
The most ambitious browser mitigation yet for Spectre attacks comes to Chrome

Google’s Chrome browser is undergoing a major architectural change to enable a protection designed to blunt the threat of attacks related to the Spectre vulnerability in computer processors. If left unchecked by browsers or operating systems, such attacks may allow hackers to pluck passwords or other sensitive data out of computer memory when targets visit malicious sites.

Site isolation, as the mitigation is known, segregates code and data from each Internet domain into their own “renderer processes,” which are individual browser tasks that aren’t allowed to interact with each other. As a result, a page located at arstechnica.com that embeds ads from doubleclick.net will load content into two separate renderer processes, one for each domain.

The protection, however, comes at a cost. It consumes an additional 10 to 13 percent of total memory. Some of the performance hit can be offset by smaller and shorter-lived renderer processes. Site isolation will also allow Chrome to re-enable more precise timers, which Google and most other browser makers disabled earlier this year to decrease the chances of successful attacks.

Site isolation has been available in Chrome as an optional mitigation since early this year, but starting with version 67, it’s being enabled by default for 99 percent of users. Google is leaving it off for the other 1 percent so engineers can monitor and improve performance. The protection is also being enabled in Chrome for desktop. For performance reasons, it isn’t available in Chrome for Android for the time being.
