Archive for the ‘Browsers’ Category

File Under: Browsers, privacy
Feb
21
2012

Google Tricks Internet Explorer into Accepting Tracking Cookies, Microsoft Claims

By

Google was caught last week bypassing default privacy settings in the Safari browser in order to serve up tracking cookies. The company claimed the situation was an accident and limited only to the Safari web browser, but today Microsoft claimed Google is doing much the same thing with Internet Explorer.

In a blog post titled “Google bypassing user privacy settings” Microsoft’s IE Corporate Vice President Dean Hachamovitch states that “When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”

Hachamovitch explains that IE’s default configuration blocks third-party cookies unless presented with a “P3P (Platform for Privacy Preferences Project) Compact Policy Statement” indicating that the site will not use the cookie to track the user. Microsoft accuses Google of sending a string of text that tricks the browser into thinking the cookie won’t be used for tracking. “By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked,” Microsoft said.

The text allegedly sent by Google actually reads “This is not a P3P policy” and includes a link to a Google page which says cookies used to secure and authenticate Google users are needed to store user preferences, and that the P3P protocol “was not designed with situations like these in mind.”

Microsoft said it has contacted Google to ask the company to “commit to honoring P3P privacy settings for users of all browsers.” Microsoft also updated the Tracking Protection Lists in IE9 to prevent the tracking described by Hachamovitch in the blog post. Ars has contacted Google to see if the company has any response to the Microsoft allegations, and we’ll update this post if we hear back.

UPDATE: It turns out Facebook and many other sites are using an almost identical scheme to override Internet Explorer’s privacy setting, according to privacy researcher Lorrie Faith Cranor at Carnegie Mellon University. “Companies have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it,” Cranor wrote in a recent blog post.

UPDATE 2: Google has gotten back to us with a lengthy reply, arguing that Microsoft’s reliance on P3P forces outdated practices onto modern websites, and points to a study conducted in 2010 (the Carnegie Mellon research from Cranor and her colleagues) that studied 33,000 sites and found about a third of them were circumventing P3P in Internet Explorer.

“Microsoft uses a ‘self-declaration’ protocol (known as ‘P3P’) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form,” Google Senior VP of Communications and Policy Rachel Whetstone says in a statement e-mailed to Ars. “It is well known—including by Microsoft—that it is impractical to comply with Microsoft’s request while providing modern web functionality.”

Facebook’s “Like” button, the ability to sign into websites using your Google account “and hundreds more modern web services” would be broken by Microsoft’s P3P policy, Google says. “It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality,” Whetstone said. “Today the Microsoft policy is widely non-operational.”

That 2010 research even calls out Microsoft’s own msn.com and live.com for providing invalid P3P policy statements. The research paper further states that “Microsoft’s support website recommends the use of invalid CPs as a work-around for a problem in IE.”

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Tags: , ,
File Under: Browsers
Feb
20
2012

Future Chrome Version May Choose Your Passwords, and Change Them When You’ve Been Hacked

By

Google’s Chrome development team is working on a system to automatically generate passwords, which would help users secure their online identities with passwords that would be diversified across different sites, and are randomized and thus harder to guess. Detailed in developer documentation on the Chromium Project site, the system would detect account sign-up pages and “add a small UI element to the password field” giving the user the option of letting Chrome manage the password for them.

Initial versions of the system would create passwords on an individual basis, at the user’s request. But Google’s development team states that “At some point in the future it might also be possible for us to automatically change all of a user’s passwords when we realize that their account is hijacked.” The developer documentation notes that the feature would make Google “a higher value hijacking target,” than it already is, although “Google is already a high value target so this shouldn’t change much.”

Chrome can already store passwords, a common feature in modern browsers, and it syncs them across computers, with the passwords encrypted in transit and at rest in Google data centers. The idea of auto-generating passwords is not new, either. Password management software such as 1Password and LastPass can already generate passwords and automatically input them into web forms. But these tools cost money and require additional software downloads. Although it’s not clear when it will become available, Google’s scheme would make storing and generating passwords a pre-installed feature of the browser.

Mockup of a potential future version of Chrome which would auto-generate passwords. Image from the Chromium Project.

The first challenge noted by the Chrome development team is detecting sign-up pages, which is accomplished by looking for elements such as “an account name field and two password fields.” Next, the Chrome password generator must come up with a secure password that meets the site’s requirements—many sites require digits, special characters or certain lengths. Because the password generator may choose a password that doesn’t meet the site’s requirements, the user is given a chance to review the suggested password before selecting it.

“If they accept the prompt then we pop up a small box which is prepopulated with what we think is an acceptable random password,” the Chromium development document says. “The reason we don’t just choose a password for them is that many sites have requirements (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters) some of which may be contradictory between sites. So we will choose a default generator that will work on most sites, but users may need to change our password if it doesn’t work.”

The Chromium team is still looking for a “way to authenticate to the browser to enable this feature,” and will have to find a workaround for sites that have autocomplete turned off.

“Any website that has autocomplete turned off will not be able to be protected,” the document states. “Going by current phishing attacks, this means that 40-70% of phishing pages can’t be protected against. Once this feature is rolled out we probably want to see if we can get around this problem. Maybe we can get users to re-authenticate to the browser before logging into such sites.”

How much do you trust Google?

Google is often criticized for invading users’ privacy, as the company makes much of its revenue by serving up personalized ads to users based on their web browsing habits and even the contents of their e-mail. However, the development of technology to generate more secure passwords seems like a good-faith effort to protect users from online attacks, and isn’t so far removed from the already-existing practice of browsers storing passwords.

Google’s password-generator will likely be appealing to many because of the sheer convenience of it. But users will have to decide for themselves just how much of their online activities they want to trust with Google.

In the long run, Chrome developers say the solution should be browser sign-in coupled with the OpenID authentication standard. However, “getting most sites on the Internet to use OpenID will take a while,” the Chrome team states. “In the meantime it would be nice to have a way to achieve the same affect of having the browser control authentication.” Since many people re-use passwords across sites, randomization will go a long way toward better security, making it harder for attackers to steal a user’s entire online identity.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Tags:
File Under: Browsers, JavaScript, Programming
Feb
17
2012

Google’s New ‘Dart’ Language to Get a Starring Role in Chrome

By

Google has released an experimental version of the Chromium web browser with support for the company’s new Dart programming language. Dart, which is Google’s attempt to improve on JavaScript, has thus far not enjoyed much support outside of Google, but the company continues to push forward with its own efforts.

The new development preview version of the Chromium browser, the open source version of Google’s Chrome browser, contains the Dart Virtual Machine. This release, which Google is calling “Dartium,” can be downloaded from the Dart language website. At the moment it’s available only for Mac OS X and Linux. Google says a Windows version is “coming soon.” Keep in mind that this is a preview release and intended for developer testing, not everyday use.

Google originally created Dart to address the shortcomings of JavaScript and ostensibly speed up the development of complex, large-scale web applications.

While there is much programmers might like about Dart, it is, like Microsoft’s VBScript before it, a nonstandard language from a single vendor created without any regard for the existing web standards process. The new Dartium release is the first browser to include a Dart Virtual Machine and, based on the response from other browser makers to the initial release of Dart, likely the only browser that will ever ship with a Dart VM. For its part Google says it plans to incorporate the experimental Dart VM into Chrome proper in the future.

The company also has a plan for all those browsers that aren’t jumping on the Dart bandwagon — a compiler that translates Dart to good old JavaScript. In this scenario Dart ends up somewhat like CoffeeScript, a JavaScript abstraction that makes more sense to some programmers.

For more details on the new Dartium browser and the latest improvements to the Dart VM, be sure to check out the Google Code Blog announcement.

Tags: , ,
File Under: Browsers
Feb
13
2012

Mozilla Building Metro Version of Firefox for Windows 8

By

Mozilla developers are planning to build a dramatically different version of Firefox for Windows 8, a change necessitated by Microsoft’s use of the touch-friendly “Metro” user interface for PCs and tablets.

Mozilla describes its Windows 8 plans as part of a 2012 Strategy & Roadmap document updated yesterday. A technology proof-of-concept demonstrating the feasibility of Firefox in Windows 8 is planned for the second quarter of this year, with timing dependent on the release of Microsoft’s Windows 8 consumer preview and developer documentation. A Metro version may be necessary for Firefox to avoid being shut out of Windows 8 tablets running on ARM, which will have only a limited “traditional” Windows desktop. But Mozilla is apparently planning Firefox builds both for the traditional Windows desktop environment and Metro.

“Windows 8 contains two application environments, ‘Classic’ and ‘Metro,’” Mozilla notes. “Classic is very similar to the Windows 7 environment at this time, it requires a simple evolution of the current Firefox Windows product. Metro is an entirely new environment and requires a new Firefox front end and system integration points.”

Metro Firefox will be a new Gecko-based browser focused on touch interactions, with both full-screen and partial-screen modes, with the possibility of a live tile so that users can see updates on the Start screen. There are several unanswered questions, such as which programming language to use for building the Metro front end. Firefox product manager Asa Dotzler further notes that “This proposal depends on Microsoft providing the same capabilities for Firefox as it does for IE—running at the Medium level integrity process that allows us the full use of the Win32 API and what we need from Metro, or a set of APIs that allow Mozilla to port Gecko to the WinRT. For the purposes of this feature proposal, I’m assuming we’ll get the first and we won’t have to port the bulk of Gecko and instead will use the win32 dlls from within Metro.”

Firefox accounts for about 20 percent of worldwide desktop browser market share, but has lost ground to Google Chrome over the past year. Chrome will presumably have a Metro version for Windows 8 as well, but Google has made no official announcement.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Tags:
File Under: Browsers
Feb
13
2012

Mozilla Experiments With Fancier New Tab Page in Firefox 13

By

The proposed new tab page in Firefox 13

Mozilla is considering a fancier new tab page that will replace the current blank page presented when users create a new tab in Firefox. Like other browsers, Firefox will soon offer users a set of thumbnails on the new tab page with website recommendations based on the most frequently and recently visited pages in Firefox’s history.

If you’d like to see the new page in action you’ll need to download the Aurora channel build of Firefox. (Alternatively you can use the Nightly channel.) The new tab page will be enabled by default in Aurora until Feb. 16 for testing purposes. After that the feature will be hidden away while more work is done. Head over to Firefox Engineer Tim Taubert’s blog for details on how to re-enable the new tab page if you’d like to keep using it after that date.

The new tab page in Firefox looks similar to what you’ll find in Chrome and Opera. Indeed, every web browser’s new tab page is essentially a variation on what Opera pioneered with its “speed dial” page. The basic idea is to provide a quick way to access sites you frequently visit. Mozilla’s take thus far is to pull a mixture of your most frequently and most recently visited sites and display them in a 3-by-3 grid of thumbnails.

The goals for Firefox’s new tab page are ensuring that the page loads instantly, that it isn’t distracting and that it requires zero configuration. The latter explains why, thus far, the new tab features don’t offer much in the way of customization.

There are options to “pin” a site permanently to the grid, delete a site and rearrange the order of the sites. Each site will display a thumbnail once you’ve click on it. Or at least that’s the theory. As the screenshot above demonstrates there are clearly still some bugs in the screenshot feature.

The new tab page may be a little bit of a me-too feature at this point, but for those who have been wanting it, rest assured it’s coming. Firefox 13, which is when the fancier new tab page is slated to arrive is due in June 2012.

Tags:
File Under: Browsers
Feb
9
2012

Chrome 17 Released, Will Preload Autocompleted URLs as You Type

By

Google has just released Chrome version 17, which brings several minor enhancements to the company’s web browser — including a new web address preloading feature and improved protection against malicious downloads.

The new Chrome introduces a “preemptive rendering” feature that will automatically begin loading and rendering a page in the background while the user is typing the address in the omnibox (the combined address and search text entry field in Chrome’s navigation toolbar). The preloading will occur in cases when the top match generated by the omnibox’s autocompletion functionality is a site that the user visits frequently.

When the user hits the enter key and confirms the autocompletion result, the pre-rendered page will display almost instantly. The feature extends Chrome’s existing predictive page loading functionality to autocompletion results. Unlike Chrome’s instant search capability, however, the autocompletion preloading waits until the user hits the enter key before displaying the rendered page.

Google has also added some new security functionality to Chrome. Every time that the user downloads a file, the browser will compare it against a whitelist of known-good files and publishers. If the file isn’t in the whitelist, its URL will be transmitted to Google’s servers, which will perform an automatic analysis and attempt to guess if the file is malicious based on various factors like the trustworthiness of its source. If the file is deemed a potential risk, the user will receive a warning.

Google says that data collected by the browser for the malware detection feature is only used to flag malicious files and isn’t used for any other purpose. The company will retain the IP address of the user and other metadata for a period of two weeks, at which point all of the data except the URL of the file will be purged from Google’s databases.

Users who are concerned about the privacy implications of this functionality can prevent the browser from relaying this information to Google by disabling the phishing and malware protection features in the browser’s preferences. You can refer to the official Chromium blog for additional details about the malware detection feature.

Chrome 17 is available through the browser’s automatic updater and can also be downloaded from Google’s website. More information about the new release is available in the official Google Chrome blog.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Tags: ,
File Under: Browsers
Feb
8
2012

Adobe Confirms: No Flash for Chrome on Android

By

Google issued a beta release of Chrome for Android earlier today. The browser provides support for modern web standards and includes a number of compelling features that aren’t available in the Android’s default browser. One noteworthy Chrome desktop feature that isn’t included in the mobile port, however, is the integrated Flash runtime.

Adobe has issued a statement confirming that Chrome for Android does not support Flash content. The company also indicated that it does not plan to work with Google to add Flash support to the new mobile browser. Adobe will, however, continue supporting Flash in the current default Android browser.

“Today Google introduced Chrome for Android Beta. As we announced last November, Adobe is no longer developing Flash Player for mobile browsers, and thus Chrome for Android Beta does not support Flash content,” wrote Adobe’s Flash Platform product manager Bill Howard.

Adobe struggled for years to make the Flash player plugin viable on mobile devices. Though it was able to make Flash work reasonably well on Android phones, results were mixed on other systems. Due to Apple’s unwillingness to allow the Flash plugin on iOS and the difficulty that Adobe faced bringing the Flash player to new devices, the plugin never achieved the same ubiquity on phones that it has historically enjoyed on the desktop.

These setbacks caused Adobe to abandon its mobile Flash player strategy last year. The company announced that it would phase out development of its mobile Flash player plugin and not support it on new platforms. Adobe instead focused its mobile Flash efforts on developing tools for deploying Flash content as native mobile applications. It also strengthened its commitment to native web standards and acknowledged HTML5 as the way forward for building rich mobile web experiences.

When Google eventually moves to replace the default Android browser with Chrome in future versions of the Android platform, devices that run the operating system will likely no longer be able to play Flash content in the browser.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Tags: ,
File Under: Browsers
Feb
7
2012

Adobe Builds Flash Sandbox for Firefox

By

Flash logoAdobe wants to save Firefox users from falling victim to Flash-based security flaws. Working with Mozilla, Adobe has created a beta version of Flash with a new sandbox technology designed to limit the damage Flash-based attacks can do. Adobe previously added similar sandbox protection to Google’s Chrome browser.

If you’d like to test the new Flash Player Protected Mode for Firefox on Windows 7 or Vista, head over to the Adobe Labs download page. Bear in mind that this is a beta release and may contain some bugs.

The new sandbox feature for Flash in Firefox will provide extra protection against malicious browser exploits launched through the Flash Player. Sandboxing means that even when such attacks succeed, the damage is limited and won’t spill over into the rest of the browser or even the operating system.

The design of the Flash sandbox is similar to what Adobe uses in its Adobe Reader X Protected Mode. “Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X,” writes Peleus Uhley, senior security researcher for Adobe. Uhley goes on to say that Adobe is hoping to “see similar results with the Flash Player sandbox for Firefox once the final version is released later this year.”

While Adobe has ceased development of mobile Flash, the company continues to develop and improve Flash for the desktop. HTML5′s canvas and video elements — among others — are designed to remove the need for plugins like Flash on the web. However, HTML5 support remains incomplete even in the newest browsers, and Flash will likely remain a necessary part of the web video and animation world for the foreseeable future.

Tags: ,
File Under: Browsers, Security
Feb
7
2012

Google to Strip Chrome of SSL Revocation Checking

By

Google’s Chrome browser will stop relying on a decades-old method for ensuring secure sockets layer certificates are valid after one of the company’s top engineers compared it to seat belts that break when they are needed most.

The browser will stop querying CRL, or certificate revocation lists, and databases that rely on OCSP, or online certificate status protocol, Google researcher Adam Langley said in a blog post published on Sunday. He said the services, which browsers are supposed to query before trusting a credential for an SSL-protected address, don’t make end users safer because Chrome and most other browsers establish the connection even when the services aren’t able to ensure a certificate hasn’t been tampered with.

“So soft-fail revocation checks are like a seat-belt that snaps when you crash,” Langley wrote. “Even though it works 99% of the time, it’s worthless because it only works when you don’t need it.”

SSL critics have long complained that the revocation checks are mostly useless. Attackers who have the ability to spoof the websites and certificates of Gmail and other trusted websites typically have the ability to replace warnings that the credential is no longer valid with a response that says the server is temporarily down. Indeed, Moxie Marlinspike’s SSL Strip hacking tool automatically supplies such messages, effectively bypassing the measure.

“While the benefits of online revocation checking are hard to find, the costs are clear: Online revocation checks are slow and compromise privacy,” Langley added. That’s because the checks add a median time of 300 milliseconds and a mean of almost 1 second to page loads, making many websites reluctant to use SSL. Marlinspike and others have also complained that the services allow certificate authorities to compile logs of user IP addresses and the sites they visit over time.

Chrome will instead rely on its automatic update mechanism to maintain a list of certificates that have been revoked for security reasons. Langley called on certificate authorities to provide a list of revoked certificates that Google bots can automatically fetch. The time frame for the Chrome changes to go into effect are “on the order of months,” a Google spokesman said.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Tags:
File Under: Browsers
Feb
2
2012

Microsoft Touts Plugin-Free Web, Offers Desktop Fallback for Flash

By

Microsoft’s new version of Internet Explorer has barred browser plugins in the Metro environment. But Microsoft has revealed a method that plugin-dependent websites can use to leap over Metro’s walls and reach the green fields of the conventional Windows desktop, where Flash is still allowed to roam free.

The relevance of proprietary browser plugins is declining as standards-based web technologies mature. Native web technologies don’t yet supply complete functional equivalence with the capabilities of plugins, but the open web has the advantage of greater ubiquity.

The ubiquity of native web standards over proprietary plugins is set to get a major boost from Microsoft with the launch of Windows 8 and Internet Explorer 10. As we have previously reported, the next major version of Microsoft’s web browser will not display plugins in the Metro environment, which will be the default shell in Windows 8.

A plugin-dependent website prompting the user for permission to run on the desktop. Image courtesy of Microsoft

Microsoft has published a series of posts in its official IE development blog that discuss the implications of this change and what it means for users and web developers. In a new post published this week, IE program manager lead John Hrvatin highlighted the advantages of plugin-free browsing and emphasized the need for web developers to start supporting users who browse in environments that don’t have plugins enabled.

“The transition to a plug-in free web is happening today. Any site that uses plugins needs to understand what their customers experience when browsing plugin free. Lots of web browsing today happens on devices that simply don’t support plugins,” he wrote. “Metro style IE runs plug-in free to improve battery life as well as security, reliability, and privacy for consumers.”

A growing number of websites that rely on browser plugins already offer a standards-based fallback for users who are browsing on popular plugin-free devices such as as the iPhone or iPad. Microsoft has previously discussed some of the steps it is taking to ensure that those websites serve their plugin-free content to Metro users.

There will still likely be many Flash-heavy websites, however, that can’t accommodate users who are browsing without plugins. In the blog post, Hrvatin explained that such websites can ask the user for permission to jump to the conventional Windows desktop and launch the windowed version of Internet Explorer, which will have full support for plugins.

Web developers can get the browser to display the prompt by including the special requiresActiveX=true property in an X-UA-Compatible meta tag or HTTP header. Hrvatin cautions that this feature is included for transitional purposes and is intended to serve as a last resort. The preferred behavior is still for web developers to display a plugin-free version of their site to users who are browsing in the Metro environment.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

Tags: ,
« OLDER POSTS