


Has Chrome 76 Given Billions Of Google Users An Incentive To Use Firefox Instead?


Google has just released the Chrome 76 update which brings plenty of things to like from a security and privacy perspective, and one real stinker as far as usability and the potential for cyber-shenanigans is concerned. Whether it is enough to give many of the billions of mobile users of the Chrome browser (it has been installed five billion times according to Google Play) an incentive to march towards Mozilla Firefox remains to be seen. One thing's for sure, though; it's undoubtedly annoying the heck out of web developers.

What's good about Chrome 76?

Let's look at the good stuff first, shall we? As I reported July 19 here at Forbes, the privacy loophole that enabled publishers to detect if a user was connecting using incognito mode, and serve them up different content if so, has been closed. This is a good thing for people circumventing metered content paywalls, but it's also useful for privacy as most people don't want their incognito mode sessions tracked.

Then there's the blocking of Adobe Flash by default. Not before time either, as Adobe Flash has been a scourge of secure browsing for many years now. Finally, Google has seen sense and forced users who want or need to have Flash enabled to go and allow it manually, as well as asking for permission before executing Flash on a site-by-site basis. That's another good thing.

Needless to say, yet I'm saying it anyway, the 43 vulnerabilities fixed by this Chrome 76 update are a good thing, especially as five of them had a high criticality rating and one of them allowed alternative browsers to be loaded outside of the security sandbox.

What's not so good about Chrome 76?

The Electronic Frontier Foundation (EFF) had already warned that the plan to limit ad-blockers in Chrome would not help security, and would most likely hinder it, according to a report by Kate O'Flaherty.

Now, with Chrome 76, the "omnibox" is being "simplified" to make the browser more accessible, according to Google. Let's start by saying that calling the address bar an omnibox simplifies nothing, just the opposite.

Now I've got that bugbear of mine out of the way, here's another: Chrome will no longer display "trivial subdomains" and so will remove the "www" from the URL that is displayed. Oh, and for good measure, the "https" bit will be erased as well.

Is obfuscation good, or bad, for Chrome security?

Why is this a problem? Well, it isn't for everyone, that's for sure. However, many developers have different DNS settings for www.site.com and site.com servers to enable ease of development and testing.

I think of the move more in terms of obfuscating the page a user lands on, rather than bringing clarity and making URLs "easier to understand," as Google Chrome security product manager, Emily Schechter, has stated.

Take the example of an attacker who has compromised a small business server to serve up a malicious subdomain, one that could now be hidden from the user who thinks they have landed at the "real" page they were after.

"It's theoretically possible for sure," says Mike Thompson, an application security professional, "small e-commerce vendors might fall prey to this scenario." Andy Gill, a penetration tester also known as ZephrFish, says that it doesn't open the abuse door too wide. "What it does do," he continues, "is if a company has misconfigured DNS, it allows an attacker to potentially hijack subdomains and use them for nefarious purposes."

Let's play hide the https

Thompson, however, is more concerned by the fact that Chrome will hide the https part of the URL. Google has made so many changes over the last year or so that he says "it may confuse a lot of users who already don't understand what https is. We've conditioned people to look for the green padlock; it's been removed; we've recommended they look for https, now it's gone as well." Thompson says that he runs awareness campaigns internally at his organization and will now have to rerun them.
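To make the obfuscation concern from the two preceding sections concrete, here is an added example (not code from the article or from Google) that models the two Chrome 76 elisions the article names, dropping "https://" and a leading "www.", and reports which distinct origins end up looking identical in the address bar. Hostnames are constructed placeholders, and treating every non-https scheme as still shown is an assumption.

```javascript
// Added example, not from the article: simulate the Chrome 76 omnibox
// display rules described above and find URLs that collapse together.

function elideForDisplay(urlString) {
  const url = new URL(urlString);
  let host = url.hostname;
  // The article names "www" as the trivial subdomain Chrome 76 hides.
  if (host.startsWith("www.")) {
    host = host.slice("www.".length);
  }
  // Assumption: only the https scheme is hidden; anything else stays visible.
  const scheme = url.protocol === "https:" ? "" : url.protocol + "//";
  return scheme + host + url.pathname + url.search;
}

// Group full URLs by what the user would actually see, so a defender can
// spot origins that become indistinguishable once the bar is "simplified".
function collisions(urls) {
  const byDisplay = new Map();
  for (const u of urls) {
    const shown = elideForDisplay(u);
    if (!byDisplay.has(shown)) byDisplay.set(shown, new Set());
    byDisplay.get(shown).add(new URL(u).origin);
  }
  return [...byDisplay.entries()]
    .filter(([, origins]) => origins.size > 1)
    .map(([shown, origins]) => ({ shown, origins: [...origins] }));
}

// Constructed sample: the apex host and its www host are separate origins,
// which is the developer scenario (different DNS for each) the article raises.
// A non-trivial subdomain is included to show it is not hidden.
const SAMPLE = [
  "https://www.example.test/login",
  "https://example.test/login",
  "https://shop.example.test/login",
];

for (const hit of collisions(SAMPLE)) {
  console.log(`"${hit.shown}" is shown for: ${hit.origins.join(", ")}`);
}
```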

"The removal of www doesn't have any improvement from a security perspective," Sean Wright, the OWASP Scotland chapter leader, says, "and I agree with Andy, it opens things up to phishing attempts."

It's not all bad news though, as ethical hacker John Opdenakker points out: "a move to secure by default is great as insecure sites will be flagged in the browser bar anyway." He also mentions that if you don't like it, then you can hack the Chrome settings by disabling "the #omnibox-ui-hide-steady-state-url-scheme-and-subdomains flag." Not that I would recommend readers try this unless they are very sure about what they are doing and how they are doing it.

Will you be moving to Firefox now?

The proof of this particular update pudding will be in the eating, or rather how many users choke on it and make a move to Firefox instead. Obviously, not all five billion mobile platform users will feel sick enough to walk, but the market-dominating position Chrome enjoys is going to start getting chiseled away as more users become privacy and security-savvy sufficient enough to know when "clarity" actually risks chaos...


Updated August 3, 2019: Clarification regarding the number of Chrome browser users
