Google last week released the postponed-by-three-weeks Chrome 81, patching 32 vulnerabilities – plus one more on April 15 – and pledging to roll out a tab grouping feature to all users before the next upgrade lands in mid-May.
The California search firm paid at least $25,500 in bug bounties to researchers who reported some of the vulnerabilities. Three were tagged as “High,” the second-most serious in Google’s four-step threat ranking, and one – patched with build 81.0.4044.113 on Wednesday – was pegged “Critical,” the rare top-most rating. The latter, as well as two of the High trio, were submitted by engineers at Qihoo 360, a Chinese security software developer.
Chrome updates in the background, so most users can finish the refresh by relaunching the browser. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. Those who are new to Chrome can download version 81 for Windows, macOS and Linux here._
Google updates Chrome every six to eight weeks. It last upgraded the browser on Feb. 4.
Note: Google suspended Chrome releases in mid-March because of the COVID-19 pandemic and related disruptions, notably orders from companies, including Google, that sent home many employees to work remotely. Chrome 81 was originally slated to launch March 16 but was postponed three weeks. That pause, said Google, necessitated skipping version 82 and resuming upgrade numbering with Chrome 83, now set to release on May 19.
Tabs now form groups
The most prominent addition to Chrome 81, Tab Groups, is likely still invisible to most users. It was to Computerworld staffers running the browser.
Tab Groups, which has been under construction for months, essentially does what it says: Users organize tabs in the bar atop the browser by lumping together several, each lump designated by color and name, adding new tabs and removing existing ones.
The feature was to debut in February’s Chrome 80, and may have in a small number of instances worldwide. It wasn’t on Computerworld‘s numerous copies running under Windows 10 and macOS. Now, Google said, Tab Groups will roll out in Chrome 81, although it may not be immediately available by default.
This will be rolled out widely to Mac, Windows, and Linux users throughout Chrome 81,” Google said in these release notes, under the section title of “Introduction of tab groups for remaining users.”
The impatient can manually engage Tab Groups by entering chrome://flags in the address bar, searching for Tab Groups, changing the setting at the right to Enabled, and relaunching the browser.
Tab Groups is easy to use: Right-clicking tabs now offers menu items to assign tabs to new or existing groups, or remove tabs from those groups. Other actions let users name each group and/or select a color, which boxes the name and borders the tabs of that group; ungroup the tabs; or close all tabs in the group.
Chrome 81’s tab functionality will be most useful to those who regularly wrangle a large number of tabs each session. Segregating tabs into collections brings some organization to what otherwise would likely be a randomized mess. Tab Groups’ simplicity is its best characteristic, since it’s more likely the feature will be adopted into browser workflow.
But it’s hardly a compelling reason to stick with Chrome or take it up, as some have argued. It lacks at least one crucial tool – a way to save groups, either singly or collectively, for later recall – and can be mimicked, even surpassed, by add-ons, such as Simple Tab Groups for Mozilla’s Firefox. (Firefox had a tab grouping feature at one point – known as Panorama – but Mozilla scrubbed it from the browser in 2016 because it was used by so few.)
Browser rollbacks are now a thing
Many bits of Chrome 81 that are notable are not because they’re there but because they aren’t. If that’s confusing, join the club.
Google had planned for several things to happen in Chrome 81, in particular protocols that were to be dropped or skills it was to surrender or security moves it was supposed to take. A number of them, though, were canceled, at least for this version, presumably to reappear in a future upgrade.
FTP’s back! Although Google said months ago that it would remove support for FTP (File Transfer Protocol) – an early Internet system for file transfer – in Chrome 81, and apparently did, it soon restored support. In an April 9 message on the Chromium bug tracker, a Google engineer wrote, “In light of the current crisis, we are going to ‘undeprecate’ FTP on the Chrome stable channel, i.e. FTP will start working again.” FTP will be put on the chopping block “once people are in a better position to deal with potential outages and migrations.”
TLS 1.0 and 1.1 not departing this mortal coil yet. As Computerworld noted previously, browser makers, Google included, issued reprieves for TLS (Transport Layer Security) 1.0 and 1.1, encryption protocols that were to be dropped in March.
Support for TLS 1.0 and TLS 1.1 will now be removed from Chrome 84, the upgrade scheduled to launch July 14.
SameSite enforcement put off. With Chrome 80, the version Google began distributing in early February, the browser was to begin enforcing SameSite, the standard pushed by Google, Microsoft and Mozilla designed to give web developers a way to control which cookies can be sent by a browser and under what conditions. Cookies distributed from a third-party source – not by the site the user was at, in other words – had to be correctly set and accessed only over secure connections.
The SameSite enforcement was to roll out slowly, as most Chrome changes do, beginning around mid-February when small numbers of users would see their browsers take action. Enforcement was to expand to more Chrome users over time.
Now, that has all been reversed.
In an April 3 post to the Chromium blog (three days before Chrome 81 released), Justin Schuh, the director of Chrome engineering, said that “in light of the extraordinary global circumstances due to COVID-19, we are temporarily rolling back the enforcement of SameSite cookie labeling, starting today.”
Schuh said Google didn’t want to chance destabilizing “essential services” rendered through the websites of banks, grocery stores, government agencies and healthcare organizations. Google will resume enforcement down the road, perhaps over the summer, Schuh added.
Google this week released Chrome 80, beginning a promised process of locking down cookies and at the same time patching 56 vulnerabilities.
The California company paid at least $48,000 in bug bounties to researchers who reported some of the vulnerabilities. Ten were tagged as “High,” the second-most serious in Google’s four-step threat ranking. Half of those 10 were submitted by engineers of Google’s own Project Zero team.
Chrome updates in the background, so most users can simply relaunch the browser to finish the upgrade. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. Those who are new to Chrome can download the latest for Windows, macOS and Linux here.
Google updates Chrome every six to eight weeks. It last upgraded the browser on Dec. 10, 2019.
Enforcement of cookie-control starts now
Last year, Google said it would clamp down on cookies – the small bits of code websites rely on to, among other things, identify individual users – using the SameSite standard. SameSite, which has also been pushed by Mozilla and Microsoft, was designed to give web developers a way to control which cookies can be sent by a browser and under what conditions.
With Chrome 80, Google will begin enforcing SameSite, said Barb Smith, a Google executive, in a Feb. 4 post to the Chromium blog. Cookies distributed from a third-party source – in other words, not by the site the user is at – must be correctly set and accessed only over secure connections.
“Enforcement of the new cookie classification system in Chrome 80 will begin later in February with a small population of users, gradually increasing over time,” Smith wrote. Google frequently rolls out new features and other changes in stages, letting it verify that things worked as expected before expanding the pool of users. The company has set the week of Feb. 17 as the opening switch-on-SameSite salvo.
Also, as of Chrome 80, cookies without a SameSite definition will be considered as first-party only by default; third-party cookies – say, those from an external ad distributor tracking users as they wander the web – won’t be sent.
It’s complicated – for users, even IT admins, if not for developers – as this Google video demonstrates. But the result will likely be an aggressive push by Google, using the club of Chrome’s dominance, to motivate site makers and other cookie distributors to get behind the SameSite standard.
SameSite is not Google’s answer to the increasing anti-tracking positions being staked out by rivals such as Mozilla and Microsoft. Google has emphasized SameSite’s security prowess – preventing cross-site request forgery (CSRF) attacks, for instance – not any privacy benefits.
No more notification nagging? That would be great
Chrome 80 also implemented the quieter notifications that Google pledged last month.
Rather than let sites place pop-ups on the page requesting permission to send notifications, Chrome 80 features an alarm bell icon with a strike-through near the right edge of the address bar. The first time Chrome presents the quiet UI, an in-browser dialog, which can be dismissed, will explain the feature.
Users will be able to engage the new notification UI manually using an option in Settings > Advanced > Privacy and security > Site Settings > Notifications. Toggling the “Use quieter messaging (blocks notification prompts from interrupting you)” switch turns on the pop-up blocker. Google has said it would also automatically enable the quieter UI for some. Those who “repeatedly deny” the notification requests will be auto-enrolled. Google will automatically silence some sites as well.
Not all users will see the less-intrusive notification requests immediately; although Google promised that Chrome 80 would launch the feature, Computerworld‘s copies of the browser did not yet show the new UI.
Tab groups supposed to begin to show
Tab groups are also supposed to debut in Chrome 80, but that, too, was not yet enabled by default on Computerworld‘s numerous copies running under Windows 10 and macOS. (The option to turn it on is behind chrome://flags: Search for Tab Groups, change the setting at the right to Enabled, and relaunch the browser.)
Last month, Google said that the feature – which does what it sounds like it does, organizes tabs by lumping together several, each lump designated by color and name – should begin rolling out to users with Chrome 80 but finish that process with March’s Chrome 81.
When it does appear – or after the browser’s owner manually enables it – users can right-click tabs and choose new menu items to create groups, assign tabs to them or remove tabs from those groups.
Other additions to Chrome 80 were enterprise-centric as Google continued to enhance the browser’s in-business skills, even more important of late as Microsoft introduced the Chromium-based Edge last month as an alternative.
Enterprise IT admins can enable or disable each type of synchronized data, ranging from History and Themes to Open Tabs and Passwords (just as individuals can do manually in Settings > Manage Sync.), using the newly-documented SyncTypesListDisabled group policy.
More management in Chrome 80 allows for a full blockade on employees trying to install external add-ons. Administrators can call on the BlockExternalExtensions policy to stop the practice. (Note: this does not block kiosk apps or extensions installed by policy.)