From 10eb45fbe68958300278acb842805a33bd6b7f43 Mon Sep 17 00:00:00 2001 From: heisenburger Date: Fri, 12 Jan 2024 16:25:24 +0100 Subject: [PATCH] link out to posts --- ...1-03-12-mitigating-side-channel-attacks.md | 1 - ...21-a-safer-default-for-navigation-https.md | 1 - .../2021-07-14-increasing-https-adoption.md | 1 - ...nnouncing-launch-of-chrome-root-program.md | 1 - ...22-12-08-introducing-passkeys-in-chrome.md | 1 - _posts/2023-05-02-an-update-on-lock-icon.md | 2 +- ...03-redesigning-chrome-downloads-to-keep.md | 1 - ...-:protecting-chrome-traffic-with-hybrid.md | 3 +- _posts/2023-08-16-towards-https-by-default.md | 1 - ...0-11-unlocking-power-of-tls-certificate.md | 1 - index.html | 31 ++++++------------- 11 files changed, 11 insertions(+), 33 deletions(-) diff --git a/_posts/2021-03-12-mitigating-side-channel-attacks.md b/_posts/2021-03-12-mitigating-side-channel-attacks.md index 8cd7397..389b05b 100644 --- a/_posts/2021-03-12-mitigating-side-channel-attacks.md +++ b/_posts/2021-03-12-mitigating-side-channel-attacks.md @@ -4,7 +4,6 @@ author: Mike West, on behalf of Chrome's Web Platform Security team date: 2021-03-12 source-url: https://blog.chromium.org/2021/03/mitigating-side-channel-attacks.html source-blog: Chromium Blog -excerpt: --- The web platform relies on the [origin](https://developer.mozilla.org/en-US/docs/Glossary/Origin) as a fundamental security boundary, and browsers do a pretty good job at preventing *explicit* leakage of data from one origin to another. Attacks like [Spectre](https://spectreattack.com/), however, show that we still have work to do to mitigate *implicit* data leakage. The side-channels exploited through these attacks prove that [attackers can read any data which enters a process hosting that attackers' code](https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md#introduction). These attacks are [quite practical](https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html) today, and pose a real risk to users. diff --git a/_posts/2021-03-21-a-safer-default-for-navigation-https.md b/_posts/2021-03-21-a-safer-default-for-navigation-https.md index e08ef46..88c29e4 100644 --- a/_posts/2021-03-21-a-safer-default-for-navigation-https.md +++ b/_posts/2021-03-21-a-safer-default-for-navigation-https.md @@ -4,7 +4,6 @@ author: Shweta Panditrao and Mustafa Emre Acer, Chrome team date: 2021-03-21 source-url: https://blog.chromium.org/2021/03/a-safer-default-for-navigation-https.html source-blog: Chromium Blog -excerpt: --- Starting in version 90, Chrome's address bar will use *https://* by default, improving privacy and even loading speed for users visiting websites that support HTTPS. Chrome users who navigate to websites by manually typing a URL often don't include "http://" or "https://". For example, users often type "example.com" instead of "https://example.com" in the address bar. In this case, if it was a user's first visit to a website, Chrome would previously choose *http://* as the default protocol^1^. This was a practical default in the past, when much of the web did not support HTTPS. diff --git a/_posts/2021-07-14-increasing-https-adoption.md b/_posts/2021-07-14-increasing-https-adoption.md index 0d297f3..a9eca6b 100644 --- a/_posts/2021-07-14-increasing-https-adoption.md +++ b/_posts/2021-07-14-increasing-https-adoption.md @@ -4,7 +4,6 @@ author: Shweta Panditrao, Devon O'Brien, Emily Stark, Google Chrome team date: 2021-07-14 source-url: https://blog.chromium.org/2021/07/increasing-https-adoption.html source-blog: Chromium Blog -excerpt: --- When a browser connects to websites over HTTPS (vs. HTTP), eavesdroppers and attackers on the network can't intercept or alter the data that's shared over that connection (including personal info, or even the page itself). This level of privacy and security is vital for the web ecosystem, so Chrome [continues](https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html) [to](https://blog.chromium.org/2020/02/protecting-users-from-insecure.html) [invest](https://blog.chromium.org/2021/03/a-safer-default-for-navigation-https.html) in making HTTPS more widely supported. diff --git a/_posts/2022-09-19-announcing-launch-of-chrome-root-program.md b/_posts/2022-09-19-announcing-launch-of-chrome-root-program.md index 40ed954..4df089e 100644 --- a/_posts/2022-09-19-announcing-launch-of-chrome-root-program.md +++ b/_posts/2022-09-19-announcing-launch-of-chrome-root-program.md @@ -4,7 +4,6 @@ author: Ryan Dickson, Chris Clements, Emily Stark from Chrome Security date: 2022-09-19 source-url: https://blog.chromium.org/2022/09/announcing-launch-of-chrome-root-program.html source-blog: Chromium Blog -excerpt: --- In 2020, we [announced](https://groups.google.com/g/mozilla.dev.security.policy/c/3Q36J4flnQs/m/VyWFiVwrBQAJ) we were in the early phases of establishing the Chrome Root Program and launching the Chrome Root Store. diff --git a/_posts/2022-12-08-introducing-passkeys-in-chrome.md b/_posts/2022-12-08-introducing-passkeys-in-chrome.md index 1b0098f..16376f9 100644 --- a/_posts/2022-12-08-introducing-passkeys-in-chrome.md +++ b/_posts/2022-12-08-introducing-passkeys-in-chrome.md @@ -4,7 +4,6 @@ author: Ali Sarraf, Product Manager, Chrome date: 2022-12-08 source-url: https://blog.chromium.org/2022/12/introducing-passkeys-in-chrome.html source-blog: Chromium Blog -excerpt: --- We [announced in October](https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html) that passkey support was available in Chrome Canary. Today, we are pleased to announce that passkey support is now available in Chrome Stable M108. diff --git a/_posts/2023-05-02-an-update-on-lock-icon.md b/_posts/2023-05-02-an-update-on-lock-icon.md index 9d9d782..b5a3ffd 100644 --- a/_posts/2023-05-02-an-update-on-lock-icon.md +++ b/_posts/2023-05-02-an-update-on-lock-icon.md @@ -4,7 +4,7 @@ author: David Adrian, Serena Chen, Joe DeBlasio, Emily Stark, and Emanuel von Ze date: 2023-05-02 source-url: https://blog.chromium.org/2023/05/an-update-on-lock-icon.html source-blog: Chromium Blog -excerpt: +excerpt: Browsers have shown a lock icon when a site loads over HTTPS since the early versions of Netscape in the 1990s. For the last decade, Chrome participated in a major initiative to increase HTTPS adoption on the web, and to help make the web secure by default. As late as 2013, only 14% of the Alexa Top 1M sites supported HTTPS. Today, however, HTTPS has become the norm and over 95% of page loads in Chrome on Windows are over a secure channel using HTTPS. This is great news for the ecosystem; it also creates an opportunity to re-evaluate how we signal security protections in the browser. In particular, the lock icon. --- _Editor's note: based on industry research (from Chrome and others), and the ubiquity of HTTPS, we will be replacing the lock icon in Chrome's address bar with a new "tune" icon -- both to emphasize that security should be the default state, and to make site settings more accessible. Read on to learn about this multi-year journey._ diff --git a/_posts/2023-08-03-redesigning-chrome-downloads-to-keep.md b/_posts/2023-08-03-redesigning-chrome-downloads-to-keep.md index 1bae879..c8c1df9 100644 --- a/_posts/2023-08-03-redesigning-chrome-downloads-to-keep.md +++ b/_posts/2023-08-03-redesigning-chrome-downloads-to-keep.md @@ -4,7 +4,6 @@ author: Joshua Cruz, Communications Manager date: 2023-08-03 source-url: https://blog.chromium.org/2023/08/redesigning-chrome-downloads-to-keep.html source-blog: Chromium blog -excerpt: --- [![Main image of blog post that showcases the new download experience for Chrome on the right side of the Chrome Address bar.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_Wk6hUyNuwt82auTtHqsRHsnhylPD_2MDzrPZAsUiZdrBPVnVKmJuOXgiUJU-qWB0sTXV8ViI7A7pX4nl8fu4JDsQbWGUWoLQFOrWyh_-eWpvMrvJLrEn_LeDI8bmHAdQSzPAuHgeNzjZ3UHv_QBBcLXnJme9ctfO-szOUh_sxGZFrzkPfnEqo9-fw6st/s16000/DownloadsUI_Header.png)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_Wk6hUyNuwt82auTtHqsRHsnhylPD_2MDzrPZAsUiZdrBPVnVKmJuOXgiUJU-qWB0sTXV8ViI7A7pX4nl8fu4JDsQbWGUWoLQFOrWyh_-eWpvMrvJLrEn_LeDI8bmHAdQSzPAuHgeNzjZ3UHv_QBBcLXnJme9ctfO-szOUh_sxGZFrzkPfnEqo9-fw6st/s6001/DownloadsUI_Header.png) diff --git a/_posts/2023-08-10-:protecting-chrome-traffic-with-hybrid.md b/_posts/2023-08-10-:protecting-chrome-traffic-with-hybrid.md index 9ef90c0..0b1b0bc 100644 --- a/_posts/2023-08-10-:protecting-chrome-traffic-with-hybrid.md +++ b/_posts/2023-08-10-:protecting-chrome-traffic-with-hybrid.md @@ -3,8 +3,7 @@ title: Protecting Chrome Traffic with Hybrid Kyber KEM author: Devon O'Brien, Technical Program Manager, Chrome Security date: 2023-08-10 source-url: https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html -source-blog: -excerpt: +source-blog: Chromium Blog --- Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography. Continuing with our [strategy](https://cloud.google.com/blog/products/identity-security/how-google-is-preparing-for-a-post-quantum-world) for handling this major transition, we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success. diff --git a/_posts/2023-08-16-towards-https-by-default.md b/_posts/2023-08-16-towards-https-by-default.md index 31a2f75..5d9e326 100644 --- a/_posts/2023-08-16-towards-https-by-default.md +++ b/_posts/2023-08-16-towards-https-by-default.md @@ -4,7 +4,6 @@ author: Joe DeBlasio, Chrome Security team date: 2023-08-16 source-url: https://blog.chromium.org/2023/08/towards-https-by-default.html source-blog: Chromium blog -excerpt: --- For the past several years, [more than 90%](https://transparencyreport.google.com/https/overview?hl=en) of Chrome users' navigations have been to HTTPS sites, across all major platforms. Thankfully, that means that most traffic is encrypted and authenticated, and thus safe from network attackers. However, a stubborn 5-10% of traffic has remained on HTTP, allowing attackers to eavesdrop on or change that data. Chrome shows a warning in the address bar when a connection to a site is not secure, but we believe this is insufficient: not only do many people not notice that warning, but by the time someone notices the warning, the damage may already have been done. diff --git a/_posts/2023-10-11-unlocking-power-of-tls-certificate.md b/_posts/2023-10-11-unlocking-power-of-tls-certificate.md index 425979f..a8082cc 100644 --- a/_posts/2023-10-11-unlocking-power-of-tls-certificate.md +++ b/_posts/2023-10-11-unlocking-power-of-tls-certificate.md @@ -4,7 +4,6 @@ author: "Chrome Root Program, Chrome Security Team" date: 2023-10-11 source-url: https://blog.chromium.org/2023/10/unlocking-power-of-tls-certificate.html source-blog: Chromium blog -excerpt: --- TL;DR: Automated certificate issuance and management strengthens the underlying security assurances provided by Transport Layer Security (TLS) by increasing agility and resilience. This post describes the benefits of automation and upcoming changes to the Chrome Root Program policy that represent Chrome Security's ongoing commitment to improving web security. diff --git a/index.html b/index.html index 6665157..f550308 100644 --- a/index.html +++ b/index.html @@ -37,40 +37,27 @@

chrome.security

{% include chromeball-protect.svg %} -

Recent blog posts

- + {% for post in site.posts limit:3 %} +
-

Unlocking the power of TLS certificate automation for a safer and more reliable Internet

-

Wednesday, October 11, 2023

-

TL;DR: Automated certificate issuance and management strengthens the underlying security assurances provided by Transport Layer Security (TLS) by increasing agility and resilience. This post describes the benefits of automation and upcoming changes to the Chrome Root Program policy that represent Chrome Security’s ongoing commitment to improving web security.

-

Keep reading

-
- - -
-

Towards HTTPS by default

-

Wednesday, August 16, 2023

-

For the past several years, more than 90% of Chrome users' navigations have been to HTTPS sites, across all major platforms. Thankfully, that means that most traffic is encrypted and authenticated, and thus safe from network attackers. However, a stubborn 5-10% of traffic has remained on HTTP, allowing attackers to eavesdrop on or change that data. Chrome shows a warning in the address bar when a connection to a site is not secure, but we believe this is insufficient: not only do many people not notice that warning, but by the time someone notices the warning, the damage may already have been done.

-

Keep reading

-
- - -
-

Protecting Chrome Traffic with Hybrid Kyber KEM

-

Thursday, August 10, 2023

-

Teams across Google are working hard to prepare the web for the migration to quantum-resistant cryptography. Continuing with our strategy for handling this major transition, we are updating technical standards, testing and deploying new quantum-resistant algorithms, and working with the broader ecosystem to help ensure this effort is a success.

+ +

{{ post.title }}

+

{{ post.date }}

+

{{ post.excerpt | strip_html }}

Keep reading

+
+ {% endfor %}
-

Hand-crafted links for ✨you✨

+

Hand-crafted links for you

For security researchers...