"Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography," writes Chrome's technical program manager for security, Devon O'Brien.

"Continuing with our strategy for handling this major transition, we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success." As a step down this path, Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115. This hybrid mechanism combines the output of two cryptographic algorithms to create the session key used to encrypt the bulk of the TLS connection:

X25519 — an elliptic curve algorithm widely used for key agreement in TLS today
Kyber-768 — a quantum-resistant Key Encapsulation Method, and NIST's PQC winner for general encryption

In order to identify ecosystem incompatibilities with this change, we are rolling this out to Chrome and to Google servers, over both TCP and QUIC and monitoring for possible compatibility issues. Chrome may also use this updated key agreement when connecting to third-party server operators, such as Cloudflare, as they add support. If you are a developer or administrator experiencing an issue that you believe is caused by this change, please file a bug.
The Register delves into Chrome's reasons for implementing this now: "It's believed that quantum computers that can break modern classical cryptography won't arrive for 5, 10, possibly even 50 years from now, so why is it important to start protecting traffic today?" said O'Brien. "The answer is that certain uses of cryptography are vulnerable to a type of attack called Harvest Now, Decrypt Later, in which data is collected and stored today and later decrypted once cryptanalysis improves." O'Brien says that while symmetric encryption algorithms used to defend data traveling on networks are considered safe from quantum cryptanalysis, the way the keys get negotiated is not. By adding support for a hybrid KEM, Chrome should provide a stronger defense against future quantum attacks...

Rebecca Krauthamer, co-founder and chief product officer at QuSecure, told The Register in an email that while this technology sounds futuristic, it's useful and necessary today... [T]he arrival of capable quantum computers should not be thought of as a specific, looming date, but as something that will arrive without warning. "There was no press release when the team at Bletchley Park cracked the Enigma code, either," she said.

Google announced today that Chrome is now adopting weekly Stable channel updates in an effort to block major exploits quicker. 9to5Google reports: Google's browser gets major "milestone" updates every four (previously six) weeks, like going from version 100 to 101. In the past, Chrome would get a "Stable Refresh" update to "address security and other high impact bugs" in-between milestones every two weeks. This is now changing to occur weekly between milestones, starting with Google Chrome 116 on desktop and mobile, so that security updates get to end users much faster. Since Chromium is an open source project, "anyone can view the source code, submit changes for review, and see the changes made by anyone else, even security bug fixes." [...]

The current patch gap is around 15 days. It was previously 35 days before switching to patch updates every two weeks in 2020. Google expects weekly patch updates to result in security fixes shipping "3.5 days sooner on average, greatly reducing the already small window for n-day attackers to develop and use an exploit against potential victims and making their lives much more difficult." This new schedule will also result in fewer unplanned updates that occur when there are known in-the-wild exploits: "By now shipping stable updates weekly, we expect the number of unplanned updates to decrease since we'll be shipping updates more frequently."

Following two years of testing, The Browser Company's Arc is graduating from its waitlist phase, launching its version 1.0. Arc, the Mac and iOS browser, aims to redefine online interaction by incorporating tools for note-taking, collaboration, webpage personalisation, among others. The Verge adds: We've covered Arc a lot in recent months, both because it's a good browser and because it's a big new idea about how you use the internet. The Browser Company's ultimate plan is to build "the operating system for the internet." Arc isn't just a place to see webpages; it has tools for taking notes, making visual and collaborative easels with others, redesigning webpages to your liking, and more. (Personally, I love Arc's picture-in-picture mode above everything else, especially now that it works with Google Meet calls.) Arc 1.0 doesn't seem to come with any splashy new features. Rather, The Browser Company seems to just feel like it's ready to launch more widely. Arc has been pretty stable for me in recent months, though it does run into some of the same performance issues you'll find with any browser based on the Chromium engine -- you can always open a couple dozen tabs and watch your computer grind to a halt.

An anonymous reader quotes a report from MacRumors: The macOS Sonoma update that is in testing allows Mac owners who opt to use Google Chrome, Microsoft Edge, or another browser to use Apple's Password Manager for filling passwords. Developers and public beta testers running macOS Sonoma can use their iCloud Keychain passwords with non-Safari browsers at this time, autofilling passwords and one-time codes. Third-party browsers can also save new passwords.

Apple has made an iCloud Passwords Chrome extension available for macOS Sonoma users, and it can be downloaded and installed to access Apple passwords on the Chrome browser or any Chromium-based browser. Apple plans to release a similar extension for the Microsoft Edge browser in the near future. Google and other browser developers are also working on implementing support for Passkeys, the password alternative that Apple introduced last year.

An anonymous reader quotes a report from Gizmodo: Microsoft issued a Windows update that broke a Chrome feature, making it harder to change your default browser and annoying Chrome users with popups, Gizmodo has learned. An April Windows update borked a new button in Chrome -- the most popular browser in the world -- that let you change your default browser with a single click, but the worst was reserved for users on the enterprise version of Windows. For weeks, every time an enterprise user opened Chrome, the Windows default settings page would pop up. There was no way to make it stop unless you uninstalled the operating system update. It forced Google to disable the setting, which had made Chrome more convenient.

This petty chapter of the browser wars started in July 2022 when Google quietly rolled out a new button in Chrome for Windows. It would show up near the top of the screen and let you change your default browser in one click without pulling up your system settings. For eight months, it worked great. Then, in April, Microsoft issued Windows update KB5025221, and things got interesting. "Every time I open Chrome the default app settings of Windows will open. I've tried many ways to resolve this without luck," one IT administrator said on a Microsoft forum. A Reddit user noticed that the settings page also popped up any and every time you clicked on a link, but only if Chrome was your default browser. "It doesn't happen if we change the default browser to Edge," the user said. Others made similar complaints on Google support forums, some saying that entire organizations were having the issue. Users quickly realized the culprit was the operating system update.

For people on the regular consumer version of Windows, things weren't quite as bad; the one-click "Make Default" button just stopped working. Gizmodo was able to replicate the problem. In fact, we were able to circumvent the issue just by changing the name of the Chrome app on a Windows desktop. It seems that Microsoft threw up the roadblock specifically for Chrome, the main competitor to its Edge browser. [...] In response, Google had to disable its one-click default button; the issue stopped after it did. In other words, Microsoft seems to have gone out of its way to break a Chrome feature that made life easier for users. Google confirmed the details of this story, but declined to comment further.

"Earlier this week, Google released an emergency security update for the Chrome browser due to a vulnerability that is being actively exploited in the wild," reports Hot Hardware: On Friday, Google highlighted CVE-2023-2033, reported by Clément Lecigne of Google's own Threat Analysis Group (TAG). This vulnerability is a 'type confusion' bug in the JavaScript engine for Chromium browsers useing the V8 Javascript engine. In short, type confusion is a bug that allows memory to be accessed with the wrong type, allowing for the reading or writing of memory out of bounds. The CVE page says that an attacker could create an HTML page that allows the exploitation of heap corruption.

While there is no Common Vulnerability Scoring System (CVSS) score attached to the vulnerability yet, Google is tracking this as a "high" severity issue. This is likely due in part to the fact that "Google is aware that an exploit for CVE-2023-2033 exists in the wild."
The article notes that Chrome updates are generally done automatically, but you can also check for updates by clicking Chrome's three-dots menu in the top-right corner, then "Help" and "About Chrome."

"The fact remains that Google Chrome is the arbiter of web standards," argues FSF campaigns manager Greg Farough (while adding that Firefox, "through ethical distributions like GNU IceCat and Abrowser, can weaken that stranglehold.")

"Google's deprecation of the JPEG-XL image format in February in favor of its own patented AVIF format might not end the web in the grand scheme of things, but it does highlight, once again, the disturbing amount of control it has over the platform generally." Part of Google's official rationale for the deprecation is the following line: "There is not enough interest from the entire ecosystem to continue experimenting with JPEG-XL." Putting aside the problematic aspects of the term "ecosystem," let us remark that it's easy to gauge the response of the "entire ecosystem" when you yourself are by far the largest and most dangerous predator in said "ecosystem." In relation to Google's overwhelming power, the average web user might as well be a microbe. In supposedly gauging what the "ecosystem" wants, all Google is really doing is asking itself what Google wants...

While we can't link to Google's issue tracker directly because of another freedom issue — its use of nonfree JavaScript — we're told that the issue regarding JPEG-XL's removal is the second-most "starred" issue in the history of the Chromium project, the nominally free basis for the Google Chrome browser. Chromium users came out of the woodwork to plead with Google not to make this decision. It made it anyway, not bothering to respond to users' concerns. We're not sure what metric it's using to gauge the interest of the "entire ecosystem," but it seems users have given JPEG-XL a strong show of support. In turn, what users will be given is yet another facet of the web that Google itself controls: the AVIF format.

As the response to JPEG-XL's deprecation has shown, our rallying together and telling Google we want something isn't liable to get it to change its mind. It will keep on wanting what it wants: control; we'll keep on wanting what we want: freedom.

Only, the situation isn't hopeless. At the present moment, not even Google can stop us from creating the web communities that we want to see: pages that don't run huge chunks of malicious, nonfree code on our computers. We have the power to choose what we run or do not run in our browsers. Browsers like GNU IceCat (and extensions like LibreJS and JShelter> ) help with that. Google also can't prevent us from exploring networks beyond the web like Gemini. What our community can do is rally support behind those free browsers that choose to support JPEG-XL and similar formats, letting the big G know that even if we're smaller than it, we won't be bossed around.

An anonymous reader quotes Neowin: Google Project Zero is a security team responsible for discovering security flaws in Google's own products as well as software developed by other vendors. Following discovery, the issues are privately reported to vendors and they are given 90 days to fix the reported problems before they are disclosed publicly.... Now, the security team has reported several flaws in CentOS' kernel.

As detailed in the technical document here, Google Project Zero's security researcher Jann Horn learned that kernel fixes made to stable trees are not backported to many enterprise versions of Linux. To validate this hypothesis, Horn compared the CentOS Stream 9 kernel to the stable linux-5.15.y stable tree.... As expected, it turned out that several kernel fixes have not been made deployed in older, but supported versions of CentOS Stream/RHEL. Horn further noted that for this case, Project Zero is giving a 90-day deadline to release a fix, but in the future, it may allot even stricter deadlines for missing backports....

Red Hat accepted all three bugs reported by Horn and assigned them CVE numbers. However, the company failed to fix these issues in the allotted 90-day timeline, and as such, these vulnerabilities are being made public by Google Project Zero.
Horn is urging better patch scheduling so "an attacker who wants to quickly find a nice memory corruption bug in CentOS/RHEL can't just find such bugs in the delta between upstream stable and your kernel."

Mike Butcher writes via TechCrunch: SidekickWas it the pandemic? Did everyone follow too many ADHD TikTokers? Have smartphones fried our brains? Whatever the case, there is a boom in ADHD tech solutions, from online drug deliveries to web sites and apps. [...] Now there is a Sidekick, who's pitch is that it's a "productivity browser." Today it's launching a host of features geared to ADHD sufferers and the attention distracted more generally. The company claims users with ADHD noticed a "significant improvement" after using the browser. The Chromium-based browser was founded by Dmitry Pushkarev (a Stanford PhD in Molecular Biology, ex-Amazon exec and ADHDer).

So how does it work? To nullify distractions, the browser incorporates AdBlock 2.0; a Focus Mode Timer disables all sounds, badges and notifications for a selected time or indefinitely; a Task Manager organizes your day; and there's a built-in Pomodoro timer; it also claims to run 3x faster than Chrome, which, apparently, is important for ADHD sufferers. Suffice it to say, it has a number of other distraction-killing features; however, I'm not going to list them all here.

CEO and founder Dmitry Pushkarev said, in a statement, "Modern browsers are not designed for work, but for consuming web pages. This gap really hurts hundreds of millions of users. We are convinced that lowering web distraction reduces anxiety and increases the quality of people's work and the quality of their lives." He says the startup plans to make money via corporate subscribers, who will pay to get their ADHD-afflicted workers into a more productive mode.

Google has begun the process of bringing Chrome's full Blink browser engine to iOS against current App Store rules, and now we have our first look at the test browser in action. 9to5Google reports: In the weeks since the project was announced, Google (and Igalia, a major open source consultancy and frequent Chromium contributor) have been hard at work getting a simplified "content_shell" browser up and running in iOS and fixing issues along the way. As part of that bug fixing process, some developers have even shared screenshots of the minimal Blink-based browser running on an iPhone 12. In the images, we can see a few examples of Google Search working as expected, with no glaringly obvious issues in the site's appearance. Above the page contents, you can see a simple blue bar containing the address bar and typical browser controls like back, forward, and refresh.

With a significant bit of effort, we were able to build the prototype browser for ourselves and show other sites including 9to5Google running in Blink for iOS, through the Xcode Simulator. As an extra touch of detail, we now know what the three-dots button next to the address bar is for. It opens a menu with a "Begin tracing" button, to aid performance testing. From these work-in-progress screenshots, it seems clear that the Blink for iOS project is already making significant progress, but it's clearly a prototype not meant to be used like a full web browser. The next biggest step that Google has laid out is to ensure this version of Blink/Chromium for iOS passes all of the many tests that ensure all aspects of a browser are working correctly.

Nvidia is releasing new GPU drivers today that will upscale old blurry web videos on RTX 30- and 40-series cards. The Verge reports: RTX Video Super Resolution is a new AI upscaling technology from Nvidia that works inside Chrome or Edge to improve any video in a browser by sharpening the edges of objects and reducing video artifacts. Nvidia will support videos between 360p and 1440p up to 144Hz in frame rate and upscale all the way up to 4K resolution.

This impressive 4K upscaling has previously only been available on Nvidia's Shield TV, but recent advances to the Chromium engine have allowed Nvidia to bring this to its latest RTX 30- and 40-series cards. As this works on any web video, you could use it to upscale content from Twitch or even streaming apps like Netflix where you typically have to pay extra for 4K streams.

Valentine's Day saw Mozilla releasing version 110.0 of its Firefox browser. OMG Ubuntu highlights some of its new features: Firefox already supports importing bookmarks, history, and passwords from Microsoft Edge, Google Chrome, Chromium, and Safari but once you have the Firefox 110 update you can also import data from Opera, Opera GX, and Vivaldi too — which is handy.

Other changes in Firefox 110 include the ability to clear date, time, and datetime-local input fields using using ctrl + backspace and ctrl + delete on Linux (and Windows) — no, can't say I ever noticed I couldn't do that, either.

Additionally, Mozilla say GPU-accelerated Canvas2D is now enabled by default on Linux, and we can all expect to benefit from a miscellaneous clutch of WebGL performance improvements.

An anonymous reader shares a report: Internet Explorer 11 was never Windows 10's primary browser -- that would be the old, pre-Chromium version of Microsoft Edge. But IE did continue to ship with Windows 10 for compatibility reasons, and IE11 remained installed and accessible in most versions of Windows 10 even after security updates for the browser ended in June of 2022. That ends today, as Microsoft's support documentation says that a Microsoft Edge browser update will fully disable Internet Explorer in most versions of Windows 10, redirecting users to Edge.

Mozilla is planning for the day when Apple will no longer require its competitors to use the WebKit browser engine in iOS. From a report: Mozilla conducted similar experiments that never went anywhere years ago but in October 2022 posted an issue in the GitHub repository housing the code for the iOS version of Firefox that includes a reference to GeckoView, a wrapper for Firefox's Gecko rendering engine. Under the current Apple App Store Guidelines, iOS browser apps must use WebKit. So a Firefox build incorporating Gecko rather than WebKit currently cannot be distributed through the iOS App Store.

As we reported last week, Mozilla is not alone in anticipating an iOS App Store regime that tolerates browser competition. Google has begun work on a Blink-based version of Chrome for iOS. The major browser makers -- Apple, Google, and Mozilla -- each have their own browser rendering engines. Apple's Safari is based on WebKit; Google's Chrome and its open source Chromium foundation is based on Blink (forked from WebKit a decade ago); and Mozilla's Firefox is based on Gecko. Microsoft developed its own Trident rendering engine in the outdated Internet Explorer and a Trident fork called EdgeHTML in legacy versions of Edge but has relied on Blink since rebasing its Edge browser on Chromium code.

Long-time Slashdot reader destinyland writes: Someone made a Chromium fork... for your terminal. The terminal-based browser Carbonyl "adheres to, and is compatible with modern standards," writes MUO, "meaning that pages behave as they should, and you can even watch streaming video, within the Linux terminal!"

But best of all, "Pages connect and render in an instant—seemingly quicker than a desktop GUI browser, and every page we visited was rendered correctly."
From the article: There are a bunch of good reasons to browse the internet from the comfort of your terminal. It could be that eschewing the bloat of X.org and Wayland, a terminal is all you have. Maybe you like SSHing into remote machines and browsing the internet from there.

Perhaps you, like us, just really, really like terminals.

Whatever the reason, your choices of web browsers have, until recently, been limited, and your experience of the world wide web has been a janky, barely-functional one.... We tested Carbonyl in a range of Linux terminals, including the XFCE terminal. GNOME terminal, kitty, and the glorious Cool Retro Terminal. Carbonyl was smooth, fast, and flawless in all of them.

We even connected to our Raspberry Pi via SSH in CRT, and ran Carbonyl remotely, watching Taylor Swift music videos on YouTube. No problem.
And yes, you can use it to play DOOM.

Longtime Slashdot reader Dotnaught writes: "Google's Chromium developers have begun work on an experimental web browser for Apple's iOS using the search giant's Blink engine," reports The Register. "That's unexpected because the current version of Chrome for iOS uses Apple's WebKit rendering engine under the hood. Apple requires every iOS browser to use WebKit and its iOS App Store Review Guidelines state, 'Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript.'"

Google insists this is an experiment and isn't intended for release. But the stripped-down, Blink-based browser could be preparation for European competition rules that look like they will require Apple to stop requiring that other browser makers use its WebKit engine. "This is an experimental prototype that we are developing as part of an open source project with the goal to understand certain aspects of performance on iOS," said a Google spokesperson. "It will not be available to users and we'll continue to abide by Apple's policies."

An anonymous reader shares a report: Google and Microsoft don't always take pains to make sure their products work great together -- Google originally declared Microsoft's Chromium-based Edge browser "not supported" by the Google Drive web apps; Microsoft is always trying to make you use Bing -- but it looks like Google's ChromeOS will start working a bit better with the Microsoft 365 service later this year. Google says ChromeOS will add a "new integration" for Microsoft 365, making it easier to install the app and adding built-in support for OneDrive in ChromeOS' native Files app.

This should allow users to search for and access OneDrive files the same way they get to local files, or files stored in their Google Drive account. The integration will be added in "the coming months," and users in ChromeOS' dev and beta channels will be able to access it before it rolls out to all ChromeOS users later this year. ChromeOS users can currently access OneDrive and other Microsoft 365 services through their web interfaces or Android apps installed via the Google Play Store, but they don't integrate with the built-in ChromeOS Files app the way that Google Drive does. This integration will help close that gap for people who, for example, use Google products at home but Microsoft products at work or vice versa.

Google announced today that moving forward they will be allowing Rust code into the Chromium code-base, the open-source project that ultimately served as the basis for their Chrome web browser. Phoronix reports: Google is working to introduce a production Rust toolchain into their build system for Chromium and will be allowing Rust libraries for use within Chrome/Chromium. The timeframe for getting this all together is expected within the next year following a slow ramp. Google is backing Rust for Chromium to allow for simpler and safer code than "complex C++" overall, particularly around avoiding memory safety bugs. In turn using Rust should help speed-up development and improve overall security of the Chrome web browser. Initially they are focused on supporting interop in a single direction from C++ to Rust and for now will only be supporting third-party libraries for their Rust usage.

2022 was the year that Microsoft retired its Internet Explorer web browser (to concentrate on its Chromium-based Microsoft Edge browser).

Yet Ghacks reports that Internet Explorer "is still haunting some from its grave." Some websites and apps use code to determine the user agent. The user agent informs the site about several parameters, including the used web browser (engine) and operating system. When done correctly, it may reveal the used browser and that may then lead to a custom user experience.

When done incorrectly, it may lead to false identification; this is exactly what is happening on some sites currently regarding Internet Explorer user agent sniffing and the Firefox web browser. Some sites identify Firefox as Internet Explorer because of inaccurate user agent sniffing..
Internet Explorer 11's user agent ends by identifying its release version as rv:11.0, the article points out. So when a Firefox user visits a website using Firefox 110 (or any other version up to Firefox 119), "The site in question checks for rv:11 in the user agent [and] Firefox's rv:110 value is identified wrongly as Internet Explorer."

Instead of risking problems with functionality, compatibility, or other display issues for Firefox versions 110 through 119, Mozilla has "decided to freeze part of Firefox's version." Instead of echoing rv:110, rv:111 and so on up to rv:119, Firefox returns rv:109 instead. The end of the user agent string displays the actual version of Firefox still. Mozilla plans to restore the original user agent of Firefox with the release of Firefox 120. The organization plans to release Firefox 120 on November 21, 2023.

In June GitHub announced they'd retire their customizable text editor Atom on December 15th — so they could focus their development efforts on the IDEs Microsoft Visual Studio Code and GitHub Codespaces. "As new cloud-based tools have emerged and evolved over the years, Atom community involvement has declined significantly," according to a post on GitHub's blog.

So while "GitHub and our community have benefited tremendously from those who have filed issues, created extensions, fixed bugs, and built new features on Atom," this now means that:

- Atom package management will stop working
- No more security updates
- Teletype will no longer work
- Deprecated redirects that supported downloading Electron symbols and headers will no longer work
- Pre-built Atom binaries can continue to be downloaded from the atom repository releases

Fortunately, in 2014 GitHub open sourced the code for Atom. And according to It's FOSS News: A community build for it is already available; however, there seems to be a new version (Pulsar) that aims to bring feature parity with the original Atom and introduce modern features and updated architecture....

The reason why they made a separate fork is because of different goals for the projects. Pulsar wants to modernize everything to present a successor to Atom. Of course, the user interface is much of the same. Considering Pulsar hasn't had a stable release yet, the branding could sometimes seem all over the place. However, the essentials seem to be there with the documentation, packages, and features like the ability to install packages from Git repositories....

As of now, it is too soon to say if Pulsar will become something better than what the Atom community version offers. However, it is something that we can keep an eye on.... You can head to its official download page to get the package required for your system and test it out.
Like Atom, Pulsar is cross-platform support (supporting Linux, macOS, and Windows).