Google this week upgraded Chrome to version 70, following through on a promise made to disable automatic sign-in after users and privacy advocates complained about changes in the prior edition.
Chrome also sported patches for 23 security vulnerabilities as Google paid researchers $22,000 in bug bounties.
Chrome updates in the background, so in most cases users can simply relaunch the browser to install the latest version. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download-and-upgrade process before presenting a “Relaunch” button. New-to-Chrome users can download it from this Google site.
The Mountain View, Calif. company updates Chrome every six to seven weeks. It last upgraded the browser on September 4.
Auto log-on backtrack
As of Chrome 69, signing into any Google service automatically also signed the user into Chrome. For example, logging into one’s Gmail account also logged into one’s Google account when Chrome opened. (That was the case whether a user had accessed Gmail using Chrome or another browser, like Firefox.)
Because logging into a Google account allowed syncing of data — including bookmarks and passwords — between machines, and because some users did not want their data transiting Google’s servers — ever — they strongly objected to the new model.
When the backlash came, Google said it would add an option to disable the automatic sign-in in Chrome 70. But it did not retreat from the position that the feature would be on by default.
Chrome 70 did add the option to the Settings panel, called up when the user clicks the vertical ellipsis at the upper right and chooses “Settings” from the menu. After clicking the “Advanced” button on the Settings panel, the user can toggle the slider under “Privacy and security” marked with the phrase “Allow Chrome sign-in.” Chrome must be relaunched for the change to take effect.
With the slider toggled to the off position — moved to the left — the user can sign into a Google service, like Gmail, without also signing into Chrome.
PWA and more anti-HTTP warnings
Progressive web apps (PWAs) are, as the name implies, web-based apps that have the look and feel of native applications. Rather than run inside a Chrome frame, for example, they appear within the operating system’s standard windowing. In Windows 10, a PWA operates like any other application, including installing to the Start menu.
Google has pitched PWAs rather than Chrome-only apps, which have long been available in its e-store, since it announced two years ago that it would drop those apps from the browser and restrict them to Chrome OS.
Google will add PWA support to the macOS and Linux editions of Chrome with version 72; that should ship around the middle of January.
Also new to Chrome 70 was another step in Google’s longtime effort to secure the user by forcing site owners to abandon HTTP and institute HTTPS instead. As per Google’s plan, Chrome 70 tags any HTTP site with an insecure icon — a small red triangle — and the text “Not secure” in the address bar as soon as the user interacts with any input field, such as a password field or one that requires credit card information.
More add-on lock-down
Earlier this month, Google made note of new ways it would lock down Chrome extensions — for years, the search giant has pointed to extensions as potential security nightmares — that included requiring developers to adopt two-factor authentication on their accounts (so criminals would have a tougher time hijacking those accounts, then feeding malicious add-ons to the Chrome Web Store) and giving users a way to limit the permissions an extension had been granted.
“Beginning in Chrome 70, users will have the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page,” wrote James Wagner, product manager for Chrome extensions, in an October 1 post to a company blog. “While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse because they allow extensions to automatically read and change data on websites.”
A right-click on an add-on’s icon will bring up new options to, for instance, restrict the already-agreed permissions to just that page.
Computerworld tested the add-on management enhancement on both Windows and macOS, but neither version of Chrome 70 showed evidence of the new options. That wasn’t surprising: Google often enables a Chrome feature only after a week or more has passed, perhaps to make sure the updated browser is in most users’ hands.
Patches and certs
Google also patched 23 security vulnerabilities in version 70, including six marked “High,” the second-most serious ranking in its four-step system. The company cut checks worth $22,000 to researchers for reporting 15 of the bugs.
In another security-related move, Chrome 70 took the last step in a series of actions that Google (and other browser makers) instituted against Symantec-issued SSL (Secure Sockets Layer) certificates. Any certificate issued by Symantec should now trigger a “Not secure” warning in the browser’s address bar, essentially telling the user not to trust that the website is legitimate.
This was to be the final step in a process outlined more than a year ago, after Google and Mozilla — the maker of Firefox — charged Symantec and its partners with improperly issuing certificates, violating rules set by the CA/Browser Forum, a standards group whose members include browser makers and certificate authorities. Google and others declared that Symantec’s problems were endemic, and that the accumulated incidents were proof it could not be trusted with the one thing a certificate authority exists to vouch for: that a website is what it claims to be, not a fake set on stealing users’ money, credentials or data.
(Mozilla last week announced it was delaying a similar move on the part of Firefox, saying that “well over 1% of the top 1-million websites are still using a Symantec certificate that will be distrusted.” That, Mozilla decided, was too many for it to proceed.)
Computerworld used a list of sites that, as of late September, were still using a Symantec-issued certificate, and after spot-checking, found very few that had not switched in time for Chrome 70. Some took it to the wire, though, getting a new certificate just days ago.
(One example of a site that missed the memo: digg.com.)
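A defender’s version of the spot check Computerworld describes, as an added example that is not part of the article: the audit flags hosts whose leaf certificate names a Symantec brand as its issuer. It assumes the dict layout returned by Python’s ssl.getpeercert(), and the brand list is illustrative (Symantec plus sister brands it operated), not Google’s official distrust list.

```python
import socket
import ssl

# CA brand names treated as Symantec-operated for this check. Assumption: the
# article names only Symantec; the sister brands come from general knowledge of
# the roots Symantec ran and should be checked against the browser vendor's list.
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")

def issuer_field(cert, field="organizationName"):
    """Pull one issuer attribute out of a dict shaped like ssl.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return ""

def is_symantec_issued(cert):
    """True when the leaf certificate's issuer organization is a Symantec brand."""
    org = issuer_field(cert).lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)

def fetch_leaf_cert(host, port=443, timeout=5):
    """Fetch the certificate a live host presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(certs_by_host):
    """Return, sorted, the hosts whose certificate Chrome 70 would flag."""
    return sorted(h for h, c in certs_by_host.items() if is_symantec_issued(c))

# Constructed sample data in the shape ssl.getpeercert() returns; not real sites.
SAMPLES = {
    "legacy.example": {"issuer": (
        (("countryName", "US"),), (("organizationName", "Symantec Corporation"),),
        (("commonName", "Example Symantec Intermediate CA"),))},
    "migrated.example": {"issuer": (
        (("countryName", "US"),), (("organizationName", "Example Trust Services"),),
        (("commonName", "Example Secure Server CA"),))},
}

if __name__ == "__main__":
    print("Hosts still presenting a Symantec-issued certificate:", audit(SAMPLES))
```

To run it against your own hosts, replace SAMPLES with `{h: fetch_leaf_cert(h) for h in hosts}`; note that getpeercert() only returns a populated dict for a chain the local trust store validates.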
Chrome’s next upgrade, version 71, is set to release December 4.