Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too

A secretive seller of cyberattack software recently exploited a previously unknown Chrome vulnerability and two other zero-days in campaigns that covertly infected journalists and other targets with sophisticated spyware, security researchers said.

CVE-2022-2294, as the vulnerability is tracked, stems from memory corruption flaws in Web Real-Time Communications, an open source project that provides JavaScript programming interfaces to enable real-time voice, text, and video communications capabilities between web browsers and devices. Google patched the flaw on July 4 after researchers from security firm Avast privately notified the company it was being exploited in watering hole attacks, which infect targeted websites with malware in hopes of then infecting frequent users. Microsoft and Apple have since patched the same WebRTC flaw in their Edge and Safari browsers, respectively.

Avast said on Thursday that it uncovered multiple attack campaigns, each delivering the exploit in its own way to Chrome users in Lebanon, Turkey, Yemen, and Palestine. The watering hole sites were highly selective in choosing which visitors to infect. Once the watering hole sites successfully exploited the vulnerability, they used their access to install DevilsTongue, the name Microsoft gave last year to advanced malware sold by an Israel-based company named Candiru.

New data shows only two browsers with more than 1 billion users

Safari on a Mac, displaying the Google Chrome website. (credit: Samuel Axon)

Apple’s Safari web browser has more than 1 billion users, according to an estimate by Atlas VPN. Only one other browser has more than a billion users, and that’s Google’s Chrome. But at nearly 3.4 billion, Chrome still leaves Safari in the dust.

It’s important to note that these numbers include mobile users, not just desktop users. Likely, Safari’s status as the default browser for both the iPhone and iPad plays a much bigger role than its usage on the Mac.

Still, it’s impressive given that Safari is the only major web browser not available on Android, which is the world’s most popular mobile operating system, or Windows, the most popular desktop OS.

New Chrome security measure aims to curtail an entire class of Web attack

For more than a decade, the Internet has remained vulnerable to a class of attacks that uses browsers as a beachhead for accessing routers and other sensitive devices on a targeted network. Now, Google is finally doing something about it.

Starting in Chrome version 98, the browser will begin relaying requests when public websites want to access endpoints inside the private network of the person visiting the site. For the time being, requests that fail won’t prevent the connections from happening. Instead, they’ll only be logged. Somewhere around Chrome 101—assuming the results of this trial run don’t indicate major parts of the Internet will be broken—it will be mandatory for public sites to have explicit permission before they can access endpoints behind the browser.

The planned deprecation of this access comes as Google enables a new specification known as private network access, which permits public websites to access internal network resources only after the sites have explicitly requested it and the browser grants the request. PNA communications are sent using the CORS, or Cross-Origin Resource Sharing, protocol. Under the scheme, the public site sends a preflight request in the form of the new header Access-Control-Request-Private-Network: true. For the request to be granted, the browser must respond with the corresponding header Access-Control-Allow-Private-Network: true.
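
The header exchange described above, seen from the endpoint on the private network that receives the preflight. This is an added example, not code from the article or from Chrome; the allowlisted origin and the names `ALLOWED_ORIGINS`, `ALLOWED_METHODS` and `answerPreflight` are assumptions.

```javascript
// Added example: policy an internal device could apply to Private Network
// Access preflights. All names and sample values here are hypothetical.

// Constructed allowlist: only the vendor's management site may reach the device.
const ALLOWED_ORIGINS = new Set(["https://manage.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

// HTTP header names are case-insensitive, so normalize before any lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns null when the request is not a CORS preflight, otherwise the
// status and response headers the endpoint should send back.
function answerPreflight(method, rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const origin = h["origin"];
  const wantedMethod = h["access-control-request-method"];

  // A preflight is an OPTIONS request carrying Origin and
  // Access-Control-Request-Method; anything else is handled elsewhere.
  if (method !== "OPTIONS" || !origin || !wantedMethod) {
    return null;
  }

  // Deny by default: no wildcard and no reflecting of arbitrary origins.
  // A response without the allow headers makes the browser fail the preflight.
  const requested = wantedMethod.toUpperCase();
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.has(requested)) {
    return { status: 403, headers: {} };
  }

  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": requested,
    "Vary": "Origin",
  };

  // Opt in to private network access only when the preflight asks for it.
  if (h["access-control-request-private-network"] === "true") {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers };
}

// Constructed sample: a preflight on behalf of the allowlisted public site.
const SAMPLE_PREFLIGHT = {
  "Origin": "https://manage.example.com",
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Private-Network": "true",
};
console.log(answerPreflight("OPTIONS", SAMPLE_PREFLIGHT));
```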

Chrome Beta to experiment with a more powerful New Tab page, web highlights, and search changes

Google is launching a new version of its Chrome Beta browser today that’s introducing some fairly notable changes to its user interface and design. The browser will introduce an updated New Tab page, which will now include cards directing you back to past web search activities, instead of only a list of shortcuts to favorite websites. Other changes aim to make it easier to navigate search results and to highlight and share quotes from the web.

The New Tab page’s update will be one of the first changes Chrome beta users may notice.

The idea behind this design change is about getting you back quickly to past web activities without needing to dive into your browsing history to remember which sites you had been using for things like recipes or shopping. It can also help you to return quickly to your recent documents list in Google Drive, in a handy bit of cross-promotion for Google services.

The page will now feature what Google is calling “cards,” not just links, which could direct you to things like a recently-visited recipe site where you had been browsing for ideas, a Google doc you need to finish editing, or a retailer’s website where you had left your shopping cart filled with things you may like to purchase at a later date. The latter ties into Google’s larger investment in online shopping, which has already seen the search giant trying to grab more marketshare in the space by making product listings free and partnering with e-commerce platforms like Shopify.

Google is rightly concerned about Amazon’s surging advertising business, which is a large part of the retailer’s “Other” category that grew 87% year-over-year to generate $7.9 billion in the second quarter. Now, it’s capitalizing on Chrome’s New Tab real estate to elevate shopping activity in the hopes of pushing users to complete their transactions.

Another change aims to make it easier to do web research. Google says that often, users searching for something on its platform will navigate to multiple web pages to find their answer. The new version of Chrome will experiment with a different way of connecting users to their search results by adding a row beneath the address bar on Chrome for Android that will show the rest of the results so you can navigate to other web pages without needing to hit the back button.

A new “quote cards” experiment, also coming to Chrome Beta on Android, will allow users to create a stylized image for social sharing that features text found on websites. Taking a screengrab of a website’s text is something that’s already a common activity, and particularly for people who want to share a key point from a news article they’re reading with followers on platforms like Twitter, Facebook, or Instagram. With this new feature, you’ll be able to long press text to highlight it, then tap Share and select a template by tapping on the “Create Card” option from the menu.

All features are a part of the Chrome Beta browser. To enable experiments, you can type chrome://flags into the browser’s address bar or click on the Experiments beaker icon, and then enable the flags. The associated flags for these experiments are #ntp-modules flag (New Tab page), #continuous-search (search results changes), and #webnotes-stylize flag (quote cards).

Experiments don’t necessarily become Chrome features that roll out more broadly. Instead, they offer Google a way to capture large-scale user feedback about its new design ideas, so the features can be tweaked and fine-tuned before a public release.

EU antitrust regulators launch probe into Google’s FLoC plan

The European Commission today said it has begun investigating Google for “possible anticompetitive conduct” in the market for online advertising technology.

The EC announcement said the formal antitrust investigation will “assess whether Google has violated EU competition rules by favoring its own online display advertising technology services in the so-called ‘ad tech’ supply chain, to the detriment of competing providers of advertising technology services, advertisers and online publishers.” The EC said it will “examine whether Google is distorting competition by restricting access by third parties to user data for advertising purposes on websites and apps, while reserving such data for its own use.”

Chrome and Android figure into the investigation. The EC said it will investigate “Google’s announced plans to prohibit the placement of third-party ‘cookies’ on Chrome and replace them with the ‘Privacy Sandbox’ set of tools, including the effects on online display advertising and online display advertising intermediation markets.” Google’s Privacy Sandbox is also called FLoC, for Federated Learning of Cohorts.

Chrome’s RSS-powered “Follow” button is like a rebooted Google Reader

Left: Chrome’s new “Follow” button. Right: The RSS feed, which looks just like Google discover. (credit: Google)

Despite killing Google Reader in 2013, Google keeps flirting with the idea of helping users discover news. The algorithm-powered “Google Discover” and Google News feeds send heaps of traffic to websites based on users’ search histories, but what if people could just tell Google what websites they like? The company’s new Chromium blog post details how Google is “experimenting” with a new RSS-powered “Follow” button in Chrome.

“We’re exploring how to simplify the experience of getting the latest and greatest from your favorite sites directly in Chrome, building on the open RSS web standard,” Google’s post says. “Our vision is to help people build a direct connection with their favorite publishers and creators on the web.” A “follow” button will appear in the Chrome for Android menu when the feature is enabled.

Chrome for Android’s “new tab” page has had a Discover feed for a while. Now, when a user presses the “follow” button, a new “Following” tab will appear on the new tab page. So you’ll get algorithm suggestions on the “For You” tab and a “Following” tab full of your manually added blog posts. The interface of the RSS feed looks just like the Google Discover feed, with big thumbnails, a title, and no article text. For now, the feature is only on Android and will appear on the Chrome Canary (nightly) builds in “the coming weeks.”

Chrome now uses Duplex to fix your stolen passwords

Google announced a new feature for its Chrome browser today that alerts you when one of your passwords has been compromised and then helps you automatically change your password with the help of… wait for it… Google’s Duplex technology.

This new feature will start to roll out slowly to Chrome users on Android in the U.S. soon (with other countries following later), assuming they use Chrome’s password-syncing feature.

It’s worth noting that this won’t work for every site just yet. As a Google spokesperson told us, “the feature will initially work on a small number of apps and websites, including Twitter, but will expand to additional sites in the future.”

Now you may remember Duplex as the somewhat controversial service that can call businesses for you to make hairdresser appointments or check opening times. Google introduced Duplex at its 2018 I/O developer conference and launched it to a wider audience in 2019. Since then, the team has chipped away at bringing Duplex to more tasks and brought it to the web, too. Now it’s coming to Chrome to change your compromised passwords for you.

“Powered by Duplex on the Web, Assistant takes over the tedious parts of web browsing: scrolling, clicking and filling forms, and allows you to focus on what’s important to you. And now we’re expanding these capabilities even further by letting you quickly create a strong password for certain sites and apps when Chrome determines your credentials have been leaked online,” Patrick Nepper, senior product manager for Chrome, explains in today’s announcement.

In practice, once Chrome detects a compromised password, all you have to do is tap the “change password” button and Duplex will walk through the process of changing your password for you. Google says this won’t work for every site just yet, but “even if a site isn’t supported yet, Chrome’s password manager can always help you create strong and unique passwords for your various accounts.”

It’ll be interesting to see how well this works in the real world. Every site manages passwords a little bit differently, so it would be hard to write a set of basic rules that the browser could use to go through this process. And that’s likely why Google is using Duplex here. Since every site is a little bit different, it takes a system that can understand a bit more about the context of a password change page to successfully navigate it.

In addition to adding this feature, Google is also updating its password manager with a new tool for importing passwords from third-party password managers, deeper integration between Chrome and Android and automatic password alerts when a password is compromised in a breach.

Google reveals a slate of Chromebook docks as it pushes to appeal to enterprise users

Chromebooks have been having banner quarter after banner quarter for the past year. While PC and tablet sales in general have been doing well as people shifted to remote working and learning, Google’s operating system has been leading the charge, in terms of the growth. That’s due in large part to the company’s wins in education.

With an extremely solid foothold in that category, Google is pushing to make a big play in enterprise — a category traditionally dominated by Microsoft (and, to a lesser degree, Apple). Today the company is announcing the launch of a new series of docks as part of the Works With Chromebook certification program it launched last year.

Launch partners include Targus, Belkin, Acer and Hyper. The hope is pretty clear: making the traditionally limited hardware more capable for a work setting. There are two different types of docks — one designed for remote working and the other for office/enterprise. Per Google:

Employees can benefit from two types of docks: larger docks capable of extending up to 3 external displays via HDMI, DP or USB-C, and smaller docks that extend to one external HDMI display for those in need of a more compact, travel-friendly docking solution.

More details are forthcoming from the third parties, which will be releasing the devices “in the coming months.” The Hyper system (pictured at top of the post), for instance, launches in August for $240, which puts it around as much as some Chromebooks.

Among the upshots is the fact that these will also be compatible with PCs and Macs, to some degree — an upshot for enterprise buyers.

Chromebook shipments grew 275% in Q1

New numbers from research firm Canalys point to continued growth for PCs in 2020/21, as the pandemic has forced many to rethink how – and where – they work. PC shipments have grown for four straight quarters. All told, the numbers (within which the firm lumps tablets, incidentally) grew 53% year over year.

Chromebooks were the major force in growth, according to the figures. The category jumped 275% y-o-y for Q1 to 12 million units. HP saw a pretty massive chunk of that, with 36.4% of the total market, up from 18.6%. Lenovo, Acer, Samsung and Dell rounded out the top five.

The category’s growth continues to be driven primarily by the education sector. That’s long been the foothold for devices that have traditionally failed to crack through to mainstream usage. As many classrooms have been forced to go virtual, that category has continued to see impressive growth. And that may now be extending beyond education.

“Chromebooks are well and truly a mainstream computing product now,” Canalys’ Brian Lynch said in a release tied to the news. “While the education sector still accounts for the majority of shipments, their popularity with consumers and traditional commercial customers has reached new heights over the course of the last year.”

Tablets, too, had a solid quarter, after a period of middling sales. Education is a big driver there, as well, along with broader usage. Apple led the category with 38.2% of the market, with Samsung and Lenovo rounding out the top three. On the PC (plus tablets again) side, Lenovo leads the way, followed by Apple and HP.

“Chrome Memories”—an early look at Google’s UI update to History

Google seems to be working on a UI revamp for the traditional browser history interface, which it’s calling “Memories.” The new feature is only available in Chrome Canary, and it’s hidden even there behind a developer flag that defaults to “off.”

If you have a copy of Canary installed and want to check out Memories, the first place you need to go is chrome://flags/#memories. Once you’ve enabled the Memories flag, you’ll be prompted to relaunch Canary, after which you can see the actual interface at chrome://memories/.

The new interface is clearly still in an alpha state, with a non-functional hamburger menu on individual entries, broken thumbnails, and so forth. But it’s functional enough to give us a general idea of what it’s all about—basically, replacing History’s simple row-based, item-by-item log view with a card-based interface that groups activities by time blocks. This design also collapses repeated activity on a single page in a short time frame into single entries.

“Expert” hackers used 11 zerodays to infect Windows, iOS, and Android users

A team of advanced hackers exploited no fewer than 11 zeroday vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.

Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zerodays in February 2020. The hackers’ ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google’s Project Zero and Threat Analysis Group to call the group “highly sophisticated.”

Not over yet

On Thursday, Project Zero researcher Maddie Stone said that, in the eight months that followed the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As was the case in February, the hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by targets of interest and add code that installs malware on visitors’ devices.

Chrome 89 increases desktop memory efficiency with PartitionAlloc

This week’s new Chrome build doesn’t look any different, but it introduces plenty of under-the-hood performance and efficiency improvements. (credit: Jim Salter / Pixabay)

Google Chrome version 89 began rolling out to users in the stable channel on March 2 and should be on most people’s machines by now. The new build offers significant memory savings on 64-bit Windows platforms thanks to increased use of Google’s PartitionAlloc memory allocator. On macOS, Chrome 89 plays catch-up and gets closer to the performance of the flagship Windows builds.

Chrome on Windows

Google says use of RAM in 64-bit Windows is down up to 22 percent in the browser process, 8 percent in the renderer, and 3 percent in the GPU. The company also claims a 9 percent decrease in latency, meaning a more responsive browser. The improvements are largely due to intercepting malloc() calls with PartitionAlloc.

Chrome 89 has also gotten significantly more aggressive about discarding unused RAM. When you scroll resources such as large images off-screen in the foreground tab, Chrome discards the memory those resources used. The change impacts background tabs as well, resulting in a savings of as much as 100MiB per tab.

Google speeds up its release cycle for Chrome

Google today announced that its Chrome browser is moving to a faster release cycle by shipping a new milestone every four weeks instead of the current six-week cycle (with a bi-weekly security patch). That’s one way to hasten the singularity, I guess, but it’s worth noting that Mozilla also moved to a four-week cycle for Firefox last year.

“As we have improved our testing and release processes for Chrome, and deployed bi-weekly security updates to improve our patch gap, it became clear that we could shorten our release cycle and deliver new features more quickly,” the Chrome team explains in today’s announcement.

Google, however, also acknowledges that not everybody wants to move this quickly — especially in the enterprise. For those users, Google is adding a new Extended Stable option with updates that come every eight weeks. This feature will be available to enterprise admins and Chromium embedders. They will still get security updates on a bi-weekly schedule, but Google notes that “those updates won’t contain new features or all security fixes that the 4 week option will receive.”

The new four-week cycle will start with Chrome 94 in Q3 2021, and at this faster rate, we’ll see Chrome 100 launch into the stable channel by March 29, 2022. I expect there will be cake.

Mozilla beefs up anti-cross-site tracking in Firefox, as Chrome still lags on privacy

Mozilla has further beefed up anti-tracking measures in its Firefox browser. In a blog post yesterday it announced that Firefox 86 has an extra layer of anti-cookie tracking built into the enhanced tracking protection (ETP) strict mode — which it’s calling ‘Total Cookie Protection’.

This “major privacy advance”, as it bills it, prevents cross-site tracking by siloing third party cookies per website.

Mozilla likens this to having a separate cookie jar for each site — so, for e.g., Facebook cookies aren’t stored in the same tub as cookies for that sneaker website where you bought your latest kicks and so on.

The new layer of privacy wrapping “provides comprehensive partitioning of cookies and other site data between websites in Firefox”, explains Mozilla.

Along with another anti-tracking feature it announced last month — targeting so called ‘supercookies’ — aka sneaky trackers that store user IDs in “increasingly obscure” parts of the browser (like Flash storage, ETags, and HSTS flags), i.e. where it’s difficult for users to delete or block them — the features combine to “prevent websites from being able to ‘tag’ your browser, thereby eliminating the most pervasive cross-site tracking technique”, per Mozilla.

There’s a “limited exception” for cross-site cookies when they are needed for non-tracking purposes — Mozilla gives the example of popular third-party login providers.

“Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting. Such momentary exceptions allow for strong privacy protection without affecting your browsing experience,” it adds.

Tracker blocking has long been an arms race against the adtech industry’s determination to keep surveilling web users — and thumbing its nose at the notion of consent to spy on people’s online business — pouring resource into devising fiendish new techniques to try to keep watching what Internet users are doing. But this battle has stepped up in recent years as browser makers have been taking a tougher pro-privacy/anti-tracker stance.

Mozilla, for example, started making tracker blocking the default back in 2018 — going on to make ETP the default in Firefox in 2019, blocking cookies from companies identified as trackers by its partner, Disconnect.

While Apple’s Safari browser added an ‘Intelligent Tracking Prevention’ (ITP) feature in 2017 — applying machine learning to identify trackers and segregate the cross-site scripting data to protect users’ browsing history from third party eyes.

Google has also put the cat among the adtech pigeons by announcing a planned phasing out of support for third party cookies in Chrome — which it said would be coming within two years back in January 2020 — although it’s still working on this ‘privacy sandbox’ project, as it calls it (now under the watchful eye of UK antitrust regulators).

Google has been making privacy strengthening noises since 2019, in response to the rest of the browser market responding to concern about online privacy.

In April last year it rolled back a change that had made it harder for sites to access third-party cookies, citing concerns that sites were able to perform essential functions during the pandemic — though this was resumed in July. But it’s fair to say that the adtech giant remains the laggard when it comes to executing on its claimed plan to beef up privacy.

Given Chrome’s marketshare, that leaves most of the world’s web users exposed to more tracking than they otherwise would be by using a different, more privacy-pro-active browser.

And as Mozilla’s latest anti-cookie tracking feature shows, the race to outwit adtech’s allergy to privacy (and consent) also isn’t the sort that has a finish line. So being slow to do privacy protection arguably isn’t very different to not offering much privacy protection at all.

To wit: One worrying development — on the non-cookie based tracking front — is detailed in this new paper by a group of privacy researchers who conducted an analysis of CNAME tracking (aka a DNS-based anti-tracking evasion technique) and found that use of the sneaky anti-tracking evasion method had grown by around a fifth in just under two years.

The technique has been raising mainstream concerns about ‘unblockable’ web tracking since around 2019 — when developers spotted the technique being used in the wild by a French newspaper website. Since then use has been rising, per the research.

In a nutshell the CNAME tracking technique cloaks the tracker by injecting it into the first-party context of the visited website — via the content being embedded through a subdomain of the site which is actually an alias for the tracker domain.

“This scheme works thanks to a DNS delegation. Most often it is a DNS CNAME record,” writes one of the paper authors, privacy and security researcher Lukasz Olejnik, in a blog post about the research. “The tracker technically is hosted in a subdomain of the visited website.

“Employment of such a scheme has certain consequences. It kind of fools the fundamental web security and privacy protections — to think that the user is wilfully browsing the tracker website. When a web browser sees such a scheme, some security and privacy protections are relaxed.”

Don’t be fooled by the use of the word ‘relaxed’ — as Olejnik goes on to emphasize that the CNAME tracking technique has “substantial implications for web security and privacy”. Such as browsers being tricked into treating a tracker as legitimate first-party content of the visited website (which, in turn, unlocks “many benefits”, such as access to first-party cookies — which can then be sent on to remote, third-party servers controlled by the trackers so the surveilling entity can have its wicked way with the personal data).

So the risk is that a chunk of the clever engineering work being done to protect privacy by blocking trackers can be sidelined by getting under the anti-trackers’ radar.

The researchers found one (infamous) tracker provider, Criteo, reverting its tracking scripts to the custom CNAME cloak scheme when it detected the Safari web browser in use — as, presumably, a way to circumvent Apple’s ITP.

There are further concerns over CNAME tracking too: The paper details how, as a consequence of current web architecture, the scheme “unlocks a way for broad cookie leaks”, as Olejnik puts it — explaining how the upshot of the technique being deployed can be “many unrelated, legitimate cookies” being sent to the tracker subdomain.

Olejnik documented this concern in a study back in 2014 — but he writes that the problem has now exploded: “As the tip of the iceberg, we found broad data leaks on 7,377 websites. Some data leaks happen on almost every website using the CNAME scheme (analytics cookies commonly leak). This suggests that this scheme is actively dangerous. It is harmful to web security and privacy.”

The researchers found cookies leaking on 95% of the studied websites.

They also report finding leaks of cookies set by other third-party scripts, suggesting leaked cookies would in those instances allow the CNAME tracker to track users across websites.

In some instances they found that leaked information contained private or sensitive information — such as a user’s full name, location, email address and (in an additional security concern) authentication cookie.

The paper goes on to raise a number of web security concerns, such as when CNAME trackers are served over HTTP not HTTPS, which they found happened often, and could facilitate man-in-the-middle attacks.

Defending against the CNAME cloaking scheme will require some major browsers to adopt new tricks, per the researchers — who note that while Firefox (global marketshare circa 4%) does offer a defence against the technique, Chrome does not.

Engineers on the WebKit engine that underpins Apple’s Safari browser have also been working on making enhancements to ITP aimed at counteracting CNAME tracking.

In a blog post last November, ITP engineer John Wilander wrote that as defence against the sneaky technique “ITP now detects third-party CNAME cloaking requests and caps the expiry of any cookies set in the HTTP response to 7 days. This cap is aligned with ITP’s expiry cap on all cookies created through JavaScript.”

The Brave browser also announced changes last fall aimed at combating CNAME cloaking.

“In version 1.25.0, uBlock Origin gained the ability to detect and block CNAME-cloaked requests using Mozilla’s terrific browser.dns API. However, this solution only works in Firefox, as Chromium does not provide the browser.dns API. To some extent, these requests can be blocked using custom DNS servers. However, no browsers have shipped with CNAME-based adblocking protection capabilities available and on by default,” it wrote.

“In Brave 1.17, Brave Shields will now recursively check the canonical name records for any network request that isn’t otherwise blocked using an embedded DNS resolver. If the request has a CNAME record, and the same request under the canonical domain would be blocked, then the request is blocked. This solution is on by default, bringing enhanced privacy protections to millions of users.”

But the browser with the largest marketshare, Chrome, has work to do, per the researchers, who write:

Because Chrome does not support a DNS resolution API for extensions, the [uBlock version 1.25 under Firefox] defense could not be applied to this browser. Consequently, we find that four of the CNAME-based trackers (Oracle Eloqua, Eulerian, Criteo, and Keyade) are blocked by uBlock Origin on Firefox but not on the Chrome version.
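The check described in the Brave and uBlock Origin passages above (follow a request's CNAME chain and block it if any canonical name would itself be blocked) can be sketched as follows. This is an added example, not code from Brave, uBlock Origin or the paper; the hostnames, the CNAME records and the filter list are constructed, and an in-memory map stands in for the DNS resolver.

```javascript
// Constructed CNAME records (hypothetical hosts under the reserved .example TLD).
// A real blocker would obtain these from a DNS resolver instead of a fixed map.
const SAMPLE_CNAMES = new Map([
  ["metrics.shop.example", "shop.edge.tracker.example"],   // cloaked first-party subdomain
  ["shop.edge.tracker.example", "collector.tracker.example"],
  ["static.shop.example", "shop.cdn-provider.example"],    // ordinary CDN alias
  ["loop-a.shop.example", "loop-b.shop.example"],          // misconfigured loop
  ["loop-b.shop.example", "loop-a.shop.example"],
]);

// Constructed filter list of tracker domains.
const SAMPLE_BLOCKLIST = new Set(["tracker.example"]);

// Lower-case the name and drop a trailing root dot so comparisons are stable.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// True if host equals a blocklisted domain or is a subdomain of one.
function matchesBlocklist(host, blocklist) {
  const labels = normalizeHost(host).split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Follow the CNAME chain from host, stopping on a loop or after maxDepth hops.
// Returns the canonical names encountered, in order (the start host excluded).
function cnameChain(host, cnames, maxDepth = 8) {
  const chain = [];
  let current = normalizeHost(host);
  const seen = new Set([current]);
  while (chain.length < maxDepth && cnames.has(current)) {
    current = normalizeHost(cnames.get(current));
    if (seen.has(current)) break; // CNAME loop: stop instead of spinning
    seen.add(current);
    chain.push(current);
  }
  return chain;
}

// Decide whether a request should be blocked, and why.
function checkRequest(url, cnames, blocklist) {
  const host = normalizeHost(new URL(url).hostname);
  if (matchesBlocklist(host, blocklist)) {
    return { block: true, reason: "listed", host, matched: host };
  }
  for (const canonical of cnameChain(host, cnames)) {
    if (matchesBlocklist(canonical, blocklist)) {
      // The visible host looks first-party, but it resolves to a listed tracker.
      return { block: true, reason: "cname-cloaked", host, matched: canonical };
    }
  }
  return { block: false, reason: "allowed", host, matched: null };
}

for (const url of [
  "https://metrics.shop.example/t.js",
  "https://static.shop.example/app.css",
  "https://loop-a.shop.example/",
]) {
  const r = checkRequest(url, SAMPLE_CNAMES, SAMPLE_BLOCKLIST);
  console.log(`${r.host}: ${r.reason}${r.matched ? " via " + r.matched : ""}`);
}
```

A filter that matches only on the requested hostname sees `metrics.shop.example` as first-party and lets it through, which is the gap the researchers describe for Chrome extensions without a DNS resolution API.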

#anti-tracking, #chrome, #cookies, #firefox, #mozilla, #privacy, #tracker-blockers

Chromebooks had a banner 2020

2020 was a weird year by any measure. Certainly it was a wild ride for those in the consumer electronics category. Take smartphones — first there were manufacturing delays out of China, followed by an across the board decrease in demand. There are lots of reasons contributing to the latter, but the simplest and most prevalent one is that people just didn’t want to spend money to upgrade their devices.

But the pandemic also changed how — and where — many people work and learn. It was an abrupt shift for many that required tech investments, even in the face of economic uncertainty. After years of stagnating, plateauing and dropping, PC and tablet sales saw a spike. Earlier this month, IDC noted a nearly 20% increase in tablet sales for Q4, owing in part to a backlog in PC availability.

New figures from the firm (first noted by GeekWire) point to some significant gains for Chromebooks during that time period. According to IDC’s PC Tracker, the models comprised 10.8% of the PC market for 2020; that’s up from 6.4% a year prior. The number also pushed past MacOS’s 7.5% for the year.

Even so, Apple still grew as an overall percent of the market, up from 6.7%. Both of those numbers have eaten into Windows’ figures — though Microsoft continues to dominate the market at 80.5% (down from 85.4%).

The figures reflect positive reports from other firms. In January, Canalys noted, “Chromebook vendors enjoyed new heights of success in Q4, as the overall market almost quadrupled in size over the same period a year ago.” Pricing is certainly a factor, along with an overall scramble as schools have gone virtual amid COVID-19 concerns.

#chrome, #chrome-os, #chromebooks, #hardware, #idc, #macos, #windows

Chrome users have faced 3 security concerns over the past 24 hours

Users of Google’s Chrome browser have faced three security concerns over the past 24 hours in the form of a malicious extension with more than 2 million users, a just-fixed zero-day, and new information about how malware can abuse Chrome’s sync feature to bypass firewalls. Let’s discuss them one by one.

First up, the Great Suspender, an extension with more than 2 million downloads from the Chrome Web Store, has been pulled from Google servers and deleted from users’ computers. The extension has been an almost essential tool for users with small amounts of RAM on their devices. Since Chrome tabs are known to consume large amounts of memory, the Great Suspender temporarily suspends tabs that haven’t been opened recently. That allows Chrome to run smoothly on systems with modest resources.

Characteristically terse

Google’s official reason for the removal is characteristically terse. Messages displayed on devices that had the extension installed say only, “This extension contains malware” along with an indication that it has been removed. A Google spokesman declined to elaborate.

#biz-it, #browsers, #chrome, #exploits, #extensions, #google, #security, #tech, #vulnerabilities, #zerodays

Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices

In December, Ars reported that as many as 3 million people had been infected by Chrome and Edge browser extensions that stole personal data and redirected users to ad or phishing sites. Now, the researchers who discovered the scam have revealed the lengths the extension developers took to hide their nefarious deeds.

As previously reported, the 28 extensions available in official Google and Microsoft repositories advertised themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. Behind the scenes, they also collected users’ birth dates, email addresses, and device information and redirected clicks and search results to malicious sites. Google and Microsoft eventually removed the extensions.

Researchers from Prague-based Avast said on Wednesday that the extension developers employed a novel way to hide malicious traffic sent between infected devices and the command and control servers they connected to. Specifically, the extensions funneled commands into the cache-control headers of traffic that was camouflaged to appear as data related to Google analytics, which websites use to measure visitor interactions.

#biz-it, #browsers, #chrome, #edge, #extensions, #tech

Apple launches an iCloud Passwords extension for Chrome users on Windows

Apple has introduced an iCloud Passwords Chrome extension that will make life easier for those who use both Windows computers and other Apple devices, like a Macbook or an iPhone. The new browser extension lets you access the passwords you saved in Safari on your other Apple devices, then use them within Chrome when you’re on a Windows PC.

You can also save any new passwords you create in Chrome to your iCloud keychain, so it’s synced across your Apple devices.

Apple didn’t formally announce the new feature, but reports of an iCloud Passwords extension had already been referenced in the release notes of the new iCloud for Windows 10 (ver 12), which arrived at the end of January. After the update, a “Passwords” section appeared in the app designated by the iCloud Keychain logo. This directed users to download the new extension, but the link was broken, as the extension was not yet live.

That changed on Sunday, according to a report from 9to5Google, which found the new Chrome add-on had been published to the Chrome Web Store late on Sunday evening. Now, when Windows users access the new Passwords section, the dialog box that prompts the download will properly function.

Once installed, Chrome users on Windows will be able to access any passwords they saved or allowed iCloud Keychain to securely generate for them within Safari for macOS or iOS. Meanwhile, as Windows users create new credentials, these, too, will be synced to their iCloud Keychain so they can later be pulled up on Mac, iPhone, and iPad devices, when needed.

This is the first Chrome extension to support iCloud Keychain on Windows, as before Apple had only offered an iCloud Bookmarks tool for older Windows 7 and 8 PCs, which reached over 7 million users.

Some users who have tried the extension are reporting problems, but it seems that’s related to their PCs not having been first updated to iCloud for Windows 12.0, which is a prerequisite for the new extension to work.

Though Apple typically locks users into its own platforms, it has slowly expanded some of its services to Windows and even Android, where it makes sense. Today, Apple offers its entertainment apps like Apple Music and Apple TV on other platforms, including Android, and has launched Apple TV on its media player rival, Amazon Fire TV, among others. And 9to5Mac notes that Apple appears to be working to bring Music and Podcasts to the Microsoft Store in the future, as well.

#apple, #browser, #chrome, #icloud, #icloud-keychain, #microsoft, #passwords, #safari, #security, #windows

Chrome and Edge want to help with that password problem of yours

If you’re like lots of people, someone has probably nagged you to use a password manager and you still haven’t heeded the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browsers.

Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down in the password field. Clicking on the candidate selects it as a password and saves it to a password manager built into the browser. People can then have the password pushed to their other devices using the Edge password sync feature.

As I’ve explained for years, the same things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the safest sources of strong passwords. Rather than having to think up a password that’s truly unique and hard to guess, users can instead have a generator do it properly.

#biz-it, #browsers, #chrome, #edge, #password-managers, #passwords, #tech

Up to 3 million devices infected by malware-laced Chrome and Edge add-ons

As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday.

In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft.

Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer. In a post, the researchers wrote:

#addons, #biz-it, #browsers, #chrome, #edge, #extensions, #malware, #tech

Google, Intel, Zoom and others launch a new alliance to get enterprises to use more Chrome

A group of industry heavyweights, including Google, Box, Citrix, Dell, Imprivata, Intel, Okta, RingCentral, Slack, VMware and Zoom, today announced the launch of the Modern Computing Alliance (moderncomputing.com).

The mission for this new alliance is to “drive ‘silicon-to-cloud’ innovation for the benefit of enterprise customers — fueling a differentiated modern computing platform and providing additional choice for integrated business solutions.”

Whoever wrote this mission statement was clearly trying to see how many words they could use without actually saying something.

Here is what the alliance is really about: even though the word Chrome never appears on its homepage and Google’s partners never quite get to mentioning it either, it’s all about helping enterprises adopt Chrome and Chrome OS. “The focus of the alliance is to drive innovation and interoperability in the Google Chrome ecosystem, increasing options for enterprise customers and helping to address some of the biggest tech challenges facing companies today,” a Google spokesperson told me.

I’m not sure why it’s not called the Chrome Enterprise Alliance, but Modern Computing Alliance may just have more of a ring to it. This also explains why Microsoft isn’t part of it, though this is only the initial slate of members and others may follow at some point in the future.

Led by Google, the alliance’s focus is on bringing modern web apps to the enterprise, with a focus on performance, security, identity management and productivity. And all of that, of course, is meant to run well on Chrome and Chrome OS and be interoperable.

“The technology industry is moving towards an open, heterogeneous ecosystem that allows freedom of choice while integrating across the stack. This reality presents both a challenge and an opportunity,” Google’s Chrome OS VP John Solomon writes today.

As enterprises move to the cloud, building better web applications and maybe even Progressive Web Applications that work just as well as native solutions is obviously a noble goal and it’s nice to see these companies work together. Given the pandemic, all of this has taken on a new urgency now, too. The plan is for the alliance to release products — though it’s unclear what form these will take — in the first half of 2021. Hopefully, these will play nicely with any browser. A lot of these ‘alliances’ fizzle out quite quickly, so we’ll keep an eye on what happens here.

Bonus: the industry has a long history of alliances like these. Here’s a fun 1991 story about a CPU alliance between Intel, IBM, MIPS and others.

#chrome, #chrome-os, #citrix, #citrix-systems, #cloud-computing, #computing, #dell, #google, #google-chrome, #ibm, #identity-management, #intel, #microsoft, #mips, #okta, #operating-systems, #os, #ringcentral, #software, #spokesperson, #tc, #vmware, #web-applications, #web-apps, #web-browsers, #zoom

Google fixes two more Chrome zerodays that were under active exploit

Google has patched two zeroday vulnerabilities in its Chrome browser, the third time in two weeks that the company has fixed a Chrome security flaw that’s under active exploit.

According to a Monday tweet from Ben Hawkes, the head of Google’s Project Zero vulnerability and exploit research arm, CVE-2020-16009, as the first vulnerability is tracked, is a remote code-execution bug in V8, Chrome’s open source JavaScript engine. A second security flaw, CVE-2020-16010, is a heap-based buffer overflow in Chrome for Android. Hawkes said it allows attackers to escape the Android sandbox, suggesting that hackers may have been using it in combination with a separate vulnerability.

Hawkes didn’t provide additional details, such as what desktop versions of Chrome were actively targeted, who the victims were, or how long the attacks had been going on. It also wasn’t clear if the same attack group was responsible for all three exploits. CVE-2020-16009 was in part discovered by a member of Google’s Threat Analysis Group, which focuses on government-backed hacking, suggesting that exploits of that vulnerability may be the work of a nation-state. Project Zero was involved in the discovery of all three of the zerodays.

#biz-it, #browser, #chrome, #exploit, #vulnerability, #zeroday

Google Chrome update brings better tab management, QR codes, plus performance improvements

Google today will begin rolling out several updates to its Chrome web browser, with the goal of increasing user productivity and making the browsing experience faster. Specifically, Google is making Chrome’s tabs and its newer tab groups easier and quicker to use. Under the hood, it promises improvements that will deliver up to 10% faster page loads and others that will reduce the impact of having idle background tabs.

Together, the full set of new features address concerns of Chrome power users who tend to have many tabs open at once and work in their browser on a regular basis.

Google this May introduced tab groups, initially in beta. The feature allows users to add their open tabs to a group that they can then name and label, to keep their various projects, tasks, applications, and other online research organized. In this release, tab groups will roll out to all users.

Based on beta user feedback, Google is tweaking how tab groups work, as well.

Chrome will now allow users to collapse and expand their tab groups, so you can focus on the ones you need to access right now. Google says this was the most popular request it heard from those who were using tab groups during tests. Also, Google is introducing a new touchscreen interface for tabs designed for laptops being used in tablet mode, coming to Chromebooks first. This will make it easier for users to flip through tabs.

On Android’s version of Chrome, if you start typing a page in the address bar, you’ll see a suggestion to switch to that tab if it’s already open. Android users will also gain simplified URL sharing to make it easier to copy links and share to other devices or send links through other apps.

In addition, they’ll be able to print the page or even generate a QR code to scan or download.

The new QR code feature will make its way to Chrome on the desktop, too, and will be accessible from a new QR code icon in the Chrome address bar.

Google will also begin to roll out what will likely be a very popular new feature in this latest release — the ability to fill out and save PDF forms directly from Chrome. You’ll even be able to re-open these files again and pick up where you left off. This feature, however, will slowly roll out over the next few weeks, Google says.

Meanwhile, the Beta version of the Chrome browser will introduce a feature that lets you hover over a tab to see a thumbnail preview of the page. This could be useful particularly for those times when you have many open tabs from the same domain, like Google Docs. 

To improve the overall experience of using many tabs in Chrome, this release (version M85) will deliver two improvements. The first is Profile Guided Optimization, which is a compiler optimization technique where the most performance-critical parts of the code can run faster, Google explains. It says this will bring up to 10% faster page loads by prioritizing the most common tasks. The improvement will roll out across Mac and Windows with Chrome M85. (The technique was actually first introduced in M53 using Microsoft Visual C++ [MSVC], Chrome’s previous build environment. Now it uses Clang and will reach both Mac and Windows).

In the Chrome Beta channel, Google is also introducing tab throttling which gives more resources to the tabs you’re currently using by taking the resources back from tabs that have been in the background for a long time. This change should bring improvements across loading speed, battery and memory saving.

Chrome has often been criticized for being slow and a resource hog on Mac. While user complaints can be attributed to a variety of problems, ultimately users will blame the software, not the OS it runs upon. That means Google has to make an effort to address the areas it’s able to fix by rolling out optimizations such as these. To what extent the improvements deliver the results Google promises, however, will have to be confirmed by third-party testing after they arrive.

#browser, #chrome, #google, #tc, #web-browser

Google’s “no choice” screen on Android isn’t working, says Ecosia — querying the EU’s approach to antitrust enforcement

Google alternative Ecosia is on a mission to turn search clicks into trees. The Berlin based not-for-profit reached a major milestone earlier this month, having used ad revenue generated by users of its privacy-sensitive search engine to plant more than 100 million trees across 25 countries worldwide — targeted at biodiversity hotspots.

However these good feels have been hit hard by the coronavirus pandemic. Ecosia has seen its monthly revenues slashed by half since COVID-19 arrived in Europe, with turnover falling from €2.6M in February to just €1.4M in June. It’s worried that its promise of planting a tree every 0.8 seconds is at risk.

It has also suffered a knock to regional visibility as a result of boycotting an auction process that Android OS maker Google has been running throughout this year, as a response to a 2018 Commission antitrust decision that found the tech giant had violated EU competition rules in how it operates the smartphone platform — including via conditions placed on phone makers to pre-load its own services (like Google search) as device defaults.

An auction process now determines which rival search engines appear on a search ‘choice screen’ Google began showing to Android users in Europe in the wake of the Commission decision. Currently, Google offers three paid slots via the auction to non-Google search engines. Android users setting up a new device always see Google’s own search engine as one of the four total options.

The tech giant’s rivals have consistently argued this ‘pay to play’ model is no remedy for its anti-competitive behavior with Android, the world’s dominant smartphone OS. Although most (including DuckDuckGo) felt forced to participate in its auction process from the get-go. Forgoing the most prominent route to the Android search market isn’t exactly a luxury most businesses could afford.

Ecosia, a not-for-profit, was the last major hold out. But now it says it’s been forced to end its boycott in a bid to remain competitive in the region. This means it will participate in the next auction round for the Android choice screen — scheduled for the beginning of Q4. If it wins any per country slots it will appear as a search choice option to those Android users in future, though likely not til next year given the length of the auction process.

It remains highly critical of Google’s pay-to-play model, arguing it’s no remedy for the antitrust violations identified by the Commission. It also laments that EU lawmakers are taking a ‘wait and see’ approach to determining whether Google’s ‘remedy’ is actually restoring competition, given all the evidence to the contrary.

“The main reason why we boycotted the auction is because we think it’s highly unfair and anticompetitive,” says Ecosia CEO Christian Kroll, speaking to TechCrunch via video chat. “Not only do we think that fair competition shouldn’t be sold off in an auction but also the way the auction is designed basically makes sure that only the least interesting options can win.

“Since we have a business model where we use most of our revenues to plant trees we basically can’t really win in an auction model. If you’re already a search engine that’s quite well known… then you have a lot of cannibalization effects through this screen. So we’re basically paying for traffic that we would get for free anyway… So it’s just super unfair and anticompetitive.”

Kroll expresses emphatic surprise that the Commission didn’t immediately reject Google’s auction model for the choice screen — saying it seems as if they’ve learned nothing from the EU’s earlier intervention against Microsoft’s tying of its Internet Explorer browser with its dominant desktop OS, Windows. (In that case the saga ended after Microsoft agreed to implement a ballot screen offering a choice of up to 12 browsers, which paved the road for Google to later gain share with its own Chrome browser.)

For a brief initial period last year Google did offer a fee-less choice screen in Europe, pushing this out to existing Android devices — with search rivals selected based on their market popularity per country (which, in some markets, included Ecosia).

However the tech giant said then that it would be “evolving” its implementation over time. And a few months later an auction model was announced as incoming for new Android devices — with that ‘pay-to-play’ approach kicking off at the start of this year.

Search rivals including DuckDuckGo and Qwant immediately cried foul. Yet the response from the Commission has been to kick the can — with regulators offering platitudes that said they would “closely monitor”. They also claimed to be “committed to a full and effective implementation of the decision”.

However the missing adjective in that statement is ‘fast’. Google rivals would argue that for a remedy to be effective it needs to happen really fast, like now — or, for some of them, the risk really is going out of business. After all, the Commission’s Android antitrust decision (which, yes, Google is appealing) already dates back two full years.

“I find it very surprising that the European Commission hasn’t rejected [Google’s auction model] from the start because some of the key principles from what made the choice screen successful in the Microsoft case have just been completely disregarded and been turned around by Google to turn the whole concept of a choice screen to their advantage,” says Kroll. “We’re not even calling it the ‘choice screen’ internally, we just call it the ‘auction screen’. And since we’re now stopping to boycott we call it the ‘no choice screen’.”

“It’s Google’s way to give the impression that there’s free choice but there is no free choice,” he adds. “If Google’s objective here would be to create choice for the user then they would present the most interesting options, which are the search engines with the highest marketshares — so definitely us, DuckDuckGo and maybe some other players as well. But that’s not what they’re trying to do.”

Kroll points out that another German search rival to Google, Cliqz, had to pull the plug on its anti-tracking alternative at the start of this year — meaning there’s now one less homegrown anti-tracking rival to Google in play. And while Ecosia feels it has no choice but to participate in Google’s auction game Kroll says it also can’t know whether or not participating will result in Ecosia overpaying Google for leads that then mean it generates less revenue and can’t plant as many trees… Or, well, any trees if the worst were to happen.

(NB: Kroll was speaking to TechCrunch ahead of signing an NDA that Google requires participants of the auction to sign which puts a legal limit on what they can say about the process once they’re involved — which, in turn, is a problematic element that another European search rival, Qwant, has also complained is unfair… )

“We don’t have any choice left, other than to participate,” adds Kroll. “Because we want to have access to the Android platform. So basically Google has successfully bullied everyone to play to its own rules — and it’s a game where Google is not only the referee but also they get a free ticket and they are also players…

“Somehow Google magically convinced the public but I think also the European Commission that they need to generate revenue in an auction because they have so many costs through the Android development and so on. It is of course true that they have costs… but they are also generating massive profit through the deals that they then make with the device makers and those profits are not at all shared.”

Kroll points out that Google shells out a (reported) $12BN per year to be the default search engine in Safari on Apple’s iOS platform — even as it pays nothing to get in front of the vast majority of mobile searchers’ eyeballs via Android (and does the same with Chrome).

“If they would pay the same amount of money for those platforms they would soon be bankrupt,” he argues. “So they are getting all this for free and they are also getting other benefits for free — like having the Play Store preinstalled, like having Google Maps preinstalled, YouTube preinstalled and so on — which are all revenue sources. But they’re not sharing any of those revenues. They just try to outsource all of the costs that they have to their competitors, which is I think very unfair.”

While Alphabet, Google’s parent entity, doesn’t break out Google Play revenue specifically from within a generic “advertising” bucket when it reports its financials, data from SensorTower for the first half of 2020 suggests it generated $17.3BN in Play Store revenue alone over this six-month period, up 21% year-over-year. And Play is just one of the moneyspinners Google derives via ‘free’ Android.

Since the Commission’s 2018 antitrust decision against Android, Kroll argues that nothing has changed for search competitors like Ecosia which are trying to offer consumers a more interesting value exchange for their clicks.

“What Google is doing very successfully is they’re just playing on time,” he suggests. “Our competitor, Cliqz, already went bankrupt because of that. So the strategy seems to work really well for Google. And we also can’t afford to lose access to those platforms… I really hope that the European Commission will actually do something about this because it has been done successfully in the Microsoft case and we just need exactly the same.”

Kroll also flags DuckDuckGo’s design suggestions for “a fair choice screen” — which we covered here last year but which Google (and the Commission) have so far simply ignored.

He suspects regulators are waiting to see how the market looks in another year or more. But of course by then it may be too late to save more alternative search engines from a Cliqz-style demise, thereby further strengthening Google’s position. Which would obviously be the opposite of an antitrust remedy.

Commissioner Margrethe Vestager already conceded last year that another of her interventions against the tech giant — the Google AdSense antitrust case — is an example of “enforcement that hasn’t succeeded because it has failed to restore competition”. So if she’s not careful her record on failed remedies could dent her high profile reputation for being an antitrust chief who’s at least willing to take on tech giants. Where competition is concerned, it must be all about outcomes — or what are you even doing as claimed law ‘enforcers’?

“I always fear that the point might come when big corporates are more powerful than our public institutions and I’m wondering if this point isn’t already reached,” adds Kroll, positing that it’s not clear whether the EU — as an economic and political project now facing plenty of its own issues — will have enough resilience to be able to enforce its own competition law in the near future. So really his key point is: If not now, when? (Or, well, how?)

It’s certainly true that there’s a growing disconnect between what the Commission is saying around competition policy and digital markets — where it’s alive to the critique that regulatory interventions need to be able to move much faster if they’re to prevent monopoly power irreversibly tipping these markets (it’s currently consulting on whether to give itself greater powers of intervention) — and its hands-off approach to how to remedy market failure. tl;dr there’s no effective enforcement without effective remedies. So dropping the ball after the fact of a decision really defeats the whole operation.

Vestager clearly recognizes there’s a problem in the digital context — telling the EU parliament last year: “We have to consider remedies that are much more far reaching”. (Albeit, still not committing to having much more far reaching remedies.) Yet in parallel she preaches ‘wait and see’ as her overarching philosophy — a policy ‘push-pull’ which seems to be preventing the unit from even entertaining taking on a more agile, active and iterative role in supporting markets towards actual restoration of competition. At least not before a lengthy consultation exercise which further kicks the can.

If EU lawmakers can’t learn the lessons from their own relatively recent digital antitrust history (Microsoft tying IE to Windows) to effectively enforce what is a pretty straightforwardly similar antitrust case (Google tying search & its other services to Android), you have to question why they think they need new antitrust tools to properly tackle digital monopolies now. Given they don’t seem able to effectively wield the tools they’ve already got.

It does rather look increasingly like the current crop of EU regulators have lost conviction — and/or fallen prey to risk aversion — in the face of platform power moves. (To wit: There are whispers the Commission is preparing to wave through Google’s acquisition of Fitbit, on paper-thin promises from Google, despite major concerns raised about privacy and increased data consolidation — which, if true, would again mean the Commission ignoring its own recent history of naively swallowing other similar tech giant claims.)

“My feeling is, what has happened in the Microsoft case… there was just somebody in the Commission crazy enough to say this is what the decision is and you have to do it… And maybe it just takes those kind of guts. That’s then maybe a political question. Is Vestager willing to really pick those battles?” asks Kroll.

“My feeling is if people really understand the situation then they would care but you actually need to do a little bit of explaining that it’s not good to have a dominant player that is in such an important sector like search, and that is basically shutting down the market for everybody else.”

Asked what his message is for the US lawmakers now actively eyeing antitrust concerns around Google — and indeed much of big tech — Kroll says: “I’m a fan of competition and I also admire Google; I think Google is a very clever company but I think there is a point reached where there’s so much concentration of power that it gets dangerous for society… We’ve been suffering quite a lot from all the dominance that Google has in the various sectors. There are just things that Google are doing that are obviously anticompetitive.”

One specific thing he suggests regulators take a close look at is how much money Google pays Apple to be the default search option on Safari. “It’s paying more money than it can actually afford to win the Safari search volume — that I think is very anticompetitive,” he argues. “They already own two-thirds of the market and they basically buy whatever’s left over so that they can just cement their dominance.

“The regulators should have a very close look at that and disallow Google to participate in any of those bids for default positions in other browsers in the future. I think that would even be beneficial for browsers because in the long term there would finally be competition for those spots again. Currently Google’s just winning them because they’re running out of options and there are not many other search providers left to choose from.”

He also argues they need to make Google repair “some of the damage they’ve done” — i.e. as a result of unfairly gaining marketshare — by enforcing what he calls “a really fair choice screen”; non-paid and based on relevance for users. And by doing so on Android and Chrome devices. 

“I think until a year ago if you visited Google.com with your Safari browser or Firefox browser then Google would recommend to install Chrome. And for me that’s a clear abuse of one dominant position to support another part of your company,” he argues. “Google needs to repair that and that needs to happen very quickly — because otherwise other companies might .”

“We’re still doing okay but we have been hit heavily by corona and we have a huge loss in revenue. Other companies might be hit even worse, I don’t know. And we don’t have the same deep pockets that the big players have. So other companies might disappear if nothing’s done soon,” he adds. 

We reached out to Google and the European Commission for comment.

A Google spokesperson pointed us to its FAQ about the auction. In further remarks which they specified could not be directly quoted they claimed an auction is a fair and objective method of determining how to fill available slots, adding that the revenue generated via the auction helps Google continue to invest in developing and maintaining Android.

While a spokeswoman for the Commission told us it has been “discussing” the choice screen mechanism with Google, following what she described as “relevant feedback from the market, in particular in relation to the presentation and mechanics of the choice screen and to the selection mechanism of rival search providers”.

The spokeswoman also reiterated earlier comments, that the Commission is continuing to monitor Google’s choice screen implementation and is “committed to a full and effective implementation of the decision”.

However, a source familiar with the matter said EU lawmakers view paid premium placement for a few cents as far superior to what Google was offering rivals before — i.e. no visibility at all — and thus take the view that something is better than nothing.

#advertising-tech, #alphabet, #android, #antitrust, #apple, #berlin, #big-tech, #chrome, #chrome-os, #cliqz, #competition-law, #duckduckgo, #ecosia, #europe, #european-commission, #european-union, #fitbit, #google, #ios, #margrethe-vestager, #microsoft, #microsoft-windows, #operating-systems, #play-store, #policy, #privacy, #qwant, #safari, #search-engine, #search-engines, #smartphones, #tc, #united-states

Chrome competitor, The Browser Company, quietly raises $5M

A handful of Silicon Valley’s notable figures are backing a software startup looking to challenge Google Chrome’s dominance.

The startup, called The Browser Company, is led by Joshua Miller, who previously served as the Obama White House’s Director of Product and is currently an investor at Thrive Capital, an investment firm founded by Josh Kushner.

The New York startup has raised just north of $5 million in funding, a source familiar tells TechCrunch. The company’s backers include LinkedIn’s Jeff Weiner, Medium’s Ev Williams, Figma’s Dylan Field, Notion’s Akshay Kothari and GitHub’s Jason Warner.

The startup has been pretty vague in public about what exactly they’re working on. They’re building a new browser that seems to reject bare bones simplicity and embrace some of the more flexible interfaces of modern web apps. The browser’s backend is built, in part, on the bones of Chrome, utilizing open source Chromium which allows the upstart product to boast seamless support with broader web standards at launch.

“We love the internet, but it can be overwhelming,” the startup’s site reads. “What if a browser could help us make sense of it all?”

In a phone call, Miller wasn’t much more illuminating on what exactly the eventual release might look like.

“I’m going to be a little cagey just because we do have competitors that have more engineers and more money than we do,” Miller said in response to a question regarding product capabilities.

The Browser Company’s team of six isn’t the only young startup aiming to challenge Chrome’s one-size-fits-all approach to the browser market. For Extra Crunch, I dug into a number of the young browser startups that investors are backing. (Subscription required.)

Google’s Chrome flat-out dominates the browser market. In 2016, Google detailed that they had about 2 billion active installs of the application. Since then, as users of competitors like Firefox and Internet Explorer have dropped off significantly, the product has only cemented its lead.

Google’s efforts to build a version of Chrome suited for billions of people across the globe have led to a safe product that Miller says isn’t very “opinionated” about how people should use it. The Browser Company isn’t aiming to replace Chrome, he says, but is looking to find a subset of Chrome users whose needs it can better meet.

“I think one of the reasons that web browsers have remained somewhat stagnant in terms of their functionality is that the business model is built on top of is one of search ad revenue,” Miller says. “I think of Chrome and Safari as Toyotas or Hondas. They’re reliable, they’re affordable, they’re accessible and they’re simple. We’re trying to build the Tesla of web browsers.”

Miller says The Browser Company is hoping to start bringing on users to beta test the software later this year.

#browsers, #chrome, #google, #google-chrome, #tc

Chrome will soon block resource-draining ads. Here’s how to turn it on now

Chrome browser users take heart: Google developers are rolling out a feature that neuters abusive ads that covertly leach your CPU resources, bandwidth, and electricity.

The move comes in response to a swarm of sites and ads first noticed in 2017 that surreptitiously use visitors’ computers to mine bitcoin and other cryptocurrencies. As the sites or ads display content, embedded code performs the resource-intensive calculations and deposits the mined currency in a developer-designated wallet. To conceal the scam, the code is often heavily obfuscated. The only signs something is amiss are whirring fans, drained batteries, and for those who pay close attention, increased consumption of network resources.

In a post published on Thursday, Chrome Project Manager Marshall Vale said that while the percentage of abusive ads is extremely low—somewhere around 0.3 percent—they account for 28 percent of CPU usage and 27 percent of network data.

#biz-it, #browsers, #chrome, #cryptocurrencies, #cryptojacking

Google Chrome will finally help you organize your tabs

Google Chrome is rolling out a new feature to help you better manage all your open tabs. The company announced today the launch of “tab groups” for the beta version of its web browser, which will allow you to organize, label, and even color-code your tabs for easy access. The feature will make its way to the stable release of Chrome starting next week.

To use the new feature, you can right-click on a tab and choose “Add tab to group.” You can then select an existing group to move the tab to or create a new one, which you’ll also name and label.

The company had been testing this solution for several months before today’s public release, as some had already spotted. Based on this early research, Google says it found that many people tended to organize their tabs by topic — like a project they’re working on or a set of shopping and review sites, for example.

Others, however, would organize tabs by urgency — labeling them things like “ASAP,” “this week,” or “later.” Google also suggests tab groups can be used to help keep you focused on task progress, by grouping them into areas like “in progress,” “need to follow up,” and “completed.”

And if you prefer a more minimalist look, tab groups also support the use of emoji in their labels.

The problem of having too many tabs open is one that’s common to anyone who spends time on the internet, whether for work, school, research, online shopping, or even just browsing for fun. Tabs start to stack up with all those things you need to come back to at some other time — unless, of course, they’re part of your permanent collection of pinned tabs that never get closed.

Despite the prevalence of the “too-many-tabs” problem, Google had yet to introduce a solution for Chrome users. That led to the creation of a cottage industry of tab management tools like OneTab, Workona, Toby, and many others.

Meanwhile, other browser makers tapped into consumer demand for better tab management solutions to make that a selling point for their own Chrome alternatives. For instance, Vivaldi offers automatic tab stacking to keep tab clutter down. And Opera earlier this year introduced a new version of its web browser that lets you organize tabs into various workspaces.

Google isn’t likely too worried about losing its majority market share to its rivals, given its near-complete dominance on the desktop. But Chrome has fallen from a 71.15% share of the desktop browser market in August 2019 to 67.15% as of April 2019, as other browsers made inroads. That could have been just enough of a push to get Google to focus on new features that will keep consumers in its ecosystem.

Tab Groups are available in Google Chrome Beta for preview as of today. The feature will also be available for Chrome on the desktop across Chrome OS, Windows, Mac and Linux when the updated version begins rolling out next week.

However, Google cautions tab groups will be slowly rolled out to ensure Chrome’s stability and performance aren’t impacted. So if you’re itching to use the new tab groups feature sooner, you may want to switch to the beta for the time being.

#browser, #chrome, #google, #google-chrome, #tc

Google rolls back SameSite cookie changes to keep essential online services from breaking

Google today announced that it will temporarily roll back the changes it recently made to how its Chrome browser handles cookies in order to ensure that sites that perform essential services like banking, online grocery, government services and healthcare won’t become inaccessible to Chrome users during the current COVID-19 pandemic.

The new SameSite rules, which the company started rolling out to a growing number of Chrome users in recent months, are meant to make it harder for sites to access cookies from third-party sites and hence track a user’s online activity. These new rules are also meant to prevent cross-site request forgery attacks.

Under Google’s new guidance, developers must explicitly allow their cookies to be read by third-party sites; otherwise, the browser will prevent these third-party sites from accessing them.
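The rule described above, as an added example that is not from the original article or from Chrome's own code: a Node.js audit that classifies `Set-Cookie` headers by how the new SameSite handling treats them. It assumes Chrome's published behaviour that a cookie with no (or an unrecognised) SameSite attribute is treated as Lax and that `SameSite=None` is honoured only together with `Secure`; the function names and header values are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers against Chrome's SameSite rules.
// Assumption: no SameSite attribute => treated as Lax; SameSite=None needs Secure.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq > 0 ? pair.slice(0, eq) : pair, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    // Attribute names and SameSite values are case-insensitive.
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

function classify(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none') {
    // Explicit opt-in to cross-site use, valid only on a Secure cookie.
    return c.secure
      ? { name: c.name, verdict: 'cross-site' }
      : { name: c.name, verdict: 'rejected' };
  }
  if (c.sameSite === 'strict') return { name: c.name, verdict: 'strict' };
  if (c.sameSite === 'lax') return { name: c.name, verdict: 'lax' };
  // Attribute missing or unrecognised: the browser applies the Lax default.
  return { name: c.name, verdict: 'lax-by-default' };
}

// Cookies a third-party (embedded) context will no longer receive.
function blockedCrossSite(headers) {
  return headers
    .map(classify)
    .filter((r) => r.verdict !== 'cross-site')
    .map((r) => `${r.name}: ${r.verdict}`);
}

// Constructed sample headers, not taken from any real site.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',
  'widget_auth=xyz; Path=/; SameSite=None; Secure',
  'legacy_sso=q1; Path=/; SameSite=None',
  'csrf=tok; Secure; samesite=Strict',
];

console.log(blockedCrossSite(SAMPLE_HEADERS));
```

Only `widget_auth` keeps working inside a third-party frame or cross-site request. `legacy_sso` is the case that breaks embedded logins, because the opt-in is present but the cookie is not marked `Secure`.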

Because this is a pretty major change, Google gave developers quite a bit of time to adapt their applications to it. Still, not every site is ready yet, so the Chrome team decided to halt the gradual rollout and stop enforcing these new rules for the time being.

“While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time,” writes Google Chrome engineering director Justin Schuh. “As we roll back enforcement, organizations, users and sites should see no disruption.”

A Google spokesperson also told us that the team saw some breakage in sites “that would not normally be considered essential, but with COVID-19 having become more important, we made this decision in an effort to ensure stability during this time.”

The company says it plans to resume its SameSite enforcement over the summer, though the exact timing isn’t yet clear.

#browsers, #chrome, #cookies, #coronavirus, #covid-19, #google, #google-chrome, #privacy, #tc, #web-browsers, #world-wide-web