Google has released today Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users.
This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predicitive Phishing protections, a ban on loading HTTPS “mixed content,” support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism.
Let’s go over each of these new features in greater depth, one by one.
Built-in Password Checkup tool
Password Checkup is an online service through which Google takes all your Chrome-synced passwords and checks to see if any have leaked via breaches at other online services.
Until today, Password Checkup was only available as a separate Chrome extension or a section in the Google web dashboard.
Starting with Chrome 79, released today, the Password Checkup utility has been integrated into Chrome itself. To use it, Chrome users must sync their Chrome passwords to a Google account.
Image: ZDNet
Once enabled, the feature will let users know for what websites they’re using passwords that have been previously leaked online, and prompt the user to change them.
In a blog post published today, and shared with ZDNet, Google explained how this process works, in greater detail:
- Whenever Google discovers a username and password exposed by another company’s data breach, we store a strongly hashed and encrypted copy of the data on our servers with a secret key known only to Google.
- When you sign in to a website, Chrome will send a strongly hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy.
- In order to determine if your username and password appears in any breach, we use a technique called private set intersection with blinding that involves multiple layers of encryption. This allows us to compare your encrypted username and password with all of the encrypted breached usernames and passwords, without revealing your username and password, or revealing any information about any other users’ usernames and passwords. In order to make this computation more efficient, Chrome sends a 3-byte SHA256 hash prefix of your username to reduce the scale of the data joined from 4 billion records, down to 250 records while still ensuring your username remains anonymous.
- Only you discover if your username and password have been compromised. If they have been compromised, we strongly encourage you to change your password.
Real-time blacklisting of bad sites
For years, Chrome has featured a security setting known as the Safe Browsing API. Through this tool, Chrome downloads a list of known bad sites once every 30 minutes.
When a user visits a site, Chrome checks the URL against this list of known bad sites, which is stored locally inside all users’ browsers.
However, Google says that in recent months, threat actors have been changing sites and domains at a faster pace, taking advantage of this 30-minute delay.
Starting today, with the release of Chrome 79, Google says Chrome will get a new option in the “Sync and Google services” section that will allow users to enable the scanning of bad sites in real-time.
Image: ZDNet
The downside is that when this feature is enabled, Chrome will be sending the URLs you visit to Google’s (Safe Browsing) servers in real-time — an action that many might consider a privacy risk.
But Google says that users have nothing to fear, as all URLs will be anonymized. The company explains how this will work:
“When you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL anonymously with Google (after dropping any username or password embedded in the URL) to find out if you’re visiting a dangerous site. Our analysis has shown that this results in a 30% increase in protections by warning users on malicious sites that are brand new.”
In our test Chrome 79 install, this feature was enabled by default, a setting that some users or system administrators might want to turn off.
For Chrome enterprise installations, Google has prepared a group policy that will let administrators turn it on or off across an organization, depending on each company’s security policies.
Predictive phishing for everyone
Another cool security feature added in Chrome 79 is the general availability of Predictive Phishing.
Launched in 2017, Predictive Phishing warns users when they might be entering passwords on suspected phishing sites.
Initially, the feature only supported detecting phishing sites when entering Google account credentials, and only when users were using the Sync feature inside Chrome.
With Chrome 79, Predictive Phishing warnings will be available for all usernames and passwords stored inside Chrome’s password database, even if the user is using the Sync feature or not.
Warning for Google’s new predictive phishing protection
Warnings for HTTPS “mixed content”
Chrome 79 is also another great step for HTTPS support in Chrome. With this release, Google will slowly start to block “mixed content” on HTTPS sites.
We won’t go over the details again, but you can read what’s what in our previous coverage, here.
Tab freezing
Looking beyond security features, Chrome 79 is also shipping with a new feature called “tab freezing.”
This new feature works by unloading all tabs that have been inactive for more than five minutes. This frees up CPU and RAM system resources for other tabs or other locally-running apps.
This feature isn’t turned on by default, but you can visit the following URL and enable it if you need it.
chrome://flags/#proactive-tab-freeze
Image: ZDNet
New UI for the Chrome profile section
Chrome 79 also comes with a cosmetic change for the user profile drop-down section.
Google told ZDNet that all the changes implemented have been done so “you always know which profile you’re currently using” and “be sure you are saving your passwords to the right profile.”
“This is a visual update and won’t change your current Sync settings. We’ve also updated the look of the profile menu itself: it now allows for easier switching and clearly shows if you are signed in to Chrome or not,” Google said.
Image: ZDNet
Back-forward button caching
Another new Chrome experimental flag that was added to Chrome 79 is the “Back-forward cache” feature.
What this feature does is to create a special cache for the Back and Forward Chrome buttons. If the user goes back or forward in their browsing history, the page is loaded from this cache, rather than being loaded from scratch.
Chrome engineers created this feature to improve page loading time in Chrome, and users can enable it via:
chrome://flags/#back-forward-cache
Image: ZDNet
But we only touched on the most interesting changes. Users who’d like to learn more about the other new features added or removed from the Chrome 79 release can check out the following links:
Chrome security updates are detailed here.
Chromium open-source browser changes are detailed here.
Chrome developer tools updates are detailed here.
Chrome for Android updates are detailed here.
Chrome for iOS updates are detailed here.
Changes to Chrome V8 JavaScript engine are available here.
Credit: Zdnet
