
Timesdelhi.com

May 24, 2019

What Chrome’s browser changes mean for your privacy and security


At the risk of sounding too optimistic, 2019 might be the year of the private web browser.

In the beginning, browsers were a cobbled-together mess that put a premium on making the contents within look good. Security was an afterthought (there is no better example than Internet Explorer), and user privacy was seldom considered as newer browsers like Google Chrome and Mozilla Firefox focused on speed and reliability.

Ads kept the internet free for so long, but with invasive ad tracking at its peak and concerns about online privacy (or the lack of it), privacy is finally getting its day in the sun.

Chrome, which claims close to two-thirds of all global browser market share, is the latest to double down on new security and privacy features after Firefox announced new anti-tracking blockers last month, Microsoft’s Chromium-based Edge promised more granular controls over your data, and Apple’s Safari browser began preventing advertisers from tracking you from site to site.

At Google’s annual developer conference Tuesday, Google revealed two new privacy-focused additions: better cookie controls that limit advertisers from tracking your activities across websites, and a new anti-fingerprint feature.

In case you didn’t know: cookies are tiny bits of information left on your computer or device to help websites or apps remember who you are. Cookies can keep you logged into a website, but can also be used to track what a user does on a site. Some work across different websites to track you from one website to another, allowing them to build up a profile on where you go and what you visit. Cookie management has long been an on or off option. Switching cookies off means advertisers will find it more difficult to track you across sites, but it also means websites won’t remember your login information, which can be an inconvenience.

Soon, Chrome will prevent cross-site cookies from working across domains without obtaining explicit consent from the user. In other words, that means advertisers won’t be able to see what you do on the various sites you visit without asking to track you.

Cookies that work only on a single domain aren’t affected, so you won’t suddenly get logged out.

There’s an added benefit: blocking cross-site cookies makes it more difficult for hackers to exploit cross-site vulnerabilities. Through a cross-site request forgery attack, it’s possible in some cases for malicious websites to run commands on a legitimate site that you’re logged into without you knowing. That can be used to steal your data or take over your accounts.

Going forward, Google said it will only let cross-site cookies travel over HTTPS connections, meaning they cannot be intercepted, modified or stolen by hackers when they’re on their way to your computer.
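The rule described above can be modelled in a few lines. This is an added example, not code from the article or from Chrome; it assumes the opt-in is expressed through the `SameSite` and `Secure` cookie attributes (which the article does not name), that every cookie belongs to the site being requested, and it uses constructed cookies and hypothetical hosts.

```javascript
// Added example: a simplified model of the cookie rule, not Chrome's code.
// Assumption: the cross-site opt-in is SameSite=None combined with Secure.

// Parse one Set-Cookie header into the attributes this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, sameSite: "lax" }; // unmarked cookies are treated as Lax
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite" && ["strict", "lax", "none"].includes(val)) cookie.sameSite = val;
  }
  return cookie;
}

// Naive "site": the last two host labels. Real browsers use the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// request: { url, initiator, method, topLevelNavigation }
// Domain matching is omitted: the cookie is assumed to belong to request.url's site.
function shouldAttach(cookie, request) {
  const https = new URL(request.url).protocol === "https:";
  if (cookie.secure && !https) return false;      // Secure cookies never travel over HTTP
  if (siteOf(request.initiator) === siteOf(request.url)) return true; // same-site: unaffected
  switch (cookie.sameSite) {
    case "none": return cookie.secure;            // cross-site only if also Secure
    case "lax":  return request.topLevelNavigation && request.method === "GET";
    default:     return false;                    // strict: never sent cross-site
  }
}

// Constructed samples (hypothetical hosts and values).
const session = parseSetCookie("sid=abc123; Path=/; HttpOnly");
const tracker = parseSetCookie("uid=42; SameSite=None; Secure");
const forgedPost = { url: "https://bank.example/transfer", initiator: "https://evil.example/",
                     method: "POST", topLevelNavigation: true };
const ownPost = { ...forgedPost, initiator: "https://www.bank.example/account" };
const embed = { url: "https://ads.example/pixel", initiator: "https://news.example/",
                method: "GET", topLevelNavigation: false };

console.log(shouldAttach(session, forgedPost)); // forged cross-site POST: session cookie withheld
console.log(shouldAttach(session, ownPost));    // the site's own form: cookie sent, user stays logged in
console.log(shouldAttach(tracker, embed));      // declared cross-site cookie over HTTPS: sent
```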

Cookies are only a small part of how users are tracked across the web. These days it’s just as easy to take the unique fingerprints of your browser to see which sites you’re visiting.

Fingerprinting is a way for websites and advertisers to collect as much information about your browser as possible, including its plugins and extensions, and your device, such as its make, model, and screen resolution, which creates a “fingerprint” that’s unique to your device. Because they don’t use cookies, websites can look at your browser fingerprint even when you’re in incognito mode or private browsing.

Google said — without giving much away as to how — it “plans” to aggressively work against fingerprinting, but didn’t give a timeline of when the feature will roll out.

Make no mistake, Google is stepping up to the privacy plate, following in the footsteps of Apple, Mozilla and Microsoft. Now that Google’s on board, that’s two-thirds of the internet set to soon benefit.

Microsoft’s Chromium-based Edge browser will get new privacy controls, IE mode and Collections


Microsoft today announced a number of new features for its new Chromium-based Edge browser, which saw its first public release only a few weeks ago. One of these features addresses some worries from business customers, who need compatibility with the old pre-Edge Internet Explorer, in addition to new privacy controls and an interesting new take on bookmarks.

The feature that users will likely care most about here is Collections, which Microsoft describes as a way to address “the information overload customers feel with the web today.” With Collections, users can collect, organize and share content from across the web. This feature will also offer an integration with Microsoft’s Office suite, though the details of how this will work remain unclear.

On the privacy front, Microsoft announced that the new Edge will get three privacy settings: unrestricted, balanced and strict. These settings will influence how third parties will be able to track you across the web.

As far as IE mode goes, this feature shows that Microsoft is still haunted by the legacy of a browser it first launched in 1995 and replaced with the first version of Edge in 2015. Too many businesses still rely on legacy applications that only run on Internet Explorer, so with this IE mode in Edge, users will be able to open legacy sites in what is essentially an IE tab in the new browser.

It still feels weird to say this, but Edge moving to Chromium is probably the most exciting thing to happen to browsers in this space in a long time. Instead of having to focus on trying to make all of the moving parts of the browser engine work, Microsoft now has a chance to put its considerable engineering force to actually develop innovative features for users and, by extension, force its competitors to innovate as well. That vision is slowly coming together now that the company has a stable platform to work from.

For now, this is all Windows 10-only, though. While some expected Microsoft to start releasing the macOS and Linux versions of the new Edge at its Build developer conference today, that did not happen.

Facebook makes its first browser API contribution


Facebook today announced that it has made its first major API contribution to Google’s Chrome browser. Together with Google, Facebook’s team created an API proposal to contribute code to the browser, which is a first for the company. The code, like so much of Facebook’s work on web tools and standards, focuses on making the user experience a bit smoother and faster. In this case, that means shortening the time between a click or keystroke and the browser reacting to that.

The first trial for this new system will launch with Chrome 74.

Typically, a browser’s JavaScript engine handles how code is executed and when it will halt for a moment to see if there are any pending input events that it needs to react to. Because even modern JavaScript engines that run on multi-core machines are still essentially single-threaded, the engine can only really do one thing at a time, so the trick is to figure out how to best combine code execution with checking for input events.

“Like many other sites, we deal with this issue by breaking the JavaScript up into smaller blocks. While the page is loading, we run a bit of JavaScript, and then we yield and pass control back to the browser,” the Facebook team explains in today’s announcement. “The browser can then check its input event queue and see whether there is anything it needs to tell the page about. Then the browser can go back to running the JavaScript blocks as they get added.”

Every time the browser goes through that cycle, though, checking for new events and processing them, a bit of extra time passes. Do this too many times, and loading the page slows down. But if you only check for inputs at slower intervals, the user experience degrades as the browser takes longer to react.

To fix this, Facebook’s engineers created the isInputPending API, which eliminates this tradeoff. The API, which Facebook also brought to the W3C Web Performance Working Group, allows developers to check whether there are any inputs pending while their code is executing.

With this, the code simply checks if there’s something to react to, without having to fully yield control back to the browser and then passing it back to the JavaScript engine.
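The pattern described above, as an added example that is not Facebook's or Chrome's code: a work loop that runs queued tasks back to back and hands control to the browser only when input is actually waiting. It assumes the API is exposed as `navigator.scheduling.isInputPending()`; `workLoop`, `drive` and `detectInputPending` are hypothetical names.

```javascript
// Added example: yield to the browser only when input is pending.

// Return a function that reports whether input is waiting. Without the API,
// fall back to the old behaviour of yielding after every block of work.
function detectInputPending(nav) {
  const s = nav && nav.scheduling;
  if (s && typeof s.isInputPending === "function") return () => s.isInputPending();
  return () => true;
}

// Generator work loop: runs tasks in order and pauses (yields) only when the
// check says the browser has an input event to dispatch.
function* workLoop(tasks, inputPending) {
  let completed = 0;
  for (const task of tasks) {
    task();
    completed++;
    if (inputPending()) yield completed; // give the event loop a turn
  }
  return completed;
}

// Resume the loop after each pause via `schedule`, which in a page would
// queue a macrotask so the pending input event is handled first.
function drive(loop, schedule, onDone) {
  const step = loop.next();
  if (step.done) { onDone(step.value); return; }
  schedule(() => drive(loop, schedule, onDone));
}

// In a page:
// drive(workLoop(tasks, detectInputPending(navigator)),
//       (resume) => setTimeout(resume, 0),
//       (n) => console.log(`${n} tasks finished`));
```

With the fallback the loop yields once per task; with the API it yields only as often as the user actually interacts, which is the tradeoff the article says the API removes.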

For now this is just a trial, and since developers have to integrate this into their code, it’s not something that will automatically speed up your browser once Chrome 74 launches. If the trial is successful, though, chances are developers will make use of it (and Facebook surely will do so itself) and that other browser vendors will integrate it into their own engines, too.

“The process of bringing isInputPending to Chrome represents a new method of developing web standards at Facebook,” the team says. “We hope to continue driving new APIs and to ramp up our contributions to open source web browsers. Down the road, we could potentially build this API directly into React’s concurrent mode so developers would get the API benefits out of the box. In addition, isInputPending is now part of a larger effort to build scheduling primitives into the web.”

Spy on your smart home with this open source research tool


Researchers at Princeton University have built a web app that lets you (and them) spy on your smart home devices to see what they’re up to.

The open source tool, called IoT Inspector, is available for download here. (Currently it’s Mac OS only, with a wait list for Windows or Linux.)

In a blog about the effort the researchers write that their aim is to offer a simple tool for consumers to analyze the network traffic of their Internet connected gizmos. The basic idea is to help people see whether devices such as smart speakers or wi-fi enabled robot vacuum cleaners are sharing their data with third parties. (Or indeed how much snitching their gadgets are doing.)

Testing the IoT Inspector tool in their lab the researchers say they found a Chromecast device constantly contacting Google’s servers even when not in active use.

A Geeni smart bulb was also found to be constantly communicating with the cloud — sending/receiving traffic via a URL (tuyaus.com) that’s operated by a China-based company with a platform which controls IoT devices.

There are other ways to track devices like this — such as setting up a wireless hotspot to sniff IoT traffic using a packet analyzer like WireShark. But the level of technical expertise required makes them difficult for plenty of consumers.

The researchers, by contrast, say their web app doesn’t require any special hardware or complicated set-up, so it sounds easier than trying to go packet sniffing your devices yourself. (Gizmodo, which got an early look at the tool, describes it as “incredibly easy to install and use”.)

One wrinkle: The web app doesn’t work with Safari, requiring either Firefox or Google Chrome (or a Chromium-based browser) to work.

The main caveat is that the team at Princeton do want to use the gathered data to feed IoT research — so users of the tool will be contributing to efforts to study smart home devices.

The title of their research project is Identifying Privacy, Security, and Performance Risks of Consumer IoT Devices. The listed principal investigators are professor Nick Feamster and PhD student Danny Yuxing Huang at the university’s Computer Science department.

The Princeton team says it intends to study privacy and security risks and network performance risks of IoT devices. But they also note they may share the full dataset with other non-Princeton researchers after a standard research ethics approval process. So users of IoT Inspector will be participating in at least one research project. (Though the tool also lets you delete any collected data — per device or per account.)

“With IoT Inspector, we are the first in the research community to produce an open-source, anonymized dataset of actual IoT network traffic, where the identity of each device is labelled,” the researchers write. “We hope to invite any academic researchers to collaborate with us — e.g., to analyze the data or to improve the data collection — and advance our knowledge on IoT security, privacy, and other related fields (e.g., network performance).”

They have produced an extensive FAQ which anyone thinking about running the tool should definitely read before getting involved with a piece of software that’s explicitly designed to spy on your network traffic. (tl;dr, they’re using ARP-spoofing to intercept traffic data — a technique they warn may slow your network, in addition to the risk of their software being buggy.)

The dataset that’s being harvested by the traffic analyzer tool is anonymized and the researchers specify they’re not gathering any public-facing IP addresses or locations. But there are still some privacy risks, such as if you have smart home devices you’ve named using your real name. So, again, do read the FAQ carefully if you want to participate.

For each IoT device on a network the tool collects multiple data-points and sends them back to servers at Princeton University — including DNS requests and responses; destination IP addresses and ports; hashed MAC addresses; aggregated traffic statistics; TLS client handshakes; and device manufacturers.

The tool has been designed not to track computers, tablets and smartphones by default, given the study focus on smart home gizmos. Users can also manually exclude individual smart devices from being tracked if they’re able to power them down during set up or by specifying their MAC address.

Up to 50 smart devices can be tracked on the network where IoT Inspector is running. Anyone with more than 50 devices is asked to contact the researchers to ask for an increase to that limit.

The project team has produced a video showing how to install the app on Mac:

Here’s the first official preview of Microsoft’s Chromium-based Edge browser


Microsoft today launched the first official version of its Edge browser with the Chromium engine for Windows 10. You can now download the first developer and canary builds here. The canary builds will get daily updates and the developer builds will see weekly updates. Over time, you’ll also be able to opt in to the beta channel and, eventually, the stable channel.

The company first announced this project last December and the news obviously created quite a stir, given that Microsoft was abandoning its own browser engine development in favor of using an open-source engine — and one that is still very much under the control of Google. With that, we’re now down to two major browser engines: Google’s Chromium and Mozilla’s Gecko.

I used the most recent builds for the last week or so. Maybe the most remarkable thing about using Microsoft’s new Chromium-based Edge browser is how unremarkable it feels. It’s a browser and it (with the exceptions of a few bugs you’d expect to see in a first release) works just like you’d expect it to. That’s a good thing, in that if you’re a Windows user, you could easily use the new Edge as your default browser and would be just fine. On the other hand — at least at this stage of the project — there’s also very little that differentiates Edge with Chromium from Google’s own Chrome browser.

That will change over time, though, with more integrations into the Windows ecosystem. For now, this is very much a first preview and meant to give web and extensions developers a platform for testing their sites and tools.

There are a few points of integration with Microsoft’s other services available already, though. Right now, when you install the Edge preview builds, you get the option to choose your new tab layout. The choices are a very simple new tab layout that only presents a search bar and a few bookmarks and a variation with a pretty picture in the background, similar to what you’d see on Bing. There is, however, also another option that highlights recent news from Microsoft News, with the option to personalize what you see on that page.

Microsoft also says that it plans to improve tab management and other UI features as it looks at how it can differentiate its browser from the rest.

In this first preview, some of the syncing features are also already in place, but there are a few holes here. So while bookmarks sync, extensions, your browsing history, settings, open tabs, addresses and passwords do not. That’ll come in some of the next builds, though.

Right now, the only search engine that’s available is Bing. That, too, will obviously change in upcoming builds.

Microsoft tells me that it prioritized getting a full end-to-end browser code base to users and setting up the engineering systems that will allow it to both push regular updates outside of the Windows update cycle and to pull in telemetry data from its users.

Most of the bugs I encountered were minor. Netflix, though, regularly gave me trouble. While all other video services I tried worked just fine, the Netflix homepage often stuttered and became unresponsive for a few seconds.

That was the exception, though. In using the new Edge as my default browser for almost a week, I rarely ran into similar issues and a lot of things ‘just work’ already. You can read PDFs in the browser, just like you’d expect. Two-factor authentication with a Yubikey to get into Gmail works without an issue. Even complex web apps run quickly and without any issues. The extensions I regularly use, including LastPass, worked seamlessly, no matter whether I installed them from the Google store or Microsoft’s library.

I also ran a few benchmarks and unsurprisingly, Edge and the latest version of Chrome tend to score virtually the same results. It’s a bit too early in the development process to really focus on benchmarks, but the results are encouraging.

With this release, we’re also getting our first official look at using extensions in the new Edge. Unsurprisingly, Microsoft will offer its own extension store, but with the flip of a switch in the settings, you’ll also be able to install and use extensions from third-party marketplaces, meaning the Chrome Web Store. Extension developers who want to add their tools to the Microsoft marketplace can basically take their existing Chrome extensions and use those

Microsoft’s promise, of course, is that it will also bring the new Edge to Windows 7 and Windows 8, as well as the Mac. For now, though, this first version is only available on 64-bit versions of Windows 10. Those are in the works, but Microsoft says they simply aren’t quite as far along as the Windows 10 edition. This first release is also English-only, with localized versions coming soon, though.

While anybody can obviously download this release and give it a try, Microsoft stressed that if you’re not a tech enthusiast, it really isn’t for you. This first release is very much meant for a technical audience. In a few months, though, Microsoft will surely start launching more fully-featured beta versions and by that time, the browser will likely be ready for a wider audience. Still, though, if you want to give it a try, nobody is stopping you today, no matter your technical expertise.
