Google this week launched Chrome 79, touting the browser’s warnings when a site password may have been divulged and patching 51 vulnerabilities.
The California company paid $80,000 in bug bounties to researchers who reported some of the vulnerabilities. Two were ranked “Critical,” Google’s top-most rating, and eight were tagged “High,” the next level down in the four-step ordering. One report of a critical vulnerability was submitted by engineers at Tencent Keen Security Lab, a subsidiary of People’s Republic of China-based Tencent; Google awarded the researchers $20,000. The other bug alert? That one came from inside the house, reported by Sergei Glazunov of Google Project Zero.
Chrome updates in the background, so most users can just relaunch the browser to finish the upgrade to the latest version. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. Those who are new to Chrome can download the latest for Windows, macOS and Linux here.
Google updates Chrome every six to eight weeks. It last upgraded the browser Oct. 22.
Your password is kaput!
Google baked the functionality of its web-based Password Checker into Chrome 79 so that when the feature is enabled, the browser will alert its user if an entered password has been revealed by a prior data breach.
The online service, which examined the username-password combinations stored in Chrome’s password manager and reported back the authentication pairings that have been exposed in publicly-known data breaches, went live in early October. (The web service remains available.)
With Password Checker, Chrome will pop up a warning when a username + password combination has been exposed by a hack. Just as when Computerworld spot-tested the checker two months ago, an alert did not always appear when it was supposed to. One site whose password had been reported in a breach failed to display a warning, while other sites – some relying on the same username + password – did offer an on-screen warning.
The alert contains a Check passwords button that, when tapped, opens the status of all saved passwords, showing those that have been disclosed and giving the user a way to change the password.
Not everyone will have the new password notifier immediately, Google said. “We’re gradually rolling this out for everyone signed into Chrome as a part of our Safe Browsing protections,” wrote AbdelKarim Mardini, a senior product manager, in a Dec. 10 post to a company blog.
(To check whether it’s available to you, open Settings and click on People > Sync and Google services. If it’s available, it will be under the Other Google services section as Warn you if passwords are exposed in a data breach. Slide the toggle to the right if necessary, to enable the feature.)
Also new to Chrome 79 are changes to the browser’s long-in-place anti-phishing safeguards.
Safe Browsing, a Google-crafted technology, warns when a user steers toward a site that may contain malicious content. (The term is also applied to the API Google makes available to other browser builders; for instance, Mozilla relies on the Safe Browsing API to warn Firefox users about dangerous websites.)
The list of potentially-malevolent sites refreshes every 30 minutes, Google said. But that’s often not frequent enough. “Some phishing sites slip through that 30-minute window, either by quickly switching domains or by hiding from our crawlers,” wrote Google’s Mardini. Now Google will compare impending destination URLs against its list in real time. To start, Mardini added, the real-time lookups will be enabled for everyone with Chrome’s Make searches and browsing better enabled. (That option’s toggle can be found at Settings > Advanced > Sync and Google services > Other Google services.)
Chrome 79 also alters a 2017 function that warned users when they entered their Google Account password (the account is what one uses to, for example, sync copies of Chrome or access Gmail) at a suspected phishing site.
(The feature stems from the concern that users can be tricked into divulging their Google Account credentials by a sophisticated – or unsophisticated, for that matter – phishing email with a link to a fraudulent site. Such emails often claim to be from Google, telling the user they need to log in to, say, retrieve a special offer or maintain their account.)
Prior to Chrome 79, only users who had signed into Chrome and enabled synchronization were alerted. “Now, we’ll be protecting your Google Account password when you sign in to Chrome, even if Sync is not enabled,” said Mardini. Atop that, the feature also warns if any password saved to Chrome is entered at a site thought to host phishing attacks.
Odds, ends and enterprise
Other debuts in Chrome 79 will affect users generally, and in some cases, enterprise users most of all.
A long-in-the-making feature that allows users to search Google Drive content from the Chrome address bar finally wrapped up and is being switched on in stages this month. (Google began testing this Chrome-Google Drive integration for G Suite Business, Enterprise, and Enterprise for Education subscribers in March.)
This will begin rolling out to G Suite users on Dec. 16, when Google will enable such searching by default. G Suite administrators can control the feature from their consoles.
(Users likely hope Google actually follows through on the Drive integration this time; at the launch of Chrome 78 in late October, the company said the feature would be “rolling out in the coming weeks.” Not in Chrome 78, though.)
Chrome 79 also includes a warning when users connect to a site that encrypts traffic with the outdated TLS (Transport Layer Security) 1.0 and 1.1. That warning will be switched on starting Jan. 13, 2020, Google has said. Two Chrome versions later (Chrome 81), Google will begin blocking connections to sites that rely on TLS 1.0 or 1.1 with a full-page warning.
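For administrators who want to know which of their own sites the TLS warning would hit, here is an added example (not from Google or from this article) that audits the `ssl_protocols` directive in an nginx configuration. The hostnames and sample configuration are constructed, and the three labels are this example's own; it relies on the fact that a TLS handshake settles on the highest version both sides support, so only a site whose newest protocol is TLS 1.0 or 1.1 ends up on a legacy connection.

```python
import re

LEGACY = {"TLSv1", "TLSv1.1"}    # versions Chrome 79 will warn about
MODERN = {"TLSv1.2", "TLSv1.3"}

# Constructed sample nginx configuration (hostnames are placeholders).
SAMPLE_CONF = """
server {
    server_name legacy.example.test;
    ssl_protocols TLSv1 TLSv1.1;
}
server {
    server_name mixed.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    server_name modern.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;   # already clean
}
"""

# Simplification: assumes server blocks without nested braces.
SERVER_RE = re.compile(r"\bserver\s*\{(.*?)\}", re.S)

def classify(protocols):
    """Label a list of enabled protocol names."""
    enabled = set(protocols)
    if enabled & MODERN:
        # A modern browser negotiates TLS 1.2+, so no warning is shown,
        # but the legacy versions are still reachable and should be removed.
        return "legacy-enabled" if enabled & LEGACY else "ok"
    # Nothing modern is offered: the browser is forced onto TLS 1.0/1.1.
    return "legacy-only" if enabled & LEGACY else "unknown"

def audit(conf_text):
    """Map each server_name to its label; blocks without an explicit
    ssl_protocols directive are skipped (nginx defaults vary by version)."""
    results = {}
    for block in SERVER_RE.findall(conf_text):
        block = re.sub(r"#.*", "", block)             # drop comments
        name = re.search(r"server_name\s+([^;\s]+)", block)
        protos = re.search(r"ssl_protocols\s+([^;]+);", block)
        if name and protos:
            results[name.group(1)] = classify(protos.group(1).split())
    return results

if __name__ == "__main__":
    for host, label in audit(SAMPLE_CONF).items():
        print(f"{host}: {label}")
```

Sites labelled `legacy-only` are the ones that would draw the warning and, later, the full-page block; `legacy-enabled` sites would not, but still accept the outdated versions from older clients.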
Chrome’s next upgrade, to version 80, is slated for release on Feb. 4, 2020.