known. Similar to HSTS having the latch in practice useful or at least better than nothing. Heck virtually the entire constellation of DV certs currently deployed is based on the same leap of faith as certificates are initially provisioned automatically relying on insecure responses from insecure protocols over insecure transports.

      It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system

      I don't accept this argument. Your users trust you. Should it turn out that trust was misplaced it isn't the failing of technology. It's a failing of yourself and a price MUST unavoidably be paid for that failing. Attempting to weasel out of paying MUST only lead to more insecurity. After all technology is only a means of conveying trust. It doesn't turn people into paragons of integrity and mindfulness.

      In the event of this type of subversion having no site or having to start over and build trust from scratch even if it means lighting up a different domain or subdomain may well be seen as ideal or at least acceptable.

      OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial"

      Essentially that's what it is. I do not retract my comment. The security monitor and the dental monitor commercials are exactly what CT is. And this is being generous about CT because practically, operationally, end users have no way of reasoning about CT. Nobody is actively announcing that a bank is being robbed or a bad cavity. Was the CA subverted? Did an attacker get a cert from a different CA or did the domain holder? Users have no clue. How many CAs exist in the world today? How many are state run? By political and commercial rivals?

      (and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.

      First I walk back nothing. When I said NSA I didn't really mean NSA specifically I meant "government" in general. Stating an opinion about CT is obviously a separate matter from opinion about or cause of any possible reason for removal of HPKP.

      Second, yes, it is a conspiracy theory of mine that may well be misplaced or wrong. After the Snowden drip, the increasing coziness of Alphabet with government, and the fact that every damn secure-everything platform always manages to eventually get subverted, either through sale to a bigger fish or internal policy changes, I suspect there is a good chance of it ringing true.

      The thing that really gets me is the sheer pointlessness of this behavior. The feature already exists, people are already using it. They knew from day one that HPKP would always be a NICHE feature used by only a few security-cautious people and paranoid fools. It was never intended at any point for mass consumption. So why on earth remove it? What good does that do anyone? What is the incentive for that? I have yet to hear a reason that passes the sniff test. I think the answer is more likely than not to be pressure from government. CT is simply NOT a replacement for HPKP. Simply put, governments don't care about "getting caught".

    6. Re:NSA objects to HPKP, Google relents by Carewolf · · Score: 1

      Certificate transparency = distributed HPKP

      HPKP allows the operator to declare this certificate or bust to regular users. Certificate transparency offers no such capability.

      Certificate transparency only provides "transparency". It doesn't allow operators to set declarative limits on what is acceptable.

      Pretty sure CT includes an option for websites to require that their certificate must be transparent, which means it would be detected if it was false, though not necessarily in real time.

  15. Google and Microsoft: In the spyware business? by Futurepower(R) · · Score: 1

    Yes, on Windows 7. Most of our computers aren't running Windows 10.

    Many articles say Microsoft and Windows cannot be trusted. Two of those articles: Windows 10 is possibly the worst spyware ever made.

    And: 7 ways Windows 10 pushes ads at you...

    So, it seems to me that Google and Microsoft are, more and more, poorly managed. They are in the abuse business, not in any real business.

    Several years ago, I talked with a mid-level Google manager who said that Google had more money than it knew how to manage. Also, that it was difficult for Google employees to know what was happening inside the company.

    And Linux: We have 2 computers running Linux. Mostly they don't get used. It is too difficult to deal with all the poorly-documented variations. This story about Linux makes me laugh: Why is the Number of Linux Distros Declining? Linux had 285 variations when that article was published!

  16. Being more complete is easier for some readers. by Futurepower(R) · · Score: 1

    Why did I say "Google Chrome browser", and not just "Chrome"? I was trying to make my comment easier to read. I didn't want to assume that every Slashdot reader has experience with Chrome.

  17. Progressive Web Apps by dmt0 · · Score: 1

    On the positive side, PWAs will now have access to sensors and there's even less need for native apps.

  18. A better analogy: by Futurepower(R) · · Score: 1

    There is a book filled with poison in a library of 100,000 books. Just open all the books to find that bad book. You have nothing else to do, is that correct?

    Also, the poison may be extremely well-disguised as a typical hamburger.

    Also, if the poison is found, a new version of the book may be released that disguises the poison in a different way.

    The answer? Stay away from those who have demonstrated an intention to harm you.

  19. It's a huge bag of don't want. by blind+biker · · Score: 1

    Where are the features that would make the browser immune to malware? Defend from pop-under, javascript exploits, malware of all ilk. THOSE are the priorities that everybody and their dog cares about. VR, generic sensor API... it's just bloatware we didn't ask for.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:It's a huge bag of don't want. by Merk42 · · Score: 1

      Where are the features that would make the browser immune to malware? Defend from pop-under, javascript exploits, malware of all ilk.

      In the minor, security updates, that happen all the time, aren't major feature versions, and therefore don't get articles made about them.

      THOSE are the priorities that everybody and their dog cares about.

      Sadly, that's not the case.

      VR, generic sensor API... it's just bloatware we didn't ask for.

      Maybe you didn't, but this isn't the browser solely made for blind baker.

    2. Re:It's a huge bag of don't want. by blind+biker · · Score: 1

      but this isn't the browser solely made for blind baker.

      Did you misspell my handle on purpose? Or is blindness contagious via Slashdot posts?

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    3. Re:It's a huge bag of don't want. by Merk42 · · Score: 1

      Just a typo. Though I guess technically correct since the browser isn't solely made for blind baker either.

    4. Re:It's a huge bag of don't want. by thegarbz · · Score: 1

      it's just bloatware we didn't ask for

      So to be clear you want browsers to not implement standards, and not have functionality needed as more and more software moves to a browser based platform? Got it. May I interest you in Lynx? It's immune to those other things you complain about too.

    5. Re: It's a huge bag of don't want. by Anonymous Coward · · Score: 0

      Yes, he said it right the first time, and you missed it. Bloatware. We don't want web apps, we want apps we control and install on our computers. Fuck off with this thin client bullshit. It was a fad then and it's a fad now.

  20. Re: NAZI moments! by Anonymous Coward · · Score: 0

    Well, history does show us that the vast majority of Nazi Brownshirts were, in fact, homosexuals. Ernst Röhm and many other senior Nazis were outright sodomites. This is not often discussed, but is very true. Not just a few of them were outright paedophiles, but then again, quite a few homosexuals are attracted to younger boys anyway, another fact homosexuals will outright deny, but has been borne out as fact over and over again.

  21. Chrome 67 released for Mac by DontBeAMoran · · Score: 1

    But you need to run OS X 10.10 for some magical reason because the new version of the browser uses... eh, what exactly?

    Why does it need 10.10?

    --
    #DeleteFacebook
    1. Re:Chrome 67 released for Mac by Carewolf · · Score: 1

      But you need to run OS X 10.10 for some magical reason because the new version of the browser uses... eh, what exactly?

      Why does it need 10.10?

      Because that is the oldest version still supported by Apple. Getting things to work on OS versions abandoned by their maker is difficult.

      But yes, it is an entirely artificial limitation, but one mainly set by Apple.

  22. Mostly garbage posts below .. by najajomo · · Score: 1

    Mostly garbage posts below, sad seeing slashdot reduced to a hosting platform for trolls.

    1. Re: Mostly garbage posts below .. by Anonymous Coward · · Score: 0

      You must be new here.

  23. A system service could possibly do anything, by Futurepower(R) · · Score: 1

    You are indicating that you think you are more knowledgeable than someone else.

    This is the issue: A system service could possibly do anything, including changing what it does at any time. Most people don't want to spend the time to investigate.

    There is NO good reason why a browser should include a system service. If there is a system service, there is no certainty of privacy or control over the entire computer by the owner and user. Somewhat like Google's Android operating system.

  24. Yeah my speculations came true by Anonymous Coward · · Score: 0

    Google (as well as other web giants) has always been pushing new web standards such as WebGL, sensors APIs and so on, boasting they could solve shits. However there are many apps floating here and service providers just want you to use their apps, which use many APIs in the native OS in order to suck up more of your data or privacy or something like that, and as a result the websites just became liberally crippled. I forgot hedging here, but in most cases they are correct.
    So actually those damn APIs just became something that smart ass Web (or today something like nodejs) developers are happy to suck more data out of you. Consider WebRTC local address leak (why not use a real native software or app to communicate? Given today's popularity of WhatsApp or the seemingly political incorrect Facebook Messenger), WebGL fingerprinting (yeah except for web games, however most sites you visit just used webgl to draw random stuff and *get graphics card information*, totally absurd to do that) and so on and so forth, and that's just the tip of the iceberg. Now the W3C just passed (or more accurately, has passed) the generic sensor API, which makes me wonder why don't they deprecate 10 or so older APIs (yeah just like battery percentages and *distance sensor* which non-tech folks might never even hear about) to make way for the new shiny clusterf**k one. More fingerprinting dimensions, I suspect.
    Recently there's the fact that more and more seemingly open Web standards are pushed by the big dogs, prominently Google, such as Web biometrics API (yeah *real* permanent cookies, something living in the paradise of advertisers and governments and harassers and whatever) and this. I cannot even think about the reason why it's needed to add a cluster**** to another pile of the same ones. Even Web three point zero might not need that kind of APIs. Yeah I know the Web is being enriched, and former Web extensions, predominantly Flash, have been abandoned by the extensions and extensions and extensions of HTML5 and new JavaScript APIs. But richer and richer and richer web features implemented by the browsers is also a factor. Flash on Linux is a pita though.
    Nowadays W3C just mostly became a puppet-like thing under the big dogs. Want new tracking methods and so-called web enrichment? Big dogs bark, and the puppets make a referendum. Then it goes along the course.
    The solution? Just block APIs or use something like an extension to implement a whitelist. Nowadays where the web is the new Java or something more like a mostly centralized and OS independent computing environment, new APIs add little excluding more powerful sucks of your data or privacy. The less you disclose, the safer you are. Personally as a Firefox fan, maybe you can support Mozilla (they're partly backed by Google and are seeking a solution, however) by using Firefox. AFAIK, only Firefox implemented the *technically proper* way of mitigating time-based attacks on the processor - add randomness, which might make fingerprinting less accurate. Only Firefox blocks really really privacy invading APIs (that is, the APIs on distance sensor). Only Firefox technically allows more control of script execution (yeah on webextensions, however they tend to be giving more control over chrome), which gives more power on website internal frontend logic. Additionally, Mozilla tends to take part in most talks on standards besides the big dogs, as a matter of fact. They do have the right to speak. If Mozilla falls, I wonder whether there is any entity which has as much influence as Mozilla. Its existence is better than not, at least.
    It's natural and normal to see big dogs dominating everything in a particular field, and the web is no exception. However, countermeasures are better than none.
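The "block APIs or use an extension to implement a whitelist" mitigation from the comment above, as an added example that is not from the poster, from Chrome, or from any existing extension: a content-script-style gate that replaces the Generic Sensor constructors with ones that refuse to instantiate unless the page origin is on a user-controlled allow list. The interface names in SENSOR_APIS are the real Generic Sensor API constructors; the allow list, the origins and the stand-in `window` object are constructed so the gate can be exercised in Node.js.

```javascript
// Added example (not from the thread): an allow-list gate for Generic Sensor
// constructors, in the style of a privacy extension's content script.
// Constructor names below are the Generic Sensor API interfaces; everything
// else (origins, allow list, fake window) is constructed for this example.
const SENSOR_APIS = [
  'Accelerometer', 'LinearAccelerationSensor', 'GravitySensor', 'Gyroscope',
  'Magnetometer', 'AbsoluteOrientationSensor', 'RelativeOrientationSensor',
  'AmbientLightSensor',
];

// Replace each sensor constructor on `globalObj` with a stub that throws a
// NotAllowedError-shaped error unless `origin` is allow-listed. Returns the
// names that were gated, so a real extension could show them in its UI.
function gateSensorApis(globalObj, origin, allowedOrigins) {
  const allowed = allowedOrigins.includes(origin);
  const gated = [];
  for (const name of SENSOR_APIS) {
    if (typeof globalObj[name] !== 'function') continue; // browser lacks it
    if (allowed) continue;                                 // page may use it
    const Gated = function GatedSensor() {
      // Same error name the spec uses when permission is denied, so page code
      // written to handle a denied permission keeps working.
      const err = new Error(`${name} is blocked by local policy for ${origin}`);
      err.name = 'NotAllowedError';
      throw err;
    };
    Object.defineProperty(globalObj, name, {
      value: Gated, configurable: true, writable: false, enumerable: true,
    });
    gated.push(name);
  }
  return gated;
}

// Constructed stand-in for `window` in a browser that ships two sensors.
function makeFakeWindow() {
  const win = {};
  for (const name of ['Accelerometer', 'Gyroscope']) {
    win[name] = class {
      constructor(options = {}) { this.frequency = options.frequency || 60; }
      start() { return true; }
    };
  }
  return win;
}

// What page script sees: true if the sensor can be constructed, false if the
// gate refused it; any other error is unexpected and propagates.
function canConstruct(globalObj, name) {
  try {
    new globalObj[name]({ frequency: 60 });
    return true;
  } catch (e) {
    if (e.name === 'NotAllowedError') return false;
    throw e;
  }
}

module.exports = { SENSOR_APIS, gateSensorApis, makeFakeWindow, canConstruct };
```

Two things worth noticing when using a gate like this in an actual extension: it has to run before any page script (a content script at `document_start`), and it does not hide the API, since a page can still feature-detect that the constructor exists; it only refuses to instantiate. Site operators have a complementary server-side control in the Feature-Policy header (later renamed Permissions-Policy), which lists sensor features such as `accelerometer` and `gyroscope` and is what the browser consults for embedded frames.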

  25. Re: NAZI moments! by Anonymous Coward · · Score: 0

    just another reason not to repress gay behaviour, or countries for that matter.

  26. Glad I read this. by jtgd · · Score: 1

    Probably the biggest change in Chrome 67 is the addition of the Generic Sensors API. As the name implies, this is an API that exposes data from device sensors to public websites.

    HOLY F'CK! Seriously? The audacity!

    I am glad I read this so I know to uninstall and never look back.

    --
    J