Changes In Google’s New Chrome 69 Are Worrisome To Security Experts
By: Jim Stickley and Tina Davis
October 9, 2018
Google Chrome, the wildly popular browser and search engine, recently hit a roadblock – of sorts. In September of this year, Chrome 69, a browser with a completely redesigned UI (user interface), was launched. Along with many improvements, including a graphics redesign, it brings a new built-in random password generator and patches for 40 security issues. Although the changes to the look and ease of use of Chrome may be debatable, cybersecurity professionals have much to say about the changes that aren’t so obvious. Some security pros take exception to two major changes in Chrome 69: a change in the sign-in feature that affects privacy, and the removal of the “www” or “m” (for mobile) from URL addresses.
As for Google’s sign-in change: prior to Chrome 69, simply signing in to Gmail meant that was the only part of Google you were signed into. You had to sign in separately for the browser, photos or any of the other parts of it. With the new browser renovation, signing in to Gmail means you’re also signing into the overall browser without your consent. That enables Google to automatically sync your browsing data and store it in its cloud. Since there is no way to separate the two, tons of browsing data including cookies are permanently stored on Google’s servers. Choosing to delete your browsing history and cookies is no longer considered permanent, as the data is already preserved. Google 70, due for release soon, addresses this concern. Google 70 will enable users to separate sign-ins to the web and browser. Also, Google sign-in cookies will be entirely removed when clearing all cookies, and not permanently stored.
As for stripping the “www”: most everyday users know that including the “www” or “m” (mobile) in a URL is a safety precaution. They’ve been told including the “www” lends credibility to landing on the page you intended, and it certainly does. Going to “www.domain.com” doesn’t necessarily direct you to the same place as “domain.com”. It depends on how the site developers have it set up. So, those letters before the domain are indeed significant.
However, with the release of 69, Google has announced that it perceives the subdomains as “trivial”, believing the information they represent is information most people don’t need to be concerned with. That “belief” by Google upsets the apple cart of consumer precautions about hacking that have been held for years. Users have been told that paying close attention to the details of a URL is a great way to avoid landing on a bogus web page built by hackers to fool them into providing valuable personal information. Very often, something as small as a hacker transposing two letters in a URL’s spelling can mean the difference between being safe and being hacked. So, many believe, messing with a URL’s perceived safety features is a major issue that can cause users to end up on an incorrect web page. Google has yet to publicly comment on this latest change or on whether Google 70 will address it. Stay tuned.
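To make the concern concrete, here is an added example (not from the original article and not Chrome's own code) that models the hiding described above and reports which distinct hostnames a user would see as the same address. It assumes only the scheme and a leading “www” or “m” label are hidden; the function names and the example.com URLs are constructed for illustration.

```javascript
// Added illustration; a simplified model, not Chrome's actual implementation.
// Assumption: only the scheme and a leading "www" or "m" label are hidden.
const TRIVIAL_LABELS = new Set(["www", "m"]);

// Return the text this model would show in the address bar for a URL.
function displayedText(urlString) {
  const url = new URL(urlString);
  const labels = url.hostname.split(".");
  // Drop a leading trivial label only when at least two labels remain.
  if (labels.length > 2 && TRIVIAL_LABELS.has(labels[0])) {
    labels.shift();
  }
  const path = url.pathname === "/" ? "" : url.pathname;
  return labels.join(".") + path;
}

// Group URLs by displayed text and keep the groups where more than one
// distinct hostname would look identical to the user.
function findDisplayCollisions(urls) {
  const groups = new Map();
  for (const u of urls) {
    const shown = displayedText(u);
    if (!groups.has(shown)) groups.set(shown, new Set());
    groups.get(shown).add(new URL(u).hostname);
  }
  const collisions = [];
  for (const [shown, hosts] of groups) {
    if (hosts.size > 1) collisions.push({ shown, hosts: [...hosts].sort() });
  }
  return collisions;
}

// Constructed sample: hostnames a site owner might serve under one domain.
const SAMPLE_URLS = [
  "https://www.example.com/login",
  "https://example.com/login",
  "https://m.example.com/login",
  "https://shop.example.com/login",
];

console.log(findDisplayCollisions(SAMPLE_URLS));
```

A site owner can run a list of their own hostnames through a check like this to see which ones need to serve the same content, since users can no longer tell them apart at a glance.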
In the meantime, you can disable this new feature of Chrome 69. Open the browser, and type the following into the address bar: “chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains”. A new tab will open, and the first option, “Omnibox UI Hide Steady-State URL Scheme and Trivial Subdomains”, should be set to disabled. Then click the “RELAUNCH NOW” button.