Security Certificates
Some of us, ahem, have had the devil's own job of getting our organisations to renew them. Mine got sorted yesterday afternoon; I had to resort to the whistleblowing process.
Chrome the 66th is upon us and has added some features that Google previewed in months past. One is the September 2017 decision to stop trusting Symantec’s digital certificates, ending a long dispute over the way the security vendor managed its partners’ PKI activities before June 2016. Chrome 66 will warn visitors to sites …
Oh, I just stopped using them.
I don't see why any reputable security company would want to be associated with renewing certificates with the name of someone guilty of complete ineptitude with regard to security certificates.
RapidSSL have been bugging me for weeks, but I have no intention to renew with them.
"Oh, I just stopped using them. ... RapidSSL have been bugging me for weeks, but I have no intention to renew with them."
I see you don't realise that this isn't who you think it is any longer; these are brands that were sold to DigiCert, a separate company. I also assume you don't know that SSL certificates are mostly smoke and mirrors.
Government of Saudi Arabia, NCDC
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)
China Internet Network Information Center (CNNIC)
There are 3 bastions of free speech and openness for you to think about.
They can issue certificates for any domain they care to and MitM you whenever they want.
Not if you have any kind of certificate pinning. Welcome to several years ago.
And I don't care that they were sold to DigiCert. DigiCert picked them up and they were signed by the same certs, and I'm being forced to renew them earlier because the signing company has had all its certificates removed from browsers. Game over. I don't care who owns them now, before or since, they're dead to me as they required an out-of-band re-signing because of the incompetence of one of their signing parties... and that's just not compatible with my use of SSL.
To be honest, with Let's Encrypt wildcard certificates now valid in the wild, who cares about any of the CAs at all any more?
Because your mainstream options are:
Edge - same shit but with MS
IE - completely awful
Firefox - Has been trying to alienate all of its aficionados for the past 5 years
Opera - same shit but with China
Chrome also has the strongest extension ecosystem with the possible exception of Firefox.
Sure, I use Vivaldi because of the above issues but the scarcity of extensions means I have to return to Chrome every now and then for some tasks.
Google has one of the most compliant data protection policies I know, for the UK/EU at least. iCloud/Apple has literally NEVER issued a data-protection compliant policy. They still have a line that basically says (paraphrasing, but the brevity and gist are correct) "we can send all your data anywhere any time we like". How they've got away with it, especially pushing iPads in schools, I can't imagine, and with GDPR it's a death sentence.
But Google have always guaranteed EU- or UK-only data storage and never to move your data out and done it on day one of new legislation every time.
By comparison, you should be berating Apple, not Google.
And Google banned ad-blockers because IT LETS A PIECE OF SOFTWARE READ EVERY PAGE AND SEND IT TO A REMOTE SERVER, including secure pages. But, hey, keep bashing them on their privacy too and use your ultra-safe Safari "we can do what we like, up yours EU law" instead...
But Google have always guaranteed EU- or UK-only data storage and never to move your data out and done it on day one of new legislation every time
That's all gone up in smoke now that the US Congress Critters have decreed that your data wherever in the world it is held is fair game. If the Feds decided that your cat video is really a call to arms for ISIS, they can get it from Google. No ifs, no buts and poof, it is gone to DC.
"That's all gone up in smoke now that the US Congress Critters have decreed that your data wherever in the world it is held is fair game. If the Feds decided that your cat video is really a call to arms for ISIS, they can get it from Google. No ifs, no buts and poof, it is gone to DC"
Not true.
They try. Of course they do. And they decree things. And they have absolutely zero power of enforcement in doing so.
Because compliance with the US law AUTOMATICALLY means deliberate non-compliance with the EU law.
The only exception being carved out (by Microsoft, who like Google have US and EU subsidiaries that are completely different entities) is data on US citizens stored on EU servers (because US data law is so lax that can happen).
But the US can demand, decree, order, cite and write what they like. Nobody at Google (EU) can *allow* even the *potential* for an entity outside EU to access that data (even the US Privacy Shield stuff is a load of nonsense and not really at all EU-compliant, hence is only relevant if you're in a US jurisdiction anyway), or co-operate with such, without being collectively AND personally sued into oblivion.
Same way that the US can decree they own all of the North Pole, or space. They can say what they like. It doesn't mean it's true.
Especially when, if they REALLY wanted the data, they could just file a request to an EU court which is quite capable of granting it legally given due cause. They don't because they know it would be refused.
But the "US can get all your data" is still nonsense and hyperbole.
It's like me being a magistrate and ordering the coffee shop down the road to provide the full names and addresses of every employee of the franchise they are under who live in Outer Mongolia. 1) They are unrelated entities, 2) they don't have access to it, 3) Outer Mongolia would beg to differ about whether you're allowed it or not, even if someone DID want to risk imprisonment.
Literally, someone in Google or Microsoft's EU headquarters can go to jail for ALLOWING a way for anyone at Microsoft (US) access to "personal data" that's stored on or on behalf of EU citizens within the EU. Despite Microsoft probably having less of a business relationship with Microsoft (EU) than they do with Google (US).
Youtube downloader add-on (or video download helper add-ons) are quite 'last decade' now: there are plenty of websites which allow you to do that quickly for Facebook, Twitter, Youtube videos. Even the more obscure ones hosted on Chinese video sites.
Some of the browsers already have a built-in ad blocking feature. You can even enable it on Incognito (private browsing) mode.
Try a fork of Chromium, minus the Google 'innovations'.
Advanced Chrome
http://browser.taokaizen.com/
It's equivalent to what Pale Moon is to Firefox.
Also, Russia's finest: Yandex browser. Based on Chromium, but looks sexier and has some UI tweaks which are useful and sorely missed in official Chrome.
I have some users praising the Brave browser, but I can't comment about it as I never used it.
Firefox - Has been trying to alienate all of its aficionados for the past 5 years
I was halfway switched to Chromium when Firefox 57 came out.
UI changes - didn't bother me, I was using Vimperator and the like for most of that debacle.
plugin/extension changes - don't use many
Really, really slow to start and heavy on resources was what was pushing me off though.
Better now.
>Firefox - Has been trying to alienate all of its aficionados for the past 5 years
I honestly don't know why the OP feels he has to speak for all Firefox users. I wouldn't presume to speak for all Chrome users, though it is one of my fallback browsers.
Vivaldi is more interesting and waaay less hoggy of RAM than Chrome or FF => pretty much always <500MB.
Generally happy enough w FF, not least due to the presence of NoScript. Now, as far as resource usage goes, go take a peek under the covers and you will still see tons of RAM in use by FF, albeit split up under other processes than the main ones (a PR-friendly trick - even if process splitting serves other purposes too - it picked up from Chrome). 2.5G to serve 3 tabs, yay! Yes, I know unused RAM is useless RAM, but that's still over the top.
>But does it still send everything you do back to the Chocolate Factory?
>If it does then why would anyone use it? Or don't you even care?
I don't really care. I rather assume everything I do online is viewable by someone who really cares, but that they almost certainly don't. If Chrome is working within the law(?) I'm OK with that.
My experience with Chrome 66 Beta and older Symantec certificates is that it completely blocked you from opening the page - it doesn't just warn you it's insecure. Maybe they changed that for the public release. I had to complain to my web host that their own login page was affected - they did eventually fix it.
According to Google (https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html), Chrome 70 will stop trusting ALL Symantec-issued certificates "including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL"
“[P]ages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do.”
Isn't that what Safari, on macOS at least, has been doing for years — long before the CPU vulnerabilities were known, for each page/tab?
It's not a cure-all, but it does mean that anyone trying to make use of the Spectre flaw can't assume the memory to read is at an easily-deduced address.
It's the same reasoning behind kernel address space layout randomization, or using hash randomization to avoid collision attacks. Making the attack too expensive to use can be an effective counter-measure.
I don't know Spectre stuff very well but from what I understand this isn't about ASLR like the other commenter was saying but about making the JavaScript JIT that is included in Google Chrome avoid generating code that could be abused for speculative execution or generate some speculative execution barrier in the vulnerable parts. This is because JavaScript gets compiled to assembly for performance instead of being interpreted. Chrome's JIT implementation (called V8) had the possibility to JIT code that could be abused to do timing attacks against some address and figure out either if there was anything mapped there or if some data they predicted would be there.
As for your comment on process isolation. I believe it's because Spectre was never about getting info from other SEPARATE processes. It was about getting info from mapped pages that weren't readable to the current process. Like ring-0 code reading something vs ring-3 code reading something. As long as none of the other pages from that process were mapped into memory of the second process then I don't think Spectre affects things like this. The reason Chrome does process isolation is so that if someone gets code execution in a rendering process or such then it won't be able to read things like cookies or the page contents of sites that weren't from the same origin as that rendering process.
at least the advanced preferences "chrome://settings/content" of Chrome version 66.0.3359.117 allowed me to block website access to my effin Clipboard. I had seen clipboard mentioned in some WGET caches from 2012, but I thought "surely they don't have permission for all of that?"
. . . and possibly now they don't
(oh, just checked 13 tabs with 19 processes)
Got it:
https://support.google.com/chrome/answer/7623121?hl=en
When you turn on site isolation, Chrome offers more security protections for your browser.
Chrome will load each website in its own process. So, even if a site bypasses the same-origin policy, the extra security will help stop the site from stealing your data from another website. Learn more about site isolation.
On your computer, open Chrome.
In the address bar at the top, enter chrome://flags/#enable-site-per-process and press Enter.
Next to "Strict site isolation," click Enable.
If you don't see "Strict site isolation," update Chrome.
Click Relaunch now.
If you’re an administrator, learn how to manage site isolation for your organization.
Known issues
Memory: Site isolation will increase Chrome's memory use by approximately 10–20%.
Printing: Cross-site iframes will be blank. To print the entire page, save the page to your computer. Then, open and print the saved file.
DevTools: Chrome Developer Tools don't fully support cross-site iframes with site isolation.
----------------------------------------------------------------------------
13 processes, 7 tabs, anywhere from 5 to 131.7MBs each process with strict site isolation enabled - some other neat shit in there too if you look lol
what about by-default blocking of ALL auto-play content? I do _NOT_ want AD VIDEOS being streamed, EVAR, on ANY web site. A 'click to view content' replacement graphic is acceptable.
because, you KNOW it's coming!
I didn't see in the article where you can block ANY auto-play content with any kind of setting. Must I load a plug-in for this? Because Flash blocking is easy, JavaScript blocking is easy, HTML5 video blocking may NOT be so easy, and I _DEFINITELY_ want to do _THAT_!!!
I am rolling out Chrome in an enterprise environment with 5000 Windows clients. In Chrome 66 it seems to be the case that the default settings for site isolation chrome://flags/#site-isolation-trial-opt-out mean that we are opted in to a field trial? Does that mean it will essentially be a case of random chance whether or not a particular client is using site isolation at a particular time? Apparently Google have fixed the issues with printing iframes since the beta (although I haven't tested it). So my only concern would be RAM usage, as many have only 4 GB of RAM.