Google Chrome Update Focuses on Enterprise Security

Google released Chrome 63 this week and the new version adds several security features aimed at the enterprise, including per-site isolation and permission-based extension blacklisting.

Chrome’s process sandboxing mechanism, which was architected into the browser from the beginning, already provides strong security. It isolates the HTML and JavaScript rendering engines into restricted environments where they cannot write or access files on disk. In addition, the browser uses a multi-process architecture in which one or more opened tabs are grouped into separate processes—if one of them crashes, it doesn’t take the whole browser down with it.

While Chrome arguably offered the best browser security model for many years, Microsoft has taken steps to catch up, especially with the recent introduction of WDAG (Windows Defender Application Guard) for its Edge browser, a technology that allows users to run the browser in a Hyper-V-based virtualized environment.

With Chrome 63, Google has further strengthened its sandboxing with Site Isolation, a feature that forces every website to have its own dedicated rendering process. This means that malicious code or exploits loaded from one website won’t be able to affect sites opened in other tabs.

According to Google’s documentation, turning on this feature for all websites will increase Chrome’s memory usage by about 10 percent to 20 percent. However, the isolation can also be enabled on a per-site basis, for example only for corporate sites that handle sensitive information.

In the enterprise, IT administrators can configure Chrome’s site isolation through Chrome policies and administrative templates. Enabling the feature is known to break page printing—cross-site iframes will appear blank in the printout. To work around this, users can save a copy of the page locally and then print it.

Chrome 63 also includes a policy mechanism through which administrators can disable browser extensions based on their required permissions. For example, admins can block all extensions that require access to the webcam and microphone, or those that want to access data on visited websites.

Finally, Chrome 63 comes with TLS 1.3 support enabled by default for Gmail. This is the newest, safest and most-efficient version of the TLS security protocol, and Google plans to roll out support for it to more websites in 2018. A policy is included that allows admins to disable this version of the protocol if they have software or hardware proxies on their networks that are not compatible with it and can’t process TLS 1.3 connections.
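The three administrator-facing settings above (site isolation, permission-based extension blocking, and the TLS 1.3 opt-out for incompatible proxies) all land in the same managed-policy file. The script below is an added example, not Google's code or anything from the article: it builds such a policy as a dict, writes it as JSON the way Chrome on Linux reads managed policies from `/etc/opt/chrome/policies/managed/` (on Windows the same policy names are set via Group Policy or the registry instead), and audits an existing policy for the gaps the article describes. The policy names `SitePerProcess`, `IsolateOrigins`, `ExtensionSettings` (with `blocked_permissions` and `runtime_blocked_hosts`) and `SSLVersionMax` are Chrome's real enterprise policies; the helper function names, the `example.com` origins and the output file name are assumptions made for the example.

```python
"""Build, write and audit a Chrome managed-policy file covering site
isolation, extension permission blocking and the TLS 1.3 opt-out.
Added example; helper names, sample origins and file name are assumptions."""
import json
import os

# Constructed sample: internal sites handling sensitive data that get their
# own renderer process even when full SitePerProcess isolation is off.
SENSITIVE_ORIGINS = ("https://intranet.example.com", "https://payroll.example.com")

# Extension API permission names that grant microphone/webcam access.
CAPTURE_PERMISSIONS = ("audioCapture", "videoCapture")


def build_policy(isolate_all=False, isolate_origins=(),
                 blocked_permissions=CAPTURE_PERMISSIONS,
                 block_site_data=True, tls13_proxy_incompatible=False):
    """Return a managed-policy dict using Chrome's own policy names."""
    policy = {}
    # Site isolation: every site (costs extra memory) or only listed origins.
    if isolate_all:
        policy["SitePerProcess"] = True
    elif isolate_origins:
        policy["IsolateOrigins"] = ",".join(isolate_origins)
    # The "*" entry of ExtensionSettings applies to every extension that is
    # not configured explicitly, so blocking a permission here disables any
    # extension that requires it.
    default_ext = {}
    if blocked_permissions:
        default_ext["blocked_permissions"] = list(blocked_permissions)
    if block_site_data:
        # Deny extensions script and data access on every host.
        default_ext["runtime_blocked_hosts"] = ["*://*"]
    if default_ext:
        policy["ExtensionSettings"] = {"*": default_ext}
    # Opt-out for networks whose proxies cannot process TLS 1.3 connections.
    if tls13_proxy_incompatible:
        policy["SSLVersionMax"] = "tls1.2"
    return policy


def write_policy(policy, directory):
    """Write the policy as JSON into a managed-policy directory; return the path."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, "chrome-security.json")  # assumed file name
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return path


def load_policy(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_policy(policy):
    """Return a list of findings where the policy misses the hardening above."""
    findings = []
    if not policy.get("SitePerProcess") and not policy.get("IsolateOrigins"):
        findings.append("no site isolation: set SitePerProcess or IsolateOrigins")
    default_ext = policy.get("ExtensionSettings", {}).get("*", {})
    blocked = set(default_ext.get("blocked_permissions", []))
    missing = [p for p in CAPTURE_PERMISSIONS if p not in blocked]
    if missing:
        findings.append("extensions may capture webcam/microphone: block "
                        + ", ".join(missing))
    if "runtime_blocked_hosts" not in default_ext:
        findings.append("extensions may read data on visited sites: "
                        "set runtime_blocked_hosts")
    if policy.get("SSLVersionMax") not in (None, "tls1.3"):
        findings.append("TLS 1.3 disabled via SSLVersionMax=%s; remove once "
                        "proxies support it" % policy["SSLVersionMax"])
    return findings


if __name__ == "__main__":
    # Per-site isolation for the sensitive origins, capture permissions and
    # site data blocked for all extensions, TLS 1.3 left enabled.
    policy = build_policy(isolate_origins=SENSITIVE_ORIGINS)
    path = write_policy(policy, "/tmp/chrome-policies/managed")  # real deployments use /etc/opt/chrome/policies/managed
    print("wrote", path)
    print("findings:", audit_policy(load_policy(path)) or "none")
```

`audit_policy` is intentionally strict about `SSLVersionMax`: the article presents the opt-out as a temporary measure for proxy compatibility, so any policy that still caps TLS below 1.3 is reported so it can be revisited once the proxies are updated.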

Chrome version 64, which will be released early next year, will add support for the NTLMv2 authentication protocol that’s already used in Windows, including Extended Protection for Authentication (EPA) on Mac, Android, Linux and Chrome OS. Later, in Chrome 65, NTLMv2 will become the default version of NTLM.

Google also recently announced that next year it plans to block third-party applications—malware and antivirus programs—from injecting code into Chrome. However, over the coming months, the company plans to add a policy that will allow corporate administrators to bypass this restriction if it breaks compatibility with the security applications they use.

“We’re excited to bring new capabilities to IT admins that enhance Chrome’s security and stability,” Matt Blumberg, product manager for Chrome Enterprise, said in a blog post.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
