Chrome

New Chrome Extension Uses Sound To Share URLs Between Devices 73

Posted by samzenpus
from the sound-of-malware dept.
itwbennett writes: Google Tone is an experimental feature that could be used to easily and instantly share browser pages, search results, videos and other pages among devices, according to Google Research. "The initial prototype used an efficient audio transmission scheme that sounded terrible, so we played it beyond the range of human hearing," researcher Alex Kauffmann and software engineer Boris Smus wrote in a post on the Google Research blog.
Encryption

'Logjam' Vulnerability Threatens Encrypted Connections 71

Posted by Soulskill
from the another-day-another-vulnerability dept.
An anonymous reader writes: A team of security researchers has revealed a new encryption vulnerability called 'Logjam,' which is the result of a flaw in the TLS protocol used to create encrypted connections. It affects servers supporting the Diffie-Hellman key exchange, and it's caused by export restrictions mandated by the U.S. government during the Clinton administration. "Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."

Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, "Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." Here is their full technical report (PDF).
Security

Microsoft Is Confident In Security of Edge Browser 133

Posted by timothy
from the way-out-there-man dept.
jones_supa writes: It's no secret that Internet Explorer has always been criticized for its poor security, so with the Edge web browser (previously known as Spartan), Microsoft is trying to tackle this problem more effectively and make sure that users consider it at least as good as Chrome and Firefox. In a blog post, Microsoft details the security enhancements available in Edge, pointing out that most of the changes it made to the new browser make it much more secure than Internet Explorer. There is more protection against trickery, app containers are used as the sandbox mechanism, and protection against memory corruption is better. Old, insecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit.
Google

Superfish Injects Ads In 1 In 25 Google Page Views 91

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes: A new report from Google has found that more than 5% of unique daily IP addresses accessing Google — tens of millions — are interrupted by ad-injection techniques, and that Superfish, responsible for a major controversy with Lenovo in February is the leading adware behind what is clearly now an industry. Amongst the report's recommendations to address the problem is the suggestion that browser makers "harden their environments against side-loading extensions or modifying the browser environment without user consent." Some of the most popular extensions for Chrome and Firefox, including ad-blockers, depend on this functionality.
Portables

Ask Slashdot: Most Chromebook-Like Unofficial ChromeOS Experience? 99

Posted by Soulskill
from the get-your-company-to-pay-for-it-wink-wink dept.
An anonymous reader writes: I am interested in Chromebooks, for the reasons that Google successfully pushes them: my carry-around laptops serve mostly as terminals, rather than CPU-heavy workhorses, and for the most part the whole reason I'm on my computer is to do something that requires a network connection anyhow. My email is Gmail, and without particularly endorsing any one element, I've moved a lot of things to online services like DropBox. (Some offline capabilities are nice, but since actual Chromebooks have been slowly gaining offline stuff, and theoretically will gain a lot more of that, soon, I no longer worry much about a machine being "useless" if the upstream connection happens to be broken or absent. It would just be useless in the same way my conventional desktop machine would be.) I have some decent but not high-end laptops (Core i3, 2GB-4GB of RAM) that I'd enjoy repurposing as Chromebooks without pedigree: they'd fall somewhat short of the high-end Pixel, but at no out-of-pocket expense for me unless I spring for some cheap SSDs, which I might.

So: how would you go about making a Chromebook-like laptop? Yes, I could just install any Linux distro, and then restrain myself from installing most apps other than a browser and a few utilities, but that's not quite the same; ChromeOS is nicely polished, and very pared down; it also seems to do well with low-memory systems (lots of the current models have just 2GB, which brings many Linux distros to a disk-swapping crawl), and starts up nicely quick.

It looks like the most "authentic" thing would be to dive into building Chromium OS (which looks like a fun hobby), but I'd like to find something more like Cr OS — only Cr OS hasn't been updated in quite a while. Perhaps some other browser-centric pared-down Linux would work as well. How would you build a system? And should I go ahead and order some low-end 16GB SSDs, which I now see from online vendors for less than $25?
Chrome

Chrome Passes 25% Market Share, IE and Firefox Slip 240

Posted by timothy
from the none-of-them-are-perfect dept.
An anonymous reader writes: In April 2015, we saw the naming of Microsoft Edge, the release of Chrome 42, and the first full month of Firefox 37 availability. Now we're learning that Google's browser has finally passed the 25 percent market share mark. Hit the link for some probably unnecessarily fine-grained statistics on recent browser trends. Have your browser habits shifted recently? Which browsers do you use most often?
Security

Researcher Bypasses Google Password Alert For Second Time 35

Posted by timothy
from the if-you-watch-everything-you-lose-perspective dept.
Trailrunner7 writes with this excerpt: A security researcher has developed a method–actually two methods–for defeating the new Chrome Password Alert extension that Google released earlier this week.

The Password Alert extension is designed to warn users when they're about to enter their Google passwords into a fraudulent site. The extension is meant as a defense against phishing attacks, which remain a serious threat to consumers despite more than a decade of research and warnings about the way the attacks work.

Just a day after Google released the extension, Paul Moore, a security consultant in the U.K., developed a method for bypassing the extension. The technique involved using Javascript to look on a given page for the warning screen that Password Alert shows users. The method Moore developed then simply blocks the screen, according to a report on Ars Technica. In an email, Moore said it took him about two minutes to develop that bypass, which Google fixed in short order.

However, Moore then began looking more closely at the code for the extension, and Chrome itself, and discovered another way to get around the extension. He said this one likely will be more difficult to repair.

"The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you've entered the correct password, Password Alert throws a warning advising the user to change their password," Moore said.
Google

Google Announces "Password Alert" To Protect Against Phishing Attacks 76

Posted by samzenpus
from the protect-ya-neck dept.
HughPickens.com writes: Google has announced Password Alert, a free, open-source Chrome extension that protects your Google Accounts from phishing attacks. Once you've installed it, Password Alert will show a warning if you type your Google password into a site that isn't a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice. Once you've installed and initialized Password Alert, Chrome will remember a "scrambled" version of your Google Account password. It only remembers this information for security purposes and doesn't share it with anyone. If you type your password into a site that isn't a Google sign-in page, an alert will tell you that you're at risk of being phished so you can update your password and protect yourself.
Patents

Microsoft Increases Android Patent Licensing Reach 103

Posted by Soulskill
from the if-you-can't-beat-'em,-bleed-'em dept.
BrianFagioli writes: Microsoft may not be winning in the mobile arena, but they're still making tons of money from those who are. Patent licensing agreements net the company billions each year from device makers like Samsung, Foxconn, and ZTE. Now, Microsoft has added another company to that list: Qisda Corp. They make a number of Android and Chrome-based devices under the Qisda brand and the BenQ brand, and now Microsoft will be making money off those, too.
Security

Chrome 43 Should Help Batten Down HTTPS Sites 70

Posted by timothy
from the yes-yes-we-know dept.
River Tam writes The next version of Chrome, Chrome 43, promises to take out some of the work website owners — such as news publishers — would have to do if they were to enable HTTPS. The feature might be helpful for publishers migrating legacy HTTP web content to HTTPS when that old content can't or is difficult to be modified. The issue crops up when a new HTTPS page includes a resource, like an image, from an HTTP URL. That insecure resource will cause Chrome to flag an 'mixed-content warning' in the form of a yellow triangle over the padlock.
Google

Google To Propose QUIC As IETF Standard 84

Posted by timothy
from the ok-now-do-it-this-way dept.
As reported by TechCrunch, "Google says it plans to propose HTTP2-over-QUIC to the IETF as a new Internet standard in the future," having disclosed a few days ago that about half of the traffic from Chrome browsers is using QUIC already. From the article: The name "QUIC" stands for Quick UDP Internet Connection. UDP's (and QUIC's) counterpart in the protocol world is basically TCP (which in combination with the Internet Protocol (IP) makes up the core communication language of the Internet). UDP is significantly more lightweight than TCP, but in return, it features far fewer error correction services than TCP. ... That's why UDP is great for gaming services. For these services, you want low overhead to reduce latency and if the server didn't receive your latest mouse movement, there's no need to spend a second or two to fix that because the action has already moved on. You wouldn't want to use it to request a website, though, because you couldn't guarantee that all the data would make it. With QUIC, Google aims to combine some of the best features of UDP and TCP with modern security tools.
Chrome

Chrome 42 Launches With Push Notifications 199

Posted by Soulskill
from the douglas-adams-edition dept.
An anonymous reader writes: Google today launched Chrome 42 for Windows, Mac, and Linux with new developer tools. Chrome 42 offers two new APIs (Push API and Notifications API) that together allow sites to send notifications to their users even after the given page is closed. While this can be quite an intrusive feature for a browser, Google promises the users have to first grant explicit permission before they receive such a message.
Google

Google Is Too Slow At Clearing Junkware From the Chrome Extension Store 45

Posted by timothy
from the imperfect-world dept.
Mark Wilson writes Malware is something computer users — and even mobile and tablet owners — are now more aware of than ever. That said, many people do not give a second thought to installing a browser extension to add new features to their most frequently used application. Despite the increased awareness, malware is not something a lot of web users think of in relation to extensions; but they should.

Since the beginning of 2015 — just over three months — Google has already received over 100,000 complaints from Chrome users about 'ad injectors' hidden in extensions. Security researchers have also discovered that a popular extension — Webpage Screenshot — includes code that could be used to send browsing history back to a remote server. Google is taking steps to clean up the extension store to try to prevent things like this happening, but security still needs to be tightened up.
Android

Visual Studio 2015 Can Target Linux; Android Apps Anywhere Chrome Can Run 96

Posted by timothy
from the then-you-win-maybe dept.
jones_supa writes Phoronix has noticed that the Visual Studio 2015 product page mentions that the new IDE can target Linux out of the box. Specifically the page says "Build for iOS, Android, Windows devices, Windows Server or Linux". What this actually means is not completely certain at this point, but it certainly laces nicely with the company opening up the .NET Framework. And speaking of cross-platform software: new submitter mccrew writes Google has released a tool that lets Android apps run on any machine that can run its Chrome browser. Called Arc Welder, the tool acts as a wrapper around Android apps so they can run on Windows, OS X and Linux machines. The software expands the places that Android apps can run and might make it easier for developers to get code working on different machines.
China

Chinese Certificate Authority CNNIC Is Dropped From Google Products 176

Posted by timothy
from the reject-your-reality-and-substitute-our-own dept.
eldavojohn writes A couple weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.
Google

Google Unveils the Chromebit: an HDMI Chromebook Dongle 50

Posted by Soulskill
from the still-waiting-on-hardware-called-chromedome dept.
An anonymous reader writes: Today Google unveiled a new device: the Chromebit. It's a small compute stick that contains the Rockchip 3288 processor, 2GB RAM, and 16GB of storage — much like a low-end Chromebook. It connects to a TV or monitor through an HDMI port. (It also has a USB port for power and plugging in peripherals.) Google says the Chromebit is their solution for turning any display into a computer, and it will cost under $100. Google also announced a couple of new Chromebooks as well. Haier and Hisense models will cost $150, and an ASUS model with a rotating display will cost $250.
Education

No Film At 11: the Case For the Less-Video-Is-More MOOC 87

Posted by Soulskill
from the better-learning-through-animated-GIFs dept.
theodp writes: In Why My MOOC is Not Built on Video, GWU's Lorena Barba explains why the Practical Numerical Methods with Python course she and colleagues put together has but one video: "Why didn't we have more video? The short answer is budget and time: making good-quality videos is expensive & making simple yet effective educational videos is time consuming, if not necessarily costly. #NumericalMOOC was created on-the-fly, with little budget. But here's my point: expensive, high-production-value videos are not necessary to achieve a quality learning experience." When the cost of producing an MOOC can exceed $100,000 per course, Barba suggests educators pay heed to Donald Bligh's 1971 observation that "dazzling presentations do not necessarily result in learning." So what would Barba do? "We designed the central learning experience [of #NumericalMOOC] around a set of IPython Notebooks," she explains, "and meaningful yet achievable mini-projects for students. I guarantee learning results to any student that fully engages with these!"
Chrome

Chrome OS Receives Extreme Makeover With Material Design and Google Now 112

Posted by samzenpus
from the latest-and-greatest dept.
MojoKid writes Late last week, Google quietly began inviting people to opt into the beta channel for ChromeOS to help the company "shape the future" of the OS. Some betas can be riskier than others, but Google says that opting into this one is just a "little risk", one that will pay off handsomely for those who crave new features. New in this version is Chrome Launcher 2.0, which gives you quick access to a number of common features, including the apps you use most often (examples are Hangouts, Calculator, and Files). Some apps have also received a fresh coat of paint, such as the file manager. Google notes that this is just the start, so there will be more updates rolling out to the beta OS as time goes on. Other key features available in this beta include the ability to extract pass protected Zip archives, as well as a perk for travelers. ChromeOS will now automatically detect your new timezone, and then update the time and date accordingly.
Classic Games (Games)

SuperMario 64 Coming To a Browser Near You! 97

Posted by samzenpus
from the play-time dept.
Billly Gates writes Since Unity has been given a liberal license and free for non commercial developers it has become popular. A computer science student Erik Roystan Ross used the tool to remake SuperMario 64 with a modern Unity 5 engine. There is a video here and if you want to play the link is here. You will need Firefox or Chrome which has HTML 5 for gamepad support if you do not want to use the keyboard. "I currently do not have any plans to develop this any further or to resolve any bugs, unless they're horrendously game-breaking and horrendously simple to fix," says Ross.
Internet Explorer

New Screenshots Detail Spartan Web Browser For Windows 10 Smartphones 62

Posted by timothy
from the evolution-continues dept.
MojoKid writes One of the most anticipated new features in Windows 10 is the Spartan web browser, which will replace the long-serving Internet Explorer. We've seen Spartan in action on the desktop/notebook front, but we're now getting a closer look at Spartan in action on the mobile side thanks to some newly leaked screenshots. Perhaps the biggest change with Spartan is the repositioning of the address bar from the bottom of the screen to the top (which is also in line with other mobile browsers like Safari and Chrome). The refresh button has also been moved from its right-hand position within the address bar to a new location to the left of the address bar. Reading Lists also make an appearance in this latest build of Spartan along with Microsoft's implementation of "Hubs" on Windows 10 for mobile devices.