Chrome has a new way to stop Spectre hackers. Too bad it takes more memory
The Chrome change paves the way for more browser security improvements.
Stephen Shanklandprincipal writer
Stephen Shankland has been a reporter at CNET since 1998 and writes about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertiseprocessors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, scienceCredentials
I've been covering the technology industry for 24 years and was a science writer for five years before that. I've got deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and other dee
By adding new compartmentalization technology,
browser has taken a step to keep websites from stealing sensitive data -- but the change means Chrome will need even more memory.
Since Google first released Chrome publicly in 2008, the web browser has divided work among multiple computing processes. That approach helps keep one tab's work from interfering with what's happening in another. Google has been testing a stricter variation of this sort of partitioning to protect against Spectre, a new type of attack that Google and other researchers revealed in January.
But site isolation will help future versions of Chrome with more problems besides just Spectre.
"The best part is coming in a few releases, when site isolation will provide a general mitigation" against two classes of computer attack, remote code execution and universal cross-site scripting, in a key part of Chrome, tweeted Justin Schuh, Chrome's lead security leader, on Thursday.
Uses more memory
Google's site isolation feature is a major change to Chrome. It affects a core part of the browser called the renderer, which turns website programming code into actual pixels on your phone or laptop screen. With site isolation, Chrome splits renderers into separate computing processes more often to wall off data better.
Unfortunately, that means Chrome needs more memory. The increase is about 10 to 13 percent for people with lots of tabs open, Google said in a project document. The good news, though, is that site isolation lets Google relax earlier restrictions on monitoring precise timing of browser actions it had adopted to make Spectre attacks harder.
"Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure," Reis said in the blog post. And it's also working to bring site isolation to Chrome for Android, he said.
"Google invested many engineer-years in a feature that initially seemed hopelessly out of whack from cost/benefit POV [point of view]," he tweeted. Then when Spectre arrived, site isolation suddenly became "an essential defense against a class of attack."
First published July 11, 12:09 p.m. PT.
Update July 13, 9:43 a.m. PT: Adds that site isolation will improve Chrome security beyond addressing Spectre problems.