Google flips switch on Chrome's newest defensive technology

Google flips switch on Chrome's newest defensive technology

With 'Site Isolation' in use, the browser should be better protected from Spectra-like attacks designed to steal info such as log-on credentials

Google has switched on a defensive technology in Chrome that will make it much more difficult for Spectra-like attacks to steal information such as log-on credentials.

Called "Site Isolation," the new security technology has a decade-long history. But most recently it's been cited as a shield to guard against threats posed by Spectre, the processor vulnerability sniffed out by Google's own engineers more than year ago.

Google unveiled Site Isolation in late 2017 within Chrome 63, making it an option for enterprise IT staff members, who could customise the defence to shield workers from threats harboured on external sites.

Company administrators could use Windows GPOs - Group Policy Objects - as well as command-line flags prior to wider deployment via group policies.

Later, in Chrome 66, which launched in April, Google opened the field testing to general users, who could enable Site Isolation.

Google made clear that Site Isolation would eventually be made the default in the browser, but the firm first wanted to validate the fixes addressing issues that cropped up earlier testing. Users were able to decline to participate in the trial by changing one of the settings in the options page.

Now, Google has switched on Site Isolation for the vast majority of Chrome users - 99 per cent of them by the search giant's account.

"Many known issues have been resolved since (Chrome 63), making it practical to enable by default for all desktop Chrome users," Charlie Reis, a Google software engineer, wrote in a post to a company blog.

Site Isolation, Reis explained, "Is a large change to Chrome's architecture that limits each renderer process to documents from a single site." With Site Isolation enabled, attackers will be prevented from sharing their content in a Chrome process assigned to a website's content.

"When Site Isolation is enabled, each renderer process contains documents from, at most, one site," Reis continued. "This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using 'out-of-process iframes.'"

That, Reis added, was a major change to how Chrome works, and one that engineers had been pursuing for several years, long before Spectre was uncovered.

Reis' PhD dissertation of almost decade ago was on the subject, and the Chrome team has been working on it for six years.

"This is an extremely impressive achievement," tweeted Eric Lawrence, a former senior software engineer at Google but now a principal program manager at rival Microsoft.

"Google invested many engineer-years in a feature that initially seemed hopelessly out of whack from cost/benefit POV [point-of-view]. And then, suddenly, it wasn't just a nice-to-have DiD [defence-in-depth], but instead an essential defence against a class of attack."

Others chimed in as well.

"The current version defends only against data leakage attacks (e.g. Spectre), but work is under way to protect against attacks from compromised renderers," tweeted Justin Schuh, principle engineer and director on Chrome security.

"We also haven't shipped to Android yet, as we're still working on resource consumption issues."

Resource consumption may not be a Google-mandated "issue" with Site Isolation, but there are trade-offs when using the technology, the company acknowledged.

"There is about a 10-13 per cent total memory overhead in real workloads due to the larger number of processes," Reis said, then added that engineers are continuing to work on reducing that memory hit.

At least the additional memory load estimate is smaller than before. Back when Chrome 63 debuted with Site Isolation, Google admitted that using it would increase in memory usage by up to 20 per cent.

Users will be able to verify that Site Isolation is turned on - that they're not part of the one per cent left out in the cold as part of Google's efforts to "monitor and improve performance" - in Chrome 68 when that launches later this month by typing chrome://process-internals in the address bar (that doesn't work in Chrome 67 or earlier).

Currently, checking requires more work on the user's part: It's spelled out in this document under the "Verify" subheading. Computerworld used the latter to make sure its instances of Chrome had Site Isolation enabled.

Site Isolation is to be included in Chrome 68 for Android, Reis said. More functionality will also be added to the desktop edition of the browser.

"We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes," he wrote. "Stay tuned for an update about these enforcements."

(By Gregg Keizer, Computerworld)

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Googlechrome



Reseller News Platinum Club celebrates leading partners in 2019

Reseller News Platinum Club celebrates leading partners in 2019

The leading players of the New Zealand channel came together to celebrate a year of achievement at the annual Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months.

Reseller News Platinum Club celebrates leading partners in 2019
Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosts alumnae breakfast for Women in ICT Awards

Reseller News hosted its second annual alumnae breakfast for the Women in ICT Awards in New Zealand, designed to showcase the leading female leaders in the industry. Held at The Cordis in Auckland, attendees came together to hear inspiring keynotes and panel discussions, alongside high-level networking among peers. Photos by Gino Demeer.

Reseller News hosts alumnae breakfast for Women in ICT Awards
Reseller News Innovation Awards 2019: meet the winners

Reseller News Innovation Awards 2019: meet the winners

Reseller News honoured the standout players of the New Zealand channel in front of more than 480 technology leaders in Auckland on 23 October, recognising the achievements of top partners, emerging entrants and innovative start-ups.

Reseller News Innovation Awards 2019: meet the winners
Show Comments