Insights For Success

Strategy, Innovation, Leadership and Security

Chrome

VPN Support coming to Linux apps on Chromebooks

General | Edward Kiledjian

It seems everyone has jumped on the VPN bandwagon these days. On Chromebooks, we can use VPN extensions, but these don't protect Android apps. We can use Android VPN apps, which protect the entire ChromeOS (including Android apps but not Linux apps).

So what happens today? Even if you have an Android VPN running, the Linux apps go out via your origin IP, bypassing the VPN network adapter. If you need to use a VPN with the Linux container today on ChromeOS, you have to install a Linux VPN client in the container itself.

In Chrome 76, Google will finally fix this issue and Linux app traffic will also flow through the VPN (extension or Android app). You can test this today if you have the developer or Canary versions of ChromeOS installed on your Chromebook.

We expect ChromeOS 76 to be released to the Beta channel June 13-20 and to the stable channel around July 30.

Other cool features coming with the ChromeOS 76 release will be:

  • "Picture In Picture" support for most video platforms

  • "Web Share Target Level 2" which will allow any installed application to receive a file share (using a manifest)

Mozilla Firefox 67 will allow letterboxing to protect your online identity

General | Edward Kiledjian

In September 2016, I wrote an article entitled “Your browser will betray your identity” that discussed the various techniques legitimate (marketers) and illegitimate (threat actors) parties use to keep track of your identity even if you aren’t logged into any of their sites.

The purpose-built TOR version of the Mozilla Firefox browser has (for a while) implemented a technique called letterboxing to protect users from this type of nefarious identification through browser fingerprinting.

Most browsers allow a site to send client-side JavaScript code that detects the display size of the browser. This technique is used to create dynamically generated webpages that are optimized for the device size you are using. This is why modern well-designed websites render correctly on large 24" desktop screens and 6" smartphones.

Would you be surprised to learn that this can be one dimension threat actors or marketers can use to start deanonymizing you?

The privacy team behind the TOR project goes to great lengths to maximize your privacy while using their anonymizing network by minimizing your data exhaust while browsing the web. We have seen the Firefox team backport some of these privacy enhancements back into the mainstream Firefox. This backport initiative is called TOR Uplift and started in 2016.

In release 67, expected in May, Firefox will bring letterboxing into the mainstream version (from the TOR one). Letterboxing is a technique of rounding the actual size of the browser window (height and width) down to a multiple of 200 pixels for width and 100 pixels for height. This means more users will have the same window size value making deanonymizing more complicated. Firefox will add grey bars on a side that needs to be padded if the rendered page isn't a perfect fit. If you are more concerned about looks, you will be able to turn off this additional protection technique using a Firefox flag.

In the Bugzilla tracker, Mozilla wrote "Window dimensions are a big source of fingerprintable entropy on the web" & "Maximized windows reveal available screen width and height, excluding toolbars; and full-screen windows reveal screen width and height. Non-maximized windows can allow a strong correlation between two tabs".

Here is a demo of letterboxing while resizing the browser window. Notice the grey added around the rendered page.

The letterboxing feature won’t be turned on by default. Users wanting this extra layer of protection will have to open about:config and enter “privacy.resistFingerprinting” in the config search box and change the setting to “true”.

Exciting new multi-monitor feature coming to Chromebooks

General | Edward Kiledjian

Every professional understands the power of a dual screen setup. The additional real estate enables a more fluid and productive work process.

I use a ton of platforms (mainframe & mini to Mac, Windows and Linux) and I find that ChromeOS handles multi-screen setups with ease and grace. Every time I have hooked an external display to a "good" Chromebook (something that costs $500 or more), it has worked flawlessly immediately without having to fiddle or fine tune.

I have successfully connected 2 external monitors to my Pixelbook at work using a Lenovo USB hub but this isn't something most people will have access to and therefore the 3 monitor option normally isn't used.

We know the sultan of search, El Goog, is working on an elegant solution to solve this 2 external monitor issue using a technology called display daisy chaining. This is something that is known in the industry but not currently supported on ChromeOS. The idea is to connect one USBC monitor to your Chromebook and then connect the second USBC monitor to the first one (as long as the monitor supports it).

This means you can connect (eventually) one cable to your device and everything just works. Technically this daisy chaining will be able to go beyond 2 external monitors to a larger number (as long as your device hardware can push the required number of pixels).

This is a request we have regularly seen in the Chromium forums.


How do we know it is coming? We know it is coming because we can see a commit for Multi-Stream Transport Support or something called Hatch.

The commit enables a chip to support the Multi-Stream flow and there is a good chance this won’t be enabled on existing older Chromebooks. We know that generically Multi-Stream requires DisplayPort 1.2 and a handful of Chromebooks already have it so… There is hope for existing customers. We will just have to wait and see.

Many of you know I love my Pixelbook and may be wondering… “Does the Pixelbook support DisplayPort?”

The answer is that the Pixelbook does support DisplayPort. The USBC ports on the Pixelbook are of type 3.1 Gen1 and support PowerDelivery (PD), DisplayPort (DP) and HDMI.

We don’t know which version of ChromeOS this will be enabled in yet. That’s all for this article dear readers. Stay tuned for more cool tech news as I find them.

Google to protect users from IDN Homograph Attacks

General | Edward Kiledjian

What geeks call an International Domain Name Homograph Attack, the general public calls typo-squatting. This is when threat actors buy domain names that are close to popular ones hoping to trick users, examples:

  • gma1l.com instead of gmail.com

  • paypa1.com instead of paypal


To help protect users from these tricksters, Google is launching Navigation suggestions for lookalike URLs. Think of this as an AI powered auto-correct for URLs. This feature is in active experimentation in Canary 70 and should enter the mainstream version in the coming months. A Google engineer even spoke about it at the Usenix conference.


If you are one of the courageous experimenters running Canary, you can enable this feature now using this flag:

chrome://flags/#enable-lookalike-url-navigation-suggestions
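A sketch of how a lookalike check of this kind can work, added here as an illustration and not Chrome's algorithm: it folds visually confusable characters into a common "skeleton" and falls back to a one-edit typo check against a list of protected domains. The protected list, the confusable map and the function names are all constructed for this example, and the hostname is assumed to be in its decoded Unicode form.

```javascript
// Constructed list of domains to protect (an assumption for this example).
const PROTECTED = ["gmail.com", "paypal.com", "google.com"];

// Constructed confusable map: multi-character pairs first, then digits,
// then two Cyrillic letters that render like Latin "a" and "o".
const CONFUSABLE = [
  ["rn", "m"], ["vv", "w"], ["1", "l"], ["i", "l"], ["0", "o"],
  ["\u0430", "a"], ["\u043e", "o"],
];

// Fold a hostname to a canonical form so lookalikes compare equal.
function skeleton(host) {
  let s = host.toLowerCase();
  for (const [from, to] of CONFUSABLE) s = s.split(from).join(to);
  return s;
}

// Classic Levenshtein distance, two-row version.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return a navigation suggestion for a lookalike host, or null.
function suggest(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  if (PROTECTED.includes(h)) return null; // the real site: nothing to suggest
  const sk = skeleton(h);
  for (const good of PROTECTED) {
    if (skeleton(good) === sk) return { suggestion: good, reason: "confusable" };
  }
  for (const good of PROTECTED) {
    if (editDistance(h, good) === 1) return { suggestion: good, reason: "edit-distance" };
  }
  return null;
}

console.log(suggest("gma1l.com"), suggest("paypa1.com"), suggest("example.org"));
```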

Google Chrome's Spectre Mitigation is consuming 10% more RAM

General | Edward Kiledjian

Google Chrome has always been a resource hog, but you may have noticed it's been consuming just a little bit more RAM lately (on your desktop).

This new, more demanding Chrome is because of Google's Spectre mitigation efforts.
The Google Chrome security team has enabled site isolation as a default (in Chrome v67 for desktops). Justin Schuh, head of Google Chrome Security, explained that site isolation separates each website process thereby preventing a malicious tab from stealing data from another.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”

Don't expect to see this update on the Android version anytime soon; the resource consumption requirements are too high (for now).

Chrome is obviously my browser of choice but I have been concerned at the amount of resources it requires and this move (although right from a security perspective) further pushes Chrome in the wrong direction. 
