A group of researchers say that it will be difficult to avoid Spectre bugs in the future unless CPUs are dramatically overhauled. From a report: Google researchers say that software alone is not enough to prevent the exploitation of the Spectre flaws present in a variety of CPUs. The team of researchers -- including Ross McIlroy, Jaroslav Sevcik, Tobias Tebbi, Ben L Titzer and Toon Verwaest -- work on Chrome's V8 JavaScript engine. The researchers presented their findings in a paper distributed through ArXiv and came to the conclusion that all processors that perform speculative execution will always remain susceptible to various side-channel attacks, despite mitigations that may be discovered in future.

Google has sent out invites to this year's Game Developers Conference (GDC) press event, where the company is expected to unveil a new game streaming product. ExtremeTech reports: There have been rumors about a Google game stream product or service for several years. Initially, leaks pointed to a hardware platform called Yeti that would stream games to a connected display. In late 2018, Google rolled out a game streaming test called Project Stream. To publicize the demo, it worked with Ubisoft to give everyone free access to the new Assassin's Creed Odyssey. Google wrapped up Project Stream in early 2019, offering players a free copy of Assassin's Creed Odyssey as thanks. Of course, you'd need a real gaming PC to run that version.

Google's GDC event will take place on March 19th at 10 AM Pacific. All we know for sure is that Google is there to talk about a gaming project. It just seems extremely likely that it will be a new phase for Project Stream. It might remain browser-only, but Google does have a giant network of TV's out there with Chromecast streaming dongles plugged in. If it could leverage those to stream games, it could instantly have as many eyeballs as Sony or Microsoft.

Microsoft has released an official Timeline extension for Google Chrome called "Web Activities" that brings Timeline integration to Google's web browser. From a report: Just like with Microsoft Edge, this new extension syncs web browsing activities with the Timeline feature on Windows 10, making it easier to pick up old activities and search through webpages you've visited recently. The extension is available now in the Chrome Web Store, and ties with your Microsoft Account.

AmiMoJo writes: When browsing the web with Google Chrome, some sites are using a method to determine if a visitor is in a regular browsing session or in incognito mode. As this can be considered a breach of privacy, Google will be changing how a particular API works so that web sites can no longer utilize this technique.

Chrome supports the FileSystem API, which allows sites to create a virtual file system that lives within the sandbox of the browser. This allows sites that utilize large assets, such as online games, to download these assets to a virtual file system so that they do not have to download them each time they are needed. Currently the FileSystem API is not available in incognito sessions, because it leaves files behind and could be considered a privacy risk. Currently the API doesn't work in incognito mode, offering sites a way to check for it. In a Chrome Gerrit post started this week and updated earlier this morning, Google has stated that they are changing the FileSystem API so that it can be used in incognito mode, without the risks to privacy.

Google has changed its stance on upcoming Chrome Manifest V3 changes as benchmark shows they lied about performance hit. Catalin Cimpanu, writing for ZDNet: A study analyzing the performance of Chrome ad blocker extensions published on Friday has proven wrong claims made by Google developers last month, when a controversy broke out surrounding their decision to modify the Chrome browser in such a way that would have eventually killed off ad blockers and many other extensions. The study, carried out by the team behind the Ghostery ad blocker, found that ad blockers had sub-millisecond impact on Chrome's network requests that could hardly be called a performance hit. Hours after the Ghostery team published its study and benchmark results, the Chrome team backtracked on their planned modifications. At the root of Ghostery's benchmark into ad blocker performance stands Manifest V3, a new standard for developing Chrome extensions that Google announced last October.

An anonymous reader shares a report: Samsung's mobile internet browser, if you ask its users, is pretty great. A lot of folks even say it's better than Chrome. That appreciation has manifested in the app hitting a very exclusive Play Store milestone: Samsung Internet Browser now has more than one billion installs. That impressive figure puts the browser's install base ahead of those of Firefox and Opera combined. Now, there are a couple of caveats here: for one, Samsung's browser comes pre-loaded on Samsung devices, of which each activation counts as an "install." What's more, both Firefox's and Opera's Play Store listings report that each browser has "100,000,000+" installs, which, because of the somewhat silly way figures are reported on Android's app marketplace, means their combined installs total anywhere between 200 million and 999,999,998. Still, though, Samsung's browser is on more devices than the both of 'em.

The Google Play Store has been caught hosting an app designed to steal cryptocurrency from unwitting end users, according to researchers with Eset security company. "The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers," reports Ars Technica. "As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers." From the report: So-called clipper malware has targeted Windows users since at least 2017. The clipper malware available in Google Play impersonated a service called MetaMask, which is designed to allow browsers to run apps that work with the digital coin Ethereum. The primary purpose of Android/Clipper.C, as Eset has dubbed the malware, was to steal credentials needed to gain control of Ethereum funds. It also replaced both bitcoin and Ethereum wallet addresses copied to the clipboard with ones belonging to the attackers. Eset spotted the app shortly after its introduction to Google Play on February 1. Google has since removed it. Stefanko said it's the first time clipper malware has been hosted in the Android app bazaar. Eset malware researcher Lukas Stefanko wrote: "This attack targets users who want to use the mobile version of the MetaMask service, which is designed to run Ethereum decentralized apps in a browser, without having to run a full Ethereum node. However, the service currently does not offer a mobile app -- only add-ons for desktop browsers such as Chrome and Firefox. Several malicious apps have been caught previously on Google Play impersonating MetaMask. However, they merely phished for sensitive information with the goal of accessing the victims' cryptocurrency funds."

Microsoft cybersecurity expert Chris Jackson recently published a post on the official Windows IT Pro blog, titled "The perils of using Internet Explorer as your default browser." Jackson urges users that it's time to stop using its old web browser, a product Microsoft officially discontinued in 2015. From a report: In his post, Jackson explains how Microsoft customers still ask him Internet Explorer related questions for their business. The fact of the matter is that while most average internet users have moved on to Google Chrome, Firefox, or Microsoft's Edge, some businesses are still working with older web apps or sites that were designed for Internet Explorer. Instead of updating its tech, many companies have chosen to just keep using the various enterprise compatibility modes of Microsoft's old web browser. But, Jackson says "enough is enough." It's time to event stop calling Internet Explorer a web browser.

Google Chrome 73, scheduled for release next month, will be the first version of Chrome that will officially support the multimedia keys that some users have on their desk and laptop keyboards, ZDNet reports. From the report: Support for multimedia keys will initially be available for Chrome on Chrome OS, macOS, and Windows, while support for Linux will come later (unspecified date). Users will be able to control both audio and video content played in Chrome, including skipping through playlists. Initial support is planned for multimedia keys such as "play," "pause," "previous track," "next track," "seek backward," and "seek forward." Key presses will be supported at the Chrome level, not the tab level, meaning that multimedia buttons will work regardless if the Chrome browser is in the operating system's foreground or background (minimized).

An anonymous reader quotes a report from ZDNet: After a year of secret preparations, Mozilla has publicly announced plans today to implement a "site isolation" feature, which works by splitting Firefox code in isolated OS processes, on a per-domain (site) basis. The concept behind this feature isn't new, as it's already present in Chrome, since May 2018. Currently, Firefox comes with one process for the browser's user interface, and a few (two to ten) processes for the Firefox code that renders the websites. With Project Fission (as this was named), Firefox split processes will change, and a separate one will be created for each website a user is accessing. This separation will be so fine-grained that just like in Chrome, if there's an iframe on the page, that iframe will receive its own process as well, helping protect users from threat actors that hide malicious code inside iframes (HTML elements that load other websites inside the current website). This is the same approach Chrome has taken with its "Site Isolation."

DuckDuckGo cautions internet users that companies like Google, Facebook, and Twitter, do not respect the "Do Not Track" setting on web browsers. From a report: According to DuckDuckGo's research, over 77% of US adults are not aware of that fact. The "Do Not Track" (DNT) setting on browsers sends signals to web services to stop tracking a user's activity. However, the DNT setting is only a voluntary signal which websites are not obligated to respect. "It can be alarming to realize that Do Not Track is about as foolproof as putting a sign on your front lawn that says "Please, don't look into my house" while all of your blinds remain open."

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."

At some point in the future, Chrome may gain a new feature, dubbed 'Never-Slow Mode', which would trim heavy web pages to keep browsing fast. From a report: The prototype feature is referenced in a work-in-progress commit for the Chromium open-source project. With Never-Slow Mode enabled, it would "enforce per-interaction budgets designed to keep the main thread clean." The design document for Never-Slow Mode hasn't been made public. However, the feature's owner, Chrome developer Alex Russell, has provided a rough outline of how it would work to speed up web pages with large scripts. "Currently blocks large scripts, sets budgets for certain resource types (script, font, css, images), turns off document.write(), clobbers sync XHR, enables client-hints pervasively, and buffers resources without 'Content-Length' set," wrote Russell.

An anonymous reader writes: Starting with Firefox 66 -- scheduled for release on March 19, 2019 -- Mozilla plans to block auto-playing audio on both desktop and mobile -- a feature it began to test on Nightly builds last year. The new rule will apply to any website that plays audio without user interaction in advance -- such as a user clicking a button. The audio autoplay ban will apply to both HTML5 audio and video elements used for media playback in modern browsers, meaning Firefox will block sound coming from both ads and video players, the most common sources of such abuse. Mozilla's move comes almost a year after Chrome took a similar decision to block all auto-playing sound by default with the release of Chrome 66 in April 2018. Microsoft similarly announced plans to block auto-playing sounds in Edge, but the feature never made it to production.

Google today rolled out Instant Tethering to third-party Chromebooks. Fifteen additional Chromebook models and over 30 cell phone models now support the feature. The move is part of Google's strategy of bringing Chrome OS and Android closer together. From a report: Tethering requires switching on your hotspot that uses your phone's mobile data, connecting to it from your other device by entering the password, and disconnecting when you're done. Instant Tethering skips those steps by putting you through an initial set-up process and then just showing a notification with a Connect button when your Chromebook detects that it has no Wi-Fi access. As long as tethering is enabled on your mobile data plan, and you have the data to spare, your Chromebook can always be online. Instant Tethering will also automatically disconnect if it detects 10 minutes of no activity.

Maximiliano Firtman: Chrome 72 for Android shipped the long-awaited Trusted Web Activity feature, which means we can now distribute PWAs in the Google Play Store! I played with the feature for a while, digging into the APIs and here you have a summary of what's going on, what to expect and how to use it today. Chrome 72 for Android is now shipping from the Play Store to all users and this version included Trusted Web Activity (TWA), that in a nutshell is a way to open Chrome in standalone mode (without any toolbar or Chrome UI) within the scope of our own native Android package. Let me start saying that the publishing process is not straightforward as it should be (such as "enter your URL" in the Play Console and it's done). It's also not a way to use the currently available WebAPK and publish it in the store. It's a Java API that communicates through services with Chrome and seem to be in the early stages, so there is a lot of manual work to do yet today.

"In the last year, a swell of privacy-focused website analytics platforms have started to provide an alternative to Google's tracking behemoth," reports Fast Company.

An anonymous reader shares their article about startups providing "privacy-centric analytics, claiming not to collect any personal data and only display simple metrics like page views, referral websites, and screen sizes in clean, pared-down interfaces."

While Simple Analytics and Fathom are both recent additions to the world of privacy-focused data analytics, 1.5% of the internet already uses an open-source, decentralized platform called Matomo, according to the company... "When [Google] released Google Analytics, [it] was obvious to me that a certain percent of the world would want the same technology, but decentralized, where it's not provided by a centralized corporation and you're not dependent on them," says Matthieu Aubry, Matomo's founder. "If you use it on your own server, it's impossible for us to get any data from it."

Aubry says that 99% of Matomo users use the analytics code, which is open for anyone to use, and host their analytics on their own servers -- which means that the company has no access to it whatsoever. For Aubry, that's his way of ensuring privacy by design. United Nations, Amnesty International, NASA, and the European Commission and about 1.5 million other websites use Matomo. But Matomo also offers significantly more robust tracking than Fathom or Simple Analytics -- Aubry says it can do about 95% of what Google Analytics does. Still, there are a few key differences. Like Simple Analytics, Matomo honors Do Not Track....

The rise of these analytics startups speaks to a growing desire for alternatives to the corporate ecosystems controlled by giants like Google, Amazon, and Apple, a swell that has helped privacy-focused search engine Duck Duck Go reach 36 million searches in a day. There's even an entire website dedicated to alternates to all of Google's services. For Aubry of Matomo, this concentration of power in the hands (or servers) of billion-dollar companies is the reason to support smaller, decentralized networks like his own that share code. "We want to control our future technology -- be able to understand it, study it, see what it does beneath the hood," he says. "And when it doesn't work we can fix it ourselves."

Google Chrome browser is set to add a feature that will warn users when accessing sites with domain names that look like authentic websites. From a report: The feature has been in the works for quite some time at Google and is a response to the practice of using typosquatted domains or IDN homograph attacks to lure users on websites they didn't intend to access. Since the release of Chrome Canary 70, Google engineers have been testing a new feature called "Navigation suggestions for lookalike URLs." In Chrome Canary distributions -- Google Chrome's testing ground for new features -- users can access the following URL to enable the feature: chrome://flags/#enable-lookalike-url-navigation-suggestions.

Following Mozilla's footsteps, Google has released Chrome 72 for Windows, Mac, and Linux. From a report: The release includes code injection blocking and new developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers often must make an effort to stay on top of everything available -- as well as what has been deprecated or removed -- most notably, Chrome 72 removes support for Chromecast setup on a computer. To set up a Chromecast, you'll now need to use a mobile device.

As this isn't a major release, there aren't many new features to cover. Chrome 72 for Windows, however, blocks code injections, reducing crashes caused by third-party software. The initiative to block code injections in Chrome started last year, with warnings letting users know that Chrome was fighting back. Those warnings are now gone, and Chrome blocks code injections full stop. Further reading: All the Chromium-based browsers.

An anonymous reader quotes a report from ZDNet: A Microsoft program manager has caused a stir on Twitter over the weekend by suggesting that Firefox-maker Mozilla should give up on its own rendering engine and move on with Chromium. "Thought: It's time for @mozilla to get down from their philosophical ivory tower. The web is dominated by Chromium, if they really 'cared' about the web, they would be contributing instead of building a parallel universe that's used by less than five percent?" wrote Kenneth Auchenberg, who builds web developer tools for Microsoft's Visual Studio Code.

Auchenberg's post referred to Mozilla's response to Microsoft's announcement in December that it would scrap Edge's EdgeHTML rendering engine for Chromium's. The move will leave Firefox's Gecko engine as the only alternative to Chromium, which is used by Opera and dozens of other browsers. Few people agreed with Auchenberg, including engineers from both Mozilla and Chromium. Long-serving Mozillian Asa Dotzler was not impressed. "Just because your employer gave up on its own people and technology doesn't mean that others should follow," Dotzler replied to Auchenberg. Auchenberg clarified that he didn't want to see Mozilla vanish, but said it should reorganize into a research institution "instead of trying to to justify themselves with the 'protectors of the web' narrative."