This week we discuss “DrupalGeddon2”, Cloudflare’s new DNS offering, a reminder about GRC’s DNS Benchmark, Microsoft’s Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at Google’s Chrome store, another “please change your passwords” after another website breach, a bit of miscellany, a heart-warming SpinRite report, some closing the loop feedback from our terrific listeners, and a closer look at the Swiss encrypted ProtonMail service.
HomePod should have been delayed longer. Elon Musk’s rollercoaster week: Falcon Heavy sends a Tesla to Mars just as Tesla has its worst quarter ever. iPhone boot code leaked online. Chrome will shame insecure websites. YouTube suspends Logan Paul for generally being a horrible human being. Rethinking Facebook and Google. T-Mobile warns of phone hacking scam. Uber settles with Waymo. ESPN’s new streaming service will not show ESPN.
WWDC is tomorrow! What will Apple announce? A Siri Speaker, perhaps? Google will update Chrome to block annoying ads, but what will count as “annoying?” Where did Microsoft go wrong? One word: Vista. The US Supreme Court decides that patent rights end at sale.
The app launcher was one of three Chrome browser features that appeared to be specifically designed to turn Chrome into a “platform within a platform” on Windows. In addition to the app launcher—which sat in the taskbar and allowed users to fire up Chrome apps just like a normal desktop program, miming Windows Start menu functionality—Google killed Chrome’s notification center in October. That feature was replaced with native web push notifications, a standardized feature that sites can use across all browsers.
Beyond those two features, Google also created a modern UI version of the browser for Windows 8 that essentially put Chrome OS inside Windows. Microsoft’s decision to do away with Windows 8’s ill-advised dual UI for a more traditional desktop in Windows 10 killed Google’s attempt at “Chrome OS for Windows.”
The impact on you at home: If you’re one of the few fans of Chrome’s app launcher, Google may still provide a way for you to launch Chrome apps from the taskbar. Right now, you can create a desktop shortcut for Chrome apps by typing chrome://apps into the Omnibox, right-clicking an app, and then selecting Create shortcuts. The shortcut can then be dragged from the desktop onto the taskbar. We’re confirming with Google that this functionality will remain once the app launcher goes away and will update this story should the company respond.
In a recent blog post, Google announced that it intends to discontinue support for Chrome on Windows XP, Windows Vista, and Mac OS X versions 10.6, 10.7, and 10.8 by April 2016 because “these platforms are no longer actively supported by Microsoft and Apple.” Google did not release a specific date for when it intends to discontinue support.
While Microsoft intends to support Windows Vista until April 11, 2017, Google’s earlier decision to keep supporting Chrome on Windows XP past Microsoft’s own cutoff shows what really drives the decision to drop Windows Vista before that date: the operating system does not have substantial market share.
Google notes that current versions of Chrome “will continue to function on these platforms” after support for Chrome is discontinued, but the company encourages users to upgrade to newer operating systems so that they may continue to use the latest versions of the web browser.
Chrome 42 has graduated to a stable release and is now available to download for Windows, Mac and Linux. In addition to the usual list of security fixes (45 in total) and under-the-hood changes for stability and performance, Google’s latest release includes its new Push API and Notifications API.
Together, these two new APIs allow websites to send notifications to web surfers even after they’ve closed or navigated away from said site. Obviously, there’s a fine line between being useful and obtrusive when dealing with notifications. Fortunately, Google mandates that developers must acquire consent for permission to use the Push API.
Once permission has been granted, developers can deliver messages through Google Cloud Messaging and have a service worker display the notification.
As an example of how the new APIs could be used, imagine you’ve bid on something on eBay. Afterwards, you navigate away or close the browser window completely. If you are outbid on the item, you could get a notification on your desktop letting you know right away.
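The consent gate and the service-worker display step described above, as an added example that is not code from the article or from Google. The browser globals (`Notification`, `navigator.serviceWorker`) are passed in as a `browser` object and the worker global as `scope`, so the logic can be exercised outside a browser with stand-in objects; the function names, the `/sw.js` path and the “Auction update” notification text are illustrative choices made here, and the Google Cloud Messaging transport mentioned in the article is not modelled.

```javascript
// Added example, not code from the article or from Google: the consent gate
// and service-worker display step for the Push API, written so the decision
// logic can be exercised outside a browser by passing stand-in objects.

// Map the current Notification.permission value to what the page should do.
// Only "granted" allows a push subscription; "denied" must be respected.
function decidePushAction(permissionState) {
  switch (permissionState) {
    case "granted":
      return "subscribe";
    case "denied":
      return "blocked";
    case "default":
      return "ask";
    default:
      return "unsupported";
  }
}

// Page side. `browser` supplies Notification and navigator.serviceWorker
// (in a real page: { Notification, serviceWorker: navigator.serviceWorker }).
async function enablePush(browser, serviceWorkerUrl) {
  if (!browser.Notification || !browser.serviceWorker) {
    return { status: "unsupported" };
  }
  let action = decidePushAction(browser.Notification.permission);
  if (action === "ask") {
    // Prompt the user; the promise form of requestPermission is assumed.
    action = decidePushAction(await browser.Notification.requestPermission());
  }
  if (action !== "subscribe") {
    return { status: action };
  }
  const registration = await browser.serviceWorker.register(serviceWorkerUrl);
  // Chrome requires userVisibleOnly: true, a promise that every push will
  // show a notification, so a site cannot receive silent background pushes.
  const subscription = await registration.pushManager.subscribe({ userVisibleOnly: true });
  // In a real deployment the endpoint is sent to the site's own server here.
  return { status: "subscribed", endpoint: subscription.endpoint };
}

// Service-worker side. `scope` is the worker's global (`self` in sw.js);
// the handler shows a notification for every push, honouring userVisibleOnly.
function installPushHandler(scope) {
  scope.addEventListener("push", (event) => {
    const body = event.data ? event.data.text() : "You have a new update";
    event.waitUntil(
      scope.registration.showNotification("Auction update", { body })
    );
  });
}
```

In a real page the call is `enablePush({ Notification, serviceWorker: navigator.serviceWorker }, "/sw.js")` from a click handler, and `installPushHandler(self)` runs at the top of the service worker file.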
A number of the security fixes in Chrome 42 were found by security researchers through Google’s bounty program. Their awards (when applicable) are listed alongside the security fixes on the Chrome Release Blog if you want to check them out.
In the event your browser doesn’t automatically download and install Chrome 42 via the automatic update mechanism, you can snag the Windows version by clicking here (Mac and Linux versions here and here, respectively).
As in years past, the latest patched versions of the most popular web browsers around stood little chance against those competing in the annual Pwn2Own hacking competition. The usual suspects – Apple Safari, Google Chrome, Mozilla Firefox and Microsoft Internet Explorer – all went down during the two-day competition, earning researchers a collective total of $557,500 in prize money.
The event, which took place at the CanSecWest conference in Vancouver, was sponsored by the Hewlett-Packard Zero Day Initiative. During the first day, HP awarded $317,500 to researchers that exploited flaws in Adobe Flash, Adobe Reader, Internet Explorer and Firefox.
eWeek notes that the first reward, paid to a hacker by the name of ilxu1a, was for an out-of-bounds memory vulnerability in Firefox. It took less than a second to execute, which earned him a cool $15,000.
Firefox was exploited twice during the event. Daniel Veditz, principal security engineer at Mozilla, said the foundation was on hand during the event to get the bug details from HP. Engineers are already working on a fix back at home, he added, that could be ready as early as today.
Another security researcher, JungHoon Lee, managed to demonstrate exploits against Chrome, IE 11 and Safari. As you can imagine, he walked away with quite a bit of money: $75,000 for the Chrome bug, $65,000 for IE and $50,000 for the Safari vulnerability. He also received two bonuses totaling $35,000.
Google is adding a new warning to Chrome in its continuing efforts to protect users from harmful actors on the web. The new red flag for Google’s browser warns you when you’re about to visit a site that encourages users to download harmful and unwanted software.
Chrome isn’t the only browser sending out warnings. Other browsers, such as Firefox, also warn about potentially harmful sites.
Google’s definition of unwanted programs isn’t just about malware, but also tricky programs that try to sneak onto your system. The search giant defines unwanted software as anything with dishonest behavior, such as piggybacking on the installation of another program, apps that are difficult to remove, and software that fails to live up to its advertised functionality. Even software that changes your homepage—a not uncommon occurrence—can qualify as unwanted software from Google’s point of view.
Chrome’s new harmful programs warning
The impact on you at home: Chrome users with the latest updates should start seeing the warnings pop up in Chrome when navigating to a site with harmful software downloads. The new pop-up is similar to warnings you get for sites that are malicious: a large red screen that tells you the site you’re about to visit might try and trick you into installing unwanted software. Users then have the choice to get more details (and presumably carry on aware of the risks) or return “to safety” at the Google homepage.
More than just browsers
In addition to the changes to Chrome, Google is also tackling unwanted software with other parts of its business. Google is working to filter deceptive sites from its search results. The company is also disabling ads that lead to sites offering unwanted software.
That last bit is particularly important, because advertising can often be a weak spot for malware delivery or leading people to questionable sites. In January, a “malvertising” attack using Google’s AdSense program automatically redirected users to bogus websites selling anti-aging and supposed “brain-enhancing” products.
The new Chrome security warnings join other security features, such as warnings about potentially harmful programs you’re about to download and sites known to deliver malware.
If there’s one thing websites love to do it’s track their users. Now, it looks like some browsers can even be tracked when they’re in private or incognito mode. Sam Greenhalgh of U.K.-based RadicalResearch recently published a blog post with a proof-of-concept called “HSTS Super Cookies.” Greenhalgh shows how a crafty website could still track users online even if they’ve enabled a privacy-cloaking setting.
The key to the exploit is to use HTTP Strict Transport Security (HSTS) for something it wasn’t intended for. HSTS is a modern web feature that allows a website to tell a browser it should only connect to the site over an encrypted connection.
Say, for example, John types SecureSite.com into his browser with HSTS enabled. SecureSite’s servers can then reply to John’s browser that it should only connect to SecureSite over HTTPS. From that point on, all connections to SecureSite from John’s browser will use HTTPS by default.
The problem, according to Greenhalgh, is that for HSTS to work your browser has to store the data about which sites it must connect to over HTTPS. But that data can be manipulated to fingerprint a specific browser. And because HSTS is a security feature most browsers maintain it whether you’re in private or normal mode—meaning that after your browser has been fingerprinted, you can be tracked even if your browser is in incognito mode.
Even under cover of incognito mode, HSTS Super Cookies still make browsers trackable.
When in private browsing or incognito mode (sometimes called “porn mode”) your browser won’t store data such as cookies and browsing history once the private browsing session has ended—unless it’s tricked into doing so by a Super Cookie.
The story behind the story: Although Greenhalgh’s blog post is gaining traction, people have been talking about the privacy and security trade-offs of HSTS for some time. The Chromium team, which creates the open source browser that Chrome is based on, discussed the issue as early as 2011. In 2012, security firm Leviathan published a blog post raising similar concerns, and Robert “RSnake” Hansen raised the issue on his blog ha.ckers.org in 2010.
Although this issue has been known for some time it’s not clear if any sites are actually using this weakness to track users. Regardless, you can protect yourself on Chrome by erasing your cookies before going into incognito mode. Chrome automatically flushes the HSTS database whenever you delete your cookies. Firefox does something similar, but Greenhalgh says the latest version of Firefox solved this issue by preventing HSTS settings from carrying over to private browsing modes.
Safari is a bigger problem, however, as there is apparently no obvious way to delete the HSTS database on Apple devices like the iPad or iPhone, Greenhalgh says. HSTS flags are also synced with iCloud, making HSTS Super Cookie tracking even more persistent (at least in theory) when using Apple hardware.
HSTS Super Cookies only appear to work if you first visit a site in a non-private mode. Anyone visiting a site for the first time in private mode will not carry over an HSTS super cookie to their regular browsing.
As for Internet Explorer users, the good news is you are completely protected from this type of tracking! Now for the bad news: It’s because IE doesn’t support HSTS at all.
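The HSTS mechanism described above and the two mitigations the article mentions (Chrome wiping HSTS state along with cookies, and Firefox giving private browsing its own, empty HSTS state), as an added example that is not part of the article or of any browser’s code. It is a small Node.js model of a browser’s HSTS store: header parsing follows RFC 6797, while `HstsStore`, `BrowserProfile`, the `securesite.com` host and the `demo()` walkthrough are illustrative names and values chosen here.

```javascript
// Added example (not from the article or any browser): a minimal model of a
// browser's HSTS store, used to show why clearing it with cookies and giving
// private mode its own empty store removes the tracking surface.

// Parse a Strict-Transport-Security header value (RFC 6797) into a policy.
// Returns null when the header is malformed (no usable max-age).
function parseHstsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(";")) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const [name, val] = directive.split("=").map((s) => s.trim());
    const lname = name.toLowerCase();
    if (lname === "max-age") {
      // max-age may be quoted; it must be a non-negative integer of seconds.
      const n = val === undefined ? NaN : Number(val.replace(/^"|"$/g, ""));
      if (!Number.isInteger(n) || n < 0) return null;
      maxAge = n;
    } else if (lname === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// The per-host "only talk HTTPS to me" memory that the article describes.
class HstsStore {
  constructor() {
    this.entries = new Map();
  }
  // Record a policy. A browser must ignore the header on plain-HTTP responses.
  observe(host, policy, now, overHttps = true) {
    if (!overHttps || !policy) return;
    if (policy.maxAge === 0) {
      this.entries.delete(host); // max-age=0 retracts an earlier policy
      return;
    }
    this.entries.set(host, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
  }
  // Decide whether an http:// request to `host` must be upgraded to https://.
  shouldUpgrade(host, now) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) {
        this.entries.delete(candidate); // expired policies are dropped
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
  clear() {
    this.entries.clear();
  }
  size() {
    return this.entries.size;
  }
}

// A profile with a persistent store for normal windows and a throwaway,
// unseeded store for each private session. Deleting cookies also wipes the
// persistent HSTS state, mirroring the Chrome behaviour the article relies on.
class BrowserProfile {
  constructor() {
    this.normal = new HstsStore();
    this.privateSession = null;
  }
  openPrivateWindow() {
    this.privateSession = new HstsStore(); // starts empty: nothing to fingerprint
    return this.privateSession;
  }
  closePrivateWindow() {
    this.privateSession = null;
  }
  deleteCookies() {
    this.normal.clear();
  }
  // Apply the stored policy to a URL the user is about to fetch.
  upgradeUrl(url, now, isPrivate = false) {
    const u = new URL(url);
    const store = isPrivate ? this.privateSession : this.normal;
    if (u.protocol === "http:" && store && store.shouldUpgrade(u.hostname, now)) {
      u.protocol = "https:";
    }
    return u.toString();
  }
}

// Walk through the article's John/SecureSite scenario (constructed values).
function demo() {
  const now = Date.now();
  const profile = new BrowserProfile();
  const policy = parseHstsHeader("max-age=31536000; includeSubDomains");
  profile.normal.observe("securesite.com", policy, now);
  const upgradedNormal = profile.upgradeUrl("http://www.securesite.com/", now);
  profile.openPrivateWindow();
  const privateFresh = profile.upgradeUrl("http://www.securesite.com/", now, true);
  profile.deleteCookies();
  const afterCookieClear = profile.upgradeUrl("http://www.securesite.com/", now);
  return { upgradedNormal, privateFresh, afterCookieClear };
}
```

Run `node` on the file and call `demo()`: the normal-window request is upgraded to HTTPS, the fresh private window has no stored policy and leaves the URL untouched, and after `deleteCookies()` the persistent store is empty as well, so nothing that was written into it survives to identify the browser.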
Windows 8 and Internet Explorer, especially version 11, have been growing steadily since their release. But that growth came to a halt in June, and it didn’t pick up in July, with Microsoft’s new operating system in fact declining ever so slightly. But one battle that’s been raging for years has quietly seen a big change: Android’s presence on the Web has passed iOS’s.
The big desktop mover in July was Chrome, which is now up past 20 percent usage share. It gained a substantial 1.03 points, making big gains for two months in a row. Internet Explorer and Firefox both lost out, dropping 0.37 and 0.46 points respectively. Safari and Opera were also slightly down, falling by 0.12 and 0.06 points.
Safari has been on a downward trajectory for the better part of a year, as Android is making its presence felt on the Web. While Android has been consistently outselling iOS, this hasn’t been well reflected in Web data, suggesting perhaps a different usage pattern among Android buyers. But all those sales count for something. Apple’s browser is down 1.24 points. Android Browser is also down, falling 0.81 points, but Chrome is up a whopping 1.36 points, and the cross-platform Opera Mini is also up, gaining 0.8 points. Mobile Internet Explorer reached a new high, too, gaining 0.49 points in July.
The mobile operating system share (not graphed) is closely aligned with these browser numbers. iOS sits at 44.19 percent, compared to Android’s 44.62 percent, marking the first time (according to Net Market Share, the provider of the data we use) that Google’s operating system has passed Apple’s. Windows Phone is also at a new high, at 2.49 percent.
Internet Explorer 11’s growth seems to be well and truly at an end. In June it saw a negligible 0.02 point decline, but in July it was a little more pronounced, dropping 0.23 points. Internet Explorer 8, however, was up 0.31 points. While it does look as if every Internet Explorer 10 user who wants to upgrade to 11 has indeed made that switch, the decline likely represents a shift in Windows usage: Internet Explorer 8 is the version that’s preinstalled in Windows 7, and the newest version that’s available in the obsolete, unsupported, and insecure Windows XP…
… and as we can see, Windows 7 ticked upwards in July, and Windows XP refuses to disappear. More alarmingly, Windows 8.1 was very marginally down, dropping 0.05 points, and Windows 8.0 fell 0.01 points. Windows 7 was up 0.67 points, in contrast. Windows XP fell 0.49 points, so still a long way to go before that magnet for malware is off the Internet.