Google Chrome to support same-site cookies, get anti-fingerprinting protection

[The AchieVer]

Google Chrome to support same-site cookies, get anti-fingerprinting protection

Google announces two new privacy-focused features for Chrome at the I/O 2019 developer conference.

 

 

 

Image: Google // Composition: ZDNet

 

Google plans to add support for two new privacy and security features in Chrome, namely same-site cookies and anti-fingerprinting protection.

 

Both features have been announced today at the company's I/O 2019 developer conference, and no deadlines have been provided for when the two will hit Chrome installations in the coming year.

SAME-SITE COOKIES

The biggest change that Google plans to roll out is in regards to how it treats cookie files.

 

These new controls will be based on a new IETF standard that Chrome and Mozilla developers have been working on for more than three years.

 

This new IETF specification describes a new attribute that can be set inside HTTP headers. Called "SameSite," the attribute must be set by the website owner and should describe the situations in which a site's cookies can be loaded.

 

A SameSite attribute of "strict" will mean the cookie can only be loaded on the "same site." Setting attributes such as "lax" or "none" will allow the cookies to be loaded on other sites as well.

 

 

 

In layman terms, this creates a dividing line between cookies, which will become ether same-site or cross-site cookies.

 

Google hopes that website owners will update their sites and convert old cookies that they were using for sensitive operations, such as login operations and managing per-site settings, to same-site cookies.

 

All old cookies that don't have a SameSite header will automatically use a "none" attribute, and Chrome will consider them as cross-site --or tracking-- cookies.

 

Google said today that it plans to add options in Chrome's setting panel so users can view "how sites are using cookies, as well as simpler controls for cross-site cookies."

 

It is unclear if these "simpler controls" will let users block cross-site (tracking) cookies altogether, but Google promised to preview these features later this year.

 

Firefox has added support for cross-site cookies since April 2018, with the release of Firefox 60. Chrome has supported same-site cookies since 2016, but the browser will start requiring the attribute starting later this year.

 

As an added benefit, websites that use same-site cookies are also protected against a series of attacks, such as cross-site request forgery (CSRF) attacks. Using same-site cookies means malicious code loaded on a third-party website can't pull and read a cookie on another domain --because the "SameSite: strict" attribute in the cookie's header will block this from happening.

 

Even if Google won't deliver on its promise to add controls to block cross-site (tracking) cookies, just by supporting the SameSite attribute, Google will greatly improve the security posture of many websites and web applications, as CRSF attacks are some of the most common today.

 

More details about the SameSite IETF specification --currently a draft-- are available in RFC 6265, on the MDN portal, and in this introductory blog post on Google's web.dev tutorial site.

ANTI-FINGERPRINTING PROTECTION

 

But Google engineers also announced a second major new privacy feature for Chrome today at the I/O 2019 developer conference.

 

According to Google, the company plans to add support for blocking certain types of "user fingerprinting" techniques that are being abused by online advertisers.

 

Google didn't go into details of what types of user fingerprinting techniques it was planning to block. It is worth mentioning that there are many, which range from scanning locally installed system fonts to abusing the HTML5 canvas element, and from measuring a user's device screen size to reading locally installed extensions.

 

The first major browser to block fingerprinting scripts/techniques was the Tor Browsers, which had to do so to prevent the deanonymization of its users. This feature was later backported back into the Firefox browser, just as Mozilla was, too, shifting to a privacy-first approach that the company set on in late 2017.

 

Now, in a I/O conference that has centered around announcements of new privacy-focused services and features for its users, Google said that Chrome would be receiving an anti-fingerprinting feature as well.

 

"Because fingerprinting is neither transparent nor under the user's control, it results in tracking that doesn't respect user choice," the company said today.

 

"This is why Chrome plans to more aggressively restrict fingerprinting across the web. One way in which we'll be doing this is reducing the ways in which browsers can be passively fingerprinted, so that we can detect and intervene against active fingerprinting efforts as they happen."

BUT, WHY!?!

Some users might be asking themselves as to why is Google --a company that makes the bulk of its profit from online advertising and tracking users-- is now shipping these privacy features, which are expected to have a big impact on its business.

 

The answer is simple. With ad blockers extensions that have a "scorched earth" approach to blocking intrusive tracking scripts, Google is attempting to control the eventual decline of online advertising profits.

 

In recent months, the company has gone as far as to include a basic ad blocker inside Chrome and has even attempted to neuter ad blockers through a very controversial update to its extensions ecosystem.

 

Ad blockers are here to stay, and Google's best chance right now is to reduce their damage by setting itself in firm control of what privacy and ad-blocking features users have access to by default --in an attempt to control the entire ecosystem before users get too used to the current state of affairs.

 

 

 

Source

[steven36]

On 5/7/2019 at 9:28 PM, The AchieVer said:

BUT, WHY!?!

 

This is why  Chrome Will Soon Allow Users to Block Tracking Cookies Except Google's

https://beincrypto.com/chrome-will-soon-allow-users-to-block-tracking-cookies-except-googles/

 

It don't protect against Google tracking you 

Quote

 

According to a new report, Chrome will be rolling out tools which allow users to block all tracking cookies. However, there's a catch — these soon-to-be-released tools will not allow users to block tracking cookies from Google.

 

 

When I use Chromium    I  block Google Sites with Cookie  Bro and never sign in .  if you allow cookies to Google  and to sign in you must allow Cookies  they set tracking cookies signed in or signed out . 

[steven36]

Here  another problem with it.

 

Google’s privacy changes are mostly marketing

 

Google’s move will allow users to more easily restrict cookie tracking while preserving their logins and preferences. Blocking third-party cookies — cookies from domains you haven’t directly visited, which are often used to target ads — is an option Chrome users already had, though the option will now become more prominent.

 

But research has shown that the vast majority of people don’t update their browser settings. Most people don’t change the settings on any of their devices, meaning that what a manufacturer or product maker decides to include is what most people will experience.

 

Google itself knows the value of default options. It pays Apple billions of dollars each year to be the default search engine on Apple’s Safari browser.

 

“By not changing the default, by making it optional, Google is relying on people not changing it,” Brendan Eich, co-founder and CEO of Brave, a privacy-oriented web browser and thus a Chrome competitor, told Recode. “Chrome users may never know this is an option.”

 

Eich estimates that people opting out would be in the “single digits.” Google declined to speculate or disclose the percentage of current Chrome users that change their browser settings on the world’s most popular web browser. Chrome has a more than 60 percent global market share.

 

Google’s cookie news comes as regulators are sounding off on privacy, which has become a more important issue to rank-and-file Americans, as calls to break up big tech companies like Google proliferate. Privacy is also becoming something people want to buy. Google’s privacy announcements are an attempt to separate it from other tech giants like Facebook, which has been beleaguered by its many privacy mishaps, and even Apple, which is known for its security but also its price tag. In the privacy department, however, Chrome is still leagues behind Apple’s Safari browser, which has blocked third-party cookies by default for years.

 

Perhaps more important are Google’s other privacy announcements, like making it harder for companies to use fingerprints, which are a cookie workaround that uses your browser information to figure out where else you’ve been. Google is also now requiring that developers state whether cookies can work across sites, which could be used for more stringent control down the road.

Overall, Google’s changes are meaningful, but probably not as much as they are marketing.

 

“It’s a minimal net gain to privacy,” said Wes MacLaggan, SVP of marketing at Marin Software, an online advertising company that uses first-party cookies. “It’s a net gain nevertheless.”

 

Source

 

Only people who knows about privacy and reads  the PC Centric news  will ever change any settings in there browser , most people never do and Google  knows this and they pay apple billions a year because the don't so it just a marketing stunt that don't hurt them because they still tracking you  because the over  2 billion people trapped in there  ecosystem behind there software  gave up there privacy  for free services years ago .

 

So it's laughable to even read that google are making changes like this to give user  a false sense of privacy. It's kind of like the smoke and mirrors Microsoft put in Windows 10 to make the Netherlands  happy , they  got the government after them and are facing  being sued for Anti trust   they could care less about your privacy  but there being forced to put up smoke and mirrors . ( pseudo privacy )