Linux users who want to view Flash content will soon have no choice but to do it through Google’s Chrome browser.
That’s because Adobe is discontinuing its Flash Player for Linux as a standalone download as of version 11.2, due later this year, it announced on Wednesday. After that point, new versions of the Flash Player browser plugin for Linux will only be available as part of Google Chrome.
Adobe will continue to provide security updates to the standalone Flash Player 11.2 on Linux for five years after its release, it said.
A Dash of ‘Pepper’
Adobe has been working with Google to develop a new API for hosting plugins within the browser, it explained in a blog post on Wednesday, with an eye toward replacing the current Netscape plugin API (NPAPI) currently used by Flash Player.
Called “PPAPI,” or “Pepper,” the new API “aims to provide a layer between the plugin and browser that abstracts away differences between browser and operating system implementations,” the company explained.
Adobe and Google have now created a “Pepper” implementation of Flash Player for all x86/64 platforms supported by the Google Chrome browser, Adobe said. Later this year, Google will begin distributing that new implementation as part of Chrome on all platforms, including Linux.
That, moreover, will apparently be the only way Linux users can get Flash from that point forward. On Windows and other platforms, however, Adobe will continue to support non-”Pepper” plugin APIs, it said.
One Choice Remains
Adobe does plan to provide a debug player implementation of the Flash Player browser plugin on Linux, it said, and will update its whitepaper on the topic once more details are available.
In the meantime, though, there’s no mention of any other browsers being let in on this new Flash Player scheme, and Firefox maker Mozilla has even explicitly stated that it has no interest in working with Pepper.
So, bottom line? First Adobe cut off AIR for Linux; now, if you use Linux and want to see Flash content, it looks like you’re going to have just one choice, and that’s to embrace Google Chrome.
Article source: http://www.pcworld.com/businesscenter/article/250455/for_flash_on_linux_chrome_will_be_users_only_choice.html
Tags: API, First Adobe, Flash Player, Google Chrome
First, Adobe decided to kill off development of the mobile Flash plug-in. This, of course, happened less than a year after Google and Adobe took jabs at Apple because their iOS devices couldn’t render the “whole Web.” Now, Google and Adobe are at it again: they’re making Flash for Linux a Google Chrome exclusive.
Yes, you read that right. Adobe Flash Player 11.2 is the last standalone version that utilizes the NPAPI plug-in architecture. If you’re on Linux and want to view Flash content using a first-party plug-in, your only choice will be to install Google Chrome.
In their blog post announcing the switch, Adobe puts a sunny spin on things — saying that working with Google has afforded them room to develop a version of Flash that utilizes Chrome’s Pepper API that makes cross-platform development a simpler task. Curiously, that cross-platform ease wasn’t enough to convince Google and Adobe to build a version that worked with Chrome for Android. Once the new Pepper-based Flash is ready to roll, Google will start shipping it in Chrome. That’s due to happen at some point later this year.
Adobe continues by saying that the new Flash plug-in will only be distributed as part of Google Chrome. Others who develop browsers — even if they implement support for Pepper — won’t be able to download the PPAPI Flash Player for use with their apps.
What are your choices, then, if you don’t want to use Chrome on Linux? You can roll with an alternative browser and Flash 11.2 or you can use a third-party implementation for .SWF support. You can’t, however, use Chromium or a derivative, as the Flash code is closed source and doesn’t ship with Chrome’s wide-open brother.
More at WebUPD8 and Adobe
Article source: http://www.geek.com/articles/news/adobe-makes-flash-for-linux-a-chrome-exclusive-20120222/
Tags: Adobe Flash Player, Google Chrome, NPAPI, SWF
Stripping OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) checks from Google Chrome could have dangerous implications because it will turn Google into a single point of failure, according to security vendor Symantec.
When accessing a website over HTTPS, browsers check whether its SSL certificate has been revoked by the issuing certificate authority. This is done by querying the CA’s OCSP responder or by checking its published certificate revocation list.
For usability reasons, all major browsers currently ignore OCSP and CRL requests that result in network errors by default, in what is known as a soft fail mechanism. However, some of them do offer users the option to enable hard fail, which triggers errors for every request that goes unanswered.
Adam Langley, security engineer at Google, has announced that Chrome will stop performing OCSP and CRL checks in future versions. Instead, these checks are to be replaced with a locally cached list of revoked certificates that will be kept up to date by Google.
The reasons behind the decision are related to performance and security issues. OCSP and CRL requests increase page load times and are susceptible to blocking by man-in-the-middle attackers or captive portals, websites commonly used by Wi-Fi access points to prevent HTTP connections before users authenticate.
“This is a corner case that happens very infrequently. We argue that one shouldn’t discard OCSP and CRLs because they don’t work in a tiny fraction of cases,” said Fran Rosch, vice president of Trust Services and SSL at Symantec. “His proposal to have the browser maintain a list of revoked certificates turns Google into a single point of failure, which Langley himself agrees is bad engineering practice.”
According to Rosch, the soft fail mechanism currently used by browsers is the real issue, since it allows HTTPS sessions to continue without establishing whether the SSL certificate is valid or not. Symantec has maintained an uptime of 100 percent for its OCSP and CRL services for the past ten years, so CA-level downtime shouldn’t be a concern, he said.
“OCSP clearly does not work today because all major browsers operate it in soft fail mode. That needs fixing,” said Ivan Ristic, director of engineering at security firm Qualys. “My view is that Google should have first made an effort to fix the problem,” he said.
Qualys plans to start a project called “Global OCSP Responder monitoring” which will track the availability of all OCSP responders and identify CAs with unreliable ones. “That would hopefully enable everyone to switch to hard fail by default,” Ristic said.
According to Ristic, the performance issues could be resolved with the help of a technique known as OCSP stapling, which involves the owner of a SSL certificate querying the CA’s OCSP server periodically and caching a signed response. This response would then be served to clients directly without them needing to open a connection to a separate host.
“Even without OCSP stapling, browsers can start to display a website and perform the check in the background, so there’s not going to be an immediate performance impact,” Ristic said. “They could hard fail after a second or two, possibly preventing further interactions with the site.”
Removing OCSP checks from Google Chrome might even have legal implications for users, who won’t be able to claim warranties for damages resulting from the use of bad certificates if the software they rely on doesn’t make an effort to check certificate revocation status, said Eddy Nigg, founder and chief technology officer of certificate authority StartCom, via email.
“Strictly speaking, Google as a relying party and software vendor might not be able to make use of the CA root certificates its browser currently uses, due to non-compliance to those relying party obligations,” Nigg said.
Nigg agreed that the problem is the soft fail mechanism implemented in browsers, which he described as a failure in itself. “It’s rather the browsers that have fairly weak implementations at their side and don’t try hard enough (and smart enough) in order to obtain a status response,” he said.
Article source: http://rss.feedsportal.com/c/270/f/470440/s/1cc94381/l/0Lnews0Btechworld0N0Capplications0C33386850Csymantec0Ecriticises0Egoogle0Efor0Estripping0Esecurity0Ecertificate0Echecks0Efrom0Echrome0C0Dolo0Frss/story01.htm
Tags: CRL, Google Chrome, OCSP, SSL
Stripping OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) checks from Google Chrome could have dangerous implications because it will turn Google into a single point of failure, according to security vendor Symantec.
When accessing a website over HTTPS, browsers check whether its SSL certificate has been revoked by the issuing certificate authority. This is done by querying the CA’s OCSP responder or by checking its published certificate revocation list.
For usability reasons, all major browsers currently ignore OCSP and CRL requests that result in network errors by default, in what is known as a soft fail mechanism. However, some of them do offer users the option to enable hard fail, which triggers errors for every request that goes unanswered.
Adam Langley, security engineer at Google, has announced that Chrome will stop performing OCSP and CRL checks in future versions. Instead, these checks are to be replaced with a locally cached list of revoked certificates that will be kept up to date by Google.
The reasons behind the decision are related to performance and security issues. OCSP and CRL requests increase page load times and are susceptible to blocking by man-in-the-middle attackers or captive portals, websites commonly used by Wi-Fi access points to prevent HTTP connections before users authenticate.
“This is a corner case that happens very infrequently. We argue that one shouldn’t discard OCSP and CRLs because they don’t work in a tiny fraction of cases,” said Fran Rosch, vice president of Trust Services and SSL at Symantec. “His proposal to have the browser maintain a list of revoked certificates turns Google into a single point of failure, which Langley himself agrees is bad engineering practice.”
According to Rosch, the soft fail mechanism currently used by browsers is the real issue, since it allows HTTPS sessions to continue without establishing whether the SSL certificate is valid or not. Symantec has maintained an uptime of 100 percent for its OCSP and CRL services for the past ten years, so CA-level downtime shouldn’t be a concern, he said.
“OCSP clearly does not work today because all major browsers operate it in soft fail mode. That needs fixing,” said Ivan Ristic, director of engineering at security firm Qualys. “My view is that Google should have first made an effort to fix the problem,” he said.
Qualys plans to start a project called “Global OCSP Responder monitoring” which will track the availability of all OCSP responders and identify CAs with unreliable ones. “That would hopefully enable everyone to switch to hard fail by default,” Ristic said.
According to Ristic, the performance issues could be resolved with the help of a technique known as OCSP stapling, which involves the owner of a SSL certificate querying the CA’s OCSP server periodically and caching a signed response. This response would then be served to clients directly without them needing to open a connection to a separate host.
“Even without OCSP stapling, browsers can start to display a website and perform the check in the background, so there’s not going to be an immediate performance impact,” Ristic said. “They could hard fail after a second or two, possibly preventing further interactions with the site.”
Removing OCSP checks from Google Chrome might even have legal implications for users, who won’t be able to claim warranties for damages resulting from the use of bad certificates if the software they rely on doesn’t make an effort to check certificate revocation status, said Eddy Nigg, founder and chief technology officer of certificate authority StartCom, via email.
“Strictly speaking, Google as a relying party and software vendor might not be able to make use of the CA root certificates its browser currently uses, due to non-compliance to those relying party obligations,” Nigg said.
Nigg agreed that the problem is the soft fail mechanism implemented in browsers, which he described as a failure in itself. “It’s rather the browsers that have fairly weak implementations at their side and don’t try hard enough (and smart enough) in order to obtain a status response,” he said.
Article source: http://news.techworld.com/applications/3338685/symantec-criticises-google-for-stripping-security-certificate-checks-from-chrome/
Tags: CRL, Google Chrome, OCSP, SSL
Cameron Rawson, Sun, Feb 19, 2012
The battle of the browsers. It’s on-going. I’ve been a user of Google Chrome since it was released to the public.
Yes, yes – it was a slow start for Chrome, the hype was too much, many left to join the ever-so loved Firefox. I stuck with Chrome to see what I could make of it. I loved it, and as a result – stuck with it.
Chrome is sleek and beautifully simple.
Well, it was. I’m now using Firefox. Since Chrome was released, Mozilla have gone wild, as in — crazy wild with the updating of Firefox. It’s working for them which is great.
I’ve had to quit Chrome.
I really wish I didn’t have to, but I did. The amount of times I would have to exit, re-open in a working day was unbelievable. At least 5 times. I’ve been doing the exact same routine with Firefox and there isn’t one problem. Firefox may not be the pretty little beauty that Chrome is. But Firefox works for me.
Obviously, people have their own preference – like with a smartphone — iPhone/Android/BlackBerry.
It’s however in this case all about Firefox or Chrome.
A month from now I’ll be using Chrome, no doubt. I’m a bit of a wierdo when it’s down to using different ‘stuff’ on my laptop.
Let me know what you use below.
Cameron Rawson
Cameron started blogging early 2010, late to the tech scene as that maybe he’s made a big impact already having been invited to BBC Radio 1 and BBC 1′s Breakfast to discuss technology and the big gadgets of 2010. Not only is Cameron a blogger/writer he also has a radio show on Sine FM in Doncaster. Cameron loves music, radio and technology.
Website – Twitter
jQuery(‘.nrelate_default’).removeClass(‘nrelate_default’);
Firefox, Google Chrome, Mozilla
Article source: http://techleash.com/2012/02/im-now-firefox-not-chrome/
Tags: BBC, Cameron Rawson Cameron, Google Chrome, Website Twitter
SAN FRANCISCO – The mobile web is in its infancy, according to Sundar Pichai, senior vice president of Chrome and Apps at Google, adding that this market will flourish over the next three to five years.
Pichai sat down for a chat during the closing keynote discussion of the 2012 Goldman Sachs Technology and Internet Conference on Thursday afternoon.
See also: Groupon CEO: ‘We’ve cracked the code’
For critics who would ask what is there left to innovate with a browser, Pichai retorted that even though browsers have been around for 15 years, if you make the experience better, people will respond.
There are roughly 200 million Chrome users worldwide, and while Chrome is primarily a desktop experience as part of Google’s dual strategy (Chrome and Android), it’s starting to make its way on to mobile devices.
Last week, Google released a beta version of Chrome for Android for mobile devices running Android 4.0 (Ice Cream Sandwich).
Pichai noted that the “future of Chrome” is pushing the platform across smartphones and tablets. Part of the motivation for pushing Chrome to tablets, in particular, is how much more people use the browser on these devices.
“Users expect a seamless, integrated experience across devices,” Pichai asserted, explaining the necessity (and opportunity) to ensure Chrome’s presence and continuity across Google’s products, from the desktop to mobile devices to Google TV.
The underpinnings to Chrome relies on two things: cloud-based apps and the browser that makes these things work.
Although the Chrome App Store is “in its early days,” according to Pichai, he boasted about its success thus far given that install rates have tripled over the last three months, and there are approximately one million downloads in this space each day.
Pichai didn’t offer many specifics about where the Chrome App Store will go from here, but he did note that we’ll be seeing many more gaming and productivity apps released in the near future.
As far as productivity goes, Pichai pointed towards both Chrome and Google Apps, cloud computing products that are becoming much more popular with businesses trying to wrangle with the bring-your-own-device to work trend.
Businesses want something “that will scale across all this: a cloud-based solution that supports multiple endpoints,” Pichai argued. “That changes the value of Apps significantly.”
But as for any kind of pressure about merging the Android and Chrome platforms into a single unit, Pichai remained mum.
“We don’t know. We will always do the right thing by users,” Pichai said. “People use them differently, and we want to address them differently for today.”
Related:
Article source: http://www.zdnet.com/blog/btl/google-chrome-will-see-greater-expansion-on-mobile-devices/69641
Tags: Chrome App Store, Google Chrome, Panel Social, Related Cheap Android
Google’s Chromium open-source project has revealed what could be a future feature of the Chrome browser: a password generator.
“[Passwords] are easy to use but they are trivial to steal, either through phishing, malware, or a malicious/incompetent site owner,” the design document states, apparently updated on Feb. 14.
As a solution, Google has come up with a way to auto-generate a password, if a user allows it. So far, however, it’s just a work in progress; since it relies on the autocomplete function of a Web site (which must be enabled by the site) Google estimates that it won’t serve to defeat 40 percent to 70 percent of phishing sites.
Google can usually detect if a user clicks on a login field and offer to enter the related password, if a user allows it. Likewise, Chrome can also detect when a user is filling out a password field. When a user then creates a new login and password at a Web site, a “key” icon appears. Clicking it will generate (in Google’s example) a password of “hbXX#2opz7^1,” which contains special characters, numbers, and capital letters – all keys to a cryptographically strong passphrase.
“The reason we don’t just choose a password for them is that many sites have requirements (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters) some of which may be contradictory between sites,” Google says. “So we will choose a default generator that will work on most sites, but users may need to change our password if it doesn’t work.”
So how in the world do you remember a password like that? Chances are, you don’t; in fact, that’s Google’s end game.
“Chrome’s long term solution to this problem is browser sign in plus OpenID,” Google said. “While implementing browser sign in is something that we can control, getting most sites on the internet to use OpenID will take a while. In the meantime it would be nice to have a way to achieve the same affect of having the browser control authentication.”
Chromium is the name of the open-source browser project that Google’s Chrome is built upon; check out PCmag.com’s review of Chrome 17 for the latest updates, or our slideshow below. Anyone is free to take the Chrome source and modify or redistribute it according to the terms of the license; Google uses Chromium, and adds its logo, secure PDF viewer, Flash player, and other additions to generate its custom version.
For more from Mark, follow him on Twitter @MarkHachman.
For the top stories in tech, follow us on Twitter at @PCMag.
Article source: http://www.pcmag.com/article2/0,2817,2400403,00.asp?kc=PCRSS03069TX1K0001121
Tags: Google Chrome, PDF
Google released a new version of its Chrome browser in order to update the bundled Flash Player plug-in and address serious security vulnerabilities.
Google Chrome 17.0.963.56 fixes 12 security flaws, seven of which are considered high severity, four of medium severity and one of low severity.
Security researcher Jüri Aedla received a special $1,337 reward for discovering and reporting an integer overflow vulnerability in libpng, the library used by Chrome to process PNG images.
Other high-severity flaws were identified in the browser’s PDF codecs, its subframe loading, h.264 parsing and path rendering components, as well as its MKV, database, column and counter node handling code.
In theory these vulnerabilities should be considered critical because they could facilitate the remote execution of arbitrary code on the targeted systems.
However, because Google Chrome has a sandboxed architecture, exploiting these vulnerabilities alone would not provide attackers with the necessary level of access to run malicious code.
Six vulnerabilities patched in this release were discovered with the help of an open-source tool called AddressSanitizer, Google Chrome engineer Jason Kersey said in a blog post on February 15.
Chrome 17.0.963.56 also includes a new Flash Player version that Adobe released earlier this week, Kersey said. The Flash Player update addresses seven critical security flaws.
Google paid a total of $6,837 to security researchers who reported vulnerabilities patched in this release. The company recently expanded its Chromium Security Rewards Program to also cover vulnerabilities found in Chrome OS.
Article source: http://rss.feedsportal.com/c/270/f/470440/s/1cb7c931/l/0Lnews0Btechworld0N0Csecurity0C3338140A0Cgoogle0Echrome0Eupdate0Efixes0E120Evulnerabilities0Epatches0Eflash0Eplayer0C0Dolo0Frss/story01.htm
Tags: Flash Player, Google Chrome, Jason Kersey, PNG
Sundar Pichai, senior vice president of Chrome and Apps at Google, talks up the dual strategies of
Android and Chrome, but don’t expect the two platforms to merge anytime soon.
Sundar Pichai, SVP of Chrome, at the company’s Google I/O conference last spring.
(Credit:
Stephen Shankland/CNET)
SAN FRANCISCO–The mobile Web is in its infancy, according to Sundar Pichai, senior vice president of Chrome and Apps at Google, adding that this market will flourish over the next three to five years.
Pichai sat down for a chat during the closing keynote discussion of the 2012 Goldman Sachs Technology and Internet Conference on Thursday afternoon.
For critics who would ask what is there left to innovate with a browser, Pichai retorted that even though browsers have been around for 15 years, if you make the experience better, people will respond.
There are roughly 200 million Chrome users worldwide, and while Chrome is primarily a desktop experience as part of Google’s dual strategy (Chrome and Android), it’s starting to make its way on to mobile devices.
Last week, Google released a beta version of Chrome for Android for mobile devices running Android 4.0 (Ice Cream Sandwich).
Pichai noted that the “future of Chrome” is pushing the platform across smartphones and
tablets. Part of the motivation for pushing Chrome to tablets, in particular, is how much more people use the browser on these devices.
“Users expect a seamless, integrated experience across devices,” Pichai asserted, explaining the necessity (and opportunity) to ensure Chrome’s presence and continuity across Google’s products, from the desktop to mobile devices to Google TV.
The underpinnings to Chrome relies on two things: cloud-based apps and the browser that makes these things work.
Although the Chrome Web Store is “in its early days,” according to Pichai, he boasted about its success thus far given that install rates have tripled over the last three months, and there are approximately one million downloads in this space each day.
Pichai didn’t offer many specifics about where the Chrome App Store will go from here, but he did note that we’ll be seeing many more gaming and productivity apps released in the near future.
As far as productivity goes, Pichai pointed towards both Chrome and Google Apps, cloud computing products that are becoming much more popular with businesses trying to wrangle with the bring-your-own-device to work trend.
Businesses want something “that will scale across all this: a cloud-based solution that supports multiple endpoints,” Pichai argued. “That changes the value of Apps significantly.”
But as for any kind of pressure about merging the Android and Chrome platforms into a single unit, Pichai remained mum.
“We don’t know. We will always do the right thing by users,” Pichai said. “People use them differently, and we want to address them differently for today.”
This story was originally published as “Google Chrome will see greater expansion on mobile devices,” on ZDNet’s Between the Lines.
Article source: http://news.cnet.com/8301-1023_3-57379792-93/google-chrome-will-see-greater-expansion-on-mobile-devices/?part=rss&tag=feed&subj=
Tags: Chrome App Store, Google Chrome, Sundar Pichai, SVP
Sundar Pichai, senior vice president of Chrome and Apps at Google, talks up the dual strategies of
Android and Chrome, but don’t expect the two platforms to merge anytime soon.
Sundar Pichai, SVP of Chrome, at the company’s Google I/O conference last spring.
(Credit:
Stephen Shankland/CNET)
SAN FRANCISCO–The mobile Web is in its infancy, according to Sundar Pichai, senior vice president of Chrome and Apps at Google, adding that this market will flourish over the next three to five years.
Pichai sat down for a chat during the closing keynote discussion of the 2012 Goldman Sachs Technology and Internet Conference on Thursday afternoon.
For critics who would ask what is there left to innovate with a browser, Pichai retorted that even though browsers have been around for 15 years, if you make the experience better, people will respond.
There are roughly 200 million Chrome users worldwide, and while Chrome is primarily a desktop experience as part of Google’s dual strategy (Chrome and Android), it’s starting to make its way on to mobile devices.
Last week, Google released a beta version of Chrome for Android for mobile devices running Android 4.0 (Ice Cream Sandwich).
Pichai noted that the “future of Chrome” is pushing the platform across smartphones and
tablets. Part of the motivation for pushing Chrome to tablets, in particular, is how much more people use the browser on these devices.
“Users expect a seamless, integrated experience across devices,” Pichai asserted, explaining the necessity (and opportunity) to ensure Chrome’s presence and continuity across Google’s products, from the desktop to mobile devices to Google TV.
The underpinnings to Chrome relies on two things: cloud-based apps and the browser that makes these things work.
Although the Chrome Web Store is “in its early days,” according to Pichai, he boasted about its success thus far given that install rates have tripled over the last three months, and there are approximately one million downloads in this space each day.
Pichai didn’t offer many specifics about where the Chrome App Store will go from here, but he did note that we’ll be seeing many more gaming and productivity apps released in the near future.
As far as productivity goes, Pichai pointed towards both Chrome and Google Apps, cloud computing products that are becoming much more popular with businesses trying to wrangle with the bring-your-own-device to work trend.
Businesses want something “that will scale across all this: a cloud-based solution that supports multiple endpoints,” Pichai argued. “That changes the value of Apps significantly.”
But as for any kind of pressure about merging the Android and Chrome platforms into a single unit, Pichai remained mum.
“We don’t know. We will always do the right thing by users,” Pichai said. “People use them differently, and we want to address them differently for today.”
This story was originally published as “Google Chrome will see greater expansion on mobile devices,” on ZDNet’s Between the Lines.
Article source: http://news.cnet.com/8301-1023_3-57379792-93/google-chrome-will-see-greater-expansion-on-mobile-devices/
Tags: Chrome App Store, Google Chrome, Sundar Pichai, SVP
