Google hardens Chrome 13 and 14
Google is experimenting with blocking sites that mix HTTP and HTTPS scripts and with supporting DNSSEC validation of HTTPS sites in the "canary" and development builds of Chrome and ChromiumÂ 14. Google has also detailed the enhancements to security in ChromeÂ 13 which recently entered the beta channel.
Chrome 13 is already introducing a number of new experimental security features. It blocks HTTP authentication for resources within a page where the resources are from a different domain. It also adds a first implementation of Mozilla's Content Security Policy to help mitigate cross site scripting, click jacking and packet sniffing attacks.
In the recently released Chrome 12, HSTS (HTTP Strict Transport Security) was introduced as a user configurable feature. HSTS allows sites to request that users only communicate with them over HTTP. In Chrome 13, Google is going one step further by experimenting with building in sites for which this will always be enabled, initially with gmail.com. It has also reduced the number of Certificate Authorities that can vouch for gmail.com's certificates, partly in response to the Comodo breach earlier this year.
Many browsers already warn when there is mixed HTTPS/HTTP content on a page. For example, Chrome currently crosses out the padlock and strikes through the https: in the URL bar if there is mixed scripting, or adds a yellow warning triangle if there is mixed content. In Chrome 14, when an HTTPS site attempts to load a script from an HTTP source, a warning will appear and, by default, the script will not be loaded.
Another experiment in Chrome 14 is the activation of DNSSEC validation of HTTPS sites. DNSSEC has been designed to prevent DNS cache poisoning attacks which attempt to redirect users to malicious sites by corrupting DNS information. When accessing an HTTPS site, Chrome 14 will now also check that the DNS server that has provided the information is trusted by checking the response was correctly signed and that the digital signature is valid.