_Protection against Specter attacks for Chrome desktop

Jul

12

2018

versions is active
Google has enabled a security measure for the vast majority of desktop users of its Chrome browser. This is the site isolation feature, which should prevent malicious websites from stealing sensitive information.

Google reports that the feature has now been enabled for 99 percent of Chrome users by default, with the last 1 percent being used to monitor and, if necessary, improve performance. The introduction of the function took place in version 67 of Chrome, which came out at the end of May . In version 66 of the browser, Google performed a limited test of the function among users, made it known at the release of that version. It was already possible for business users to enable site isolation via a flag . That possibility existed since Chrome 63 .

site-isolation-chrome
Illustration of Google
The function must prevent a malicious website from being able to steal sensitive information from another website that has been opened in the browser, according to Google. It is a kind of ‘second line defense’, because the same origin policy basically prevents websites from seeing data from each other. Site isolation goes beyond that, because pages from different websites are placed in separate processes and own sandboxes . This applies, for example, to tabs and iframes. According to Google, the measure means that Chrome uses about ten to thirteen percent more memory.

The company writes that isolating renderer processes per site depends on the operating system to effectively prevent attacks between processes. Before the feature was in Chrome, an iframe from another site was placed in the same process as that of the site where the user was currently present. This could lead to an attacker being able to carry out a successful Specter attack. Such an attack makes it possible to read sensitive data, for example cookies or passwords in the browser.

Google says it will now investigate how site isolation can be integrated into the mobile Android Chrome browser. Whether that happens in the iOS version does not mention the search giant. Google starts an experimental implementation for business users in version 68 of the Android version. The company had already introduced countermeasures in Chrome with the publication of Meltdown and Specter in January, for example by making timers less precise. These measures are now running back, because thanks to site isolation they are no longer necessary.

Viewing:-44

In: A Technology & Gadgets Asked By: [20034 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »