July 15th 18, 04:43 PM posted to alt.privacy.anon-server,comp.os.linux.advocacy,comp.os.linux.misc,alt.comp.os.windows-10
Mayayana
Google Enables "Site Isolation" Feature for 99% of Chrome Desktop Users

"Wouter Verhelst" wrote

| However, they *do* genuinely care about computer security. This site
| isolation feature of theirs is something that I think is a good idea in
| the face of spectre and meltdown (and friends), and I hope that other
| browsers will follow suit (I suspect firefox will, not so sure about
| others)
|

Sounds fine, but it uses more RAM. (+10-13%
according to Google:
https://security.googleblog.com/2018...isolation.html)

And how much value does it actually have? What's
the real risk of an attacker getting same-process
(or cross-process) exploitable data from a separate
loaded webpage? Especially if you don't keep numerous
windows/tabs open when you enter a credit card
number online.

Then compare that to a typical webpage where
within that one process are connections to numerous,
shady 3rd parties. Acme.com is not usually the problem.
Rather, the problem is likely to be cross-site scripting
or malicious attacks done through buying ads on the
acme.com page you're visiting. That kind of direct attack
is a far greater risk than malware coming through acme.com
that manages to fish your credit card number out of RAM.
(And even more mitigated for those of us using AMD.)
With something like an ad-based attack someone can
read your credit card number from within that page and
process.

Anyone who cares at all about security (not
to mention privacy) should at least be limiting
script as much as possible and blocking ad servers
in their HOSTS file, as well as blocking 3rd-parties
where possible. The fears of spectre, meltdown
and shared memory exploits in general have been
grossly overdone. It's like worrying that someone
walking by your house might use a telescope to read
your bankbook in a mirror on your wall, while you've
left your front door ajar.

Then of course there's the fact that most attacks
are carried out by even more pedestrian methods.
I read the other day that the hacking of Hillary Clinton's
email was accomplished, at least in part, by the kind
of thing that any office worker should know to look
out for: attachments with names like
clinton-campaign.xlsx.com.


