The new ‘Site Isolation’ security feature for the Google Chrome browser has been switched on, and could protect users from log-in credentials theft.
The newly switched-on feature actually has a decade-long history in the making. It has been reported that Google invested those engineer-years, mostly in the last 6 years, and a lot of money in producing a DiD (defence-in-depth) feature, and what is a now essential defence against a prolific class of attack.
What Does the Google Chrome Site Isolation Do?
It has recently been discovered that all modern chips / processors have security vulnerabilities in them that can contribute to the success of ‘data leakage’ attacks. These vulnerabilities, dubbed Spectre and Meltdown (Meltdown only on Intel chips), can be used by hackers to steal passwords or other confidential data from computers and mobile devices through popular web browsers like Chrome, Internet Explorer, Firefox, and Safari for Macs or iOS.
With Site Isolation enabled, each renderer process contains documents from a maximum of one site which means that all navigations to cross-site documents cause a switch in processes, and all cross-site iframes are put into a different process than their parent frame. This ‘isolation’ of the processes provides effective detection against data leakage attacks like Spectre, which means that the vast majority of Chrome users are now theoretically safer from this one kind of attack. It has also been reported that work is underway to protect against attacks from compromised renderers.
It Does Sap Some Memory
One of the trade-offs that Google has had to make to in order to make this feature effective is greater resource consumption. With Site Isolation on, there is a 10-13% total memory overhead in real workloads due to the larger number of processes. Google is reported to be working on trying to reduce the memory burden.
Even 10-13% is good compared to the 20% memory overhead that was being used when Chrome 63 debuted with Site Isolation.
Not Android Yet – But Soon
Site Isolation is scheduled to be included in Chrome 68 for Android but reports indicate that Google is still working on resource consumption issues before that can be rolled out.
SSL Security Added
Google Chrome has also added security warnings for sites that do not have SSL Certificates, which switch websites from HHTP to HTTPS protocol. The warning alerts users to the fact that any information they enter into the set, such as usernames, passwords or email addresses may not be secure. Furthermore Google is gradually moving to penalise sites in its search engine without HTTPS with lower page rankings.
What Does This Mean For Your Business?
The switching on of this feature is, of course, good news for businesses, as it is an additional, free way to strengthen cyber resilience against a popular kind of attack that could have serious consequences. This is of particular importance when businesses are trying to do everything possible to achieve and maintain compliance with GDPR.
Up until now, all businesses have heard is that all modern processors have security flaws in them, and that software patching is the only real answer. Back in May, another 8 flaws, in addition to Spectre and Meltdown, were discovered in processors, dubbed Spectre Next Generation (Spectre NB). At least the switching-on of this Chrome feature is one tangible step in the journey to patch these vulnerabilities before cyber-criminals manage to exploit them all. Hopefully, more, similar features will be introduced across other browsers in the near future.
Globalnet works with businesses throughout London, Essex, Kent and Herts to ensure their data and networks are secure from all threats. Call us on 0203 005 9650 today to find out how we can provide the right protection for you.
Globalnet aims to be an integral part of your success, providing the best business advice, superior IT support and technology to help you reach your goals.