The internet can be a marvelous thing that gives us access to all the world’s information. However, it also gives us access to all the world’s malware. Every browser maker has implemented tougher security in recent years, but Google and Microsoft are particularly intent on competing with each other. In the latest volley, Google has rolled out a major new enterprise security feature in Chrome called site isolation. It’s a stronger version of the browser’s existing sandboxing feature.
Starting in Chrome v63, which is rolling out now, administrators have the option of enabling site isolation on client machines. This feature uses a separate process for each page the user loads, rather than using the main Chrome process for everything in a window. This offers improved security, because even if a site is running malicious code, it cannot access anything else running in Chrome.
Site isolation comes with a major drawback, though. Google explains that running a separate process for each tab consumes more memory, and Chrome is already a bit of a memory hog. Enabling this feature could increase Chrome’s memory usage by 10-20 percent. If a system has lots of extra RAM, this might be a relatively risk-free change.
This change comes as Microsoft has been making a case for its Edge browser on Windows. In a recent update, Edge gained support for hardware-based virtualization that keeps the browser in an isolated process. This protects the operating system from any malware the browser might encounter, and it doesn’t come with the same performance hit as Chrome’s process isolation.
Meanwhile, Google is also moving forward on a plan to revoke trust for certificates issued by Symantec, which it has accused of lax oversight in the way these important cryptographic keys are distributed. Symantec and Google began tussling over the last year when Mozilla developers brought to light some bad practices at Symantec. At that point, Google investigated what appeared to be around 100 incorrectly assigned certificates. It turned out the number was closer to 30,000, which is a huge security issue. Websites that were issued these certificates without proper accreditation might appear legitimate to a browser, but in reality, they could be stealing user information or distributing malware.
Symantec is selling its certificate business to let someone else manage the fallout. Google will begin marking old Symantec certificates as untrusted this coming April with Chrome v66, and all Symantec certificates will be untrusted in late 2018.