Google Chrome 46 Boosts Security


In a bid to help simplify security, Google is now reducing the number of page security warnings in its Chrome browser from four to three. The move comes with the release of Chrome 46, which includes 24 different security fixes.

The reduced number of security warnings is a result of Google no longer warning about mixed http/https content with a yellow triangle in the browser bar. Mixed content is a page where some elements on a given webpage are secured by HTTPS, while others are not. Google is helping to push for an HTTPS Everywhere Web now -- but it understands that during the migration process, there will be some mixed content.

"During this process the site may not be fully secured, but it will usually not be less secure than before," Google's Chrome security team wrote in a blog post. "Removing the yellow 'caution triangle' badge means that most users will not perceive a warning on mixed content pages during such a migration. We hope that this will encourage site operators to switch to HTTPS sooner rather than later."

For Google, the removal of the mixed content warning is all about striking a balancing between warning users of risks and encouraging sites to do the right thing when it comes to HTTPS deployment. According to Google, some users have been confused by the yellow triangle that shows up for mixed content pages.

Moving forward, Google plans to further simplify its HTTPS message warnings down to only two.

"In the long term, we hope that most sites on the internet will become secure, and we plan to reduce the icon to just two states: secure and not secure," Google stated.

Reducing warnings isn't the only way that Google is boosting security in Chrome 46. Google is awarding researchers a total of $24,174 for reporting vulnerabilities that are now fixed in Chrome 46.

The top award is an $8,837 bounty awarded to security researcher Mariusz Mlynsk, for CVE-2015-6755, which is identified as a Cross-origin bypass issue in the Blink rendering engine. Google created Blink back in 2013 as a fork of the open-source WebKit rendering engine.

Google is also awarding two different researchers for use-after-free memory errors found in Chrome. CVE-2015-6756 is a use-after-free issue in PDFium that was reported to Google by an anonymous researcher who will now earn $6,337 for the bug. Researcher Collin Payne is being awarded $3,500 for CVE-2015-6757, which is a user-after-free in Chrome's Service Worker library.

Among the other interesting security issues patched in Chrome 46 is CVE-2015-6759, which is an information leakage issue in Chrome's LocalStorage component. Researcher Muneaki Nishimura is credited by Google for discovering the issues and is being awarded a $1,000 bug bounty.

Sean Michael Kerner is a senior editor at eSecurity Planet and Follow him on Twitter @TechJournalist.