Following the Mac, Windows, and Linux release, Chrome 68 is now rolling out to Android. Users will benefit from a new HTTP “Not secure” warning, as well as Spectre and redirect protections. There is also a new “Add to Home screen” prompt and an Android P-like tab switcher.
The latest part of Google’s long-running HTTPS push involves marking HTTP sites as “Not secure” in the Omnibar. A gray “info” icon and text in the top left-corner will warn users, with this behavior first implemented last year with HTTP sites in Incognito mode.
Google first announced this plan two years ago, and notes the increase in HTTPS adoption by operating system:
- 76 percent of Chrome traffic on Android is now protected, up from 42 percent
- 85 percent of Chrome traffic on Chrome OS is now protected, up from 67 percent
- 83 of the top 100 sites on the web use HTTPS by default, up from 37
Also on the security front, Chrome 68 brings Site Isolation to Android. This technique for mitigating Spectre involves rendering pages in separate processes to prevent malicious sites from stealing passwords, cookies, and additional data from other open tabs. It can be manually enabled with the following flag:
Chromium’s Certificate Transparency policy asks Certificate Authorities to maintain publicly available logs for all SSL certificates issued. This is aimed at letting Chrome and other security researches verify best practices. With Chrome 68, all certificates issued after April 30, 2018 have to feature these logs.
Progressive Web Apps now have more control over the “Add to Home screen” prompt and a new mini infobar. Google’s end goal is to add an install button right in the Omnibox. But in the meantime, Chrome will allow developers to surface their own UI informing users that the site can be “installed” to the home screen.
The last version of Chrome began work on a horizontal tab switcher. Tabs overlapped in Chrome 67, but in version 68, the cards are spaced out and the tab switcher looks like Android P’s Recents menu. This is great for visibility with users able to still swipe away cards.
With Chrome 68, a user gesture will be required before the browser automatically navigates to content with a different origin. This is aimed at combating iframe redirects used legitimately by single-sign-on providers and payment processors, but nefariously by sites that send users to unwanted pages.
This protection is similar to pop-up blocking, with users seeing a Chrome UI to confirm the redirect before continuing. The change also applies to “tab-under” when a page opens another window to the intended destination, but navigates the original page to malicious third-party content.
With the Page Lifecycle API, web developers can suspend background web apps and tabs when demanded by the operating system. This is aimed at replicating how Android and iOS can start/stop apps at anytime to manage device resources. Web apps would otherwise run continuously and tax memory, CPU, battery, and network.
Chrome 68 for Android and desktops is rolling out now, with Chrome OS following shortly.