Chrome 87 released with fix for NAT Slipstream attacks, broader FTP deprecation

Support for FTP links will be disabled for 50% of Chrome 87 users, with a complete removal scheduled for Chrome 88.


Google today released version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol.

Today's release is available for Windows, Mac, Linux, Chrome OS, Android, and iOS. Users can update to the new version via Chrome's built-in update utility.

While Google shipped some changes to Chrome settings and UI elements in previous versions, almost all the major new Chrome 87 features are aimed at web developers.

In Chrome 87, we have new APIs and updates to Chrome's built-in Developer Tools, such as:

  • Support for the new Cookie Store API;
  • New features to allow easier modification of web fonts via CSS;
  • A new feature to let websites enumerate all the locally installed fonts;
  • Support for pan, tilt, and zoom controls on webcam streams; and,
  • Support for debugging WebAuthn operations via the Chrome DevTools.

NAT Slipstream attack fixes

Chrome 87 also comes with a fix for a new attack disclosed at the end of October by Samy Kamkar, a famous security researcher and computer hacker.

Named NAT Slipstream, this technique allows attackers to bypass firewalls and make connections to internal networks by tricking users into accessing malicious sites — effectively turning Chrome into a proxy for attackers.


Chrome 87 will be the first browser to block NAT Slipstream attacks by blocking access to ports 5060 and 5061, which the attack uses to bypass firewalls and network address translation (NAT) schemes.

Similar efforts are also underway at Apple and Mozilla, with fixes planned for future versions of Safari and Firefox.
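As an added illustration (not code from Chrome or from the original article), the sketch below applies the same port rule to outbound request URLs, such as those in a web proxy log, and flags any whose effective port is 5060 or 5061. The log format, host names and function names are assumptions made for this example.

```javascript
// Added example. Ports are the two the article says Chrome 87 blocks.
const BLOCKED_PORTS = new Set([5060, 5061]);
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Effective TCP port of a URL, or null if the URL cannot be parsed
// or uses a scheme with no default port known to this sketch.
function effectivePort(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (err) {
    return null;
  }
  if (u.port !== "") return Number(u.port); // explicit, non-default port
  const fallback = DEFAULT_PORTS[u.protocol];
  return fallback === undefined ? null : fallback;
}

function isBlocked(rawUrl) {
  const port = effectivePort(rawUrl);
  return port !== null && BLOCKED_PORTS.has(port);
}

// Constructed sample log (assumed format): "<timestamp> <client> <method> <url>"
const SAMPLE_LOG = [
  "2020-11-17T10:00:01Z 10.0.0.12 GET https://www.example.com/index.html",
  "2020-11-17T10:00:02Z 10.0.0.12 POST http://site.example:5060/",
  "2020-11-17T10:00:03Z 10.0.0.31 GET http://[2001:db8::1]:5061/x",
  "2020-11-17T10:00:04Z 10.0.0.31 GET http://intranet.example:8080/",
  "2020-11-17T10:00:05Z 10.0.0.44 GET not-a-url",
];

// Return the log entries whose destination port is on the block list.
function flagLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [ts, client, method, url] = line.trim().split(/\s+/);
    if (url && isBlocked(url)) hits.push({ ts, client, method, url });
  }
  return hits;
}

console.log(flagLog(SAMPLE_LOG));
```

Hits in such a log point to clients whose browsers still allow web requests to these ports and are worth checking for pending updates.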

FTP deprecation

In addition, Google is also following through on its plans to remove FTP support from Chrome. This process started last year, and was initially planned for Chrome 81.

Google delayed its initial deprecation schedule due to the COVID-19 pandemic, fearing that the change might disrupt hospital networks or employees working from home needing to access resources stored on FTP servers.

The FTP deprecation was rescheduled for the fall and began last month with the release of Chrome 86, when Google removed support for FTP links for 1% of Chrome's userbase.

With Chrome 87, Google will now remove FTP support for half of Chrome's userbase, and the browser maker plans to disable support for FTP links altogether next year, in January, with the release of Chrome 88.

Mozilla already removed support for FTP links in Firefox earlier this year, in June, with the release of Firefox 77.

Tab throttling, occlusion tracking, and back-forward cache

Chrome 87 also comes with some performance improvements through the addition of tab throttling, occlusion tracking, and back-forward cache.

The first two features will work together. Occlusion tracking will allow Chrome to know which browser windows and tabs are visible to the user, and then enable the new tab throttling feature to put background tabs to sleep until they're needed again.

Back-forward caching is an older feature that was first added in Chrome 79, but hidden under a Chrome flag. With Chrome 87, back-forward caching is now enabled by default for all users. Google says it expects to improve back-forward navigation events by roughly 20% once this new feature is enabled.


But we only touched on the major Chrome 87 features. Users who'd like to learn more about the other features added or removed in this new Chrome release can check out the following links for more information:

  • Chrome security updates are detailed here.
  • Chromium open-source browser changes are detailed here.
  • Chrome developer API deprecations and feature removals are listed here.
  • Chrome for Android updates are detailed here.
  • Chrome for iOS updates are detailed here.
  • Changes to Chrome V8 JavaScript engine are available here.
  • Changes to Chrome's DevTools are listed here.