Chrome Apes IE8, Adds Clickjacking, XSS Defenses
CWmike writes "Google has announced that it added several new security features to Chrome 4, including two security measures first popularized (some later shot down as having 'zero impact') by rival Microsoft's IE8 last year. The newest 'stable' build of Chrome includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team. The two aped from IE include 'X-Frame-Options,' a security feature that helps sites defend against 'clickjacking' attacks, and cross-site scripting protection. 'In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS,' Barth said. 'The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script.'"
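A simplified model of the check Barth describes, as an added example that is not part of the original story and is not Chrome's filter code. The function names, sample URL and sample page are constructed for illustration.

```javascript
// Added illustration: simplified model of a reflective-XSS check.
// Not Chrome's XSS filter; all names and sample data are constructed.

// Decode a query-string value, tolerating malformed percent-escapes.
function decodeValue(raw) {
  const plusFixed = raw.replace(/\+/g, " ");
  try {
    return decodeURIComponent(plusFixed);
  } catch (e) {
    return plusFixed; // malformed escape: compare the raw text instead
  }
}

// Drop whitespace and case so trivial re-formatting by the server
// does not hide a reflection.
function normalize(s) {
  return s.replace(/\s+/g, "").toLowerCase();
}

// Return the inline script bodies in `html` that also appear in a
// query parameter of `requestUrl` (the request that fetched the page).
function findReflectedScripts(requestUrl, html) {
  const qPos = requestUrl.indexOf("?");
  const query = qPos < 0 ? "" : requestUrl.slice(qPos + 1).split("#")[0];
  const values = query.split("&").filter(Boolean)
    .map(pair => normalize(decodeValue(pair.slice(pair.indexOf("=") + 1))));
  const reflected = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = normalize(m[1]);
    if (body.length === 0) continue; // external or empty script: nothing to compare
    if (values.some(v => v.includes(body))) reflected.push(m[1].trim());
  }
  return reflected;
}

// Constructed sample: the server echoes the "q" parameter into the page.
const SAMPLE_URL =
  "http://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2";
const SAMPLE_HTML =
  "<html><body><script>var cfg = {page: 2};</script>" +
  "<p>Results for <script>alert(1)</script></p></body></html>";

console.log(findReflectedScripts(SAMPLE_URL, SAMPLE_HTML));
```

The page's own script (`var cfg = ...`) is not flagged because it does not occur in the request; only the echoed script is.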
Re:Cross-site scripting (Score:5, Insightful)
At that point you're already a man in the middle and can send whatever you want to the browser, why on earth would you need to exploit XSS vulnerabilities?
Re:Chrome Apes? Moronic Monkies? (Score:1, Insightful)
Believe me, it's used frequently enough for any fluent speaker in conversations, let alone native speakers. It's an old one, besides, I found it in a dictionary from the 1950s.
Dumb article (Score:5, Insightful)
Oh my god Chrome is copying IE by supporting the HTTP header X-Frame-Options that Microsoft wants web developers to start using. Don't they know you're supposed to invent your own browser-specific variation of what your opponent implements?
I also like how they mention Chrome added 5 security features but they only cover the 2 that are already in IE.
It's nice that all of the browsers are adding security features but can we cover one of them without focusing on who did what first?
Re:Chrome Apes? Moronic Monkies? (Score:4, Insightful)
I'm a native English speaker and it seems like a bizarre, stupid usage of the word to me. But then, Slashdot headlines have always had trouble making sense.
Re:Stay classy /. (Score:4, Insightful)
I hope the submitter realized that the only reason MS even bothered with any of this is thanks to them getting an ass pounding over the last few years for not giving a shit about security. You're welcome MS drones.
MS have never got the 'ass pounding' their security record has earned. If the security problems they cause cost them just 1% of what they cost their customers they would be bankrupt fairly quickly.
Software is weird, where else would you not be responsible for the faults in the products you sell?
What's the need for all this security stuff... (Score:3, Insightful)
...when Google goes ahead, tracks your every move, and sells it to the same crooks anyway?
(Not trolling here. As far as I heard, Google does track everything. And as far as I know, Google does sell that information to advertisers as its main business. Finally, as far as I know, those advertisers include all those spamming crooks and their friends.)
Re:What's the need for all this security stuff... (Score:3, Insightful)
And as far as I know, Google does sell that information to advertisers as its main business
Not so sure about that... in their privacy statement, they say that they inform advertisers only about the number of times their ads were clicked (that is, in total, thus no information about individual clicks is released).
Re:Dumb article (Score:4, Insightful)
Google copies Microsoft. Google is showing no imagination. First their own OS, Browser and now security features that MS originally put in their browser.
I didn't know that MS invented operating systems and browsers, and that when you write your own you're copying from MS.
Re:Stay classy /. (Score:1, Insightful)
Because if you were, you probably wouldn't be able to purchase the software as it'd be seriously more expensive than it is today.
Re:Ads (Score:2, Insightful)
Re:Stay classy /. (Score:3, Insightful)
Your house is seriously insecure, even if you have a steel door and window panes made of bullet-proof glass, you probably live in a stick frame building where a drill and a sawz-all can gain me access to the interior in an hour or two. Yet no one seems to get excited about the insecurity of our houses.
When our houses get robbed, we recognize that the wrongdoing is being done by the criminal. Yet when our computers are hacked, we place the wrongdoing on the provider of the software.
I have never really understood why software is held to such lofty standards, particularly on consumer desktops. It would be one thing if file sharing of your entire filesystem was enabled by default in typical software, but let's be real: hacks these days require really clever methods to exploit systems, and if it wasn't for very intelligent, very dedicated people constantly pounding and poking our software, we wouldn't have to worry at all. Yet an uneducated teenager can break into a house in a few minutes with little more than a stick to break a window, and we seem to all go about our day without any outrage at all.
I just don't understand this.