What's in the latest Chrome update?
Google on Tuesday updated Chrome to version 74, an update that patched 39 security vulnerabilities and added support for websites that want to honor users' requests to limit stomach-churning motion effects.
The search company paid out $26,837 in bug bounties to 17 researchers who reported some of the vulnerabilities quashed in Chrome 74. Five of the flaws were ranked "High," the second-most-serious category in Google's four-step rating system.
Because Chrome updates in the background, most users only need to relaunch the browser to complete the upgrade. To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a "Relaunch" button. New to Chrome? Download the latest version for Windows, macOS and Linux from here.
Google updates Chrome every six to seven weeks. It last upgraded the browser on March 12.
The world's spinning
With a rapid release tempo, browser development changes can seem minute, even microscopic, from one version to the next. This upgrade is like that. The public-facing feature touted by Google is one that many won't notice. But those who do will appreciate it.
Chrome 74 now supports the prefers-reduced-motion media query by websites, an effort by site designers and developers to honor operating systems' options to minimize unnecessary motion and animation. For example, macOS has a "Reduce motion" setting in the Display section of the Accessibility pane of System Preferences. If that was checked and Chrome 74 was directed to a site that uses the prefers-reduced-motion query, the browser would follow the site's instructions - assuming they exist - to provide a motion-dampened alternative.
Some are affected by what's called "visually induced motion sickness" - with symptoms mimicking traditional motion sickness, including dizziness and nausea - which is triggered by on-screen stimuli. The jumpy button that attracts the attention of most could make others ill.
Chrome 74 joined some of its rivals, including Apple's Safari and Mozilla's Firefox, in supporting the motion reduction. Microsoft's browsers - Internet Explorer and Edge - and Opera Software's namesake, Opera, do not.
Where's dark mode, man?
When the Mac version of Chrome went dark (mode) in version 73 six weeks ago, Google said the fashionable feature would reach Windows at some unspecified future date.
A slew of users assumed it would be in Chrome 74 and started asking questions when they couldn't find it. "I've gone back and forth, rebooted, did anything I could to make dark mode work with Windows 10 and it does not," wrote lilalien Tuesday in a thread on the Chrome Help forum. Others chimed in with similar reports and questions, and a few got really hot over the issue. "What a joke this is - just get on with it already," ranted one.
Google's answer came courtesy of a Chrome community manager in the same thread. "I can confirm that we are rolling out this feature to a small number of Chrome M74 users now, and that it will become more widely available in the near future," wrote Craig. His explanation was no real surprise, as Google often enables new features in stages. The practice is meant to give the company a chance to fix problems before everyone is afflicted.
Elsewhere, users posted workarounds to force Chrome to follow Windows' lead and use dark mode:
Right-click the Chrome shortcut icon on the desktop and select Properties
In the Target field, add this to the end of the text: -force-dark-mode
Click the OK button
If Chrome is currently open, relaunch it.
Enterprise only
Some of the changes to Chrome were solely for organizations that have adopted the browser.
Among the enterprise-only enhancements was the debut of baked-in Legacy Browser Support (LBS), a feature that (before Chrome 74) was available using a separate add-on from Google. LBS has now been integrated into the browser, making the extension unnecessary. And as a bonus, Google launched it an edition early; in March the company said it was shooting for in-browser LBS for Chrome 75.
Once configured by IT, LBS automatically opens Internet Explorer 11 (IE11) when links clicked within Chrome lead to websites, web services or web apps requiring Microsoft's browser, or more likely, IE's ActiveX controls or Java, neither of which Google's browser supports.
More information about LBS, including setting policies to manage the browser switching, can be found on Google's website.
Chrome's next upgrade, version 75, should reach users on or about June 4.
Chrome 73
Google last week issued Chrome 73, an update that added support for desktop "Progressive Web Apps" on Macs and consolidated settings - both old and new - that let users opt out of Google's services.
Chrome 73 also patched 60 vulnerabilities; security researchers who reported nine of them were paid a total of $13,500 in bug bounties. Other flaws' rewards had not yet been calculated by Google.
Chrome updates in the background, so most users can just relaunch the browser to install the latest iteration. To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download process before presenting a "Relaunch" button. Those new to Chrome can download version 73 in versions for Windows, macOS and Linux from this Google website.
Google updates Chrome every six to seven weeks. It last upgraded the browser Jan. 29.
PWA for Macs
Google added support for desktop "Progressive Web Apps," or PWAs, for the Mac in this version, after Chrome 70 and Chrome 67 did the same for Windows and Chrome OS, respectively.
PWAs are web-based apps which have the look and feel of native-to-the-OS applications. Rather than run inside a Chrome frame, for example, they appear within the operating system's standard windowing.
Google has pitched PWAs rather than Chrome-only apps - the latter were long available in Google's e-store - since mid-2016 when the search giant announced it would phase out the apps.
Shifty settings
Google also said changes to Chrome's settings that would shift some options to a new, more visible, section were "rolling out."
The setting, labeled "Sync and Google Services," will appear under the top People section and include a host of options, including "all of the settings related to data collected by Google in Chrome Browser," according to Google's release notes written for enterprises. "Many of these settings were previously in the Privacy section."
Computerworld's check of numerous instances of Chrome on both Windows 10 and macOS showed that the change had not been implemented after the upgrade to version 73. That's not unusual: Google often deploys a new feature in stages, a practice meant to give the company a chance to fix any problems before all users suffer.
New tools will also be made available to those who sign into a Google account for syncing browsers, including an enhanced spellchecker and more detailed reporting for safe browsing, the technology Google uses to warn users of potentially malicious sites.
Google did not give a reason why it reorganized the sync and services settings, but it may have been a response to the kerfuffle last year over Chrome 69. In that version, signing into any Google service automatically also signed the user into Chrome. Many objected, citing privacy issues; signing in here and having Chrome automatically log in there was unacceptable to them because they believed that once signed into Chrome, data escaped their control and headed toward Mountain View's servers.
In the upgrade to Chrome 70, Google added an option for disabling the automatic sign-in.
For enterprise only
As is now standard, some of the changes to Chrome are only for businesses and other organizations that have adopted the browser.
Along with several new group policies that IT administrators can set for employees' browsers, version 73 now displays an item on the More Tools menu telling users that Chrome is being managed. Clicking "Managed by your organization" takes users to information about Chrome management. (Previously, users had to type about:policy in the address bar to see if the browser was being maintained by IT.)
Elsewhere in Chrome, version 73 added a dark mode for macOS; when the latter is set to the darker shade, Chrome follows suit. Google said dark mode support would be added to Chrome on Windows at some later date.
Chrome's next upgrade, version 74, should reach users on or about April 26.
Chrome 72
Google this week released Chrome 72, a refresh that includes no new notable user-facing features but does take a first step toward ending support for older web encryption protocols.
Chrome 72 also patches 58 vulnerabilities reported by security researchers, who were paid a total of $50,500 in bug bounties.
Chrome updates in the background, so most users can just relaunch the browser to install the latest iteration. To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download process before presenting a "Relaunch" button. Those new to Chrome can download version 72 in versions for Windows, macOS and Linux from this Google website.
Google updates Chrome every six to seven weeks. It last upgraded the browser Dec. 4.
Dump TLS 1.0 and 1.1, Step 1
Last year, all of the major browser makers announced that their wares would drop support for the TLS (Transport Layer Security) 1.0 and 1.1 encryption protocols by early 2020.
TLS was the successor to the still-better-known SSL (Secure Socket Layer) encryption protocol; SSL and TLS secured data communications between browser and the destination server so that criminals could not read the traffic, and by doing so, spy on users or steal valuable information. Both TLS 1.0 and 1.1 - the former turned 20 this month - have been rendered obsolete by successors, TLS 1.2 and 1.3. All four browsers now support TLS 1.2, and Chrome and Firefox also support the enhanced TLS 1.3.
Most websites support TLS 1.2; almost 95%, according to Qualys' latest survey.
Each browser maker set its own schedule for de-supporting TLS 1.0 and 1.1 last year. Google at the time said that Chrome 72 would start the process, and Chrome 81 would pull the plug. In a document spelling out changes to Chrome 72, Google said, "Removal is expected in Chrome 81 (early 2020)," confirming the plan remains on schedule. As of Chrome 81, the browser will not connect to websites supporting just TLS 1.0 and 1.1.
In Chrome 72, a warning displays in the Developer Tools view when the browser has been pointed at sites that only support TLS 1.0 and 1.1.
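To find the servers this schedule affects, an administrator can read the version a server selects in its ServerHello. The following is an added example, not code from Google or from the original article: it parses constructed ServerHello records and flags TLS 1.0 and 1.1, assuming each capture comes from a handshake in which the client offered TLS 1.2 or later, so that a 1.0 or 1.1 selection means the server has nothing newer. The function names are hypothetical.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = (0x0301, 0x0302)      # the two versions Chrome is retiring
SUPPORTED_VERSIONS_EXT = 43        # RFC 8446: carries the real version for TLS 1.3


def negotiated_version(record: bytes) -> int:
    """Return the protocol version selected by a ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(body[0:2], "big")   # legacy_version field
    pos = 34                                     # skip version + 32-byte random
    pos += 1 + body[pos]                         # session_id length + session_id
    pos += 3                                     # cipher suite + compression method
    if pos > body_len:
        raise ValueError("truncated ServerHello")
    if pos + 2 > body_len:
        return version                           # no extensions block present
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > body_len:
        raise ValueError("extensions overrun the message")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns the extensions block")
        if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
            # TLS 1.3 keeps legacy_version at 0x0303 and states the
            # selected version here instead.
            version = int.from_bytes(body[pos:pos + 2], "big")
        pos += ext_len
    return version


def chrome_handling(version: int) -> str:
    """Map a selected version to the Chrome behaviour the article describes."""
    name = VERSION_NAMES.get(version, hex(version))
    if version in DEPRECATED:
        return f"{name}: DevTools warning in Chrome 72, no connection as of Chrome 81"
    return f"{name}: not covered by the TLS 1.0/1.1 deprecation"


def build_server_hello(legacy_version: int, selected_version=None) -> bytes:
    """Build a minimal ServerHello record (constructed sample data)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # zero random, empty session id
    body += b"\x00\x2f" + b"\x00"            # cipher suite (ignored by the parser), null compression
    if selected_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    record_version = min(legacy_version, 0x0303)
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def audit(samples: dict) -> dict:
    """Classify each captured ServerHello by host name."""
    return {host: chrome_handling(negotiated_version(rec)) for host, rec in samples.items()}


# Constructed captures; the host names are placeholders.
SAMPLES = {
    "legacy.example": build_server_hello(0x0301),
    "older.example": build_server_hello(0x0302),
    "current.example": build_server_hello(0x0303),
    "modern.example": build_server_hello(0x0303, 0x0304),
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:16} {verdict}")
```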
Strips out other stuff, too
Chrome 72 also drops other bits from the browser.
One is "HTTP-based Public Key Pinning," aka HPKP, which Google explained was "intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain."
HPKP is a security measure meant to combat fraudulent certificate usage by criminals. But Google said it had dangerous side effects and, by the way, was little used. "Although it provides security against certificate misissuance, it also creates risks of denial of service and hostile pinning," Google argued.
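The denial-of-service risk Google cites follows directly from how pins are stored and enforced. The sketch below is an added example, not Chrome's code or anything from the original article: it parses a Public-Key-Pins header, applies the RFC 7469 conditions for storing it, and then replays later visits. The SPKI byte strings are constructed placeholders rather than real DER keys, and the function names are hypothetical.

```python
import base64
import hashlib
import re

# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo
# blobs; a real pin hashes the SPKI of a certificate in the site's chain.
LEAF_SPKI = b"constructed-spki:leaf-key"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
REPLACEMENT_SPKI = b"constructed-spki:unpinned-replacement-key"

# One directive: name, optional =value (quoted or bare), then ';' or end.
DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;"\s]*)))?\s*(?:;|$)'
)
DAY = 86400


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into a policy dict."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for name, quoted, bare in DIRECTIVE.findall(value):
        name, arg = name.lower(), quoted or bare
        if name == "pin-sha256" and arg:
            policy["pins"].add(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def header_verdict(policy: dict, chain_pins: set) -> str:
    """Apply the RFC 7469 conditions a browser checks before storing pins."""
    if policy["max_age"] is None:
        return "ignored: max-age missing"
    if not policy["pins"] & chain_pins:
        return "ignored: no pin matches the presented chain"
    if not policy["pins"] - chain_pins:
        return "ignored: no backup pin outside the chain"
    return "noted"


def connection_allowed(policy: dict, chain_pins: set, age_seconds: int) -> bool:
    """Pin validation on a later visit, age_seconds after the policy was noted."""
    if age_seconds >= policy["max_age"]:
        return True  # policy expired, pins are no longer enforced
    return bool(policy["pins"] & chain_pins)


def lockout_demo() -> dict:
    """Walk one site through first visit, key rotation and key loss."""
    leaf, backup = spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)
    replacement = spki_pin(REPLACEMENT_SPKI)
    header = (f'pin-sha256="{leaf}"; pin-sha256="{backup}"; '
              'max-age=5184000; includeSubDomains')   # 60 days
    policy = parse_pkp_header(header)
    single_pin = parse_pkp_header(f'pin-sha256="{leaf}"; max-age=5184000')
    return {
        "first_visit": header_verdict(policy, {leaf}),
        "header_without_backup": header_verdict(single_pin, {leaf}),
        "same_key_day_10": connection_allowed(policy, {leaf}, 10 * DAY),
        "rotated_to_backup_day_10": connection_allowed(policy, {backup}, 10 * DAY),
        # Both pinned keys are gone: returning visitors are refused until max-age runs out.
        "both_keys_lost_day_10": connection_allowed(policy, {replacement}, 10 * DAY),
        "both_keys_lost_day_61": connection_allowed(policy, {replacement}, 61 * DAY),
    }


if __name__ == "__main__":
    for step, outcome in lockout_demo().items():
        print(f"{step:26} {outcome}")
```

The `both_keys_lost_day_10` result is the denial of service: a valid certificate on an unpinned key is refused by every browser that stored the policy. Hostile pinning is the same lockout when the stored pins were chosen by someone other than the site's owner.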
Chrome began the process of getting out from under the FTP protocol, too, with version 72.
FTP, which stands for "File Transfer Protocol," is a legacy protocol from the earliest days of the Internet, used for exactly its defined purpose: Moving files.
But it's ancient. Noting that "when even the Linux kernel is migrating off FTP, it's really time for us to move on," Google said it's time to remove support for the little-used protocol. A first step, Google decided, was to download non-directory listings, such as an image hosted at an FTP link, rather than rendering them within the browser itself. Chrome 72 debuted that behavior.
Google has not publicly disclosed when all support for FTP within Chrome will be yanked.
Chrome's next upgrade, version 73, will reach users on or about March 12.
Chrome 71
Google this week boosted Chrome to version 71, the last refresh of 2018 and one that includes punitive measures against sites spewing what the search giant described as "abusive experiences."
Chrome 71 also patched 43 security vulnerabilities reported by outside researchers, who were paid $59,000 in finders' fees.
Chrome updates in the background, so users can typically just relaunch the browser to install the latest. To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download process before presenting a "Relaunch" button. New-to-Chrome users can download it from this Google site for Windows, macOS or Linux.
The Mountain View, Calif. company updates Chrome every six to seven weeks. It last upgraded the browser on Oct. 16.
Slapping some sites with total ad embargo
A month ago, Google ran an ad-raid drill, telling Chrome users, "Starting in December 2018, Chrome 71 will remove all ads on the small number of sites with persistent abusive experiences." (Google defines abusive experiences here.)
Removing all ads could, of course, easily put an advertising-dependent website on the poor farm. That's the point. Through Chrome - which dominates the Web - Google has been shaping online to its taste, often using the browser as a bludgeon to punish sites or practices it feels are hostile to customers or noxious to itself.
Auto-play policies, meet Web Audio
Chrome 71 started the process of synchronizing the already-in-place auto-play rules in Chrome - which generally, though not always, block ads from blaring sound from a PC's speakers as soon as a site renders - with the Web Audio API (application programming interface).
According to Google, the sync has not yet been enabled, but is tucked behind one of the option flags which can be set in the UI at chrome://flags.
At its most basic, the API can be used by site and app developers to add audio to their creations. Currently, only Chrome - via the Chromium open-source project, which feeds code to the production browser - supports Web Audio.
Chrome, like rival browsers, has been hammering against sites' auto-playing audio because of user complaints that the blaring is annoying at best. Most of the auto-play instances have been initiated by advertisements, another reason people have become increasingly fed up with the Web and its underpinnings. The move to make Web Audio follow Chrome's standard auto-play practices can be seen as simply an expansion of a long-running battle.
Third-party code blocking delayed again for enterprise users
Google also patched 43 vulnerabilities in version 71, including 13 marked "High," the second-most serious ranking in its four-step system. The company cut checks totaling $59,000 to researchers who reported 28 of the bugs.
In the enterprise edition of Chrome, a well-publicized decision this summer that the browser would soon block all third-party code injections has been put on indefinite hold. Billed as a stance on security and stability, the anti-injection mandate was, Google said in October, to go into effect by default with Chrome 71. Not so.
"Due to an issue with anti-virus file scanning, we're delaying this change until we have a solution that better covers customers' needs," Google said in the v. 71 enterprise version release notes.
This move has been postponed more than once; it was to roll out for enterprise customers in Chrome 68 (July), then in Chrome 69 (September).
Chrome's next upgrade, version 72, will reach users on or about Jan. 29, 2019.
Chrome 70
Google this week upgraded Chrome to version 70, following through on a promise made to disable automatic sign-in after users and privacy advocates complained about changes in the prior edition.
Chrome also sported patches for 23 security vulnerabilities as Google paid researchers $22,000 in bug bounties.
Chrome updates in the background, so in most cases users can simply relaunch the browser to install the latest version. To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download-and-upgrade process before presenting a "Relaunch" button. New-to-Chrome users can download it from this Google site.
The Mountain View, Calif. company updates Chrome every six to seven weeks. It last upgraded the browser on September 4.
Auto log-on backtrack
As of Chrome 69, signing into any Google service automatically also signed the user into Chrome. For example, logging into one's Gmail account also logged into one's Google account when Chrome opened. (That was the case whether a user had accessed Gmail using Chrome or another browser, like Firefox.)
Because logging into a Google account allowed syncing of data — including bookmarks and passwords — between machines, and because some users did not want their data transiting Google's servers — ever — they strongly objected to the new model.
When the blowback blew, Google said it would add an option to disable the automatic sign-in to Chrome 70. But it did not retreat from the position that such would be on by default.
Chrome 70 did insert the option into the Settings panel, called up when the user clicks the vertical ellipsis at the upper right and chooses "Settings" from the menu. After clicking the "Advanced" button on the Settings panel, the user can toggle the slider under "Privacy and security" marked with the phrase "Allow Chrome sign-in." A relaunch of Chrome will be necessary.
With the slider toggled to the off position — moved to the left — the user can sign into a Google service, like Gmail, without also signing into Chrome.
PWA and more anti-HTTP warnings
On Chrome running in Windows, Google added support for desktop "Progressive Web Apps," or PWAs, following the same move on Chrome OS with that operating system's version 67.
PWAs are, as the name implies, web-based apps which have the look and feel of native-to-the-OS applications. Rather than run inside a Chrome frame, for example, they appear within the operating system's standard windowing. In Windows 10, a PWA operates like any other application, including installing to the Start menu.
Google has pitched PWAs rather than Chrome-only apps — long available in its e-store — since it announced two years ago that it would drop them from the browser and point them toward Chrome OS-only.
Google will add PWA support to the macOS and Linux editions of Chrome with version 72; that should ship around the middle of January.
Also new to Chrome 70 was another step in Google's longtime effort to secure the user by forcing site owners to abandon HTTP and institute HTTPS instead. As per Google's plan, Chrome 70 tags any HTTP site with an insecure icon — a small red triangle — and the text "Not secure" in the address bar as soon as the user interacts with any input field, such as a password field or one that requires credit card information.
More add-on lock-down
Earlier this month, Google made note of new ways it would lock down Chrome extensions — for years, the search giant has pointed to extensions as potential security nightmares — that included requiring developers to adopt two-factor authentication on their accounts (so criminals would have a tougher time hijacking those accounts, then feeding malicious add-ons to the Chrome Web Store) and giving users a way to limit the permissions an extension had been granted.
"Beginning in Chrome 70, users will have the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page," wrote James Wagner, product manager for Chrome extensions, in an October 1 post to a company blog. "While host permissions have enabled thousands of powerful and creative extension use cases, they have also led to a broad range of misuse because they allow extensions to automatically read and change data on websites."
A right-click on an add-on's icon will bring up new options to, for instance, restrict the already-agreed permissions to just that page.
Computerworld tested the add-on management enhancement on both Windows and macOS, but neither version of Chrome 70 showed evidence of the new options. That wasn't surprising: Google often enables a Chrome feature only after a week or more has passed, perhaps to make sure the updated browser is in most users' hands.
Patches and certs
Google also patched 23 security vulnerabilities in version 70, including six marked "High," the second-most serious ranking in its four-step system. The company cut checks worth $22,000 to researchers for reporting 15 of the bugs.
In another security-related move, Chrome 70 made the last move in a series that Google (and other browser makers) instituted against Symantec-granted SSL (Secure Socket Layer) certificates. Any certificate issued by Symantec should trigger a "Not secure" warning in the browser's address bar, essentially telling the user not to trust that the website is legit.
This was to be the final step in a process outlined more than a year ago, after Google and Mozilla — the maker of Firefox — charged Symantec and its partners with improperly issuing certificates, violating rules set by the CA/Browser Forum, a standards group whose members include browser makers and certificate authorities. Google and others declared that Symantec's problems were endemic, and that the accumulated incidents were proof that it was untrustworthy in a critical way: that a website was what it claimed to be, not a fake set on stealing users' money or credentials or data.
(Mozilla last week announced it was delaying a similar move on the part of Firefox, saying that "well over 1% of the top 1-million websites are still using a Symantec certificate that will be distrusted." That, Mozilla decided, was too many for it to proceed.)
Computerworld used a list of sites that, as of late September, were still using a Symantec-issued certificate, and after spot-checking, found very few that had not switched in time for Chrome 70. Some took it to the wire, though, getting a new certificate just days ago.
(One example of a site that missed the memo: digg.com.)
Chrome's next upgrade, version 71, is set to release December 4.
Chrome 69
A decade after Google launched the first iteration of Chrome, the company on September 4 updated the browser to version 69, touting a freshened user interface (UI), an enhanced password manager and a more informative address bar.
Google also patched 40 security vulnerabilities in the browser and paid bug bounties to researchers who reported the flaws.
Chrome updates in the background, so users can usually just relaunch the browser to install the latest version. To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download-and-upgrade process before presenting a "Relaunch" button. New-to-Chrome users can download it from this Google site.
The Mountain View, Calif. company updates Chrome every six or seven weeks. It last upgraded the browser on July 24.
10 years after
Chrome debuted Sept. 2, 2008, putting an end to years of speculation that the search company would go head-to-head with Internet Explorer (Microsoft), Firefox (Mozilla) and Safari (Apple). Ten years later, after mercilessly pummeling the competition, Chrome is the browser pick for two-thirds of the world's population that went online from a personal computer.
Saying that "our 10th birthday update is bigger than normal," Google ticked off the top-of-list changes in version 69.
"Our newest update includes a refreshed design that lets you navigate the web faster (and) a completely revamped password manager," Rahul Roy-Chowdhury, the executive who leads the Chrome and Chrome OS teams, wrote in a post to a company blog. "And Chrome's search box (the 'Omnibox') gives you more information directly as you type, saving you even more time."
First UI changes in two years
Chrome's UI changes, the first in two years, focus on the top-of-window elements, such as the browser's tabs. Those have changed from their earlier trapezoids to rectangles with slightly rounded upper corners, and the active tab has been brightened to make it stand out more than before.
Chrome 69's address bar - some at Google still call it by its oldest name, "Omnibox" - has also been rounded, replacing its flat left end with a curve. Even the icons in the new tab page representing frequently-visited sites have been altered; they're much smaller and enclosed within small circles.
The overall effect is to steer Chrome toward a simpler, even more minimalist design that generally can't overpower a page's contents.
Passwords, please
Another improvement to Chrome 69 trumpeted by Google is its enhanced password manager.
"When it's time to create a new password, Chrome will now generate one for you (so you're not using your puppy's name for all of your passwords anymore)," said Ellie Powers and Chris Beckmann, two Chrome project managers, in a post to a Google blog. The password manager will automatically fill in the username and password - whether the latter is generated by Chrome or by the user - with a single click in the site's sign-on form.
Password creation has been long available from third-party password management apps such as LastPass - and the browser add-ons those apps rely on - but not within browsers themselves. Apple's Safari, for instance, has this capability, thanks to ties to the operating system's credential manager, but Microsoft's Edge and Mozilla's Firefox do not.
Score one for the Omnibox
"(The Omnibox) will now show you answers directly in the address bar without having to open a new tab," said Powers and Beckmann.
The new functionality offers answers to some questions - what does heute mean in English, for instance, or the current weather in Boston - within the address bar, or Omnibox, itself, saving the time it would take to generate a search results list or display an answer on the browser page.
It was hit or miss in Computerworld's testing, with some systems demonstrating the feature, others not (perhaps because the feature has not yet been enabled on all copies of Chrome 69), and in-Omnibox answers not provided for all questions. Although Chrome's Omnibox gave up the score of the Seattle Mariners' most recent game - 5-2 over the Orioles - it could not do the same for the minor league Bees of Salt Lake City.
The Omnibox will also sniff out an open tab and switch to it if the search string matches part of the URL; alternately, the user can open the site in a new tab. (Computerworld wasn't able to verify this feature on either a Mac or a Windows 10 system.)
But wait, there's more!
Google also patched 40 security vulnerabilities in version 69, including seven marked as "High," the second-most serious ranking in the company's four-level system. The Mountain View, Calif. company cut checks totalling $31,500 to researchers for reporting 16 of the bugs.
In another security move, Google also removed the "Secure" label from the address bar when displaying sites using HTTPS encryption, as it had promised to do. With the next release, Chrome will mark all HTTP pages with "Not secure" when users enter any data.
Chrome's next upgrade, version 70, will reach users the week of Oct. 14-20.
Chrome 68
Google on July 24 released Chrome 68 for Windows, macOS and Linux, patching 42 security flaws, adding new APIs for developers and marking sites relying on HTTP as "Not Secure."
Chrome updates in the background, so users can usually just relaunch the browser to install the latest version. To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download-and-upgrade process before presenting a "Relaunch" button. New-to-Chrome users can download it from this Google site.
The Mountain View, Calif. company updates Chrome every six or seven weeks. It last upgraded the browser on May 27.
Turns on 'Not Secure' warning
The biggest change to Chrome with the debut of version 68 was the new warning labels set into the address bar. While sites whose traffic is encrypted - marked by the HTTPS at the beginning of the URL - will be marked as "Secure," those transmitting data via the unencrypted HTTP will be tagged as "Not Secure."
This campaign of Google's to call out HTTP websites as unsafe began four years ago, with incremental steps toward that goal since. In January 2017, for example, Chrome 56 shamed pages that didn't encrypt password or credit card form fields with the "Not secure" label.
This latest move will not be the last, Google has promised. In early September, with Chrome 69, the browser will remove the "Secure" tag from sites using HTTPS so that encrypted traffic is considered the default. Google's 180-degree turn from browsers' decades-long signage - marking secure HTTPS sites, usually with a padlock icon, to indicate encryption and a digital certificate - to labeling only those pages that are insecure, will wrap up this year. In October, with the launch of Chrome 70, the browser will tag HTTP pages with a red "Not Secure" marker when users enter any kind of data.
As usual, Google adds APIs and plugs security holes
Chrome 68 sports some behind-the-scenes newness as well, which is standard for the browser's updates.
Google highlighted several new APIs (application programming interfaces) in notes to developers, including the Page Lifecycle API and the Payment Handler API.
The former API, Page Lifecycle, offers site and web app developers a way to restore a tab that, for performance reasons, had previously been "frozen" by the browser to conserve resources, including memory and processor load. When the user then returns to the tab, it can be resumed as if nothing had happened.
Payment Handler, on the other hand, lets web-based payment app makers tie into the already-available online checkout infrastructure built into Chrome.
Google also patched 42 security vulnerabilities in version 68, including five marked as "High," the second-most serious ranking in the company's four-step system. Google shelled out $21,500 to researchers for reporting 19 of the bugs, with several bounties still to be decided.
Chrome's next upgrade, version 69, will start reaching users the week of Sept. 2-8.
Chrome 66
Google on April 17 released Chrome 66 for Windows, macOS and Linux, patching 62 vulnerabilities, banning older site certificates issued by security giant Symantec, and refusing to run auto-play content unless the volume was muted.
Chrome updates in the background, so users only need relaunch the browser to install the latest version. (To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download-and-upgrade process before presenting a "Relaunch" button.) Those new to Chrome can download it from this Google site.
The Mountain View, Calif. company updates Chrome every six or seven weeks. It last upgraded the browser on March 6.
While some Chrome upgrades, like version 65, are almost entirely about under-the-hood changes, others feature oh-so-obvious new functionality. Still other upgrades boast a mix-a-lot blend of the two. Chrome 66 is definitely in that third camp.
The most visible Chrome 66 enhancement is the arrival of Google's long-discussed ban on auto-play content that dared blare sound from the speakers. Chrome's blockade of such content was first announced last year, when version 64 was to debut the feature. But the mandate did not go live in January, as expected, nor in March with Chrome 65. The ban has finally been made the default in Chrome 66.
Some exceptions apply: If the user clicks or taps (desktop or mobile, respectively), "somewhere on the site during the browsing session," the audio will play. On personal computers, Google tracks behavior and "if the user has frequently played media on the site, according to the Media Engagement Index" (MEI), audio will play. The MEI, according to a Google explanatory document, "provide[s] a metric reflecting the engagement of a given user with regards to media playback on a given origin." The goal, said Google, is to let websites with high MEI scores bypass the no-sound-in-autoplay-content rule. Users can peruse their MEI status by typing chrome://media-engagement into Chrome's address bar.
Chrome 66 also sports some under-the-covers newness, including a trial of "Site Isolation" in preparation for a broader launch later. Site Isolation, which was revealed in December, is a new security technology meant to mitigate risks posed by Spectre, the processor vulnerability sniffed out by Google's own engineers earlier in 2017.
The optional defense - users must manually switch it on - will eventually be made the default in Chrome. But first Google wants to test it on a limited pool of users after addressing earlier issues when it was enabled. Users can decline to participate in the trials by typing chrome://flags/#site-isolation-trial-opt-out in the address bar and then changing "Default" to "Opt-out (not recommended)."
Another big background alteration in Chrome 66 is the move to mark as untrustworthy older digital certificates from Symantec. With its newest version, Chrome labels Symantec-issued certificates generated before June 1, 2016, as insecure. Websites that failed to replace those certificates may be affected as the browser spews messages, some explicit, others subtler, telling users that the connection between them and the destination is insecure, and thus potentially dangerous.
Later this year, Chrome 70 - now set to roll out during the week of Oct. 14-20 - will distrust every Symantec certificate, no matter when it was issued.
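The two-stage schedule described above can be turned into an inventory check; the following is an added example, not code from the article or from Google. It assumes certificates in the dict form returned by Python's ssl.SSLSocket.getpeercert(), a heuristic issuer-name match against a brand list (an assumption, not the browser's own logic), and constructed sample hosts.

```python
import ssl
from datetime import datetime, timezone

# Article's Chrome 66 rule: Symantec-issued certificates generated before June 1, 2016.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Assumption (not from the article): CA brand names that belonged to Symantec's
# certificate business. Matching on issuer names is a triage heuristic only.
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl", "equifax")


def _cert(org, cn, not_before):
    """Build a constructed certificate dict in getpeercert() shape."""
    issuer = ((("countryName", "US"),),
              (("organizationName", org),),
              (("commonName", cn),))
    return {"issuer": issuer, "notBefore": not_before}


# Constructed sample inventory; hosts and dates are illustrative.
SAMPLE_CERTS = {
    "shop.example": _cert("Symantec Corporation",
                          "Symantec Class 3 Secure Server CA - G4",
                          "Mar 14 00:00:00 2016 GMT"),
    "mail.example": _cert("GeoTrust Inc.", "GeoTrust SSL CA - G3",
                          "Sep 20 00:00:00 2017 GMT"),
    "blog.example": _cert("Let's Encrypt", "Let's Encrypt Authority X3",
                          "Feb  2 10:00:00 2018 GMT"),
}


def issuer_fields(cert):
    """Flatten the nested RDN tuples of cert['issuer'] into one dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def issued_at(cert):
    """Return the notBefore timestamp as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def is_symantec_issued(cert):
    """Heuristic: does the issuer organization or CN carry a listed brand name?"""
    fields = issuer_fields(cert)
    names = " ".join((fields.get("organizationName", ""),
                      fields.get("commonName", ""))).lower()
    return any(brand in names for brand in SYMANTEC_BRANDS)


def chrome_verdict(cert, chrome_major):
    """Classify one certificate for a given Chrome major version."""
    if not is_symantec_issued(cert):
        return "unaffected"
    # Issued before the cutoff: distrusted from 66. Everything else: from 70.
    first_bad = 66 if issued_at(cert) < CUTOFF else 70
    if chrome_major >= first_bad:
        return "distrusted"
    return f"trusted-until-{first_bad}"


def audit(inventory, chrome_major):
    """Map each host in the inventory to its verdict."""
    return {host: chrome_verdict(cert, chrome_major)
            for host, cert in inventory.items()}


if __name__ == "__main__":
    for version in (65, 66, 70):
        print(version, audit(SAMPLE_CERTS, version))
```

Hosts reported as trusted-until-70 are the ones that still load cleanly in Chrome 66 but need a replacement certificate before the later release.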
The dispute between Google and Symantec over certificates, and Chrome's ban, goes back to 2015, when several browser makers, Google included, accused Symantec and its partners of improperly issuing certificates. Google, for one, concluded that Symantec's problems were endemic.
Google also patched more than 60 security vulnerabilities in version 66, including two marked as "Critical," the most serious ranking in the company's four-step system, and six tagged as "High." The two critical vulnerabilities were reported by researcher Ned Williamson, on March 28 and 30; Google's fast patching was almost certainly due to their seriousness.
Google shelled out $34,000 for reporting 19 of the bugs, with several bounties, including Williamson's, still to be decided.
Chrome's next upgrade, version 67, should start reaching users May 29.
Chrome 65
Google on March 6 released Chrome 65 for Windows, macOS and Linux, with fixes for 45 vulnerabilities, and security and developer improvements and enhancements that users won't see, or even notice.
Chrome updates in the background, so users only need relaunch the browser to install the latest version. (To manually update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download-and-upgrade process before presenting a "Relaunch" button.) Those new to Chrome can download it from this Google site.
The Mountain View, Calif. company updates Chrome every six to seven weeks. It last upgraded the browser on Jan. 24.
Some upgrades, like Chrome 64, boast obvious-to-the-end-user modifications that alter the browser's performance, signal adoption of web standards or debut new functionality. (The user interface, or UI, of Chrome has changed little since the browser's 2008 launch.) Other versions - and Chrome 65 is firmly in this camp - make virtually no splash because changes are exclusively behind the scenes, or nearly so.
Tops on that background list is support for the Web Authentication API "enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users." Both Microsoft (for Edge) and Mozilla (Firefox) have also committed to the standard. Support for the API was left disabled in Chrome 65; it can be enabled from the page that results from typing chrome://flags in the address bar.
Other improvements include the introduction of the CSS Paint API and the Server Timing API. The former lets web developers craft images programmatically, eliminating the need to insert actual images - and thus load a resource from a server - as, say, background. The latter introduces new functionality that site designers and administrators can use to pass performance information about the server, from the server, to the browser.
In other areas, however, Chrome was twiddling thumbs. Last year, Google announced that Chrome 64 would not allow any auto-play content unless the audio was muzzled. Some exceptions were to apply: If the user clicked or tapped (desktop Chrome or mobile Chrome, respectively), "somewhere on the site during the browsing session," the audio would still play. But the mandate did not go live in January with Chrome 64, as expected. Nor has it been activated in Chrome 65. Instead, Google has delayed enforcement to the middle of April, when Chrome 66 will appear.
But sites that have long relied on auto-play content - the sports website espn.com, for one - have been preparing for the Chrome ruling by muting the audio on video clips (the video still cranks up as soon as the user navigates to a story).
Google also patched nearly four dozen security vulnerabilities in version 65, including nine marked as "High," the second-most-serious ranking in the company's four-step system. Google paid researchers $34,500 for reporting 19 of the 45 bugs, with one additional report's bounty still to be decided.
Chrome's next upgrade, to version 66, should start reaching users on April 17.
Chrome 64
Google on Jan. 24 released Chrome 64 for Windows, macOS and Linux, boosting the browser's defenses against the microprocessor flaws that blitzed through the news earlier this month.
The upgrade also beefed up Chrome's pop-up blocker, put a stop to hucksters hijacking the browsing session by automatically steering to an unwanted website, and implemented a promised option to let users mute auto-playing audio on a site-by-site basis. And Google's security team patched 53 new vulnerabilities in the browser.
Chrome updates in the background, so most users can simply relaunch the browser to get the latest version. To manually manage an update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right. The ensuing page either shows the browser has been updated or displays the download-upgrade process before presenting a "Relaunch" button. Those new to Chrome can download it from this Google site.
The Mountain View, Calif. company updates Chrome every six to seven weeks; the last time it upgraded the browser, to version 63, was Dec. 5, or seven weeks ago.
Earlier this month, Google promised to bolster defenses against the Spectre vulnerabilities its Project Zero team had uncovered in most modern processors. The firm followed through with Chrome 64, which boasts a refresh of Google's V8 JavaScript engine. Tweaks to V8 have been added to make it much tougher for hackers to pull off a successful Spectre attack.
Other browser makers beat Google to the punch on Spectre, but the difference appeared to be moot: Active attacks leveraging the vulnerabilities have not appeared or, if they have, have not been detected.
Chrome 64 included patches for more than four dozen other, more run-of-the-mill vulnerabilities, with Google paying out at least $22,000 in bounties to the researchers who reported the bugs. Google listed some of those bugs here.
Google also continued its war on unwanted and intrusive content by improving Chrome 64's built-in pop-up blocker so that it can handle more kinds of abuses. Devious behavior - including disguising links to third-party websites as an audio/video play control, or as a close-window button - will be spotted by Chrome 64, which will then refuse to open the new tab or window that the criminals had pre-programmed.
Likewise, Chrome 64 sniffs out hidden-to-the-human-eye page elements that auto-open a tab or create a new browser window, then drag the unsuspecting user to a rogue destination. "Usually one of them is an ad or something that you didn't want," Pete LePage, a Google developer advocate, asserted in a post to a company blog. "Starting in Chrome 64, these types of navigations will be blocked, and Chrome will show some native UI [user interface] to the user - allowing them to follow the redirect if they want."
A more noticeable change to Chrome was the adoption of a long-promised option that lets users manually mute auto-play audio on a site-by-site basis.
In September 2017, Google announced that starting with December's Chrome 63, users would be able to select a site-specific muting option from the Page Info bubble (called up by clicking on the "i" within a circle at the far left of the URL in the address bar). Changing the option to "Always block on this site" from "Allow" would silence all auto-play audio on that domain.
Google missed the Chrome 63 timeline but managed to bake it into Chrome 64 instead.
However, a more draconian auto-play policy has yet to be put into place. Last year, Google announced that Chrome 64 would not allow any auto-play content unless it muzzled the audio. Some exceptions were to apply: If the user clicked or tapped (desktop Chrome or mobile Chrome, respectively), "somewhere on the site during the browsing session," the audio would still play.
The new keep-it-down-over-there mandate did not go live with Chrome 64, as expected. Instead, Google pushed off the rule's introduction to the middle of April, when Chrome 66 is scheduled to show up.
Google's next browser upgrade, Chrome 65, should reach users the week of March 4-10, according to its release calendar.
Chrome 63
Google this week issued Chrome 63 for Windows, macOS and Linux, adding important security enhancements for enterprises to stress the importance the company now puts on the commercial market.
"Starting with [this] release, Site Isolation is now available ... [which] renders content for each open website in a separate process, isolated from other websites. This can mean even stronger security boundaries between websites than Chrome's existing sandboxing technology," wrote Matt Blumberg, product manager for Chrome, in a post to a company blog.
Chrome updates in the background, so most users can simply relaunch the browser to get the latest version. To manually manage an update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right. The ensuing page either shows the browser has been updated or displays the download-upgrade process before presenting a "Relaunch" button. New to Chrome? It can be downloaded from this Google site.
The Mountain View, Calif. company updates Chrome every six to seven weeks; the last time it upgraded the browser, to version 63, was Oct. 17, or seven weeks before its Wednesday refresh.
Although Chrome 63 includes improvements aimed at all users - such as a speedier V8 JavaScript engine - Google chose to trumpet a number of them that are suitable only for corporate customers.
The most prominent is the Site Isolation Blumberg discussed. When enabled, the feature and its underlying technologies render each open website in a separate, dedicated process, isolating that site - and more importantly, its contents - from other sites. A major step up from the already-in-Chrome by-tab process assignments, site isolation will prevent remote code that does execute within Chrome's renderer sandbox from manipulating other sites, and the code within them.
The new quarantine is more rigid than Chrome's current sandboxing. According to Google, while Chrome now "makes an effort to place pages from different websites in different renderer processes when possible," that doesn't always happen. Site Isolation guarantees that each site is separated from all others.
It also comes at a price: Google acknowledged that turning on Site Isolation will increase Chrome's memory usage up to 20%, a tough penalty when users already bemoan the browser's voracious appetite.
Site Isolation can be enabled for all sites, or just a select few - a company's intranet, for example - or other internal websites that contain the most sensitive information, like customer data, and are thus the most valuable to hackers.
Windows GPOs - Group Policy Objects - can be set by administrators and then pushed to those workers running Chrome. Command-line flags can also be used on individual machines or for IT testing prior to wider deployment via group policies. Instructions are available here.
Google isn't the only browser maker trumpeting isolationist technologies. Chrome may have led the way to multiple processes - it debuted in 2008 with that in place - and historically been the most difficult of the major browsers to crack and hack, but Microsoft has expended time and money on its Edge, too. The latest move by Microsoft - Application Guard, baked into Windows 10 - isolates Edge in a bare bones virtual machine; it cannot be duplicated by Google.
Also on the Chrome 63 change list: GPOs that the IT staff can set to bar Chrome extensions by the privileges they demand. For example, the new policies could be used to ensure users don't install any add-on that can capture audio through a device's microphone or access the company's printers. The upgrade also turns on TLS (Transport Layer Security) 1.3, a more robust encryption standard, when Chrome is steered to gmail.com. Blumberg promised that TLS 1.3 support would expand "to the broader web" in 2018.
Blumberg also issued one of Google's periodic advance warnings about future moves meant for Chrome, telling users that come version 68 - slated to ship the week of July 22-28, 2018 - Google will start blocking third-party software from injecting code into Chrome on Windows. Antivirus (AV) applications in particular use code-injection, a now-disparaged technique because of stability issues and vulnerability to hackers' attacks, to monitor browsers for possible infection.
With version 68, the only injecting software still allowed to run will be software that would crash the browser if it were banned from injecting code into Chrome; in that case, Chrome will launch and display a message advising the user to remove the culprit. When Chrome 72 launches in early 2019, all code injection will be stymied. However, recognizing that enterprises may be wedded to such software, and unable to abandon those programs or find substitutes, Google plans to introduce GPOs that "offer admins extended support for critical apps" requiring code injection.
Included in Chrome 63 are patches for 37 security flaws, one of which was rated "Critical," Google's most-serious, and rare, ranking. That bug's finder was awarded $10,500 for his report, with more than $36,000 in bounties paid to security researchers for the remaining vulnerabilities.
The next upgrade, Chrome 64, should reach users the week of Jan. 21-27, 2018, according to Google's release calendar.
Chrome 62
Google this week released Chrome 62 for Windows, macOS and Linux, setting the stage for a new warning when users enter data on an unencrypted website and patching nearly three dozen security vulnerabilities.
Chrome updates in the background, so most users can simply relaunch the browser to get the latest version. (To manually manage an update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right. The ensuing page either shows the browser has been updated or displays the download-upgrade process before presenting a "Relaunch" button.) New to Chrome? It can be downloaded from this Google site.
The Mountain View, Calif. company updates Chrome every six to seven weeks; the last time it upgraded the browser, to version 61, was Sept. 6, or just under six weeks before its Tuesday refresh.
Version 62, like most of Chrome's upgrades, hands over few if any obvious-at-a-glance changes. An exception this time: Chrome 62 is now ready to alert users that a site is insecure if a) it isn't encrypted with a digital certificate and b) the user starts to fill out any form field on the page. Also set to receive warnings are all pages viewed in Chrome's "Incognito" mode, the browser's no-tracks session. In those scenarios, users will see the text "Not Secure" at the far left of the address bar.
The feature is "now ready" because as of Friday, Google had not switched on the alert. That wasn't a surprise: Google typically tests a new feature with a small fraction of the total Chrome user base before remotely enabling the feature for all users. Assuming that feedback and Google's own telemetry point to zero problems, it will flip a flag and the warnings will appear.
Those who want to see the warning immediately should enter chrome://flags in the address bar, search for and find the entry "Mark non-secure origins as non-secure," and change the entry in the drop-down list from "Default" to "Warn on HTTP while in incognito mode or after editing forms."
The Not Secure warning is the latest step in an extended process that Google has aggressively implemented - mainly using Chrome, but with other services in its stable, too, like Gmail - to pressure all sites to encrypt their traffic. Chrome already sounded the alarm when an unencrypted site accepted passwords or credit card information; 62 is the next in the planned progression.
Eventually, Chrome will show the Not Secure notice on every HTTP page.
Also on the Chrome 62 change list are support for OpenType variable fonts, which compact multiple font sizes and styles in a single package, giving site designers more flexibility in crafting attractive pages; and support for an expanded Network Information API (application programming interface) that provides connection performance metrics from the browser, a useful tool for web app developers creating software suitable for a variety of speeds.
Included in Chrome 62 are patches for 35 security vulnerabilities, a fifth of which were rated "High," Google's second-most-serious ranking. The firm paid out just over $40,000 in bug bounties to security researchers for reporting the vulnerabilities.
The next upgrade, Chrome 63, should reach users the week of Dec. 3-9, according to Google's release calendar.
Chrome 61
Google on Wednesday released Chrome 61 for Windows, macOS and Linux, adding several new behind-the-scenes features - including one that lets web apps access USB peripherals - and patching 22 security vulnerabilities.
Chrome updates in the background, so most users need only relaunch the browser to get the latest version. (To manually manage an update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right. The ensuing page either shows the browser has been updated or displays the download-upgrade process before presenting a "Relaunch" button.) New to Chrome? It can be downloaded from this Google site.
The Mountain View, Calif. company updates Chrome every six to seven weeks; the last time it upgraded the browser, to version 60, was July 25, or just over six weeks ago.
Version 61, like many if not most of Chrome's upgrades, deals users few if any changes they'll notice at a glance. Instead, this month's update offers new under-the-hood functionality aimed at site and app developers.
Near the top of that change list is the WebUSB API (application programming interface), which is intended to give web app and site developers access to unusual USB devices.
"Most hardware peripherals such as keyboards, mice, printers, and gamepads are supported by high-level web platform APIs," Pete LePage, a developer advocate at Google, noted in a post about Chrome 61. "But, using specialized educational, scientific, industrial or other USB devices in the browser has been hard, often requiring specialized drivers."
And Chrome 61 added native support for JavaScript modules so developers can properly call up discrete and reusable chunks of script code from within the browser without performing a build step. Chrome's support - like that already baked into Apple's Safari browser - allows for fetching dependent modules in parallel, and guarantees that the script executes in the right order. Mozilla and Microsoft plan to natively support JavaScript modules in their Firefox and Edge browsers down the road.
Additionally, Chrome will now automatically drop out of full-screen mode if a JavaScript dialog box opens; scammers often use such dialogs, and a forced shift to full-screen, to prevent the user from discarding their bogus claims of PC infections.
Also included in Chrome 61 are patches for 22 security vulnerabilities, a quarter of which were rated "High," Google's second-most-serious ranking. The firm also paid out $23,500 in bug bounties - and will pay more once it decides how much to fork over for one of the flaws - to security researchers for reporting the vulnerabilities.
Although it didn't tie it to the release of Chrome 61, Google also recently made it possible for users to install browser previews alongside the stable, production-grade version on a Windows personal computer. The Beta and Dev channel builds can be downloaded from here.
The next edition, Chrome 62, should reach users the week of Oct. 15-21, according to Google's release calendar.
Chrome 60
Google on Tuesday released Chrome 60 for Windows, macOS and Linux, adding support for the Touch Bar on the newest MacBook Pro laptops and a new online payment API, and patching 40 security vulnerabilities.
Chrome updates in the background, so most users need only relaunch the browser to get the latest version. (To manually manage an update, select "About Google Chrome" from the Help menu under the vertical ellipsis at the upper right. The ensuing page either shows the browser is already up to date or displays the updating process before presenting a "Relaunch" button.)
The Mountain View, Calif. company updates Chrome every six or seven weeks; the last time it upgraded the browser, to version 59, was June 5, or just over seven weeks ago.
Many of Chrome 60's new features and functional changes are under the hood, aimed exclusively at website and app developers. One exception: Support for the MacBook Pro Touch Bar.
In October 2016, and on the top-end 13- and 15-in. models, Apple replaced the static row of function keys at the top of the MacBook Pro keyboard with an OLED (organic light-emitting diode) display whose contents change depending on the