Google: Chrome now protects you from Spectre password-stealing attacks

Chrome 67 for Mac, Windows has just added extra defences against Spectre-style data-stealing attacks.
Written by Steve Ranger, Global News Director

Google says a new security feature in Chrome should make it harder for malicious websites to use a Spectre-style attack to steal data or passwords from other sites open as tabs in the same browser.

The company has now enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS in Chrome 67, the latest version of its browser.

"This means even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker," said Google software engineer Charlie Reis.

"This significantly reduces the threat posed by Spectre."

The Spectre attacks, which were made public in January, effectively allow malicious code to read any memory in a process's address space.

This flaw matters more for browsers because they run JavaScript code from multiple websites, often in the same process, which could allow a website to use such an attack to steal information from other websites.

SEE: How to build a successful developer career (free PDF)

Google said Site Isolation is a large change to Chrome's architecture, limiting each renderer process to documents from a single site. This means all navigations to cross-site documents cause a tab to switch processes.

"Site Isolation is a significant change to Chrome's behavior under the hood, but it generally shouldn't cause visible changes for most users or web developers (beyond a few known issues). It simply offers more protection between websites behind the scenes," Reis said.

However, because Site Isolation does cause Chrome to create more renderer processes this means there is a performance impact -- about a 10 to 13 percent total memory overhead in real workloads due to the larger number of processes.

Google said Site Isolation has been enabled for 99 percent of users on Windows, Mac, Linux, and Chrome OS in Chrome 67. It has held back one percent to monitor performance.

Read more

Spectre and Meltdown: Insecurity at the heart of modern CPU design

Google enabled Site Isolation in Chrome 67: Here's why and how it affects users (TechRepublic)

Chrome 67 is out: Password-free logins get closer, plus bug fixes, better AR-VR support

Google: Chrome is backing away from public key pinning, and here's why

Chrome has a new way to keep Spectre hackers at bay (CNET)

Editorial standards