Chrome security setting

[Dave Smolinski]

Hi,

While I will not be at the Geek Meeting on Monday, do to a schedule Echo test, I thought this article is interesting to talk about.  It will make Chrome a little more safer, at the expensive of a little performance hit (maybe none at all).  I enable it and I let you know how it goes.

Last time I went for my Echo test, the doctor asked me how is my bucket list going

------------------------------------

Edge’s Super-Duper Secure Mode moves into Chrome.  We talked about this three years ago in 2021. And I loved the name. How could anyone not love something called “Super-Duper Secure Mode”?? The surprise was that it came from stodgy old Microsoft – the IBM of the PC industry. Back then, Johnathan Norman, who was leading Edge's Vulnerability Research team at the time, explained that an important performance-vs-security trade-off existed because more than half of all past Chrome/Chromium engine 0-days exploited in the wild were issues related to the Just In Time (JIT) compiler. What he and Microsoft were proposing for Edge was that with computers having grown so much more powerful than once upon a time with Just In Time compilation was added for performance, that extra edge in performance today was much less important that having an extra edge in security... and that the most obvious way to increase security was to turn off Just In Time code compilation. Super Duper Secure Mode does just that. The idea proved to be a total success and it eventually went from being an experiment to being incorporated into Edge.

 Sadly, however, in the process, Microsoft stodginess won out, as it was bound to, so “Super Duper Secure Mode” became “Enhanced Security Mode” which is much less fun. So last week, with the release of Chrome 122, the Chrome browser inherited the result of Microsoft’s pioneering. 

If you put the address: chrome://settings/content/v8 into Chrome’s URL bar, you’ll be taken to a page titled: V8 Optimizer: I tried searching at the top level of settings for “V8 Optimizer”, but that didn’t get me there. Security Now! #963 5 This page allows you to flip the default from “Sites can use the V8 optimizer” to “Don’t allow sites to use the V8 optimizer”. My advice to Chrome users would be to give it a try and see whether you notice any difference. My guess is that for most sites, the probably minor difference in performance would be masked by the site’s own performance and network overhead. If that’s not the case, that page also allows for per-site overrides. So you could disable the use of the faster but more risky V8 JIT compiler unless a site really does benefit from having it, in which case that site could be white-listed to use V8. I should note that Chrome 122 has also added some experimental AI features. If you click the three dots in the upper right, and choose “Settings” at the bottom of the drop-down menu. Over on the left about 1.3rd of the way down you’ll find “Experimental AI”. If you flip the switch, which is off by default, to “On”, the box expands to show “Help me write”, “Tab organizer” and “Create themes with AI”: Each of those can be individually enabled. For me they were all initially enabled after I flipped the master switch. Since Firefox is my default browser I needed to fire up Chrome to check this out. So I cannot comment on the effectiveness of these new features for Chrome users.