Google hardens Chrome 13 and 14
Google is experimenting with blocking sites that mix HTTP and HTTPS scripts and with supporting DNSSEC validation of HTTPS sites in the "canary" and development builds of Chrome and Chromium 14. Google has also detailed the enhancements to security in Chrome 13 which recently entered the beta channel.
Chrome 13 is already introducing a number of new experimental security features. It blocks HTTP authentication for resources within a page where the resources are from a different domain. It also adds a first implementation of Mozilla's Content Security Policy to help mitigate cross-site scripting, clickjacking and packet sniffing attacks.
In the recently released Chrome 12, HSTS (HTTP Strict Transport Security) was introduced as a user configurable feature. HSTS allows sites to request that users only communicate with them over HTTPS. In Chrome 13, Google is going one step further by experimenting with building in sites for which this will always be enabled, initially with gmail.com. It has also reduced the number of Certificate Authorities that can vouch for gmail.com's certificates, partly in response to the Comodo breach earlier this year.
In Chrome 14, sites that mix script content retrieved from HTTPS and HTTP sources will be blocked by default, in an attempt to halt "mixed scripting" attacks. The change is part of an experiment to see what impact it will have on users and sites. Web sites that use HTTPS can mix secure content with other content from unsecured HTTP sites; this is called "mixed display". When that content is JavaScript, it is known as "mixed scripting" and it becomes a problem. An attacker can set out to compromise the unsecured HTTP sites and inject their own malicious scripts into those sites which will, in turn, be loaded and executed in the context of the secured HTTPS page.
Many browsers already warn when there is mixed HTTPS/HTTP content on a page. For example, Chrome currently crosses out the padlock and strikes through the https: in the URL bar if there is mixed scripting, or adds a yellow warning triangle if there is mixed content. In Chrome 14, when an HTTPS site attempts to load a script from an HTTP source, a warning will appear and, by default, the script will not be loaded.
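Site operators can check their own HTTPS pages for the two categories described above before the browser starts blocking them. The following Python script is an added example, not code from Google or Chrome; the tracked tag list, the function name audit and all sample hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# <script src> is the article's "mixed scripting"; the media tags below are
# treated as "mixed display" (this tag list is an assumption of the example).
URL_ATTR = {"script": "src", "img": "src", "audio": "src", "video": "src"}


class MixedContentAuditor(HTMLParser):
    """Collects HTTP subresources referenced by a page served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.secure_page = urlsplit(page_url).scheme == "https"
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        raw = dict(attrs).get(URL_ATTR.get(tag, ""))
        if not self.secure_page or not raw:
            return  # plain-HTTP page, inline script, or tag we do not track
        # Resolve relative and protocol-relative URLs against the page URL,
        # so "//cdn.example/lib.js" inherits https and is not flagged.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme == "http":
            kind = "mixed-scripting" if tag == "script" else "mixed-display"
            self.findings.append((kind, tag, resolved))


def audit(page_url, html):
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; all hosts are placeholders.
SAMPLE_HTML = """
<script src="http://widgets.example/tracker.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="/static/app.js"></script>
<script>var inline = 1;</script>
<img src="http://images.example/logo.png">
<IMG SRC=" HTTP://images.example/upper.png ">
"""

if __name__ == "__main__":
    for kind, tag, url in audit("https://shop.example/checkout", SAMPLE_HTML):
        print("block" if kind == "mixed-scripting" else "warn ", kind, url)
```

Findings of kind mixed-scripting correspond to the loads Chrome 14 refuses by default; mixed-display findings correspond to the warning indicator only.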
Another experiment in Chrome 14 is the activation of DNSSEC validation of HTTPS sites. DNSSEC has been designed to prevent DNS cache poisoning attacks which attempt to redirect users to malicious sites by corrupting DNS information. When accessing an HTTPS site, Chrome 14 will now also check that the DNS server that has provided the information is trusted by checking the response was correctly signed and that the digital signature is valid.
(djwm)