Search the Community: Showing results for tags 'Google'.
Found 3 results
Revised proposals attempt to address worries over Manifest v3 API changes. Google has proposed changes to its Chrome Extension renovation plan that answer some but not all of the concerns its Manifest v3 technical specification. The initial changes, announced in October last year, set off alarm bells last month when a critical mass of Chrome plugin developers finally realized what Google intended. The Manifest v3 changes represent an attempt to address real issues for users of the Chrome browser, specifically the security and performance implications of third-party code that has access to sensitive data. But the fixes Google initially suggested have broad implications. The Manifest v3 specification would break content and ad blockers, privacy extensions, and a host of other browser add-on code that relies on the ability to intercept requested web content before it gets rendered in the browser. Much of the angst arises from planned changes to the webRequest API, through which Chrome extensions handle incoming web content; Google wants to limit the API and replace it with a neutered version, the declarativeNetRequest API. The trouble is that as initially outlined, declarativeNetRequest is far too limited to accommodate current use cases. If implemented, existing extensions like uBlock Origin will have to be rewritten and won't have the same functionality regardless. Other technical changes have been floated that represent potential problems for existing code, like changes to background pages, but declarativeNetRequest represents the major sticking point. On Friday, Google software engineer Devlin Cronin published an update on Google's plans, insisting that there's too much abuse to maintain the status quo. "Users need to have greater control over the data their extensions can access," he wrote in a message posted to the Chromium Extensions discussion group. At the same time, he reiterated Google's interest in input from the developer community and offered evidence that Google is listening by outlining a less awful version of the declarativeNetRequest API. The tweaked spec will include support for dynamic rules – which content blockers formulate based on incoming content rather than declaring them ahead of time. "We agree that this is valuable in creating sophisticated content blocking extensions, and will be adding support for declarative rules that can be added or removed at runtime to the declarativeNetRequest API," Cronin said. The API will also be able to handle more than 30,000 rules, though how many isn't clear. Cronin insists the number cannot be unbounded to ensure adequate performance. And it will include expanded matching capabilities – necessary for effective filtering – and some request modification capabilities, like the ability to strip cookies. "We are also investigating other conditions and actions that may make sense to add, such as matching based on top-level domain," said Cronin. Other potential issues, like the difficulty of using ServiceWorkers as a replacement for persistent background pages to handle resource-intensive background processes like decryption and DOM parsing, are also being evaluated. "We won’t launch Manifest V3 until it is ready, and there will be a migration period in which we can continue to address feedback and issues," said Cronin. "We will not remove support for Manifest V2 until we are confident in the platform.nge By Thomas Claburn in San Francisco 16 Feb 2019 at 01:48
chain posted a topic in NewsUpdate (Feb 6): We have updated the post to clarify a protocol used in the design is centered around private set intersection.Google helps keep your account safe from hijacking with a defense in depth strategy that spans prevention, detection, and mitigation. As part of this, we regularly reset the passwords of Google accounts affected by third-party data breaches in the event of password reuse. This strategy has helped us protect over 110 million users in the last two years alone. Without these safety measures, users would be at ten times the risk of account hijacking.We want to help you stay safe not just on Google, but elsewhere on the web as well. This is where the new Password Checkup Chrome extension can help. Whenever you sign in to a site, Password Checkup will trigger a warning if the username and password you use is one of over 4 billion credentials that Google knows to be unsafe.Password Checkup was designed jointly with cryptography experts at Stanford University to ensure that Google never learns your username or password, and that any breach data stays safe from wider exposure. Since Password Checkup is an early experiment, we’re sharing the technical details behind our privacy preserving protocol to be transparent about how we keep your data secure. https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html
chain posted a topic in NewsDuring its incessant web crawling, Google's search engine constantly encounters credentials dumped by hackers or left exposed by the careless. And because it can, the ad confectionery copies and encrypts these spilled usernames and passwords. Armed with this info, the Chocolate Factory directed its software engineers, in conjunction with crypto boffins from Stanford University, to create a Chrome browser extension called Password Checkup that allows Chrome users to check to see whether their passwords can be found online. The hope is that users thus warned will get the hint and change the compromised secret. Mozilla's rival browser Firefox implemented a similar service last year called Firefox Monitor that checks a third-party database of exposed credentials called HaveIBeenPwned.com. Users of password management app 1Password also have access to an extension that checks stored credentials against exposed ones using the same service. Google's Password Checkup extension takes a similar approach with its internal dataset of 4bn identifiers. Your password is safe - trust usMembers of Google's security and anti-abuse research team – Jennifer Pullman, Kurt Thomas, and Elie Bursztein – claim that "Google never learns your username or password" even through it collects the data. "At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried," the trio explain in a blog post today. "At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option." The company's supposed ignorance of these secrets arises from repeated hashing and privacy techniques like single-party private information retrieval (PIR) and 1-out-of-N oblivious transfer. https://www.theregister.co.uk/2019/02/05/google_leaked_passwords_chrome_extension/