Google has taken a significant step towards enhancing Chrome internet security by automatically upgrading insecure HTTP requests to HTTPS requests for 100% of users. A limited rollout of this feature in Google Chrome began in July, but as of October 16th, Google has now rolled it out to all users on the Stable channel.

"We enabled HTTPS-Upgrades by default on trunk last week, and are currently rolling out to 100% Stable," reads an update from Google Engineering Program Management Leader Chris Thompson.

HTTPS-Upgrades is a Google Chrome feature that automatically upgrades all main-frame navigations to HTTPS, the secure version of the HyperText Transfer Protocol, while ensuring a quick fallback to HTTP if needed.

Historically, browsers often made insecure HTTP requests to sites that were capable of supporting HTTPS. Whether because users click on old links or because site content has not been updated to use the secure protocol, connections over plain HTTP are not encrypted and can be snooped on to steal credentials or other sensitive data. In each case, users' privacy and security are compromised through unnecessary insecure connections.

Existing methods to enforce HTTPS, such as the HSTS preload list or manually curated upgrade lists, have limitations. Maintaining an up-to-date list of HTTPS-capable sites is challenging and bandwidth-intensive, and the information often reaches users already out of date.

Google is fixing security issues with HTTPS-Upgrades.

With this update, Chrome aims to automatically upgrade in-page HTTP links to HTTPS, with a swift fallback to HTTP if required. The browser may also respect an opt-out header, allowing web servers that serve different content on HTTP and HTTPS to prevent auto-upgrades. This behavior will necessitate modifications to the Fetch specification, particularly concerning the upgrade of main-frame navigation requests and the handling of network errors in upgraded requests.
While this automatic upgrade doesn't prevent downgrades, it offers no less security than the current norm. It limits exposure to passive attackers, although active attackers could hinder the upgrade process. Importantly, this change might reduce developers' motivation to fix HTTP references.
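The upgrade-then-fall-back behavior described above, and why it does not stop downgrades, can be modelled in a few lines. This is an added example, not Chrome's code; the network, the host names and the HSTS set are constructed, and it assumes that only a network error on the upgraded request triggers the HTTP retry (an HTTPS response of any status is kept) and that an HSTS host is never retried over HTTP.

```python
# Model of the HTTPS-Upgrades decision described above: an http:// main-frame navigation
# is rewritten to https:// and retried over plain HTTP only if the upgraded request fails
# with a network error. Assumed, not stated in the article: an HTTP response of any status
# over HTTPS is kept, and hosts on the HSTS list are never retried over HTTP.
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

class NetworkError(Exception):
    """Connection refused, TLS failure, timeout: no HTTP response was received at all."""

@dataclass
class Response:
    url: str
    status: int

# Constructed stand-in for the HSTS preload list; these hosts must never downgrade.
HSTS_HOSTS = {"bank.example"}

def upgrade_navigation(url: str, fetch: Callable[[str], Response]) -> Optional[Response]:
    """Load a navigation with auto-upgrade; None means nothing could be loaded.
    `fetch` is injected so the decision logic runs offline against a fake network."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return fetch(url)  # https:// and other schemes are left untouched
    try:
        return fetch(urlunsplit(parts._replace(scheme="https")))  # the upgraded request
    except NetworkError:
        if parts.hostname in HSTS_HOSTS:
            return None  # HSTS forbids plaintext: fail closed rather than fall back
        try:
            return fetch(url)  # quick fallback to the original HTTP URL
        except NetworkError:
            return None

def fake_fetch(url: str) -> Response:
    """Constructed network: which (scheme, host) pairs answer, and with what status."""
    answers = {
        ("https", "modern.example"): 200,  # supports HTTPS: the upgrade sticks
        ("http", "legacy.example"): 200,   # HTTP-only host: https:// refused, so fall back
        ("https", "broken.example"): 500,  # HTTPS answers with an error status: no fallback
        ("http", "broken.example"): 200,
        ("http", "bank.example"): 200,     # HSTS host whose port 443 is blocked: fail, do not downgrade
    }
    parts = urlsplit(url)
    status = answers.get((parts.scheme, parts.hostname))
    if status is None:
        raise NetworkError(url)
    return Response(url, status)
```

The `legacy.example` case is the downgrade the article refers to: an on-path party that makes the HTTPS connection fail with a network error gets the navigation retried in plaintext, whereas `bank.example` shows that an HSTS entry closes that path by failing instead.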
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000