SilverSlimer July 13th 18 11:26 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
On 2018-07-12 05:37 PM, Anonymous wrote:
> (Don't worry, google is concerned for our privacy.)
>
> https://www.bleepingcomputer.com/news/security/google-enables-site-isolation-feature-for-99-percent-of-chrome-desktop-users/

To be honest, it seems like a good idea security-wise.


--
SilverSlimer
Highly recommended: https://kek.gg/u/Tyrm

Anonymous July 14th 18 03:20 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
on 7/13/2018, SilverSlimer supposed :
> On 2018-07-12 05:37 PM, Anonymous wrote:
>> (Don't worry, google is concerned for our privacy.)
>>
>> https://www.bleepingcomputer.com/news/security/google-enables-site-isolation-feature-for-99-percent-of-chrome-desktop-users/
>
> To be honest, it seems like a good idea security-wise.

I will never trust google to not be somehow spying on us. Anything
produced by google/amazon/facebook that is supposed to be protecting
us, even if it is legitimate, is always going to be just a disingenuous
sop to mask their underlying goal to assuage us into trusting them
and to get us to continue to use their spyware.

Wouter Verhelst July 14th 18 05:02 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
On 14-07-18 16:20, Anonymous wrote:
> on 7/13/2018, SilverSlimer supposed :
>> On 2018-07-12 05:37 PM, Anonymous wrote:
>>> (Don't worry, google is concerned for our privacy.)
>>>
>>> https://www.bleepingcomputer.com/news/security/google-enables-site-isolation-feature-for-99-percent-of-chrome-desktop-users/
>>
>> To be honest, it seems like a good idea security-wise.
>
> I will never trust google to not be somehow spying on us.

That is indeed their business model, yes.

> Anything
> produced by google/amazon/facebook that is supposed to be protecting us,
> even if it is legitimate, is always going to be just a disingenuous sop


I don't think that's correct though.

Yes, Google's business model is "gather as much data as possible on
everyone on this planet". They do not care about your privacy; they'd
rather you didn't either (indeed, that is why I don't use many of their
products, though I do need the phone).

However, they *do* genuinely care about computer security. This site
isolation feature of theirs is something that I think is a good idea in
the face of spectre and meltdown (and friends), and I hope that other
browsers will follow suit (I suspect firefox will, not so sure about others).

That doesn't mean I'll use chrome, though :)

ayruehfnmduh July 14th 18 10:27 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
Anonymous Wrote in message:
> I will never trust google to not be somehow spying on us. Anything
> produced by google/amazon/facebook that is supposed to be protecting
> us, even if it is legitimate, is always going to be just a disingenuous
> sop to mask their underlying goal to assuage us into trusting them
> and to get us to continue to use their spyware.


Warning! Warning! Warning! This post was generated on a device
using the Chrome OS. Oh damn, did you open it? Now you're
screwed... 8-O
--

Anonymous July 15th 18 04:07 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
Nomen Nescio submitted this idea :
> In article
> SilverSlimer wrote:
>
>> On 2018-07-12 05:37 PM, Anonymous wrote:
>>> (Don't worry, google is concerned for our privacy.)
>>>
>>> https://www.bleepingcomputer.com/news/security/google-enables-site-isolation-feature-for-99-percent-of-chrome-desktop-users/
>>
>> To be honest, it seems like a good idea security-wise.
>
> Ditto.
>
> I use google products and services, but I do not use them for
> anything that is not already public record.

Like your entire life already! :)

Mayayana July 15th 18 04:43 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
"Wouter Verhelst" wrote

| However, they *do* genuinely care about computer security. This site
| isolation feature of theirs is something that I think is a good idea in
| the face of spectre and meltdown (and friends), and I hope that other
| browsers will follow suit (I suspect firefox will, not so sure about others)
|

Sounds fine, but it uses more RAM. (+10-13%
according to Google.
https://security.googleblog.com/2018...isolation.html )

And how much value does it actually have? What's
the real risk of an attacker getting same-process
(or cross-process) exploitable data from a separate
loaded webpage? Especially if you don't keep numerous
windows/tabs open when you enter a credit card
number online.

Then compare that to a typical webpage where
within that one process are connections to numerous,
shady 3rd parties. Acme.com is not usually the problem.
Rather, the problem is likely to be cross-site scripting
or malicious attacks done through buying ads on the
acme.com page you're visiting. That kind of direct attack
is a far greater risk than malware coming through acme.com
that manages to fish your credit card number out of RAM.
(And even more mitigated for those of us using AMD.)
With something like an ad-based attack someone can
read your credit card number from within that page and
process.

Anyone who cares at all about security (not
to mention privacy) should at least be limiting
script as much as possible and blocking ad servers
in their HOSTS file, as well as blocking 3rd-parties
where possible. The fears of spectre, meltdown
and shared memory exploits in general have been
grossly overdone. It's like worrying that someone
walking by your house might use a telescope to read
your bankbook in a mirror on your wall, while you've
left your front door ajar.

Then of course there's the fact that most attacks
are carried out by even more pedestrian methods.
I read the other day that the hacking of Hillary Clinton's
email was accomplished, at least in part, by the kind
of thing that any office worker should know to look
out for: attachments with names like
clinton-campaign.xlsx.com.
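
The attachment-name pattern mentioned in the post above (a document-looking name that ends in an executable extension) can be checked for mechanically. This is an added example, not part of any post in the thread; the extension lists and the names `classify_attachment` and `scan` are assumptions chosen for illustration.

```python
# Assumed lists for illustration; a real mail gateway maintains its own.
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd", "js", "vbs", "lnk"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "png"}


def classify_attachment(filename):
    """Return 'deceptive-double-extension', 'executable' or 'not-flagged'."""
    # The Win32 API strips trailing dots and spaces from file names,
    # so remove them before looking at the final extension.
    name = filename.strip().rstrip(". ").lower()
    # Split on dots and strip padding spaces, which are sometimes used to
    # push the real extension out of view in a narrow attachment column.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "not-flagged"
    # A document-type component before the final extension is the lure.
    if any(p in DOCUMENT_EXTS for p in parts[1:-1]):
        return "deceptive-double-extension"
    return "executable"


# Constructed sample names; the first is the one quoted in the post.
SAMPLES = [
    "clinton-campaign.xlsx.com",
    "report.xlsx",
    "setup.exe",
    "invoice.pdf          .exe",
    "photo.jpg.scr. ",
    "notes.v2.txt",
]


def scan(names):
    """Map each attachment name to its classification."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:28} {name!r}")
```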




Anonymous July 15th 18 06:02 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
> I read the other day that the hacking of Hillary Clinton's
> email was accomplished, at least in part, by the kind
> of thing that any office worker should know to look
> out for: attachments with names like
> clinton-campaign.xlsx.com.


You also need to remember that this woman is so full of herself that
she is going to automatically click on anything that contains her name.

Mayayana July 15th 18 06:24 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
"Anonymous" wrote

| clinton-campaign.xlsx.com.
|
| You also need to remember that this woman is so full of herself that
| she is going to automatically click on anything that contains her name.

Hillary Clinton? I very much doubt that she
actually clicked on anything. She has staff
for that. And I guess the staff should have
had IT people.



The Natural Philosopher[_2_] July 15th 18 06:41 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
On 15/07/18 18:24, Mayayana wrote:
> "Anonymous" wrote
>
> | clinton-campaign.xlsx.com.
> |
> | You also need to remember that this woman is so full of herself that
> | she is going to automatically click on anything that contains her name.
>
> Hillary Clinton? I very much doubt that she
> actually clicked on anything. She has staff
> for that. And I guess the staff should have
> had IT people.


Ah the Clitorall Hinny!

What will we do without that chalk scraping on blackboard voice, and her
high opinion of Democrat voters?

https://vps.templar.co.uk/Cartoons%2...all_hinny.jpeg



--
The lifetime of any political organisation is about three years before
it's been subverted by the people it tried to warn you about.

Anon.

Anonymous July 15th 18 09:22 PM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
The Natural Philosopher brought next idea :
> On 15/07/18 18:24, Mayayana wrote:
>> "Anonymous" wrote
>>
>> | clinton-campaign.xlsx.com.
>> |
>> | You also need to remember that this woman is so full of herself that
>> | she is going to automatically click on anything that contains her name.
>>
>> Hillary Clinton? I very much doubt that she
>> actually clicked on anything. She has staff
>> for that. And I guess the staff should have
>> had IT people.
>
> Ah the Clitorall Hinny!
>
> What will we do without that chalk scraping on blackboard voice, and
> her high opinion of Democrat voters?
>
> https://vps.templar.co.uk/Cartoons%2...all_hinny.jpeg


Hillary begins speech: ‘I’m so tired, I can barely stand’

http://www.theamericanmirror.com/hillary-starts-speech-im-so-tired-i-can-barely-stand/

Wouter Verhelst July 18th 18 08:05 AM

Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users
 
On 15-07-18 17:43, Mayayana wrote:
> "Wouter Verhelst" wrote
>
> | However, they *do* genuinely care about computer security. This site
> | isolation feature of theirs is something that I think is a good idea in
> | the face of spectre and meltdown (and friends), and I hope that other
> | browsers will follow suit (I suspect firefox will, not so sure about others)
> |
>
> Sounds fine, but it uses more RAM. (+10-13%
> according to Google.
> https://security.googleblog.com/2018...isolation.html )


There's always some cost to extra features. I think 10 to 13% is a bit
much, but not surprisingly so.

> And how much value does it actually have? What's
> the real risk of an attacker getting same-process
> (or cross-process) exploitable data from a separate
> loaded webpage? Especially if you don't keep numerous
> windows/tabs open when you enter a credit card
> number online.


Sure, but regular users may not have the background to realize that that
isn't necessarily a good idea.

> Then compare that to a typical webpage where
> within that one process are connections to numerous,
> shady 3rd parties. Acme.com is not usually the problem.
> Rather, the problem is likely to be cross-site scripting
> or malicious attacks done through buying ads on the
> acme.com page you're visiting. That kind of direct attack
> is a far greater risk than malware coming through acme.com
> that manages to fish your credit card number out of RAM.


The fact that there are other attacks that are more likely does not
negate the fact that site isolation is a good defense against *this*
attack. Are you saying that a browser with defenses against cross-site
scripting *and* the site isolation feature is a worse idea than a
browser with just the defenses against cross-site scripting, in theory?

I agree that there are many holes for cross-site scripting still open,
and that getting those plugged would be great; however, plugging those
holes is not as easy to do as plugging the meltdown/spectre issues.

> (And even more mitigated for those of us using AMD.)
> With something like an ad-based attack someone can
> read your credit card number from within that page and
> process.
>
> Anyone who cares at all about security (not
> to mention privacy) should at least be limiting
> script as much as possible and blocking ad servers
> in their HOSTS file, as well as blocking 3rd-parties
> where possible.


Well, yes, but that's not something a browser maker can do.

> The fears of spectre, meltdown
> and shared memory exploits in general have been
> grossly overdone.


I agree with that, to some extent, but they are not entirely unfounded
either.

> It's like worrying that someone
> walking by your house might use a telescope to read
> your bankbook in a mirror on your wall, while you've
> left your front door ajar.


Not quite.

A malicious site could just start some javascript code that targets one
or more banking sites with a meltdown or spectre-based attack. In more
than 99% of cases it won't find any useful data, but that's the thing
about malicious code; you don't need a huge success rate for it to be
beneficial to the attacker.

The site could start a ServiceWorker[1] if it wanted to be able to
continue the attack even after the user closed the tab in question.

[1] https://developer.mozilla.org/en-US/...ice_Worker_API

> Then of course there's the fact that most attacks
> are carried out by even more pedestrian methods.
> I read the other day that the hacking of Hillary Clinton's
> email was accomplished, at least in part, by the kind
> of thing that any office worker should know to look
> out for: attachments with names like
> clinton-campaign.xlsx.com.


For a targeted attack on a specific subject, you would do it that way, yes.

If you just want to get in as many people's bank accounts as possible,
you wouldn't.

