Google taking new steps to prevent malicious Chrome extensions

Company plans stricter rules for developers, and greater control for users.

Article intro image

Google has announced plans to further restrict Chrome extensions in a bid to crack down on the number of malicious extensions found in the Chrome Web Store.

We've seen a spate of malicious extensions this year; the extensions do things like steal credentials and participate in click fraud schemes. The malicious extensions take advantage of the considerable access to Web pages that extensions have.

Google has already taken some steps to limit malicious extensions. Last year, a stricter multi-process model was applied to extensions to limit the impact of security flaws in the browser, and earlier this year Google deprecated the ability for extensions to offer installation from third-party websites (instead forcing all installations to go via the Chrome Web Store). This feature will be fully removed in Chrome 71 in December.

Read 5 remaining paragraphs | Comments

From July on, Chrome will brand plain old HTTP as “Not secure”

Enlarge (credit: Indigo girl)
As more and more websites offer access over encrypted HTTPS, Chrome will soon brand any site served up over plain, unencrypted HTTP as “Not secure.” Chrome 68, due for release in July, will start sticking the “Not secur…

Enlarge (credit: Indigo girl)

As more and more websites offer access over encrypted HTTPS, Chrome will soon brand any site served up over plain, unencrypted HTTP as "Not secure." Chrome 68, due for release in July, will start sticking the "Not secure" label in the address bar, as a counterpart to the "Secure" label and padlock icon that HTTPS sites get.

This is a continuation of a change made in January of last year where Chrome would brand HTTP sites with password forms as being "Not secure."

Google says that 81 of the top 100 sites on the Web default to HTTPS and that 68 percent of Chrome traffic on Android and Windows uses HTTPS. As such, non-secure HTTP is becoming the exception, not the rule, justifying the explicit call-out. While HTTPS once required expensive certificates, projects such as Let's Encrypt have made it easy to add HTTPS to just about any site at zero cost.

Read on Ars Technica | Comments

Firefox’s faster, slicker, slimmer Quantum edition now out

Firefox is fast now. (credit: Mozilla)
Mozilla is working on a major overhaul of its Firefox browser, and, with the general release of Firefox 57 today, has reached a major milestone. The version of the browser coming out today has a sleek new inter…

Firefox is fast now. (credit: Mozilla)

Mozilla is working on a major overhaul of its Firefox browser, and, with the general release of Firefox 57 today, has reached a major milestone. The version of the browser coming out today has a sleek new interface and, under the hood, major performance enhancements, with Mozilla claiming that it's as much as twice as fast as it was a year ago. Not only should it be faster to load and render pages, but its user interface should remain quick and responsive even under heavy load with hundreds of tabs.

Collectively, the performance work being done to modernize Firefox is called Project Quantum. We took a closer look at Quantum back when Firefox 57 hit the developer channel in September, but the short version is, Mozilla is rebuilding core parts of the browser, such as how it handles CSS stylesheets, how it draws pages on-screen, and how it uses the GPU.

This work is being motivated by a few things. First, the Web has changed since many parts of Firefox were initially designed and developed; pages are more dynamic in structure and applications are richer and more graphically intensive. JavaScript is also more complex and difficult to debug. Second, computers now have many cores and simultaneous threads, giving them much greater scope to work in parallel. And security remains a pressing concern, prompting the use of new techniques to protect against exploitation. Some of the rebuilt portions are even using Mozilla's new Rust programming language, which is designed to offer improved security compared to C++.

Read 1 remaining paragraphs | Comments

OpenOffice, after years of neglect, could shut down

As LibreOffice soars, OpenOffice management considers retiring the project.

The latest version of OpenOffice.

OpenOffice, once the premier open source alternative to Microsoft Office, could be shut down because there aren't enough developers to update the office suite. Project leaders are particularly worried about their ability to fix security problems.

An e-mail thread titled, "What would OpenOffice retirement involve?" was started yesterday by Dennis Hamilton, vice president of Apache OpenOffice, a volunteer position that reports to the Apache Software Foundation (ASF) board.

"It is my considered opinion that there is no ready supply of developers who have the capacity, capability, and will to supplement the roughly half-dozen volunteers holding the project together," Hamilton wrote.

Read 22 remaining paragraphs | Comments