Google backtracks—a bit—on controversial Chrome sign-in feature

Privacy-conscious users were unhappy at being signed in to browser without consent.


Google will partially revert a controversial change made in Chrome 69 that unified signing in to Google's online properties with signing in to Chrome itself, and that also preserved Google's cookies even when users chose to clear all cookies. Chrome 70, due in mid-October, will retain the unified sign-in by default, but it will allow those who want to opt out to do so.

Chrome has long had the ability to sign in with a Google account. Doing this offers a number of useful features; most significantly, signed-in users can enable syncing of their browser data between devices, so tabs open on one machine can be listed and opened on another, passwords saved in the browser can be retrieved online, and so on. This signing in uses a regular Google account, the same as would be used to sign in to Gmail or the Google search engine.

Prior to Chrome 69, signing in to the browser was independent of signing in to a Google online property. You could be signed in to Gmail, for example, but signed out of the browser to ensure that your browsing data never gets synced and stored in the cloud. Chrome 69 unified the two: signing in to Google on the Web would automatically sign you in to the browser, using the same account. Similarly, signing out of a Google property on the Web would sign you out of the browser.


Google wants to get rid of URLs but doesn’t know what to use instead

Their complexity makes them a security hazard; their ubiquity makes replacement nigh impossible.

Image caption: This is how Chrome 57 displays https://www.xn--80ak6aa92e.com/. Note the https://www.apple.com in the address bar.

Uniform Resource Locators (URLs), the online addresses that make up such an important part of the Web and browsers we use, are problematic things. Their complex structure is routinely exploited by bad actors who create phishing sites that superficially appear to be legitimate but are in fact malicious. Sometimes the tricks are as simple as creating a long domain name that's too wide to be shown in a mobile browser; other times, such as in the above picture, more nefarious techniques are used.

It's for this reason that a number of Chrome developers want to come up with something new. But what that new thing should be is harder to say.

Browsers are already taking a number of steps to try to tame URLs and make them less prone to malicious use. Chrome's use of "Not Secure" labels instead of showing the protocol name (http or https) replaces a piece of jargon with something that anyone can understand. Most browsers these days use color to distinguish the actual domain name (printed in black type) from the rest of the URL (printed in gray type); Apple's Safari goes a step further, with its address bar suppressing the entire URL except for the domain name, revealing the full text only when the address box is clicked. Microsoft's Edge (and before it, Internet Explorer) dropped support for URLs with embedded usernames and passwords, because their legitimate uses were overwhelmed by malicious ones.
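As an added example (not from the article or from any browser's code), this JavaScript check flags the URL features described above: userinfo before the host, Punycode (`xn--`) labels like the one in the image caption, hostnames too wide for a narrow address bar, and plain HTTP. The function name, the 40-character threshold and every sample URL except the captioned one are assumptions constructed for illustration.

```javascript
// Assumed display budget for a narrow (mobile) address bar; not a browser constant.
const MAX_HOST_LEN = 40;

// Returns { ok, host, findings } for one URL string (hypothetical helper).
function auditUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser: lowercases and normalizes the host
  } catch {
    return { ok: false, host: null, findings: ["unparseable"] };
  }
  const host = url.hostname;
  const findings = [];

  // Text before "@" is userinfo, not the site: the real host comes after it.
  if (url.username !== "" || url.password !== "") {
    findings.push("embedded-credentials");
  }
  // An "xn--" label is an internationalized name that a browser may render
  // in Unicode, where it can look identical to an ASCII brand name.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("punycode-label");
  }
  // A long hostname can push the registrable domain out of view.
  if (host.length > MAX_HOST_LEN) {
    findings.push("long-hostname");
  }
  // Plain HTTP is what Chrome labels "Not secure".
  if (url.protocol !== "https:") {
    findings.push("not-https");
  }
  return { ok: findings.length === 0, host, findings };
}

// Constructed samples; only the first URL appears in the article.
const SAMPLES = [
  "https://www.xn--80ak6aa92e.com/",
  "https://www.apple.com@example.test/login",
  "https://accounts.example.test.session-check.constructed-long-name.invalid/",
  "http://example.test/form",
  "https://example.test/",
];

function auditAll(urls) {
  return urls.map((u) => ({ url: u, ...auditUrl(u) }));
}

console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

The check only surfaces URLs worth a closer look; deciding whether a Punycode name is actually confusable requires decoding it and comparing scripts, which this sketch does not attempt.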


As the Web moves toward HTTPS by default, Chrome will remove “secure” indicator


Back in February, Google announced its plans to label all sites accessed over regular unencrypted HTTP as "not secure," starting in July. Today, the company described the next change it will make to its browser: in September, Google will stop marking HTTPS sites as secure.

Before and after representation of the removed "Secure" label. (credit: Google)

The background to this change is the Web's gradual migration to the use of HTTPS rather than HTTP. With an ever-growing fraction of the Web being served over secure HTTPS—something now easy to do at zero cost thanks to the Let's Encrypt initiative—Google is anticipating a world where HTTPS is the default. In this world, only the occasional unsafe site should have its URL highlighted, not the boring and humdrum secure site.

Type data into the form and the "Not secure" message goes from gray to red. (credit: Google)

Most HTTP sites will get a regular gray "Not secure" label in their address bar. If the page has user input, however, that gray label will become red, indicating the particular risk the page represents: Web forms served up over HTTP could send their contents anywhere, making them risky places to type passwords or credit card numbers.
