Google today released version 68 of the Chrome browser. This is a milestone release for the browser maker, as it is the first version in which Chrome marks HTTP sites as "Not Secure."
Google announced this radical shift in how it treats HTTP/HTTPS URLs back in May of this year. At the time, it also announced that starting with the next Chrome version, v69, scheduled for release in September, the browser will remove the "Secure" indicator from HTTPS pages.
Google doesn't plan to show a "Secure" indicator anymore, and will only show a "Not Secure" marker when users are on sites that lack proper security, such as those served via HTTP.
The move is a controversial one and is bound to cause problems for many site owners, who will most likely receive complaints from some panicked users.
According to Cloudflare telemetry, 542,605 of the top 1 million sites do not use or do not redirect users to an HTTPS version, meaning that a large number of users will probably see a "Not Secure" indicator next to most of the sites they visit after they update to Chrome 68.
The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW— Cloudflare (@Cloudflare) July 23, 2018
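For site owners who want to confirm where a plain-HTTP request to their own site ends up, the following added example (not from Google or Cloudflare) walks the redirect chain from `http://host/` and classifies the result. The function names, verdict labels, and `.example` hosts are assumptions made for illustration, and the sample responses are constructed so the logic runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def head(url, timeout=5):
    """One HEAD request, redirects not followed: returns (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def https_verdict(host, fetch=head, max_hops=5):
    """Walk the redirect chain from http://host/ and classify where it ends."""
    url = f"http://{host}/"
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
    else:
        return "too-many-redirects", chain  # never settled within max_hops
    if urlsplit(url).scheme != "https":
        return "not-secure", chain  # final page is served over plain HTTP
    if any(urlsplit(u).scheme == "http" for u in chain[1:]):
        return "https-with-http-hop", chain  # extra cleartext hop on the way
    return "https", chain

# Constructed responses (hypothetical hosts, not real sites).
SAMPLE = {
    "http://good.example/": (301, "https://good.example/"),
    "https://good.example/": (200, None),
    "http://plain.example/": (200, None),
    "http://hop.example/": (301, "http://www.hop.example/"),
    "http://www.hop.example/": (301, "https://www.hop.example/"),
    "https://www.hop.example/": (200, None),
    "http://loop.example/": (302, "/"),
}

if __name__ == "__main__":
    for h in ("good.example", "plain.example", "hop.example", "loop.example"):
        print(h, *https_verdict(h, fetch=SAMPLE.get))
```

Calling `https_verdict("your-host")` with the default `fetch` performs live HEAD requests; passing `fetch=SAMPLE.get` replays the constructed responses instead.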
But while the switch in how Google treats HTTP sites is the big headliner of this release, quite a few other cool features are included as well.
The biggest of these, at least on the security front, are Chrome's new blocking mechanisms for tactics often employed by online malvertisers.
For example, Chrome now blocks shady iframes (which are embedded on a page) from redirecting the entire parent page to another URL. These changes have been slowly implemented since Chrome 64 and have now been rolled out in full.
An iframe will be allowed to redirect the main page to a new URL only if the user has directly interacted with the iframe. Since most iframes used in malvertising campaigns are usually placed off-screen, this change should block malicious ads from redirecting users to new sites, while still allowing single-sign-on (SSO) login pages or similar technologies to work as intended.
Second, Chrome now also fully blocks tab-under behavior. Tab-under is when users click on a link, but a shady website opens the URL in another tab and keeps the old tab alive, while also using the old tab to load another URL with a bunch of ads. The tab-under technique is found all over the web and has become a problem in recent years.
Google first announced tab-under blocking last year, and it rolled out a first tab-under blocking mechanism in Chrome 65. Today, Google is making a formal announcement of this feature, which will show warnings like the one below every time it blocks a shady site trying to duplicate its tab and use one to show ads.
Chrome 68 is also a milestone on another security front. It represents Phase 2 of Google's larger plan of preventing third-party software (mostly antiviruses) from injecting code into the main Chrome process. As Google explained last November:
Google plans to remove the ability to inject third-party code into Chrome and block this behavior altogether starting in January 2019.
But Chrome 68 is not only about bug fixes and security features. This release also comes with the regular improvements to Chrome's underbelly, its API and web standards support.
The biggest of these additions is that Chrome 68 now supports the Payment Handler API. This API is a companion to the Payment Request API that Google added back in Chrome 61. Its role is to simplify the process of making online payments by allowing the browser to take some of this load (and security implications) from a website/web app's hands.
In addition, Google says it specifically modified the "Add to home screen" behavior in order to take into account feedback from the developer community who wanted more control over when and how these popups appear, popups which are often used for Chrome-based mobile apps.
On top of this, there's also the Page Lifecycle API, new in Chrome 68. This API will be a crucial feature that most web developers will use in the future.
This new API lets developers adapt their websites' behavior based on the device's "lifecycle," taking into account CPU suspension states, battery levels, browser tab state, foreground/background status, and others. More info on this new API can be found here.
Users interested in finding out what else was included with Chrome 68 can check this blog post from the Chromium team or Chrome 68's full changelog (slow-loading link). The release notes for Google Chrome Enterprise v68 are available here.
The security-related bugs fixed in Chrome 68 are detailed in a separate blog post, here. This month, the Chrome team fixed 42 security issues.