Google Chrome gets a mind of its own for some security fixes
- Reference: 1726156812
- News link: https://www.theregister.co.uk/2024/09/12/google_chrome_safety_check/
- Source link:
Safety Check [1]debuted in 2020 as a way to check when passwords stored in Chrome have been compromised, to encourage browser updates, and to warn users when websites have been deemed unsafe by Google's [2]Safe Browsing service .
It was expanded in the years since with [3]real-time [4]Safe Browsing checks that cover harmful Chrome extensions.
[5]
As outlined by Chrome product manager Andrew Kamau in a blog post provided to The Register , the Chocolate Factory's browser will now intervene on its own to revoke unneeded permissions and unsubscribe from [6]abusive notifications .
[7]
[8]
"The revamped Safety Check feature will now run automatically in the background on Chrome, taking more proactive steps to keep you safe," explained Kamau. "It will also inform you of actions it takes, including revoking permissions from sites you don't visit anymore, flagging potentially unwanted notifications and more."
Potentially unwanted notifications are determined by [9]low site engagement score and notification frequency above a certain threshold per day.
[10]
Browser notifications deemed deceptive (not just potentially so) will be canceled automatically rather than flagged if Google's Safe Browsing service recognizes the host site as dangerous, according to Kamau. And Safety Check will remind Chrome users to take action if flagged issues remain unaddressed.
Safety Check has been running in the background in Chrome for Desktop at least since [11]late last year , and we're told that doing so on mobile devices periodically doesn't materially affect battery life. What's new to mobile is information about actions taken, reminders of unaddressed security issues, and automatic revocation of permissions for abusive notifications.
[12]Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack
[13]So you paid a ransom demand … and now the decryptor doesn't work
[14]Mind the talent gap: Infosec vacancies abound, but hiring is flat
[15]The future everyone wanted – in-car ads tailored to your journey and passengers
On desktop versions of Chrome, Safety Check will notify users about installed Chrome extensions that present a security risk and then load the extension page and show a summary panel that includes controls for removal.
Chrome users on Pixel devices, and soon other Android hardware, will be able to opt out of unwanted website notifications via an "Unsubscribe" button on the notification drawer. According to Kamau, Pixel users have seen a 30 percent reduction in notification volume as a result of this change.
Kamau also noted how one-time permissions for Chrome on Android and desktop have provided users with more control over the data shared with websites. Google introduced [16]support for one-time permissions in Chrome 116, which debuted in August 2023. One-time permissions ensure that sensitive permissions aren't retained unnecessarily, which makes abuse less likely and improves privacy.
[17]
Other browser makers implement one-time permissions differently. For example, Apple's Safari 16 for desktop makes geolocation a one-time permission by default. In Mozilla's Firefox 115, geolocation, camera, and microphone are all one-time permissions by default. ®
Get our [18]Tech Resources
[1] https://blog.google/products/chrome/more-intuitive-privacy-and-security-controls-chrome/
[2] https://safebrowsing.google.com/
[3] https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
[4] https://support.google.com/chrome/answer/9890866
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZuNkhiu0Mj0NeJ0zC-WyrAAAAEo&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[6] https://support.google.com/webtools/answer/9799829?sjid=13835643028921739217-NC
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuNkhiu0Mj0NeJ0zC-WyrAAAAEo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuNkhiu0Mj0NeJ0zC-WyrAAAAEo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.chromium.org/developers/design-documents/site-engagement/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZuNkhiu0Mj0NeJ0zC-WyrAAAAEo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] https://blog.google/products/chrome/google-chrome-december-2023-update/
[12] https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
[13] https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/
[14] https://www.theregister.com/2024/09/11/mind_the_talent_gap_infosec/
[15] https://www.theregister.com/2024/09/10/ford_patent_ads_pii/
[16] https://developer.chrome.com/blog/one-time-permissions
[17] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZuNkhiu0Mj0NeJ0zC-WyrAAAAEo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[18] https://whitepapers.theregister.com/
> never found a need for a website to know my location
In my other tab I am watching the fedEx truck navigate my neighborhood so I know when it will come. Yes, I signed-up and logged-in to get this intimate information.
Your browser doesn't need to know your location for that to happen. FedEx knows the destination of your package via the tracking number.
There are very very few cases where that's necessary, and even fewer for camera, microphone, USB and bluetooth which are other permissions that browsers should basically never have, but stuff that Google pushed into the standard and immediately implemented in Chrome. We all know why.
Just because you don't see the benefit, doesn't mean there isn't any. And some (weird) people really do see enough benefit in the services they receive when they give away their info.
So how long until uBlock Origin's access to websites is considered a security threat and automatically removed?
I have a simpler solution - don't give websites permissions. I've never found a need for a website to know my location, access my camera or mic or send me notifications.