Chrome

Google Is Testing a New Chrome UI (bleepingcomputer.com) 58

Catalin Cimpanu, writing for BleepingComputer: Google engineers have rolled out a new Chrome user interface (UI). Work on the new Refresh UI has been underway since last year, Bleeping Computer has learned. The new UI is in early testing stages, and only available via the Google Chrome Canary distribution, a version of the Chrome browser used as a testing playground. Users who are interested in giving the new UI a spin must install Chrome Canary, and then access chrome://flags, a section that contains various experimental options not included in Chrome's default settings section.
Displays

Are Widescreen Laptops Dumb? (theverge.com) 380

"After years of phones, laptops, tablets, and TV screens converging on 16:9 as the 'right' display shape -- allowing video playback without distracting black bars -- smartphones have disturbed the universality recently by moving to even more elongated formats like 18:9, 19:9, or even 19.5:9 in the iPhone X's case," writes Amelia Holowaty Krales via The Verge. "That's prompted me to consider where else the default widescreen proportions might be a poor fit, and I've realized that laptops are the worst offenders." Krales makes the case for why a 16:9 screen of 13 to 15 inches in size is a poor fit: Practically every interface in Apple's macOS, Microsoft's Windows, and on the web is designed by stacking user controls in a vertical hierarchy. At the top of every MacBook, there's a menu bar. At the bottom, by default, is the Dock for launching your most-used apps. On Windows, you have the taskbar serving a similar purpose -- and though it may be moved around the screen like Apple's Dock, it's most commonly kept as a sliver traversing the bottom of the display. Every window in these operating systems has chrome -- the extra buttons and indicator bars that allow you to close, reshape, or move a window around -- and the components of that chrome are usually attached at the top and bottom. Look at your favorite website (hopefully this one) on the internet, and you'll again see a vertical structure.

As if all that wasn't enough, there's also the matter of tabs. Tabs are a couple of decades old now, and, like much of the rest of the desktop and web environment, they were initially thought up in an age where the predominant computer displays were close to square with a 4:3 aspect ratio. That's to say, most computer screens were the shape of an iPad when many of today's most common interface and design elements were being developed. As much of a chrome minimalist as I try to be, I still can't extricate myself from needing a menu bar in my OS and tab and address bars inside my browser. I'm still learning to live without a bookmarks bar. With all of these horizontal bars invading our vertical space, a 16:9 screen quickly starts to feel cramped, especially at the typical laptop size. You wind up spending more time scrolling through content than engaging with it.
What is your preferred aspect ratio for a laptop? Do you prefer Microsoft and Google's machines that have a squarer 3:2 aspect ratio, or Apple's MacBook Pro that has a 16:10 display?
Chrome

Millions of Chrome Users Have Installed Malware Posing as Ad Blockers (vice.com) 42

Kaleigh Rogers, writing for Motherboard: Andrey Meshkov, the cofounder of ad-blocker AdGuard, recently got curious about the number of knock-off ad blocking extensions available for Google's popular browser Chrome. These extensions were deliberately styled to look like legitimate, well-known ad blockers, but Meshkov wondered why they existed at all, so he downloaded one and took a look at the code. "Basically I downloaded it and checked what requests the extension was making," Meshkov told me over the phone. "Some strange requests caught my attention."

Meshkov discovered that the AdRemover extension for Chrome -- which had over 10 million users -- had code hidden inside an image that was loaded from the remote command server, giving the extension creator the ability to change its functions without updating. This alone is against Google's policy, and after Meshkov wrote about a few examples on AdGuard's blog, many of which had millions of downloads, Chrome removed the extensions from the store. I reached out to Google, and a spokesperson confirmed that these extensions had been removed.

Microsoft

Microsoft Ports Edge Anti-Phishing Technology To Google Chrome (bleepingcomputer.com) 75

An anonymous reader writes: Microsoft has released a Chrome extension named "Windows Defender Browser Protection" that ports Windows Defender's -- and inherently Edge's -- anti-phishing technology to Google Chrome. The extension works by showing bright red-colored pages whenever users are tricked into accessing malicious links. The warnings are eerily similar to the ones that Chrome natively shows via the Safe Browsing API, but are powered by Microsoft's database of malicious links -- also known as the SmartScreen API.

Chrome users should be genuinely happy that they can now use both APIs for detecting phishing and malware-hosting URLs. The SmartScreen API isn't as known as Google's more famous Safe Browsing API, but works in the same way, and possibly even better. An NSS Labs benchmark revealed that Edge (with its SmartScreen API) caught 99 percent of all phishing URLs thrown at it during a test last year, while Chrome only detected 87 percent of the malicious links users accessed.

The Internet

Chrome 66 Arrives With Autoplaying Content Blocked By Default (venturebeat.com) 88

An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 66 for Windows, Mac, Linux, and Android. The desktop release includes autoplaying content muted by default, security improvements, and new developer features. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome. In our tests, autoplaying content that is muted still plays automatically. Autoplaying content with sound, whether it has visible controls or not, and whether it is set to play on loop or not, simply does not start playing. Note that this is all encompassing -- even autoplaying content you are expecting or is the main focus of the page does not play. YouTube videos, for example, no longer start playing automatically. And in case that's not enough, or if a page somehow circumvents the autoplaying block, you can still mute whole websites.
Chrome

Google Chrome To Boost User Privacy by Improving Cookies Handling Procedure (bleepingcomputer.com) 37

Catalin Cimpanu, writing for BleepingComputer: Google engineers plan to improve user privacy and security by putting a short lifespan on cookies delivered via HTTP connections. Google hopes that the move will force website developers and advertisers to send cookies via HTTPS, which "provides significant confidentiality protections against [pervasive monitoring] attacks."

Sending cookies via plaintext HTTP is considered both a user privacy and security risk, as these cookies could be intercepted and even modified by an attacker. Banning the sending of cookies via HTTP is not yet an option, so Chrome engineers hope that by limiting a cookie's lifespan, they would prevent huge troves of user data from gathering inside cookies, or advertisers using the same cookie to track users across different sites.

Google

'A Fresh, Clean Look.' Gmail Is About To Get a Makeover (fortune.com) 149

Google says it is working on a big refresh for Gmail on the web. From a report: The upgrade was revealed in a message from Google to administrators of G Suite accounts -- G Suite being the suite of Google services that organizations can use on their own web domains, rather than Google's. The message stated that the changes would be coming to consumer Gmail accounts, as well as G Suite accounts. Google said the refresh would include not only a "fresh, clean look for Gmail on the web," but also easy ways to access other Google services, such as Google Calendar, from the Gmail web app. The company recently started winding down its Chrome apps for all platforms but Google's own Chrome OS. Windows, Mac and Linux users are now being encouraged to instead use Google's web apps, and it's only logical that those interfaces are now getting upgraded to include the functionality that would otherwise be lost. The Verge has screenshots of the new interface.
Mozilla

Firefox Follows Chrome and Blocks the Loading of Most FTP Resources (bleepingcomputer.com) 89

Mozilla says it will follow in the steps of Google Chrome and start blocking the loading of FTP subresources inside HTTP and HTTPS pages. From a report: By FTP subresources, we refer to files loaded via the FTP protocol inside img, script, or iframe tags that have a src="ftp://". FTP links placed inside normal angle bracket links or typed directly in the browser's address bar will continue to work. The reasoning is that FTP is an insecure protocol that doesn't support modern encryption techniques and will inherently break many other built-in browser security and privacy features, such as HSTS, CSP, XSA, or others. Furthermore, many malware distribution campaigns often rely on compromising FTP servers and redirecting or downloading malware on users' computers via FTP subresources. Mozilla engineers say FTP subresource blocking will ship with Firefox 61, currently scheduled for release on June 26.
Chrome

Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com) 161

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.

"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the next few months. Opera has committed to supporting WebAuthn as well.

Windows

Is Microsoft Trying To Make Windows 10 Mail Worse? (venturebeat.com) 232

Emil Protalinski via VentureBeat argues that "Windows Mail is unusable, and instead of improving it, Microsoft is looking to drive users away": Microsoft started forcing Mail to use Edge for email links in Windows 10 build 17623 last month. This week, the company started including Office 365 ads right at the bottom of the app. But even these poor decisions are just extra nails in the coffin. Windows Mail has difficulty sending and receiving email. No, I'm not exaggerating for effect. If you have an email open and Windows Mail detects that a new email has hit your inbox, you'll get a notification. Standard stuff. If, however, you then click on said notification, Windows Mail will take you to the open email message, rather than the one that you just clicked on. That's half of the time. The other half of the time this happens, Windows Mail will crash altogether. Apparently having one email open and trying to open another one that just came in is overwhelming for Windows Mail. But that's not the end of it.

Windows Mail is also notorious for not sending emails. Multiple times a week, I open an email, hit reply, type out a quick message, hit send, and alt-tab back to Chrome or Word. Any normal email client will send the message despite the app not being the active window. With Windows Mail, countless times I have wondered why I never heard back to a specific reply, only to discover hours later, and completely by accident, that the message is still a draft. It's not even sitting in my outbox -- it's just a fucking draft. I end up debating whether to send the email hours late, or if it doesn't make sense to send it anymore. That's not a decision I should have to make. There are of course small features I would like to see added to Windows Mail, like being able to set formatted signatures (as opposed to just plain text), but that's hardly a priority. Windows Mail is unusable, which means Windows 10 doesn't come with an email client. That's incredibly sad.

Chrome

Chrome Is Scanning Files on Your Computer, and People Are Freaking Out (vice.com) 213

Some cybersecurity experts and regular users were surprised to learn about a Chrome tool that scans Windows computers for malware. But there's no reason to freak out about it. From a report: Last year, Google announced some upgrades to Chrome, by far the world's most used browser -- and the one security pros often recommend. The company promised to make internet surfing on Windows computers even "cleaner" and "safer" adding what The Verge called "basic antivirus features." What Google did was improve something called Chrome Cleanup Tool for Windows users, using software from cybersecurity and antivirus company ESET.

[...] Last week, Kelly Shortridge, who works at cybersecurity startup SecurityScorecard, noticed that Chrome was scanning files in the Documents folder of her Windows computer. "In the current climate, it really shocked me that Google would so quietly roll out this feature without publicizing more detailed supporting documentation -- even just to preemptively ease speculation," Shortridge told me in an online chat. "Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of 'user-friendly software' that informs the policy for Chrome Cleanup [Tool]." Her tweet got a lot of attention and caused other people in the infosec community -- as well as average users such as me -- to scratch their heads.

Chrome

Google Bans Chrome Extensions That Mine Cryptocurrencies From the Web Store (bleepingcomputer.com) 49

An anonymous reader writes: Google announced that effective today, the Chrome Web Store review staff would stop accepting new extensions on the Web Store that perform cryptocurrency mining. Existing Chrome extensions that perform cryptocurrency mining will be delisted sometime in late June. The decision came after Google saw a rise in extensions that performed hidden in-browser mining (cryptojacking) behind the users' backs, in background processes.

Even if Google has not said it outright, the company has taken this step to protect Chrome's image. Cryptojacking scripts have a huge impact on a computer's responsiveness, and when most users investigate, they see Chrome's processes hogging CPU resources. Very few of these users will be able to track the spike in CPU usage back to an extension. Google has worked incredibly hard to create the image that Chrome is today's fastest browser, and the company isn't going to stand by and watch some extension developers ruin Chrome's brand so that some devs can make a few Monero on the side.

Google

Security Experts See Chromebooks as a Closed Ecosystem That Improves Security (cnet.com) 192

The founder of Rendition Security believes his daughter "is more safe on a Chromebook than a Windows laptop," and he's not the only one. CNET's staff reporter argues that Google's push for simplicity, speed, and security "ended up playing off each other." mspohr shared this article: Heading to my first security conference last year, I expected to see a tricked-out laptop running on a virtual machine with a private network and security USB keys sticking out -- perhaps something out of a scene from "Mr. Robot." That's not what I got. Everywhere I went I'd see small groups of people carrying Chromebooks, and they'd tell me that when heading into unknown territory it was their travel device... "If you want prehardened security, then Chromebooks are it," said Kenneth White, director of the Open Crypto Audit Project. "Not because they're Google, but because Chrome OS was developed for years and it explicitly had web security as a core design principle...." Drewry and Liu focused on four key features for the Chromebook that have been available ever since the first iteration in 2010: sandboxing, verified boots, power washing and quick updates. These provided security features that made it much harder for malware to pass through, while providing a quick fix-it button if it ever did.

That's not to say Chrome OS is impervious to malware. Cybercriminals have figured out loopholes through Chrome's extensions, like when 37,000 devices were hit by the fake version of AdBlock Plus. Malicious Android apps have also been able to sneak through the Play Store. But Chrome OS users mostly avoided massive cyberattack campaigns like getting locked up with ransomware or hijacked to become part of a botnet. Major security flaws for Chrome OS, like ones that would give an attacker complete control, are so rare that Google offers rewards up to $200,000 to anyone who can hack the system.

The article argues that "Fewer software choices mean limited options for hackers. Those are some of the benefits that have led security researchers to warm up to the laptops..."

"Chrome OS takes an approach to security that's similar to the one Apple takes with iOS and its closed ecosystem."
The Internet

IETF Approves TLS 1.3 As Internet Standard (bleepingcomputer.com) 84

An anonymous reader writes: The Internet Engineering Task Force (IETF), the organization that approves proposed Internet standards and protocols, has formally approved TLS 1.3 as the next major version of the Transport Layer Security (TLS) protocol. The decision comes after four years of discussions and 28 protocol drafts, with the 28th being selected as the final version. TLS 1.3 is now expected to become the standard method in which a client and server establish an encrypted communications channel across the Internet -- aka HTTPS connections.

The protocol has several advantages over its previous version -- TLS 1.2. The biggest feature is that TLS 1.3 ditches older encryption and hashing algorithms (such as MD5 and SHA-224) for newer and harder to crack alternatives (such as ChaCha20, Poly1305, Ed25519, x25519, and x448). Second, TLS 1.3 is also much faster at negotiating the initial handshake between the client and the server, reducing the connection latency that many companies cited when justifying not supporting HTTPS over HTTP.

Browsers like Chrome, Edge, Firefox, and Pale Moon have already rolled out support for earlier versions of the TLS 1.3 draft, and are now expected to update this support to the official standard.

Google

Google Unveils Acer's Chromebook Tab 10 Ahead of Apple's Education-Focused Event Tomorrow (cnet.com) 41

An anonymous reader shares a report: Maybe Acer knows what Apple is up to tomorrow, maybe not. Regardless, the information and communication tech company announced today the world's first Chrome OS tablet made for the education market, the Chromebook Tab 10. Designed for use in K-12 classrooms, the 9.7-inch tablet could potentially add to Google's Chromebook lead in the US education market and take some of the wind out of Apple's education-focused press conference on March 27. [...] Acer's new tablet, which will sell for $329 in April, is built around a 2048x1536-resolution IPS touchscreen with 264 pixels per inch. A durable Wacom EMR stylus comes standard and stores in the tablet's chassis that's only 0.39-inch thick (9.98 mm). Running on a Rockchip OP1 processor, 4GB of memory and 32GB of storage, the Tab 10 fully supports Google Play giving schools access to educational Android apps.
Firefox

Firefox In 2018: We'll Tackle Bad Ads, Breach Alerts, Autoplay Video, Says Mozilla (zdnet.com) 84

An anonymous reader quotes a report from ZDNet: Firefox maker Mozilla has outlined its 2018 roadmap to make the web less intrusive and safer for users. First up, Mozilla says it will proceed and implement last year's experiment with a breach alerts service, which will warn users when their credentials have been leaked or stolen in a data breach. Mozilla aims to roll out the service around October. Breach Alerts is based on security consultant Troy Hunt's data breach site Have I Been Pwned. Firefox will also implement a similar block on autoplay video to the one Chrome 66 will introduce next month, and that Safari already has. However, Dotzler says Firefox's implementation will "provide users with a way to block video auto-play that doesn't break websites". This feature is set to arrive in Firefox 62, which is scheduled for release in May.

After Firefox 62 the browser will gain an optional Chrome-like ad filter and several privacy-enhancing features similar to those that Apple's WebKit developers have been working on for Safari's Intelligent Tracking Prevention. By the third quarter of 2018, Firefox should also be blocking ad-retargeting through cross-domain tracking. It's also going to move all key privacy controls into a single location in the browser, and offer more "fine-grained" tracking protection. Dotzler says Mozilla is in the "early stages" of determining what types of ads Firefox should block by default. Also on the roadmap is a feature that arrived in Firefox 59, released earlier this month. A new Global Permissions feature will help users avoid having to deny every site that requests permission for location, camera, microphone and notifications. Beyond security and privacy, Mozilla plans to build on speed-focused Quantum improvements that came in Firefox 57 with smoother page rendering.

Open Source

Vim Beats Emacs in 'Linux Journal' Reader Survey (linuxjournal.com) 195

The newly-relaunched Linux Journal is conducting its annual "Reader's Choice Awards," and this month announced the winners for Best Text Editor, Best Laptop, and Best Domain Registrar. Vim was chosen as the best editor by 35% of respondents, handily beating GNU Emacs (19%), Sublime Text (10%), and Atom (8%). Readers' Choice winner Vim is an extremely powerful editor with a user interface based on Bill Joy's 40-plus-year-old vi, but with many improved-upon features including extensive customization with key mappings and plugins. Linux Journal reader David Harrison points out another great thing about Vim "is that it's basically everywhere. It's available on every major platform."
For best laptop their readers picked Lenovo (32%), followed by Dell (25%) and System76 (11%). The ThinkPad began life at IBM, but in 2005, it was purchased by Lenovo along with the rest of IBM's PC business. Lenovo evolved the line, and today the company is well known as a geek favorite. Lenovo's ThinkPads are quiet, fast and arguably have one of the best keyboards (fighting words!). Linux Journal readers say Lenovo's Linux support is excellent, leaving many to ponder why the company doesn't ship laptops with Linux installed.
In February readers also voted on the best web browser, choosing Firefox (57%) over Chrome (17%) and Chromium (7%). And they also voted on the best Linux distribution, ultimately selecting Debian (33%), openSUSE (12%), and Fedora (11%).
Software

Amazon Alexa's 'Brief Mode' Makes the Digital Assistant Way Less Chatty (cnet.com) 25

A new update is rolling out to Amazon Echo devices that gives users the option to make Alexa respond with a short, beeping sound rather than her customary "OK." Reddit users reported seeing the new feature this week. CNET reports: You access the Brief Mode in the Amazon Alexa app's Settings Menu under "Alexa Voice Responses." You can also ask your Alexa-enabled device to turn on the Brief Mode. Once the setting is enabled, you can ask Alexa to control devices to which she is connected and she will respond with beeps rather than "OK" to let you know that she received and completed the task. Don't want to completely quiet Alexa down? Amazon also rolled out a "Follow-Up Mode" last week that's designed to let you talk to Alexa more naturally. That mode will let you make successive requests without needing to use Alexa's wake word between each command.
Links

Microsoft Wants To Force Windows 10 Mail Users To Use Edge For Email Links (theverge.com) 172

Microsoft has revealed today that "we will begin testing a change where links clicked on within the Windows Mail app will open in Microsoft Edge." What this means is that if you have Chrome or Firefox set as your default browser in Windows 10, Microsoft will simply ignore that and force you into Edge when you click a link within the Mail app. The Verge reports: "As always, we look forward to feedback from our WIP community," says Microsoft's Dona Sarkar in a blog post today. I'm sure Microsoft will receive a lot of feedback over this unnecessary change, and we can only hope the company doesn't ignore it.
Android

Android Is Now as Safe as the Competition, Google Says (cnet.com) 116

In an interview with CNET, David Kleidermacher, Google's head of security for Android, Google Play and Chrome OS, said Android is now as safe as the competition. From the interview: That's a big claim, considering that Android's main competitor is Apple's iPhone. This bold idea permeates the annual Android Security Report that Google released Thursday. "Android security made a significant leap forward in 2017 and many of our protections now lead the industry," the report says on page one. Echoing the report, Kleidermacher told CNET that Android flaws have become harder for researchers to find and that the software now protects users from malicious software so well the problems that used to leave users exposed to bad actors aren't such a big problem anymore.
