Chrome 83 released with massive security and privacy upgrades

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Google has released Chrome 83 today, May 19th, 2020, to the Stable desktop channel, and it includes massive security and privacy overhaul changes for its users.

With this release, users are getting a redesigned Privacy and security settings section, better control over cookies, a new Safety Check feature, improved DoH settings, and a new Enhanced Safe Browsing feature.

With Chrome 83 now being promoted to the Stable channel, Chrome 84 will soon be promoted to the Beta version, and Chrome 85 will be the Canary version.

As you may have realized, Google did not release Chrome 82, and instead decided to skip that version due to the pandemic and roll all of its changes into Chrome 83.

Windows, Mac, and Linux desktop users can upgrade to Chrome 83 by going to Settings -> Help -> About Google Chrome. The browser will then automatically check for the new update and install it when available.

More intuitive privacy and security controls in Chrome:
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
So it seems like the "Enhanced" safe browsing feature basically amounts to sending full URLs plus snippets of page content to Google for analysis. I'm sure that will provide better protection but it does seem to be a pretty big privacy tradeoff, considering the regular Safe Browsing is fairly privacy-friendly by never explicitly telling Google exactly what you've visited.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
> So it seems like the "Enhanced" safe browsing feature basically amounts to sending full URLs plus snippets of page content to Google for analysis. I'm sure that will provide better protection but it does seem to be a pretty big privacy tradeoff, considering the regular Safe Browsing is fairly privacy-friendly by never explicitly telling Google exactly what you've visited.

Just like Smartscreen. :ROFLMAO: I figure google already knows about me since I used google forever. May not be bad to go back to Chrome now.
 

MacDefender

> Just like Smartscreen. :ROFLMAO: I figure google already knows about me since I used google forever. May not be bad to go back to Chrome now.

Yeah technically speaking with Google's browser tab syncing features and the other default privacy settings, Google already knows your browsing history. You have to go out of your way to configure Google Chrome to not retain your browsing history in the cloud, at which point you'd probably disable this feature too.
 

blackice

> Yeah technically speaking with Google's browser tab syncing features and the other default privacy settings, Google already knows your browsing history. You have to go out of your way to configure Google Chrome to not retain your browsing history in the cloud, at which point you'd probably disable this feature too.

It's true, you have to go out of your way. I compartmentalize some browsing, but really am not too worried about it. The fact is that the worst thing google has still done with our data is try to sell us stuff. As someone who's taken a lot of marketing classes I'm a) Resistant to their tactics in a lot of respects and b) Understanding that their sticking their noses into our privacy isn't worth much individually, it's the aggregated info they are after. Now, that doesn't make me not want my privacy, and I'm not excited about the web being centered around google. But in a lot of ways they are less inept and much less scary than most governments.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Great additions to Chrome, and even better controls geared towards Chrome OS users.

Wish-list:
- Integrated "disconnect" Tracking Protection
- Containers (similar to Firefox)
- Manage (Allow/Block) domains from loading in Subframes
- Improve media icon design on toolbar when media is playing from the web player.



icydk; version 82 was skipped.
 

blackice

> Yeah technically speaking with Google's browser tab syncing features and the other default privacy settings, Google already knows your browsing history. You have to go out of your way to configure Google Chrome to not retain your browsing history in the cloud, at which point you'd probably disable this feature too.

Ironically I am writing this in Firefox with DoH enabled with encrypted SNI (but that's another issue with my ISP DNS and Firefox).
 

Gandalf_The_Grey

The Chrome team is delighted to announce the promotion of Chrome 83 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

Chrome 83.0.4103.61 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 83.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 38 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
 

MacDefender

> It's true, you have to go out of your way. I compartmentalize some browsing, but really am not too worried about it. The fact is that the worst thing google has still done with our data is try to sell us stuff. As someone who's taken a lot of marketing classes I'm a) Resistant to their tactics in a lot of respects and b) Understanding that their sticking their noses into our privacy isn't worth much individually, it's the aggregated info they are after. Now, that doesn't make me not want my privacy, and I'm not excited about the web being centered around google. But in a lot of ways they are less inept and much less scary than most governments.

One of my worries regarding privacy is that Google does have to respond to law enforcement requests. Thanks to the recent changes to the PATRIOT act, the FBI doesn't even need a warrant to go along with some browsing history requests. Sure if you have nothing to hide, the FBI is fully welcome to look at my browsing history. But one untracked cost of handing private data over to US corporations is that it does make you open to having that data turned over to law enforcement.
 

blackice

> One of my worries regarding privacy is that Google does have to respond to law enforcement requests. Thanks to the recent changes to the PATRIOT act, the FBI doesn't even need a warrant to go along with some browsing history requests. Sure if you have nothing to hide, the FBI is fully welcome to look at my browsing history. But one untracked cost of handing private data over to US corporations is that it does make you open to having that data turned over to law enforcement.

If the FBI wants you and your data I don’t see any minor privacy steps stopping them. This is much scarier than google selling ads. Until the long term boomers are out of congress this policing overreach isn’t going anywhere.

As far as the FBI goes, they are not a concern for most people unless some pretty draconian laws get passed. At which point we have much bigger problems than google Chrome (with the possibility that we already do).
 

MacDefender

> If the FBI wants you and your data I don’t see any minor privacy steps stopping them. This is much scarier than google selling ads. Until the long term boomers are out of congress this policing overreach isn’t going anywhere.
>
> As far as the FBI goes, they are not a concern for most people unless some pretty draconian laws get passed. At which point we have much bigger problems than google Chrome (with the possibility that we already do).

Well that again goes back to the metaphorical "if you have nothing to hide, why don't you give all your personal info to the government?"

I think most people, even who do not believe they are doing anything illegal or wrong, rightfully might not want themselves to be an open book like that. For example, stuff like downloading an episode of a TV show from one of those streaming websites over HTTPS might have been anonymous before (even if they subpoena your ISP) but having access to browsing history makes it very easy to have incriminating evidence at hand.

When companies design products in ways that respect user privacy and don't collect identifiable data, it does severely impact law enforcement's ability to get information.
 

blackice

> Well that again goes back to the metaphorical "if you have nothing to hide, why don't you give all your personal info to the government?"
>
> I think most people, even who do not believe they are doing anything illegal or wrong, rightfully might not want themselves to be an open book like that. For example, stuff like downloading an episode of a TV show from one of those streaming websites over HTTPS might have been anonymous before (even if they subpoena your ISP) but having access to browsing history makes it very easy to have incriminating evidence at hand.
>
> When companies design products in ways that respect user privacy and don't collect identifiable data, it does severely impact law enforcement's ability to get information.

And I agree. But my point is if the government wants you they’re gonna actually try to get you. Anybody who really has things to hide (criminals) shouldn’t be putting any of it on the Internet. I also agree we shouldn’t make it easy for them, and agree we all have the right to privacy. I just think we are probably fooling ourselves that they don’t have methods to get around our ‘privacy attempts’ as far as law enforcement is concerned. It’s just not as easy to execute. And being okay with some advertising when using a useful service doesn’t mean someone wants to hand all their data over to the government either because they have nothing to hide. There’s a balance everyone has to make between what’s practical, what’s private, and what’s convenient and within their technical abilities. And it’s a shame it is that way.
 

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,323
The Chrome team is delighted to announce the promotion of Chrome 83 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

Chrome 83.0.4103.61 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 83.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 38 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

  • [$20000][1073015] High CVE-2020-6465: Use after free in reader mode. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-04-21
  • [$15000][1074706] High CVE-2020-6466: Use after free in media. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-04-26
  • [$7500][1068084] High CVE-2020-6467: Use after free in WebRTC. Reported by ZhanJia Song on 2020-04-06
  • [$7500][1076708] High CVE-2020-6468: Type Confusion in V8. Reported by Chris Salls and Jake Corina of Seaside Security, Chani Jindal of Shellphish on 2020-04-30
  • [$5000][1067382] High CVE-2020-6469: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-04-02
  • [$5000][1065761] Medium CVE-2020-6470: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-03-30
  • [$3000][1059577] Medium CVE-2020-6471: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-08
  • [$3000][1064519] Medium CVE-2020-6472: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-25
  • [$2000][1049510] Medium CVE-2020-6473: Insufficient policy enforcement in Blink. Reported by Soroush Karami and Panagiotis Ilia on 2020-02-06
  • [$2000][1059533] Medium CVE-2020-6474: Use after free in Blink. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-07
  • [$1000][1020026] Medium CVE-2020-6475: Incorrect security UI in full screen. Reported by Khalil Zhani on 2019-10-31
  • [$1000][1035315] Medium CVE-2020-6476: Insufficient policy enforcement in tab strip. Reported by Alexandre Le Borgne on 2019-12-18
  • [$500][946156] Medium CVE-2020-6477: Inappropriate implementation in installer. Reported by RACK911 Labs on 2019-03-26
  • [$500][1037730] Medium CVE-2020-6478: Inappropriate implementation in full screen. Reported by Khalil Zhani on 2019-12-24
  • [$500][1041749] Medium CVE-2020-6479: Inappropriate implementation in sharing. Reported by Zhong Zhaochen of andsecurity.cn on 2020-01-14
  • [$500][1054966] Medium CVE-2020-6480: Insufficient policy enforcement in enterprise. Reported by Marvin Witt on 2020-02-21
  • [$500][1068531] Medium CVE-2020-6481: Insufficient policy enforcement in URL formatting. Reported by Rayyan Bijoora on 2020-04-07
  • [$TBD][795595] Medium CVE-2020-6482: Insufficient policy enforcement in developer tools. Reported by Abdulrahman Alqabandi (@qab) on 2017-12-17
  • [$TBD][966507] Medium CVE-2020-6483: Insufficient policy enforcement in payments. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-23
  • [$N/A][1045787] Medium CVE-2020-6484: Insufficient data validation in ChromeDriver. Reported by Artem Zinenko on 2020-01-26
  • [$N/A][1047285] Medium CVE-2020-6485: Insufficient data validation in media router. Reported by Sergei Glazunov of Google Project Zero on 2020-01-30
  • [$TBD][1055524] Medium CVE-2020-6486: Insufficient policy enforcement in navigations. Reported by David Erceg on 2020-02-24
  • [$500][539938] Low CVE-2020-6487: Insufficient policy enforcement in downloads. Reported by Jun Kokatsu (@shhnjk) on 2015-10-06
  • [$500][1044277] Low CVE-2020-6488: Insufficient policy enforcement in downloads. Reported by David Erceg on 2020-01-21
  • [$500][1050756] Low CVE-2020-6489: Inappropriate implementation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-02-10
  • [$TBD][1035887] Low CVE-2020-6490: Insufficient data validation in loader. Reported by Twitter on 2019-12-19
  • [$N/A][1050011] Low CVE-2020-6491: Incorrect security UI in site information. Reported by Sultan Haikal M.A on 2020-02-07


We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [1084009] Various fixes from internal audits, fuzzing and other initiatives

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.



Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Thank you,

Srinivas Sista
 

Gandalf_The_Grey

Maybe this can help:
 
