Latest Google Chrome version puts premium on security — Schooley Mitchell Telecom Consultants

Latest Google Chrome version puts premium on security

by Leonor Albino, Schooley Mitchell on February 2, 2010 · 0 comments

in security

Google Chrome is implementing five new security enhancements in version 4.0 in a bid to boost its stake as a force to reckon with in the browser arena.

Adam Barth, a software engineer working on Google Chrome, revealed the following security features aimed at helping developers secure websites:

Strict-Transport Security

This feature ensures that Chrome accesses a website only over HTTPS and treats all errors as hard stops. Barth says the Strict-Transport Security feature allows Chrome to defend itself against malicious attacks from people who control the network. It's already in Google Chrome 4 and in Firefox's security add-on, NoScript. Some websites like PayPal have already started using this feature.

Cross-Origin Communication with postMessage

The postMessage API lets gadgets embedded in web pages interact richly with other page code, with greater security than before. Other browsers like Firefox, Internet Explorer, Opera and Safari also support this feature.

ClickJacking Protection with X-Frame-Options

X-Frame-Options allows websites to defend themselves against clickjacking, a process attackers use to trick users into clicking a transparent or invisible button which leads them to a malicious website. By including the X-Frame-Options: deny HTTP header, the web developer is able to thwart attackers' attempts to conceal malicious links.

CSRF Protection via Origin Header

The Origin header, a new HTML5 feature, protects websites from CSRF (cross-site request forgery) attacks. This type of attack involves stealing data from one website by another. The Origin header identifies which website generated the HTTP request. Barth said specifications for the Origin header are still being finalized.
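The three header-based defences described above (Strict-Transport-Security, X-Frame-Options and the Origin header), seen from the server side, as an added example that is not code from the article or from Google. The trusted origin, the function names, the one-year max-age, the choice to reject requests that lack an Origin header, and the sample requests are all assumptions made for illustration.

```javascript
// Added example, not code from the article or from Chrome.
// TRUSTED_ORIGINS, the function names and the sample requests are assumptions.
const TRUSTED_ORIGINS = new Set(["https://shop.example"]); // constructed value
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Headers the site adds to every response.
function securityHeaders(isHttps) {
  // deny: the browser refuses to render this page inside any frame.
  const headers = { "X-Frame-Options": "deny" };
  // Browsers ignore Strict-Transport-Security on plain HTTP responses,
  // so it is sent over HTTPS only. max-age is in seconds (one year here).
  if (isHttps) headers["Strict-Transport-Security"] = "max-age=31536000";
  return headers;
}

// CSRF check: a state-changing request must carry an Origin that exactly
// matches a trusted origin. Substring or prefix matching would accept
// look-alikes such as https://shop.example.attacker.test.
function originAllowed(method, reqHeaders) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const origin = reqHeaders["origin"]; // Node lower-cases header names
  // Policy assumption: requests without an Origin header are rejected.
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Combine both: returns the status code and headers the server would send.
function handle(req) {
  const headers = securityHeaders(req.isHttps);
  const status = originAllowed(req.method, req.headers) ? 200 : 403;
  return { status, headers };
}

// Constructed sample requests.
const samples = [
  { method: "GET", isHttps: true, headers: {} },
  { method: "POST", isHttps: true, headers: { origin: "https://shop.example" } },
  { method: "POST", isHttps: true, headers: { origin: "https://shop.example.attacker.test" } },
  { method: "POST", isHttps: true, headers: {} },
];
for (const req of samples) {
  console.log(req.method, req.headers.origin || "(no Origin)", "->", handle(req).status);
}
```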

Reflective XSS Protection

This feature helps webmasters ward off XSS (cross-site scripting) attacks. An XSS attack happens when an attacker harvests users' private data by using malicious scripts. Barth said they added this feature to Google Chrome 4 as protection against one form of XSS called reflective XSS. The XSS filter checks scripts before they are run on a page, preventing an attack. Barth said they are looking into improving the XSS filters in subsequent Google Chrome releases.

Google Chrome was first made available for download as a beta version for Microsoft Windows on September 2, 2008. Its speed, unique interface and features like crash control and incognito surfing quickly won over many users.

Chrome 2.0 was released in May 2009 amidst rave reviews for its stability and increased speed. In September of the same year, an even faster version 3.0 with HTML5 capabilities was made available to the public.

Google Chrome 4.0 was released on January 25 after months of gathering user feedback and adding enhancements. The newest Chrome version boasts such additions as extension support, improved developer tools and HTML5 support, and bookmark sync, among others.

While initial reviews of Google Chrome were mostly positive, researchers soon found certain vulnerabilities in the browser.
