Google this week released Chrome 83, picking up after skipping a version because of the COVID-19 pandemic, auto-upgrading eligible users to DNS-over-HTTPS (DoH) and enabling tab groups for everyone.
The search firm paid at least $76,000 in bounties to bug researchers who reported some of the 38 vulnerabilities patched in Chrome 83. Five were marked “High,” the second-most serious in Google’s four-level threat ranking, with three of those marked as “use after free” flaws. The first vulnerability listed, a use-after-free bug in Chrome’s reader mode, earned researcher Woojin Oh a $20,000 reward.
Chrome updates in the background, so most users can finish the refresh by relaunching the browser. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab shows that the browser has been updated or displays the download process before presenting a “Relaunch” button. Those who are new to Chrome can download version 83 for Windows, macOS and Linux directly.
Google updates Chrome every six to eight weeks; the previous upgrade landed April 7.
Note: Google suspended Chrome releases in mid-March because of the pandemic and its impact on businesses. Chrome 81 was slated to launch March 16 but was postponed three weeks. Google skipped Chrome 82 and resumed upgrade numbering on May 19 with Chrome 83. Chrome 84 will be the next upgrade.
Tab grouping…, we really mean it this time!
Tab Groups, a feature that Google has been working on and testing for months, does what it says: Users organize tabs in the bar atop the browser by lumping together several tabs, each lump designated by color and name, adding new tabs and removing existing ones.
The feature was to debut in February’s Chrome 80, then in a roll-out “throughout Chrome 81.” Except it didn’t. Google now says, “This has been rolled out to Chrome, Mac, Windows, and Linux users throughout Chrome 83,” as in past tense. Except it hasn’t: All of Computerworld‘s instances of Chrome 83 – both on Windows 10 and macOS – still lacked the tool.
Those without tab grouping can switch it on manually by entering chrome://flags in the address bar, searching for Tab Groups, changing the setting at the right to Enabled, and relaunching the browser.
Chrome 83 was also to be the final step in automatically upgrading eligible users to DNS-over-HTTPS (DoH), a security feature that Google and other browser makers like Mozilla have been implementing, each in their own way.
The DNS (Domain Name Service) requests from users whose DNS provider offers the defensive feature of transmitting that traffic over encrypted connections (hence, HTTPS) is to gradually roll out to all users during Chrome 83’s lifecycle. The list of DNS providers that have DoH capability is relatively short, so not all Chrome users will get this. (The current list of providers can be found here, and includes names such as Cloudflare, Comcast, Google and OpenDNS.)
In a Tuesday post to the Chromium blog, Kenji Baheux, product manager laid out Google’s thinking on DoH and explained why it chose its approach. It’s well worth reading.
IT admins can disable DoH with the DnsOverHttpsMode group policy or in the Google Admin Console.
But wait, there’s more (privacy and security)
Not only has Google revamped the Privacy and security section’s UI (user interface) within Settings, but the company has loaded Chrome 83 with a slew of new security and privacy features.
Note: As with so much else Google does in Chrome, some users will see these changes before others as the firm ladles out the tools piecemeal to a gradually expanding set. Impatient users can prematurely turn on some of the still-missing through the chrome://flags options page.
Google has started what sounded like a long-term project with Chrome 83 by offering what it calls Enhanced Safe Browsing Protection. This was billed as a build atop Safe Browsing – the 13-year-old blocklist and associated API – that began by warning users when they were headed to what was probably a phishing website and has expanded to cover, among other things, to-be-downloaded files.
The primary difference in Enhanced is that the new, more advanced feature would not anonymize the incoming data, in effect linking an individual to the specific sites visited or even attempted to access. “If you are signed in to Chrome, this data is temporarily linked to your Google Account,” said a quartet of engineers on the Safe Browsing team.
While that may set off bells in the minds of privacy advocates, Google argued that it’s necessary for a next-step in protection. “We do this so that when an attack is detected against your browser or account, Safe Browsing can tailor its protections to your situation. In this way, we can provide the most precise protection without unnecessary warnings,” wrote Nathan Parker, Varun Khaneja, Eric Mill and Kiran C Nair.
Enhanced Safe Browsing Protection will be slowly deployed to Chrome 83 users, after which it will appear as an “Enhanced protection” option under Safe Browsing in the Privacy and security section.
The feature will gradually expand in what defenses it offers, the four engineers said. “We’ll be adding even more protections…, including tailored warnings for phishing sites and file downloads and cross-product alerts.”
Also on the books will be Safety check, actually a small set of security exams including one that scans the browser for blacklisted malicious extensions. The best in the bunch, though, does a Mozilla Lockwise-like look at the user’s passwords, then flags accounts that had previously been involved in known data breaches. The check is supposed to show in the Privacy and security section of the browser’s settings.
Other privacy additions will include a by-default blocking of all third-party cookies when browsing in Chrome’s Incognito (aka privacy) mode, a move reminiscent of Mozilla’s auto-blocking of Firefox’s private browsing mode five years ago.
Elsewhere in the browser, Chrome users can now manage individual site cookies as well as individual cookies within a website. Options let users block all third-party cookies, block all cookies on just some – or all – sites, and block some of the cookies on some sites. Management is so granular, however, that it’s unlikely that many will take advantage of the new control.
Google’s AbdelKarim Mardini, a senior product manager, described these security and privacy changes and others in a long post to the Chrome blog, a rare instance of the Mountain View company outlining the new simultaneously with an upgrade’s launch.
Chrome’s next upgrade, to version 84, will release on July 14.