Chrome 90 goes HTTPS by default while Firefox injects substitute scripts to foil tracking tech

Privacy. Are we there yet? No, but there's some progress at least


When version 90 of Google's Chrome browser arrives in mid-April, initial website visits will default to a secure HTTPS connection in the event the user has failed to specify a preferred URI scheme.

Plaintext HTTP is currently the default in Chrome. As Google Chrome software engineers Shweta Panditrao and Mustafa Emre Acer explain in a blog post, when a user types "www.example.com" into Chrome's omnibox without an "http://" or "https://" prefix, Chrome chooses "http://". The same is true in other browsers, including Brave, Edge, Firefox, and Safari.

This made sense in the past, when most websites had not implemented support for HTTPS; it was only in 2018 that the majority of websites redirected traffic to HTTPS. These days, however, most page loads use secure transport (by platform, from about 98 per cent on Chrome OS down to about 77 per cent on Linux), and 97 of the top 100 websites currently default to HTTPS.


Previously, a first visit was upgraded to HTTPS only when the site appeared on the HTTP Strict Transport Security (HSTS) preload list, a list built into multiple browsers of domains whose operators have declared they should only ever be loaded securely.

Chrome 90 will make HTTPS the default for first time website visits where no transport has been declared. Beyond the security and privacy benefits, say Panditrao and Acer, this will improve performance since the delay incurred by redirection from an http:// endpoint to an https:// endpoint will no longer happen.

A few exceptions will persist, however. IP addresses, single-label domains (eg "contoso", with no TLD such as .com), and reserved hostnames like localhost/ will still default to http://.
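As an added illustration of the rule above (this is not Chromium's code, and the exact heuristics Chrome applies are an assumption here), the following function decides which scheme to prepend to scheme-less omnibox input, leaving IP literals, single-label names and localhost on plain HTTP and upgrading everything else:

```javascript
// Added example, not Chromium code: approximates which scheme Chrome 90 picks for
// omnibox input typed without an explicit "http://" or "https://", following the
// exceptions listed above (IP literals, single-label names, localhost). The exact
// Chromium heuristics are an assumption here, not quoted from the source.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

function hostOf(typed) {
  // Parse behind a placeholder scheme so the URL API separates host from port and path.
  try {
    return new URL("http://" + typed.trim()).hostname; // IPv6 literals come back bracketed, e.g. "[::1]"
  } catch {
    return null; // not something the omnibox would navigate to as typed
  }
}

function defaultScheme(typed) {
  const host = hostOf(typed);
  if (host === null) return null;
  const h = host.replace(/\.$/, "").toLowerCase();                // ignore a trailing dot ("example.com.")
  if (h.startsWith("[") || IPV4.test(h)) return "http";            // IP address literal
  if (h === "localhost" || h.endsWith(".localhost")) return "http"; // reserved hostname
  if (!h.includes(".")) return "http";                             // single-label name, e.g. "contoso"
  return "https";                                                  // everything else is upgraded
}

function navigableUrl(typed) {
  const t = typed.trim();
  if (HAS_SCHEME.test(t)) return t; // an explicit scheme is respected as typed
  const scheme = defaultScheme(t);
  return scheme === null ? null : `${scheme}://${t}`;
}
```

Note that `hostOf` parses with the WHATWG URL API rather than splitting on "/" by hand, so input carrying a port or a path (`localhost:8080`, `[::1]/admin`) is classified on its host only.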

Private like a fox

In other browser-related news, Mozilla Firefox 87 debuted on Tuesday with a privacy feature called SmartBlock.

Borrowing from techniques used by privacy-focused extensions NoScript and uBlock Origin (eg "stub scripts"), SmartBlock provides a way to block tracking scripts while attempting to minimize performance-affecting delays or errors that can arise from meddling with webpage code.

"SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts," explains Thomas Wisniewski, web compatibility engineer at Mozilla, in a blog post.

"These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact."

Firefox SmartBlock can replace trackers found on the extensive Disconnect Tracking Protection List, whose entries for the US alone number well over a thousand.
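To make the stand-in idea concrete, here is an added example (not Mozilla's SmartBlock code or any of its actual stubs) of a generic stand-in for a blocked tracker: every property becomes a chainable no-op that records the call and runs any callback the page handed it, so a page that waits for the tracker to report "ready" before rendering still works. The page script and the tracker API it expects (identify, ready, track) are constructed for the demo:

```javascript
// Added example, not Mozilla's SmartBlock code: a generic stand-in for a blocked
// third-party tracking script. The page script and the tracker API it expects
// (identify / ready / track) are constructed for this demo.
function makeStandIn(name) {
  const calls = []; // what the page tried to do; nothing leaves the machine
  let proxy;
  const handler = {
    get(_target, prop) {
      if (prop === "then") return undefined;               // not a thenable, so `await stub` resolves at once
      if (prop === Symbol.toPrimitive || prop === "toString") return () => `[stand-in for ${name}]`;
      return (...args) => {
        calls.push(String(prop));
        // The real script would invoke these after a network round trip; running
        // them here is what keeps pages that gate rendering on tracker init working.
        for (const a of args) {
          if (typeof a === "function") { try { a(); } catch { calls.push("callback-threw"); } }
        }
        return proxy; // every method is chainable
      };
    },
    apply() { calls.push("(called)"); return proxy; }, // tolerate tracker(...) as well as tracker.method(...)
  };
  proxy = new Proxy(() => {}, handler); // arrow target: callable, and no non-configurable "prototype" to clash with
  return { stub: proxy, calls };
}

// Constructed page script, typical of a site that breaks when a tracker is simply blocked.
function runPage(tracker) {
  const state = { contentShown: false, errors: 0 };
  try {
    tracker.identify("user-123", { plan: "free" });
    tracker.ready(() => { state.contentShown = true; }); // content is shown only once the tracker says it is ready
    tracker.track("pageview").track("scroll", 50);        // chained calls must not throw
  } catch {
    state.errors += 1;
  }
  return state;
}

function demo() {
  const { stub, calls } = makeStandIn("tracker.js");
  return { ...runPage(stub), calls };
}
```

The trade-off the Mozilla post describes is visible here: the stand-in has to behave "just enough" like the original (callable, chainable, invoking callbacks) without doing the one thing the original exists to do, which is send data off the page.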

Firefox 87 also incorporates another privacy enhancement: it limits the information carried in the referrer header (spelled "Referer" on the wire, a misspelling the HTTP spec inherited and kept) by setting the browser's default Referrer-Policy to "strict-origin-when-cross-origin."

What this means is that when a Firefox user follows a cross-site link from "https://www.example.com/path?query" – where "path" and "query" represent more meaningful or sensitive information – the HTTP Referer header sent to the visited website will indicate only that the visitor arrived from "https://www.example.com"; the extra path and query data is dropped. Navigations within the same origin still carry the full URL, a link from an HTTPS page to a plain HTTP one sends no Referer at all, and this is only the browser default: a site can still override it with its own Referrer-Policy header or meta tag. ®
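The following added example (not Firefox code) computes the Referer value a browser sends for a given source page, destination and policy. It goes beyond the article's single case and covers all eight Referrer-Policy values, so the new default can be compared with the old "no-referrer-when-downgrade" behaviour. Two simplifications are assumptions: "potentially trustworthy" is reduced to "scheme is https:" (the spec also treats localhost and similar as trustworthy), and the origin-only form is serialised with the trailing slash the spec mandates, which the article's quote omits.

```javascript
// Added example, not Firefox code: the Referer header value sent under each
// Referrer-Policy. Assumptions: "potentially trustworthy" is simplified to
// scheme === "https:"; non-http(s) referrers (about:, data:, file:) send nothing.
function stripForReferrer(u) {
  const c = new URL(u.href);
  c.username = ""; c.password = ""; c.hash = ""; // credentials and fragment never leave the browser
  return c.href;
}

function originOnly(u) {
  return u.origin + "/"; // spec keeps an empty path, so the serialisation ends in "/"
}

function refererFor(from, to, policy = "strict-origin-when-cross-origin") {
  const src = new URL(from), dst = new URL(to);
  if (src.protocol !== "https:" && src.protocol !== "http:") return null;
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:"; // secure page -> insecure target
  switch (policy) {
    case "no-referrer":                  return null;
    case "unsafe-url":                   return stripForReferrer(src);
    case "origin":                       return originOnly(src);
    case "same-origin":                  return sameOrigin ? stripForReferrer(src) : null;
    case "strict-origin":                return downgrade ? null : originOnly(src);
    case "no-referrer-when-downgrade":   return downgrade ? null : stripForReferrer(src);
    case "origin-when-cross-origin":     return sameOrigin ? stripForReferrer(src) : originOnly(src);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(src);
      return downgrade ? null : originOnly(src);
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Side-by-side view of what a third party learns under the old and new defaults.
function compareDefaults(from, to) {
  return {
    old: refererFor(from, to, "no-referrer-when-downgrade"),
    new: refererFor(from, to, "strict-origin-when-cross-origin"),
  };
}
```

Run `compareDefaults("https://www.example.com/path?query=secret", "https://tracker.example/pixel")` to see the difference: the old default leaked the full path and query to the cross-site destination, the new one sends just the origin.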


Biting the hand that feeds IT © 1998–2022