Chrome 80 Arrives With Mixed Content Autoupgraded To HTTPS, Cookie Changes, and Contact Picker API (venturebeat.com)
An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 80 for Windows, Mac, Linux, Android, and iOS. The release includes autoupgrading mixed content to HTTPS, SameSite cookie changes, quieter permission UI for notifications, and more developer features. This release thus beefs up security for the world's most popular browser and begins cracking down on cross-site cookies. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers often have to stay on top of everything available -- as well as what has been deprecated or removed. Among other things, Chrome 80 has started deprecating FTP support by disabling it by default for non-enterprise clients.
Does Chrome still install System Services? (Score:5, Interesting)
Re: (Score:1)
Now the new browser is an ad delivery service that feels "better".
Re: (Score:3)
All Google programs do. They use those to apply updates without pestering users for restarts like Firefox does. Mind you they are scheduled / on demand run services and don't run continuously in the background.
Re: (Score:2)
Yes but they don't give Chrome more power than the user, that's nonsense.
Chrome installs 3 services to assist with updates. Naturally the Chrome browser itself runs at a very low privilege level for security reasons, so it can't update itself. The services assist with downloading the update, installing it and relaunching Chrome. They do so with the same permission level as the user, no more, because they install to the user's home directory.
By the way, Firefox has the exact same thing but worse - it install
No FTP Support? (Score:2)
I think there are still a good minority of sites that still have FTP sites to download applications.
Now I don't see any good reason for them to do that in 2020, but they are still around.
However, I remember back in the old days using Mosaic to FTP into public sites, as there were more public sites running FTP servers than web servers.
Re: (Score:3)
FTP is short for the FILE TRANSFER Protocol. If you want to TRANSFER FILES, what else would you use?
FTP isn't a really great protocol, though
Re: (Score:1)
FTP isn't a really great
Neither is Chrome these days, either. Personally, if I will have to decide which of the two to dump, I'm not sure it will be FTP.
P.S. I'm growing seriously tired by Chrome's courageous moves Apple-style.
Re: (Score:2)
FTP isn't a really great protocol, though
Depends upon what you are trying to do. I copy over tons of files from a Windows system to a Linux system on a weekly basis. Now I can enable Windows file sharing on the Linux box and copy that way, but it takes quite a bit longer than if I open a simple FTP connection and copy the files. For comparison, using Windows file share I am transferring about 500Mbs; using FTP the transfer speed is about 800Mbs.
And yes, I know FTP isn't secure. I do have SFTP also installed, but it is an isolated network and
Re: (Score:2)
Bah,
Just telnet into the location and use zmodem to transfer.
Re: (Score:2)
FTP on the other hand has no file size limit and auto corrects for ASCII files (for the most part).
But yes, on old systems I've dropped back to the old rz/sz and found it still works. I've never really timed it though to see the throughput.
Re: (Score:1)
I hope they at least allow registering the protocol through an add-on so it can be redirected to an outside app.
IMHO, they should instead raise a warning before changing from http to ftp and then open the link... if security (and maintenance cost, I guess...) is REALLY the reason and not just an excuse.
Mixed content.. oh no... (Score:5, Insightful)
Just more examples of Google doing shit and substituting their own judgment for the explicit intent of site operators because they can.
There are already CSP header values: block-all-mixed-content and upgrade-insecure-requests. There are already browser options to control mixed content.
Most site operators can easily implement policy they want browsers to enforce without having their decisions overridden because Google thinks it knows better than everyone else.
The behavior is especially problematic given the fact there are no assurances the SAME content would even be available via https. The safer "because security" approach with least surprise would simply be "block-all-mixed-content".
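An added example (not part of the comment above, and not Chrome's or any site's own code) of how an operator can audit which insecure subresources an HTTPS page references and what its CSP header asks the browser to do with them. The function names and the sample hostnames are constructed for illustration, and the tag list is not exhaustive.

```python
from html.parser import HTMLParser

# Tag -> attribute pairs that trigger a subresource fetch (not exhaustive).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "audio": "src", "video": "src", "source": "src"}

def csp_directives(header):
    """Lower-cased directive names from a Content-Security-Policy value."""
    names = set()
    for policy in header.split(","):      # one header may carry several policies
        for directive in policy.split(";"):
            parts = directive.split()
            if parts:
                names.add(parts[0].lower())
    return names

def mixed_content_policy(header):
    """What the operator asked for: 'upgrade', 'block' or 'browser-default'."""
    names = csp_directives(header or "")
    if "upgrade-insecure-requests" in names:  # upgrade is applied before blocking
        return "upgrade"
    if "block-all-mixed-content" in names:
        return "block"
    return "browser-default"

class _Subresources(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTRS.get(tag, ""))
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs.get("href")
        if url and url.lower().startswith("http://"):
            self.found.append((tag, url))

def audit(html, csp_header):
    """Insecure subresources of an HTTPS page and the outcome the CSP requests."""
    outcomes = {"block": "blocked", "browser-default": "left to browser"}
    policy = mixed_content_policy(csp_header)
    parser = _Subresources()
    parser.feed(html)
    return [(tag, url, "https://" + url[7:] if policy == "upgrade" else outcomes[policy])
            for tag, url in parser.found]

# Constructed sample page, assumed to be served over HTTPS.
SAMPLE = ('<img src="http://img.example/logo.png"><a href="http://x.example/">x</a>'
          '<link rel="stylesheet" href="http://static.example/site.css">')
```

Each upgraded URL in the report still has to be checked by hand, since nothing guarantees the HTTPS origin serves the same content.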
Re:Mixed content.. oh no... (Score:4, Insightful)
Many consider ability to access legitimate resources to be part of security. That is, locking someone out of an access that should be granted is bad like not locking them out of an access they should not have is bad. Chrome is trying really hard to fail.
If they really wanted security, they wouldn't have neutered the API for dynamic content blocking. Of course, that might be used to block unwanted ads...
It was a nice browser before they started deciding that we mere users should trust the Goog to know best and not worry our pretty little heads about it.
Rumor has it the next version will have a driver for a robot arm connected through USB so it can actually pat the user on the head.
Re: (Score:3)
If they really wanted security, they wouldn't have neutered the API for dynamic content blocking.
This should be repeated.
Re: (Score:2)
We have existing standards to deal with this. Google has decided unilaterally to return us to the bad old days when websites had to deal with multiple non-compliant special snowflakes.
Just try obtaining a valid (not self-signed) cert for "localhost". We'll wait...
Most of the world really has better things to do than jumping through flaming hoops to please the Goog.
Many of those old sites you talk about are still useful. That's why they still exist. They don't need to be encrypted, nothing in them is secret.
Re: (Score:2)
Encryption protects their own ads all the way to the user and back again.
Re: (Score:2)
And good. It's a potential leak path for user information. The ability to block ads has never depended on it being unencrypted so this is as much of a net win for the privacy conscious as it is for those who don't care and those whose tinfoil hats need re-tuning.
Re: (Score:2)
"Most site operators can easily "
I don't think you can finish that sentence honestly. Especially with the words you chose. "Easy" means you have to be aware of the problem, know your platform well enough to find the solution, and have a desire to do so.
If you don't know your technology you can cut off content, especially if you have a client with more secure ssl/tls settings than you have.
Re: (Score:2)
Just more examples of Google doing shit and substituting their own judgment for the explicit intent of site operators because they can.
And thank God. If there's one thing we have learnt in the past 15 years, it is that site operators do not have the interests of users in mind at all.
Now excuse me I've just been asked by a client to add another 5 tracking scripts to this website because it didn't load slowly enough.
In all seriousness, Google forcing things despite how one-sided and abusive it has been has given website creators a very much needed kick in the nads.
Re: (Score:2)
Blocking mixed content is a security enhancement that should have happened years ago. Upgrading insecure requests is just an attempt to fix broken sites automatically.
It's not up to the site operators to decide how secure MY browser is going to be. I run uBlock too, I get to decide what content is acceptable, not them.
Re: (Score:2)
And yet, there can be perfectly reasonable reasons for mixed content. Ads have long switched over to secure modes.
But other content may be "insecure" simply because the site owner wants them t
Re: (Score:2)
There are a lot of site operators, and a lot of them DO NOT know what is best, quite the opposite. I am sure that some are very smart, but some others are downright bad. Upgrading mixed content makes sense: when you load an HTTPS page, you expect it to be HTTPS. If it is not, entirely, you are being given a false sense of security. Everything should be encrypted. There is no excuse not to do it. Only people who don't care about people's privacy would think encryption is bad.
Word salad? (Score:2)
Assuming this actually means something, can I have a burger and fries with it?
HTTPS, mixed content, and upgrading defined (Score:3)
Three definitions help you understand what this alleged word salad means.
Now if a restaurant's websit
You misspelled "Internet Explorer". (Score:3)
Cause let's be real: That's what Chrome is. The Internet Explorer of today.
Aka a "be evil" corporation's murder weapon in the act of monopolism.
Although its popularity is a US-centric thing.
Re: (Score:2)
Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers often have to stay on top of everything available -- as well as what has been deprecated or removed
has already been written before, only it was about Internet Explorer then.
Re: (Score:1)
What are these other browsers? There's Firefox, and...what exactly?
Firefox has its own problems, namely that the Mozilla Foundation got big and has tons of money. Now it has lots of fun things to do with that money. The web browser project has become an unwanted chore.
Re:You misspelled "Internet Explorer". (Score:5, Informative)
How quickly people forget what Internet Explorer was like.
It was the polar opposite of Chrome. Riddled with security flaws, whereas Chrome consistently comes out best for the number of critical CVEs/year and at contests like pwn2own.
Internet Explorer was full of proprietary technologies, and the codebase itself was closed source. It didn't support the standards of the day properly and it added proprietary extensions. In comparison Chrome is highly standards compliant and experimental extensions are always open from the very start and submitted as standards once proven.
It's also worth noting that Chrome is actually best-in-class for this. Apple adds proprietary extensions too, e.g. their new advertising ping-back API. Apple also breaks the web far more than Chrome does, e.g. their recent privacy enhancements around 3rd party cookies that Chrome is only adopting after both Safari and Firefox did, and in a more compatible way that gives sites time to change.
So let's be real here, the closest modern browser to Internet Explorer is probably Safari and even that's nothing like it.
Re: (Score:2)
To be fair, the biggest problem with IE was that its layout engine was lousy and some containers would overlap, and a few margins would be a few pixels too wide. Most sites "worked" in IE, but they just looked ugly (a fate worse than death for your typical web designer).
Google is one of the companies that has been pushing for outrageous amounts of Javascript and application-centric design, and when Chrome showed up, that's when I started encountering lots of web pages that refused to load at all and all I
Re: (Score:3)
Uh, what? Do you have a source to back up that claim?
"everything that has been removed" (Score:2)
HTML5 is a standard they said. Your fears that it will not be a standard due to not being a stable interface are unfounded they said. "Living standard" is not an oxymoron and only means additions they said.
BULLSHIT, I say. ...!
Pointlessly adding shit so nobody can keep up always was the point! To kill Opera, IE, Safari, Firefox,
Does Chrome still install System Services? (Score:1)
Will never trust Chrome (Score:1)
Cookie changes? (Score:2)
No thanks, I don't want a cookie cutter browser.
Should not be auto upgraded to SSL (Score:1)