Chrome 86 Rolls Out With Massive User Security Enhancements

Google has released Chrome 86 today, October 6th, 2020, to the Stable desktop channel, and it includes numerous security enhancements, features, and APIs for developers.

Chrome 86 brings many security enhancements to both desktop and mobile users in the form of increased password security, protection from insecure downloads and form submissions, and biometric protection when auto-filling saved passwords.

With Chrome 86 now promoted to the Stable channel, Chrome 87 is the new Beta version, and Chrome 88 will be the Canary version.

Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome. The browser will then automatically check for the new update and install it when available.

Chrome gets .well-known/change-password support

Last month, BleepingComputer reported that Google Chrome was adding support for the ‘.well-known/change-password’ file to make it easier to reset breached passwords.

When Chrome performs a password checkup of saved login credentials, if any passwords are involved in data breaches, it will prompt the user to change their password, as shown below.

When clicking on ‘Change password,’ Chrome will connect to a sites ‘.well-known/change-password’ file, which should automatically redirect the user to the site’s password protection page.

If the site does not support the change-password file, it will instead redirect the user to the site’s homepage.

Increased security on Android and iOS

In Google Chrome 83, Google rolled out a new feature called ‘Safety Check’ that performs a checkup of the browser and saved data to ensure it is secure and not compromised.

With the release of Chrome 86 Mobile, Google is enabling this feature in the mobile browser, as shown below.

In May, Google rolled out an Enhanced Safe Browser for Desktop users, and they are now rolling it to out to Android.

With this feature enabled, Chrome for Android users will get real-time protection when browsing the web and downloading files. This increased security is enabled by Chrome sharing additional information with Google Safe Browsing in real-time to check URLs for malicious activity.

Google states with the predictive phishing protections included in Enhanced Safe Browsing, there has been a dramatic drop in users falling for phishing scams.

“Among our users who have enabled checking websites and downloads in real time, our predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites,” Google stated.

iOS users also get a security boost with Chrome 86 with the addition of biometric authentication when auto-filling saved passwords into login forms.

“To improve security on iOS too, we’re introducing a biometric authentication step before Autofilling passwords. On iOS, you’ll now be able to authenticate using Face ID, Touch ID, or their phone passcode,” Google announced today.

Google now blocks mixed content downloads

For some time, Google has been slowly blocking mixed-content information transmitted over Google Chrome.

Mixed content is when files or data are delivered over an insecure HTTP connection when first initiated from HTTPS websites.

With the release of Chrome 86, Google now blocks mixed content downloads for executables and archives. This includes .exe, .apk, .zip, .iso, etc.

If you attempt to initiate a download delivered over insecure HTTP connection when they are first initiated from HTTPS websites, you will see a warning stating “[executable].exe can’t be downloaded securely.”

Also Read: Contract For Service Template: 5 Important Sections

You can test this feature yourself, using this proof of concept page hosted at BleepingComputer.com.

Additionally, Google Chrome 86 will now warn users when they submit insecure mixed content forms that the connection is not completely secure. Chrome will then provide the option to continue submitting the data or go back to the page you were on.

Security vulnerabilities fixed

The Chrome 86 release also includes numerous patches for security vulnerabilities.

The list of vulnerabilities has not been published yet, and this article will be updated when it is released.

Experimental features added in Chrome 86

Google also added new flags to Chrome 86 that allow you to test experimental features, such as the ability to edit saved passwords, disable autofill in mixed-content forms, and view AVIF images.

The new features added in this build are:

Edit passwords in settings  – Enables password editing in settings

Disable autofill for mixed forms – If enabled, autofill is not allowed for mixed forms (forms on HTTPS sites that submit over HTTP), and a warning bubble will be shown instead. Autofill for passwords is not affected by this setting. – Mac, Windows, Linux, Chrome OS, Android

Mixed forms interstitial – When enabled, a full-page interstitial warning is shown when a mixed content form (a form on an HTTPS site that submits over HTTP) is submitted.

Enable Incognito Desktop Shortcut – Enables users to create a desktop shortcut for incognito mode.

H.264 Decoder Buffer Is Complete Frame – H.264 decoder will treat each DecoderBuffer as a complete frame. Defaults to enabled.

Content settings page redesign – Enables a new content settings page UI.

Enable AVIF image format – Adds image decoding support for the AVIF image format.

Chrome 86 users can test these features by going to chrome://flags in the address bar and search for the above descriptions.

Also Read: Top 5 Importance Of Website Maintenance Singapore