The latest version of Chrome (v66) launched with Site Isolation, an important security feature that protects against multiple types of bugs, as well as Spectre/Meltdown attacks. The new browser version also stopped trusting website certificates issued by Symantec before June 1, 2016, as was previously announced.
Site Isolation Is Now Live
One important security feature that went live in Chrome 66 is strict site isolation, which is designed to make it difficult for untrusted websites to steal sensitive information from your account on other websites.
Typically, websites can’t access data from other websites due to another security feature called Same Origin Policy. However, sometimes attackers find bugs, such as universal cross-site scripting (UXSS) bugs, in the Same Origin Policy code and are then able to steal data from other websites.
Site Isolation is an additional layer of security that aims to prevent that. It ensures that web pages are always put into different processes and sandboxes that limit what those processes can do. It can also stop speculative side-channel attack techniques, made possible by CPU design flaws such as Spectre and Meltdown. Although Microsoft seems to be working on its own version of Site Isolation, a study comparing the security of major browsers last year showed that Chrome’s Site Isolation is more complete and less prone to being bypassed by attacks.
Windows Defender Protection For Chrome
Chrome got another boost in security, but this time from an unlikely place: Microsoft. Microsoft launched an extension for Chrome called “Windows Defender Protection” that's supposed to defend primarily against phishing attacks or malware-infected websites.
As with any antivirus that wants to protect you from online threats (especially cloud-based ones), there is also a catch: Microsoft will be able to track the websites you visit. The company said that it checks the domain names of the phishing websites and compares it with those on its database:
The Windows Defender Browser Protection extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.If you click a malicious link in an email or navigate to a site designed to trick you into disclosing financial, personal or other sensitive information, or a website that hosts malware, Windows Defender Browser Protection will check it against a constantly updated list of malicious URLs known to Microsoft.If the malicious link matches one on the list, Windows Defender Browser Protection will show a red warning screen letting you know that the web page you are about to visit is known to be harmful, giving you a clear path back to safety with one click.
It’s important to note that Google’s Safe Browsing service (enabled by default in Chrome) already offers the same type of protection. However, Microsoft claimed (opens in new tab) that its own extension catches 99% of the phishing links as opposed to Google's 87% catch rate.
What I am more interested in is that Chrome 66 supports aborting fetches.
"If I click on a *malicious* link Browser Protection will check if the target is on a list."
So no check if the link is benign?
Then only if the target is on the list will a warning appear, even though Browser protection already knows that the link is malicious, because that's what triggered the check in the first place?
*system not used for video editing, designing, rendering, etc.