Greetings,
The first quarter of 2022 was a busy one for Chrome Security, as you can read below. This was all in addition to our evergreen role providing security review, consulting, and support to teams across Chrome. If you'd like to be part of this fantastic team, Chrome is hiring for security positions! See goo.gl/chrome/hiring for more details.
We collaborated with the Google Accounts team to launch an integration that will help users opt-in to Chrome’s Enhanced Safe Browsing protection via a similar setting for their Google account.
We’ve almost completed the implementation for the initial version of a redesigned downloads experience, and will soon run an experiment with it on Chrome 102. To stop the spread of malware through macros embedded in Microsoft Office documents, we fully launched the parsing of downloaded Office documents in Chrome 97 to identify whether they contain macros and include this information when contacting Safe Browsing to determine if they’re unsafe.
Two extension-telemetry signals are active on Chrome early channels, feeding client-side data to Safe Browsing to suss out suspicious extensions.
We also completed the launch of a new TfLite-based client-side phishing detection model on desktop platforms in Chrome 97, which showed 2.5x as many warnings as the previous model.
This quarter we launched a major new Certificate Transparency policy that removes Google from the critical path of global HTTPS certificate issuance, made possible in part by expanding our SCT Auditing efforts. This quarter also saw CT enforcement and protections coming to Android, vastly expanding the number of users protected by CT.
In preparation for the upcoming rollout of our own Chrome Root Store, we've also been developing several major policies and processes for interacting with certificate authorities, and the engineering to deliver root certificates to Chrome out-of-band. This enables Chrome to directly validate site certificates, rather than relying on each operating system’s verification.
Following last quarter's investments in better infrastructure for handling lookalike warnings appeals, and this quarter's work on safer rollout mechanisms, we are rolling out a new heuristic to detect additional lookalike domains and prepping for an intern on the project starting in Q2. Our initial implementation of TLS ECH is also now nearly code complete, with only polish work remaining.
We made great progress on our Rust-in-Chromium experiments. Rust would have security, productivity and performance benefits over C++, but we don’t yet know if we can ergonomically mix it with C++ in Chromium. This quarter, we landed a Rust JSON parser, achieving some compile-time safety while wrapping existing C++ APIs. We also landed support for a C++ -> Rust bindings generator called autocxx. In the next quarter we’ll be using that, plus another tool called crubit, to build some ambitious demos.
Work continues on sandboxing the network service across Windows, Android, and Linux/CrOS. We are making good progress on brokering or servicifying the numerous network stack subsystems that do not work within the confines of a sandbox. On Windows, we also successfully landed CFG and investigated sandbox improvements. On Mac, we experimented with Apéritif, but hit roll-out issues on older macOS versions.
We’re on track for a new attempt at preflight warnings for Private Network Access requests in Chrome 102. IoT developers reported that Web Transport was insufficient as the only workaround to the PNA secure context restriction, so we’re looking at a permission-based alternative and are seeking feedback on it. The initial attempt was rolled back due to various bugs, in particular one affecting partially-cached range requests.
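As an added illustration of the preflight mentioned above (example code, not Chrome's or any project's own; the origin allow-list and function name are constructed assumptions): the device-side handler that answers a Private Network Access preflight, opting in only when the browser asks and the requesting origin is trusted.

```javascript
// Added example, not Chrome code. Before a public page fetches from a
// private-address device, Chrome sends a CORS preflight carrying
// "Access-Control-Request-Private-Network: true"; the device opts in by
// answering "Access-Control-Allow-Private-Network: true". Everything else here
// (allow-list, function name, status choices) is an assumption for illustration.
const ALLOWED_ORIGINS = new Set(["https://dashboard.example"]); // constructed allow-list

// Build the preflight response for a request given its method and headers.
// Returns {status, headers}. Header names are matched case-insensitively.
// A non-OPTIONS request, a missing Origin, or an unknown Origin gets no
// allow headers at all, so the browser blocks the real request.
function pnaPreflightResponse(method, reqHeaders) {
  const h = Object.fromEntries(
    Object.entries(reqHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const origin = h["origin"];
  if (method !== "OPTIONS" || !origin) return { status: 400, headers: {} };
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET",
    "Vary": "Origin",
  };
  // Grant private-network access only when the browser explicitly asks for it;
  // an ordinary CORS preflight gets an ordinary CORS answer.
  if (h["access-control-request-private-network"] === "true") {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers };
}
```

To serve it, call `pnaPreflightResponse(req.method, req.headers)` inside an `http.createServer` callback and write the returned status and headers for OPTIONS requests.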
We created a specification for anonymous iframe and are nearing code completion. Origin Trial is expected for Chrome 106. This resolves a common difficulty: embedding arbitrary third-party iframes inside a crossOriginIsolated page.
We have made progress towards a decision on a new COOP policy (restrict-properties), to solve the crossOriginIsolation + popups integration.
On continued progress towards safer defaults, we shipped warnings for document.domain usage without opt-in, to prepare for eventual deprecation. And Chrome 103 saw us block sandboxed iframes from opening external applications.
In Web Platform memory safety news, we implemented a C++ dangling pointer detector. We are now working on fixing all the occurrences, and refactoring Chrome to use safer memory ownership patterns.
In Q1, the Security Architecture team continued several projects to improve Site Isolation and related defenses, including implementation work for <webview> tag Site Isolation, Site Isolation for sandboxed iframes, and the first steps towards ORB as a replacement for CORB. We worked on other security fixes for a series of use-after-free bugs involving RenderFrameHost, as well as safer ways to handle renderer process termination. We also made progress on SiteInstanceGroups, stricter enforcements for extensions and citadel checks, and Origin-Agent-Cluster by default.
Until next time,
Andrew
On behalf of Chrome Security