Security

Google warns devs as it tightens Chrome cookie security: Stuff will break if you're not clued up

You'll have to tag those for cross-site use from February


Google is asking developers to get ready for more secure cookie settings to be implemented in Chrome 80 that is planned for release in February 2020.

The announced changes relate to the SameSite cookie attribute. First specified in July 2016, the SameSite attribute is set by the developer when the cookie is planted, and can be either "strict", "lax", "none" or omitted.

These settings (provided the browser supports them) control what happens when the browser requests content from a site other than the one you are visiting, such as when an ad is displayed. If it is set to strict, no cookies are sent to the third-party site. If it is set to lax, no cookies are sent unless you click a link that takes you to that site, in which case they are sent. If it is set to none, cookies set by the third-party site are always sent.

The SameSite attribute protects users from cross-site request forgery, where you are logged into site A and a script on site B impersonates you by sending a request to site A. If site A receives your session cookie, that request would appear to come from you.

Google puts Chrome on a cookie diet (which just so happens to starve its rivals, cough, cough...)

READ MORE

The major browsers, including Chrome, have supported this attribute for years, but Google has been gradually tightening security. Now it is moving to the next stage and implementing two changes:

Google is flagging up this issue for developers because the change in behaviour could break some features, such as single sign-on for business applications, if developers do not implement the required attributes. The change also impacts frameworks that set cookies. Enterprise administrators will be able to disable the new behaviour if necessary.

Although this is a welcome (perhaps overdue) change, it is not great for tracking protection, since advertisers that want to see tracking cookies can ensure that they set the required attributes. Users can of course set "Block third-party cookies" in the browser but this is off by default in most browsers since it breaks functionality. Firefox, for example, warns that blocking all third-party cookies "may cause websites to break").

Firefox offers specific blocking of tracking cookies, and warns against blocking all third-party cookies

Mozilla has taken a more proactive line on the matter of tracking cookies by using a list of services that set tracking cookies and blocking third-party cookies from those sites only. This is now on by default in Firefox, but to use it in Chrome you need an extension.

You can block all third-party cookies in Chrome, but it is a crude solution

Google takes a different view, arguing: "Blunt approaches to cookie blocking have been tried, and in response we have seen some user-tracking efforts move underground, employing harder-to-detect methods that subvert cookie controls. These methods, known as 'fingerprinting,' rely on various techniques to examine what makes a given user's browser unique."

Fingerprinting grabs what information it can about the user's browser and machine to track identity without relying on cookies. Google is promising to "more aggressively restrict fingerprinting across the web", but this is non-trivial and implementation will be imperfect. Google is also concerned about what it calls the "web ecosystem", no doubt including its own income from advertising and investment in personalisation, which means it is not a neutral party in respect of this issue.

Google does note that, once we reach the point where all cross-site cookies have these attributes set, "browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites." This is still challenging, though, since not all cross-site cookies are harmful.

Google's efforts to tighten web standards are welcome in that as the maker of the dominant web browser, it has the clout to ensure that changes are implemented. That said, it lacks incentive to make its web browser the best in terms of privacy, which means rivals like Mozilla Firefox are likely to stay ahead in this area.®

Send us news
21 Comments

Bank manager tricked into handing $35m to scammers using fake 'deep voice' tech

Plus: Microsoft Translator machine learning software now supports over 100 languages

In brief Authorities in the United Arab Emirates have requested the US Department of Justice's help in probing a case involving a bank manager who was swindled into transferring $35m to criminals by someone using a fake AI-generated voice.

The employee received a call to move the company-owned funds by someone purporting to be a director from the business. He also previously saw emails that showed the company was planning to use the money for an acquisition, and had hired a lawyer to coordinate the process. When the sham director instructed him to transfer the money, he did so thinking it was a legitimate request.

But it was all a scam, according to US court documents reported by Forbes. The criminals used "deep voice technology to simulate the voice of the director," it said. Now officials from the UAE have asked the DoJ to hand over details of two US bank accounts, where over $400,000 from the stolen money were deposited.

Continue reading

Amazon textbook rental service scammed for $1.5m

Michigan man arrested for borrowing costly textbooks and selling them

A 36-year-old man from Portage, Michigan, was arrested on Thursday for allegedly renting thousands of textbooks from Amazon and selling them rather than returning them.

Andrew Birge, US Attorney for the Western District of Michigan, said Geoffrey Mark Hays Talsma has been indicted on charges of mail and wire fraud, transporting stolen property across state lines, aggravated identity theft, and lying to the FBI.

Also indicted were three alleged co-conspirators: Gregory Mark Gleesing, 43, and Lovedeep Singh Dhanoa, 25, both from Portage, Michigan, and Paul Steven Larson, 32, from Kalamazoo, Michigan

Continue reading

Computer scientists at University of Edinburgh contemplate courses without 'Alice' and 'Bob'

Academics advised to consider excluding certain terminology for the sake of inclusivity

A working group in the School of Informatics at the University of Edinburgh in Scotland has proposed a series of steps to "decolonize" the Informatics curriculum, which includes trying "to avoid using predominantly Western names such as Alice/Bob (as is common in the computer security literature)."

The names Alice and Bob were used to represent two users of a public key cryptography system, described in a 1978 paper by Ronald Rivest, Adi Shamir, and Leonard Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems." And since then, a variety of other mostly Western names like Eve – playing an eavesdropper intercepting communications – have been employed to illustrate computer security scenarios in related academic papers.

The School of Informatics' working group reflects the University of Edinburgh's commitment to diversity, equity, and inclusion and to meet specific obligations spelled out in Scottish regulations like the Equality Act 2010 and the Public Sector Equalities Duty.

Continue reading

Toyota needs more than its Cheer Squad to deal with chip shortages, as five more home factories forced into idleness

Car makers facing increasingly tough times until supply catches up

Toyota said it would cut car production by up to 150,000 vehicles due to ongoing semiconductor shortages and restrictions associated with the COVID-19 pandemic.

The car maker is idling five factories in home country Japan on some days in November, which affects the production of popular models including Corolla and Camry.

Toyota started cutting production in August due to chip shortages and said, "we expect the shortage of semiconductors to continue in the long-term".

Continue reading

Missouri governor demands prosecution of reporter for 'decoding HTML source code' and reporting a data breach

Salus populi suprema lex esto ... or perhaps not

A Missouri politician has been relentlessly mocked on Twitter after demanding the prosecution of a journalist who found and responsibly reported a vulnerability in a state website.

Mike Parson, governor of Missouri, described reporters for local newspaper the St Louis Post Dispatch (SLPD) as "hackers" after they discovered a web app for the state's Department of Elementary and Secondary Education was leaking teachers' private information.

Around 100,000 social security numbers were able to be exposed when the web app was loaded in a user's browser. The public-facing app was intended to be used by local schools to check teachers' professional registration status. So users could tell between different teachers of the same name, it would accept the last four digits of a teacher's social security number as a valid search string.

Continue reading

Everyone who wants a smartphone for Chrimbo will get one, but in the real world things are somewhat different

Global handset market slips in Q3 on sliding chipset availability, says Canalys

Crippling component shortages caused smartphone shipments to dip in calendar Q3, though it was the also-rans, vendors outside of the top five biggest brands with the lowest economies of scale, that suffered most.

Preliminary results from Canalys show the market declined 6 per cent year-on-year. The analyst was not yet ready to make public the absolute shipment figures but a year ago sales into the channel were 348 million, so they look 20.9 million units lighter.

"The chipset famine has truly arrived," said Ben Stanton, principal analyst. "On the supply side, chipset manufacturers are increasing prices to disincentivize over-ordering, in an attempt to close the gap between supply and demand. But despite this, shortages will last until well into 2022."

Continue reading

Windows terminates here. Please remember to finish setting it up on arrival

Washington Metro admin has taken an early lunch

Bork!Bork!Bork! It's a whole new world for bork today as a Washington Metro platform indicator suggests an alternative to the usual train for weary commuters. How about getting a bit more out of Windows?

This is a suggestion that everyone wants to see while waiting for a Yellow Line train at Washington Metro's Huntington Station (located, helpfully, on Huntington Avenue in the Huntington Area).

Continue reading

Boeing 737 Max chief technical pilot charged with deceiving US aviation regulators over MCAS

He hasn't got $2.5bn to hand to the DoJ, unlike his bosses

A Boeing 737 Max test pilot has been charged with obstructing US aviation safety regulators, according to the US Department of Justice, and faces up to 20 years in prison if convicted.

Former 737 Max chief technical pilot Mark Forkner, 49, of Texas, has been charged with "deceiving the Federal Aviation Administration's Aircraft Evaluation Group" (AEG) and committing fraud by misleading Boeing's airline customers into believing the 737 Max was a safe aircraft.

"Forkner allegedly abused his position of trust by intentionally withholding critical information about MCAS during the FAA evaluation and certification of the 737 MAX and from Boeing's US-based airline customers," said Assistant Attorney General Kenneth A Polite Jr of the Justice Department's Criminal Division in a statement.

Continue reading

Keep expectations low and you won't be disappointed: OVH manages 6 per cent increase on its IPO debut

French cloud provider puts outage and fire behind it to focus on beating the big players

French cloud and colocation service provider OVH has edged a 6 per cent increase in its nominal market valuation following its initial public offering on the Euronext Paris stock exchange.

The Gallic tech challenger, viewed by some as the great cloud hope for Europe, has faced its fair share of challenges this year, having seen fire engulf its Strasbourg operations on 10 March.

But the European IPO proved hot in other ways, with shares up to around €19.70, well on track with the launch price range of €18.50-€20.

Continue reading

Space boffins: Exoplanet survived hydrogen-death of its host star

Hope extended to gas giants across the universe... well, it is Friday

Those of us fatalistically counting down the minutes until the Earth is engulfed by the dying embers of the Sun in approximately 5 billion years might be offered a glimmer of hope by the news that planets – or at least gas giants – can survive the collapse of their host star.

Joshua Blackman, a postdoctoral researcher at Australia's University of Tasmania, and his colleagues have found evidence of a Jupiter-like planet orbiting a white dwarf star somewhere outside the Solar System off in the Milky Way.

It is the first time scientific evidence of a planet surviving a star's collapse has been presented, although theoretical models predicted it is possible, according to a study published in Nature.

Continue reading

Spanner in the works: The goal is not 100% compatibility, Google says of PostgreSQL interface

Meanwhile, Yugabyte says PostgreSQL compatibility for its distributed database dates back to 2019

Google has clarified details of the interface between its popular distributed SQL database-management-cum-storage-service Spanner and the open-source RDBMS PostgreSQL.

According to a blog published this week, Spanner's PostgreSQL interface uses "the familiarity and portability of PostgreSQL" to make developers' lives easier.

"Teams can be assured that the schemas and queries they build against the Spanner PostgreSQL interface can be easily ported to another PostgreSQL environment, giving them flexibility and peace of mind," said Justin Makeig, product manager for Cloud Spanner.

Continue reading