Slashdot Mirror


Google Chrome 67 Released for Windows, Mac, and Linux (bleepingcomputer.com)

An anonymous reader shares a report: Google released earlier today Chrome 67, the latest stable release of its web browser. According to changelogs released with Chrome 67, this version adds support for a Generic Sensors API, improves AR and VR experiences, and deprecates the HTTP-Based Public Key Pinning (HPKP) security feature. Probably the biggest change in Chrome 67 is the addition of the Generic Sensors API. As the name implies, this is an API that exposes data from device sensors to public websites. The new API is based on the Generic Sensor W3C standard. This API is meant primarily for mobile use, and in its current version, websites can use Chrome's Generic Sensors API to access data from a device's accelerometer, gyroscope, orientation and motion sensors. Another API that shipped with Chrome is the WebXR Device API. Developers can use this API to build virtual and augmented reality experiences on Chrome for mobile-based VR headsets like Google Daydream View and Samsung Gear VR, as well as desktop-hosted headsets like Oculus Rift, HTC Vive, and Windows Mixed Reality Headsets.


  1. More control for Google? by Futurepower(R) · · Score: 1

    The last time I installed Google Chrome browser, years ago, it installed 3 OS system services. Google Chrome had more control over my computer than I did when using it as a limited user!

    Does Google Chrome browser still install system services? If so, I would never use it.

    1. Re:More control for Google? by SoonerSkeene · · Score: 5, Informative

      On Windows, if you have UAC enabled, you'll be asked if you want to let the installer elevate. But if you say "no" on that prompt, it will install without creating system services (since the installer never received the privilege escalation to do so). This is also how non-admins can install it on a per-user basis.

    2. Re:More control for Google? by hcs_$reboot · · Score: 1

      Use it on Linux.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:More control for Google? by sexconker · · Score: 2

      For a long period of time Google was exploiting vulnerabilities to install Chrome with admin privileges despite the user not having admin privileges or not granting them to the installation process.

    4. Re:More control for Google? by thegarbz · · Score: 2

      Does Google Chrome browser still install system services? If so, I would never use it.

      Or you could educate yourself on what it means to have a system service vs a normal program, what they do, and why they run as a service. But no, ignorance is far easier.

    5. Re:More control for Google? by thegarbz · · Score: 1

      Source?

    6. Re:More control for Google? by antdude · · Score: 2

      What about in Mac OS with its annoying background self updater?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re:More control for Google? by antdude · · Score: 1

      All Google programs seem to do this, like Earth. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. Mission creep, featuritus syndrome by Tablizer · · Score: 5, Funny

    Virtual reality? It's a web browser, not Emacs.

    1. Re:Mission creep, featuritus syndrome by kaka.mala.vachva · · Score: 1

      That is a one-sided way of putting it. It also has the effect of making applications "os-agnostic" at less expense.

    2. Re:Mission creep, featuritus syndrome by Anonymous Coward · · Score: 1

      The CEO of Mozilla was fired for donating his own money in his personal time to a conservative cause. It had nothing to do with his performance as CEO, just a SJW lynching. Companies should not be run by mob rule.

    3. Re:Mission creep, featuritus syndrome by kqs · · Score: 1

      Also, since the browser usually limits access, you can run untrusted applications with some chance that they will not successfully attack every other computer in the room.

      We tried letting people download and run random programs from the internet on the bare OS. Now we're trying something different.

    4. Re:Mission creep, featuritus syndrome by thegarbz · · Score: 1

      Virtual reality? It's a web browser, not Emacs.

      What is this, a post from the 90s? The web browser stopped being used to display generic graphical and text based content some 20 years ago. Get with the times.

      Unlike using Emacs as an OS, Chrome OS actually is a thing.

    5. Re:Mission creep, featuritus syndrome by narcc · · Score: 1

      He was not fired.

    6. Re:Mission creep, featuritus syndrome by Tablizer · · Score: 1

      Chrome's claim to fame used to be simplicity and a light footprint. That's largely why people ditched IE and Firefox for it. It was sort of predictable Google would start using their browser market share for bloatWare and lockinWare.

    7. Re:Mission creep, featuritus syndrome by grep+-v+'.*'+* · · Score: 1

      The OS is simply a support for something called a web browser in which people try to replicate what the OS does anyways but in the most complex and resource-hungry way possible.

      A Brand New! plug-in coming SOON to a browser near you: SystemD.CRX (or XPI for FF).

      You just THOUGHT your browser was slow and bloated now. Just wait -- for all of you that leave your browser up for weeks at a time, this will start it perhaps 1 microsecond faster while completely changing Every Single One of the native plug-in APIs and configuration files.

      Just imagine what you can do with all of that time saved! Soon we'll ALL have the same identically-responding browser. A glorious utopia will have then been reached, where everything fails everywhere! (Except for those heathen holdouts still using lynx and gopher)

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    8. Re:Mission creep, featuritus syndrome by schweini · · Score: 1

      I, for one, am happy that most stuff is done in a browser nowadays. My Chromebook convinced me (even though I obviously also have full-fledged Linux running on it).
      Now, it is way easier to recommend Linux or even tablets to companies, because most things will simply just work. No hassles with permissions, interoperability and cross-platform-ness.
      HTML5, and IE's deserved demise, make it completely acceptable to simply require Firefox or Chrome/Chromium (or maybe Safari), and send other people away to get with the program.
      Sure - for some big applications, a 'real' executable is still preferable. But as Chromebooks' popularity shows, 99% of stuff, and light office work, can be done in a browser.

    9. Re:Mission creep, featuritus syndrome by thegarbz · · Score: 1

      Chrome's claim to fame used to be simplicity and a light footprint.

      The computer's claim to fame used to be its ability to spit out numbers on an orange and black screen able to run accounting software. Should we go back to that too because that was the claim to fame?

      It was sort of predictable Google would start using their browser market share for bloatWare and lockinWare.

      So to be clear you don't want Google to support web standards and prefer the days of IE6 where a website may or may not work in your browser? Got it.

      You have a very screwed view of both bloatWare and lockin, neither of which have anything to do with Chrome.

    10. Re:Mission creep, featuritus syndrome by Tablizer · · Score: 1

      Should we go back to that too because that was the claim to fame?

      I'm just saying why it gained market share. Whether those consumer choices were wise is a different issue.

      From a marketing standpoint, they gained popularity by doing X; but once popular, stopped doing X. Sounds like a risky strategy. Firefox took a hit when it wandered too far from its roots.

      My opinion is many of these side features not directly related to browsing or niche preferences should be add-ons, not hard-wired into the base browser.

    11. Re:Mission creep, featuritus syndrome by thegarbz · · Score: 1

      I'm just saying why it gained market share.

      Nope, You're assuming why it gained market share / popularity. And you'd be wrong. The reason it gained market share was aggressive adherence to standards, providing very good functionality and impressive speed (all the while actually being a very heavy browser from the onset), combined with aggressive advertising across the entire Google platform, combined with woeful mismanagement by both its main competitors. It was never very good on resources, and has been pumping in more and more features even back in the days where it was still aggressively gaining market share. They were the only ones who had a javascript engine worth a damn at a time when more and more things moved to javascript.

      In other news benchmarkings show that Windows 10 runs programs and manages memory faster than Windows 7 or XP, so I take it that means by your standards it's free from bloat and lockin?

      My opinion is many of these side features not directly related to browsing or niche preferences should be add-ons

      That would be my opinion for anything that isn't listed as part of the internet standards. E.g. That pocket garbage in Firefox. On the other hand I expect and wish for a day where we can get to any website with a vanilla browser without having to install yet another shitty extension from some crappy untrustworthy source.
      Or when you actually need to visit a website for something do you want to put a bullet in the barrel and give it a spin: https://tech.slashdot.org/stor...

    12. Re:Mission creep, featuritus syndrome by Tablizer · · Score: 1

      The reason it gained market share was aggressive adherence to standards

      Hogwash, consumers don't know standards from a hole in the wall. (Plus, many of the standards are ambiguous and confusing. The standards bodies are shitty writers. Their "reason" for deprecating "b" tag is some of the worst {intended} technical writing I have ever seen.)

  3. I never would have guessed. by Futurepower(R) · · Score: 1

    Thanks for the reply.

    I never would have guessed that. I thought if I didn't say yes to a UAC request, Google Chrome browser would not install.

    My opinion: Google is becoming more and more badly managed. Now, when a Google map is displayed, the map shows hotels! To me, that might be useful: I know that any CEO of a hotel that displays on Google maps is not a sensible person. I would never stay at that hotel, no matter where it is located.

    1. Re:I never would have guessed. by bogaboga · · Score: 1

      Please remember that whatever your choice, Google makes the bucks; when hotels are displayed as in the case you mention.

      What you do with your knowledge, (the knowledge that such and such a hotel has been displayed), is immaterial.

      I will give you some advice:

      If you want to be of consequence, you and those who think like you do, will need to stop using the damn browser in big enough numbers, and from critical markets.

  4. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  5. Encrypted ads by AHuxley · · Score: 1

    From an ad company deep into your OS. For free.

    --
    Domestic spying is now "Benign Information Gathering"
  6. Chromium browser has Google's spyware also? by Futurepower(R) · · Score: 1

    You said, "most or all of google's spyware removed". Most?

    Google is so wackily managed, in my opinion, that I would not trust that there is no spyware in the Chromium browser. If there is no spyware now, maybe it would be added later. And, how would I know? I don't want to spend hours dealing with those details.

  7. What? by Anonymous Coward · · Score: 1

    Probably the biggest change in Chrome 67 is the addition of the Generic Sensors API. As the name implies, this is an API that exposes data from device sensors to public websites.

    Why the fuck would I want a web browser to do any of that shit?

    I want websites to have less information about me, not more.

    Honestly, make a fucking web browser, the rest is just bullshit we don't want.

    1. Re:What? by Joce640k · · Score: 1, Insightful

      Why the fuck would I want a web browser to do any of that shit?

      When did you become the spokesperson for the human race?

      Don't like it? Don't use it.

      --
      No sig today...
    2. Re:What? by Bengie · · Score: 1

      Because many apps would work just fine as a web app, except that they need access to sure information to work, like augmented reality. So what you're saying is instead of just being able to go to a webpage and accepting or denying access to these sensors, you'd rather every company to have their own app that you have to install to use? Of course you might not want to install the apps, but there are people who want/need these features and they'd rather not have to go so far as installing apps for something that may be one time use.

      One example that comes to mind is if you're at a museum and they have some sort of app that uses AR to let you interact virtually with the exhibits. Do you want to download an app or just hit their web page?

  8. Another API, another Advertising Opportunity. by xack · · Score: 1

    I expect the sensors will be used to make forced interactions with ads and tracking. It's time a web browser gets released that says we won't add any more APIs, just a plain text browsing experience. A modern gopher, basically.

  9. Getting close to... by thegreatbob · · Score: 1

    ... that all important benchmark value, 69! Highest version number wins! Remember that, kids.

    --
    There is no XUL, only WebExtensions...
  10. NSA objects to HPKP, Google relents by WaffleMonster · · Score: 1

    Certificate transparency = Lifelock commercial.

    There is no equivalence between the two systems.

    1. Re:NSA objects to HPKP, Google relents by WaffleMonster · · Score: 2

      Certificate transparency = distributed HPKP

      HPKP allows the operator to declare this certificate or bust to regular users. Certificate transparency offers no such capability.

      Certificate transparency only provides "transparency". It doesn't allow operators to set declarative limits on what is acceptable.

      If your website was gearing up for protest against local dictator and chief and they conspired against you obtaining a MITM cert from your CA and properly logged it to transparency log accordingly that information sure as hell won't do your users any good who are now being rounded up thanks to this ridiculous assertion of equivalence.

      Certificate transparency *IS* a good thing and it is worth doing yet value offered by each approach does not fully overlap. Removal of HPKP only reduces security. It does not improve it.

    3. Re:NSA objects to HPKP, Google relents by WaffleMonster · · Score: 1

      We don't need that ability if lack of CT causes the connection to bust.

      I offered an example why CT is insufficient even assuming it is fully deployed and made mandatory.

      There's DNS CAA

      Have a feeling when DNS CAA means something from a security perspective everyone will be using DANE anyway rendering DNS CAA redundant.

      Again not that CAA is worthless or not worth doing but it's fundamentally toothless from a security perspective so long as DNS as actually deployed remains insecure.

      In the situation where a single entity has complete packet rewrite ability for the connection to a user at all times, then neither HPKP nor CT will help you.

      This is widely known. Similar to HSTS having the latch in practice useful or at least better than nothing. Heck virtually the entire constellation of DV certs currently deployed is based on the same leap of faith as certificates are initially provisioned automatically relying on insecure responses from insecure protocols over insecure transports.

      It's the flip side to another problem though. Suppose that the dictator suborns the regional web host for my site and steals its key. I can set up a host elsewhere but I need to rotate the key. With HPKP, users will reject my new key and continue to use the old key to connect to the dictator-owned system

      I don't accept this argument. Your users trust you. Should it turn out that trust was misplaced it isn't the failing of technology. It's a failing of yourself and a price MUST unavoidably be paid for that failing. Attempting to weasel out of paying MUST only lead to more insecurity. After all technology is only a means of conveying trust. It doesn't turn people into paragons of integrity and mindfulness.

      In the event of this type of subversion having no site or having to start over and build trust from scratch even if it means lighting up a different domain or subdomain may well be seen as ideal or at least acceptable.

      OK. I think you understand how CT and HPKP work well enough that I don't feel the need to keep arguing. I was mostly upset about "Certificate transparency = Lifelock commercial"

      Essentially that's what it is. I do not retract my comment. The security monitor and the dental monitor commercials are exactly what CT is. And this is being generous about CT because practically operationally end users have no way of reasoning about CT. Nobody is actively announcing that a bank is being robbed or a bad cavity. Was the CA subverted? Did an attacker get a cert from a different CA or did the domain holder? Users have no clue. How many CA's exist in the world today? How many are state run? By political and commercial rivals?

      (and claim that this move is caused by the NSA, which is a high-school quality calumny) which you've since walked back by stating that CT is good for security.

      First I walk back nothing. When I said NSA I didn't really mean NSA specifically I meant "government" in general. Stating an opinion about CT is obviously a separate matter from opinion about or cause of any possible reason for removal of HPKP.

      Second yes it is a conspiracy theory of mine that may well be misplaced or wrong. After the Snowden drip, increasing coziness of Alphabet with government and fact every damn secure everything platform always manages to eventually get subverted either through sale to a bigger fish or internal policy changes I suspect there is a good chance of it ringing true.

      The thing that really gets me is the sheer pointlessness of this behavior. The feature already exists, people are already using it. They knew from day one that HPKP would always be a NICHE feature used by only a few security cautious people and paranoid fools. It was never intended at any point for mass consumption. So why on earth remove it? What good does that do anyone? What is the incentive for that? I have yet to hear a reason that passes sniff test. I think the answer is more likely than not to be pressure from government. CT is simply NOT a replacement for HPKP. Simply put governments don't care about "getting caught".

    4. Re:NSA objects to HPKP, Google relents by Carewolf · · Score: 1

      Certificate transparency = distributed HPKP

      HPKP allows the operator to declare this certificate or bust to regular users. Certificate transparency offers no such capability.

      Certificate transparency only provides "transparency". It doesn't allow operators to set declarative limits on what is acceptable.

      Pretty sure CT includes an option for websites to require that their certificate must be transparent, which means it would be detected if it was false, though not necessarily in real time.
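
The "this certificate or bust" pin check and the key-rotation lockout argued over in this thread, as an added example that is not part of any comment and is not Chrome's code. It follows the Public-Key-Pins header rules of RFC 7469; the SPKI byte strings are constructed placeholders, the function names are hypothetical, and Certificate Transparency is not modelled.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; a real
# client would take these bytes from each certificate in the validated chain.
SITE_KEY = b"constructed-spki:site-leaf-key"
BACKUP_KEY = b"constructed-spki:offline-backup-key"
SITE_CA_KEY = b"constructed-spki:site-issuing-ca"
OTHER_CA_KEY = b"constructed-spki:other-trusted-ca"
MISISSUED_KEY = b"constructed-spki:misissued-leaf-key"
NEW_UNPINNED_KEY = b"constructed-spki:new-unpinned-key"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of the SHA-256 digest of the SPKI bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins value (simplified: no ';' inside quoted strings)."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256" and arg:
            policy["pins"].add(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def note_pins(header_value: str, chain_spkis: list):
    """Return the policy a client would store, or None if it must be ignored.

    The header is only honoured when max-age is present, at least one pin
    matches the current chain, and at least one pin is a backup (a key that
    is NOT in the current chain).
    """
    policy = parse_pkp_header(header_value)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if policy["max_age"] is None:
        return None
    if not policy["pins"] & chain_pins:
        return None
    if not policy["pins"] - chain_pins:
        return None  # no backup pin: rotation would lock users out
    return policy


def connection_allowed(policy: dict, chain_spkis: list, age: int) -> bool:
    """Enforce stored pins on a later connection, `age` seconds after noting."""
    if age > policy["max_age"]:
        return True  # pins expired; only ordinary CA validation applies
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(policy["pins"] & chain_pins)


def demo() -> dict:
    header = (
        f'pin-sha256="{spki_pin(SITE_KEY)}"; '
        f'pin-sha256="{spki_pin(BACKUP_KEY)}"; '
        "max-age=5184000; includeSubDomains"
    )
    legit_chain = [SITE_KEY, SITE_CA_KEY]
    policy = note_pins(header, legit_chain)
    single_pin = f'pin-sha256="{spki_pin(SITE_KEY)}"; max-age=60'
    return {
        "noted": policy is not None,
        "legit": connection_allowed(policy, legit_chain, age=3600),
        # Certificate from another trusted CA: valid chain, but no pinned key.
        "misissued": connection_allowed(
            policy, [MISISSUED_KEY, OTHER_CA_KEY], age=3600),
        # Operator rotates to the pre-announced backup key on a new host.
        "rotated_to_backup": connection_allowed(
            policy, [BACKUP_KEY, OTHER_CA_KEY], age=3600),
        # Operator rotates to a key that was never pinned: users are locked out.
        "rotated_unpinned": connection_allowed(
            policy, [NEW_UNPINNED_KEY, SITE_CA_KEY], age=3600),
        "after_expiry": connection_allowed(
            policy, [MISISSUED_KEY, OTHER_CA_KEY], age=5184001),
        "single_pin_noted": note_pins(single_pin, legit_chain) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```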

  11. Google and Microsoft: In the spyware business? by Futurepower(R) · · Score: 1

    Yes, on Windows 7. Most of our computers aren't running Windows 10.

    Many articles say Microsoft and Windows cannot be trusted. Two of those articles: Windows 10 is possibly the worst spyware ever made.

    And: 7 ways Windows 10 pushes ads at you...

    So, it seems to me that Google and Microsoft are, more and more, poorly managed. They are in the abuse business, not in any real business.

    Several years ago, I talked with a mid-level Google manager who said that Google had more money than it knew how to manage. Also, that it was difficult for Google employees to know what was happening inside the company.

    And Linux: We have 2 computers running Linux. Mostly they don't get used. It is too difficult to deal with all the poorly-documented variations. This story about Linux makes me laugh: Why is the Number of Linux Distros Declining? Linux had 285 variations when that article was published!

  12. Re:Professor Fritzen Posten by Joce640k · · Score: 1

    OK, well...

    According to this Chrome has supported these things since version 7, that's eight years ago...

    https://caniuse.com/#search=de...

    --
    No sig today...
  13. Being more complete is easier for some readers. by Futurepower(R) · · Score: 1

    Why did I say "Google Chrome browser", and not just "Chrome"? I was trying to make my comment easier to read. I didn't want to assume that every Slashdot reader has experience with Chrome.

  14. Progressive Web Apps by dmt0 · · Score: 1

    On the positive side, PWAs will now have access to sensors and there's even less need for native apps.

  15. A better analogy: by Futurepower(R) · · Score: 1

    There is a book filled with poison in a library of 100,000 books. Just open all the books to find that bad book. You have nothing else to do, is that correct?

    Also, the poison may be extremely well-disguised as a typical hamburger.

    Also, if the poison is found, a new version of the book may be released that disguises the poison in a different way.

    The answer? Stay away from those who have demonstrated an intention to harm you.

  16. It's a huge bag of don't want. by blind+biker · · Score: 1

    Where are the features that would make the browser immune to malware? Defend from pop-under, javascript exploits, malware of all ilk. THOSE are the priorities that everybody and their dog cares about. VR, generic sensor API... it's just bloatware we didn't ask for.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:It's a huge bag of don't want. by Merk42 · · Score: 1

      Where are the features that would make the browser immune to malware? Defend from pop-under, javascript exploits, malware of all ilk.

      In the minor, security updates, that happen all the time, aren't major feature versions, and therefore don't get articles made about them.

      THOSE are the priorities that everybody and their dog cares about.

      Sadly, that's not the case.

      VR, generic sensor API... it's just bloatware we didn't ask for.

      Maybe you didn't, but this isn't the browser solely made for blind baker.

    2. Re:It's a huge bag of don't want. by blind+biker · · Score: 1

      but this isn't the browser solely made for blind baker.

      Did you misspell my handle on purpose? Or is blindness contagious via Slashdot posts?

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    3. Re:It's a huge bag of don't want. by Merk42 · · Score: 1

      Just a typo. Though I guess technically correct since the browser isn't solely made for blind baker either.

    4. Re:It's a huge bag of don't want. by thegarbz · · Score: 1

      it's just bloatware we didn't ask for

      So to be clear you want browsers to not implement standards, and not have functionality needed as more and more software moves to a browser based platform? Got it. May I interest you in Lynx? It's immune to those other things you complain about too.

  17. Chrome 67 released for Mac by DontBeAMoran · · Score: 1

    But you need to run OS X 10.10 for some magical reason because the new version of the browser uses... eh, what exactly?

    Why does it need 10.10?

    --
    #DeleteFacebook
    1. Re:Chrome 67 released for Mac by Carewolf · · Score: 1

      But you need to run OS X 10.10 for some magical reason because the new version of the browser uses... eh, what exactly?

      Why does it need 10.10?

      Because that is the oldest version still supported by Apple. Getting things to work on OS versions abandoned by their maker is difficult.

      But yes, it is an entirely artificial limitation, but one mainly set by Apple.

  18. Mostly garbage posts below .. by najajomo · · Score: 1

    Mostly garbage posts below, sad seeing slashdot reduced to a hosting platform for trolls.

  19. A system service could possibly do anything, by Futurepower(R) · · Score: 1

    You are indicating that you think you are more knowledgeable than someone else.

    This is the issue: A system service could possibly do anything, including changing what it does at any time. Most people don't want to spend the time to investigate.

    There is NO good reason why a browser should include a system service. If there is a system service, there is no certainty of privacy or control over the entire computer by the owner and user. Somewhat like Google's Android operating system.

  20. Glad I read this. by jtgd · · Score: 1

    Probably the biggest change in Chrome 67 is the addition of the Generic Sensors API. As the name implies, this is an API that exposes data from device sensors to public websites.

    HOLY F'CK! Seriously? The audacity!

    I am glad I read this so I know to uninstall and never look back.

    --
    J