Reflecting on a year’s worth of Chrome security improvements
In the next few weeks, you’ll probably be spending lots of time online buying gifts for your friends, family and “extended family” (your dog, duh). And as always, you want to do so securely. Picking the perfect present is hard enough; you shouldn’t have to worry about staying safe while you’re shopping.
Security has always been a top priority for Chrome, and this year we made a bunch of improvements to help keep your information even safer, and encourage sites across the web to become more secure as well. We’re giving you a rundown of those upgrades today, so that you can concentrate on buying the warmest new slippers for your dad or the perfect new holiday sweater for your dog in the next few weeks.
More protection from dangerous and deceptive sites
For years, Google Safe Browsing has scanned the web looking for potential dangers—like sites with malware or phishing schemes that try to steal your personal information—and warned users to steer clear. This year, we announced that Safe Browsing protects more than 3 billion devices, and in Chrome specifically, shows 260 million warnings before users can visit dangerous sites every month.
We’re constantly working to improve Safe Browsing and we made really encouraging progress this year, particularly with mobile devices. Safe Browsing powers the warnings we now show in Gmail’s Android and iOS mobile apps after a user clicks a link to a phishing site. We brought Safe Browsing to Android WebView (which Android apps sometimes use to open web content) in Android Oreo, so even web browsing inside other apps is safer. We also brought the new mobile-optimized Safe Browsing protocol to Chrome, which cuts 80 percent of the data used by Safe Browsing and helps Chrome stay lean.
In case you do download a nastygram, this year we’ve also redesigned and upgraded the Chrome Cleanup Tool with technology from IT company ESET. Chrome will alert you if it detects unwanted software, offer to remove that software, and get you back in good hands.
Making the web safer, for everyone
Our security work helps protect Chrome users, but we’ve also pursued projects to help secure the web as a whole. Last year, we announced that we would mark sites that are not encrypted (i.e., served over HTTP) as “not secure” in Chrome. Since then, we’ve seen a marked increase in HTTPS usage on the web, especially with some of the web’s top sites:
If you’re researching gifts at a coffee shop or airport, you might be connecting to unfamiliar Wi-Fi which could be risky if the sites you’re visiting are not using the secure HTTPS protocol. With HTTPS, you can rest assured that the person sitting next to you can’t see or meddle with everything you’re doing on the Wi-Fi network. HTTPS ensures your connection is encrypted and your data is safe from eavesdroppers regardless of which Wi-Fi network you’re on.
An even stronger sandbox
Chrome has never relied on just one protection to secure your data. We use a layered approach with many different safeguards, including a sandbox—a feature that isolates different tabs in your browser so that if there’s a problem with one, it won’t affect the others. In the past year, we’ve added an additional sandbox layer to Chrome on Android and improved Chrome’s sandboxing on Windows and Android WebView.
So, if you’ve entered your credit card to purchase doggy nail polish in one Chrome tab, and you’ve inadvertently loaded a misbehaving or malicious site in another tab, the sandbox will isolate that bad tab, and your credit card details will be protected.
Improving our browser warnings to keep you even safer
It should always be easy to know if you might be in danger online, and what you can do to get back to safety. Chrome communicates these risks in a variety of different ways, from a green lock for a secure HTTPS connection, to a red triangle warning if an attacker might be trying to steal your information.
By applying insights from new research that we published this year, we were able to improve or remove 25 percent of all HTTPS warnings Chrome users see. These improvements mean fewer false alarms, so you see warnings only when you really need them.
Some of Chrome’s HTTPS warnings (on the left) are actually caused by reasons unrelated to security—in this case, the user's clock was set to the wrong time. We’ve made the warnings more precise (on the right) to better explain what’s going on and how to fix it.
Unfortunately, our research didn’t help users avoid dog-grooming dangers. This is a very challenging problem that requires further analysis.
A history of strong security
Security has been a core pillar of Chrome since the very beginning. We’re always tracking our own progress, but outside perspectives are a key component of strong protections too.
The security research community has been key to strengthening Chrome security. We are extremely appreciative of their work—their reports help keep our users safer. We’ve given $4.2 million to researchers through our Vulnerability Reward Program since it launched in 2010.
Of course, we’re also happy when researchers aren’t able to find security issues. At Pwn2Own 2017, an industry event where security professionals come together to hack browsers, Chrome remained standing while other browsers were successfully exploited.
Zooming out, we worked with two top-tier security firms to independently assess Chrome’s overall security across the range of areas that are important to keep users safe. Their whitepapers found, for example, that Chrome warns users about more phishing than other major browsers, Chrome patches security vulnerabilities faster than other major browsers, and “security restrictions are best enforced in Google Chrome.” We won’t rest on these laurels, and we will never stop improving Chrome’s security protections.