Slashdot: News for Nerds

Google Patches 30 Chrome Bugs, Adds Instant Pages

CmdrTaco posted more than 2 years ago | from the not-a-bad-month dept.

JohnBert writes "Google patched 30 vulnerabilities in Chrome, paying out the third-highest bounty total ever for the bugs that outsiders filed with its security team. The company packaged the patches with an update to Chrome 13, adding Instant Pages to the 'stable' channel of the browser. The feature, which Google earlier tucked into Chrome 13 previews, proactively pre-loads some search results to speed up browsing. Google last upgraded Chrome's stable build in early June. Like Mozilla, which this year shifted to a rapid-release schedule, Google produces an update about every six-to-eight weeks. Fourteen of the 30 vulnerabilities patched were rated 'high,' the second-most-serious ranking in Google's four-step scoring system, while nine were pegged 'medium' and the remaining seven were labeled 'low.'"

103 comments

Instant Pages? (3, Insightful)

OverlordQ (264228) | more than 2 years ago | (#36973596)

I thought this was called link prefetching.

Re:Instant Pages? (1)

i kan reed (749298) | more than 2 years ago | (#36973644)

Yep, I remember when Firefox removed this feature because it was only really useful to 56k users.

Re:Instant Pages? (4, Insightful)

Anonymous Coward | more than 2 years ago | (#36973766)

I seem to recall an antivirus software (AVG I think) doing something similar (prefetching and scanning for viruses on search results) and it caused havoc for webmasters.

Re:Instant Pages? (0)

Anonymous Coward | more than 2 years ago | (#36973914)

The conspiracy theorists on the web would question if Google were causing havoc for webmasters deliberately.

Can Google Analytics filter these prefetched pages out as a useful feature?

Re:Instant Pages? (1)

obergfellja (947995) | more than 2 years ago | (#36974460)

Shouldn't Google Analytics and other website analytics force this idea to be a "bot" read, since there wasn't an official delivery rendered by the end user but done by prefetching?

Re:Instant Pages? (1)

Phaeilo (1851394) | more than 2 years ago | (#36975428)

I don't think your browser runs prefetched javascript. So Google Analytics won't be triggered.

Re:Instant Pages? (1)

iceT (68610) | more than 2 years ago | (#36978654)

Think of it as free hits to your website, without getting all those pesky customers...

Re:Instant Pages? (1)

rbrausse (1319883) | more than 2 years ago | (#36973662)

coming to you soon: Google Instant Pages(tm).

the last trademark owner abandoned [uspto.gov] the poor little expression :)

Re:Instant Pages? (3, Interesting)

Bloodwine77 (913355) | more than 2 years ago | (#36973710)

I added a simple check to my scripts long ago that detected Firefox prefetching and threw an HTTP 403 Forbidden status with a "Prefetching not permitted" message. It was straightforward to detect and block.

Hopefully Chrome either makes it easy to detect and block, or at least easy to detect.

Re:Instant Pages? (2, Informative)

Anonymous Coward | more than 2 years ago | (#36974072)

I added a simple check to my scripts long ago that detected Firefox prefetching and threw an HTTP 403 Forbidden status with a "Prefetching not permitted" message. It was straightforward to detect and block.

Hopefully Chrome either makes it easy to detect and block, or at least easy to detect.

Sites must opt-in by changing their HTML. Users can disable it for their browser by unchecking "Predict network actions to improve page load performance" in Settings.

Re:Instant Pages? (4, Informative)

Bloodwine77 (913355) | more than 2 years ago | (#36974094)

I did some Googling and apparently Chrome will send the following header when prefetching:

X-Purpose: instant

http://www.google.com/chrome/intl/en/webmasters-faq.html#instant [google.com]

So it looks like it will be easy for me to block just as I have blocked Firefox prefetches.

Re:Instant Pages? (0)

Anonymous Coward | more than 2 years ago | (#36974930)

I'm curious, why block prefetching? That will remove the faster "user experience". Do you want your visitors to perceive your pages as slow?

Re:Instant Pages? (1)

TheRaven64 (641858) | more than 2 years ago | (#36975010)

Think of a site like the New York Times, which allows you to read n stories for free, and then bounces you to the paywall. If they allow prefetching, then people who use Chrome either always get the stories for free, or they get stories that show up in their search results - but which they don't actually read - counting towards the total. Other sites that change some global state when real humans look at them may do the same thing.
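An added example, not code from any commenter: a Node-style request handler for the check discussed in the comments above. It refuses requests carrying the `X-Purpose: instant` or `X-moz: prefetch` header named in this thread, so a speculative load neither spends nor sidesteps a metered-article counter. `req.sessionId`, `/subscribe`, `freeLimit` and `render` are assumptions made for the illustration.

```javascript
// Added example, not from the thread. Header names and values are the ones
// quoted in the comments; everything else is an assumption for illustration.
const SPECULATIVE_HEADERS = {
  'x-purpose': ['instant'], // Chrome Instant Pages, per the webmaster FAQ link
  'x-moz': ['prefetch'],    // Firefox link prefetching
};

// Node lower-cases header names. Returns the matching header name or null.
function speculativeMarker(headers) {
  for (const [name, values] of Object.entries(SPECULATIVE_HEADERS)) {
    const raw = headers[name];
    if (typeof raw !== 'string') continue;
    // Tolerate casing, whitespace and trailing parameters in the value.
    const token = raw.split(/[;,]/)[0].trim().toLowerCase();
    if (values.includes(token)) return name;
  }
  return null;
}

// Builds a (req, res) handler usable with http.createServer().
// Assumed: req.sessionId is set by earlier (hypothetical) session middleware,
// render(req) returns the article body, '/subscribe' is the paywall URL.
function createMeteredHandler({ freeLimit, render }) {
  const reads = new Map(); // sessionId -> articles counted so far
  const stats = { served: 0, refusedSpeculative: 0, paywalled: 0 };

  function handle(req, res) {
    if (speculativeMarker(req.headers)) {
      // Refuse instead of "serve but don't count": the header is set by the
      // client, so it can only be trusted to reduce what a request gets.
      stats.refusedSpeculative += 1;
      res.writeHead(403, {
        'Content-Type': 'text/plain',
        'Cache-Control': 'no-store', // the real click must reach the server
        'Vary': 'X-Purpose, X-moz',  // keep shared caches from mixing the two
      });
      res.end('Prefetching not permitted');
      return;
    }
    const used = reads.get(req.sessionId) || 0;
    if (used >= freeLimit) {
      stats.paywalled += 1;
      res.writeHead(302, { Location: '/subscribe', 'Cache-Control': 'no-store' });
      res.end();
      return;
    }
    reads.set(req.sessionId, used + 1); // only a real view spends the quota
    stats.served += 1;
    res.writeHead(200, { 'Content-Type': 'text/html', 'Cache-Control': 'private' });
    res.end(render(req));
  }
  return { handle, stats, reads };
}

// Constructed requests: one prerender and three real views from one session.
function runDemo() {
  const { handle, stats } = createMeteredHandler({
    freeLimit: 2,
    render: () => '<h1>story</h1>',
  });
  const statuses = [];
  const res = { writeHead: (code) => statuses.push(code), end: () => {} };
  const requests = [
    { url: '/story/1', sessionId: 's1', headers: { 'x-purpose': 'Instant' } },
    { url: '/story/1', sessionId: 's1', headers: {} },
    { url: '/story/2', sessionId: 's1', headers: { 'x-moz': 'none' } },
    { url: '/story/3', sessionId: 's1', headers: {} },
  ];
  requests.forEach((req) => handle(req, res));
  return { statuses, stats };
}

console.log(runDemo());
```

The 403 is sent with `Cache-Control: no-store` so that the visitor who does click gets a fresh request rather than the refusal.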

Re:Instant Pages? (1)

Anonymous Brave Guy (457657) | more than 2 years ago | (#36975098)

Because bandwidth costs money, in a nutshell. There's no point spending that money to provide a page the user may never see.

The same argument applies in reverse. We don't all have effectively unlimited broadband caps, and I will not thank Google if it starts randomly downloading pages with accompanying multimedia content to use up mine.

(My sites show up plenty fast enough on demand for my visitors, and the only sites I use where speed is a real problem would be unlikely to benefit much from this feature since I'd have to log in first to see the real content anyway.)

How much are you saving? (1)

Crag (18776) | more than 2 years ago | (#36975654)

Do you log details of blocked pre-fetches? Do you have data on what portion of blocked pre-fetches were then followed by real visitors? You say "My sites show up plenty fast enough on demand for my visitors, ..." but does that apply well to heavily bandwidth-constrained users? Modems may be old-fashioned, but mobile and wireless users still frequently get poor network performance. Do you have data on how fast all of your visitors download your pages?

You may well have done all the analysis and come up with the best cost-vs-benefit balanced solution, but I would worry about premature optimization in a situation like this. Pre-fetching doesn't exist at random. It solves a real problem and your defeating of the mechanism has real costs which are less obvious to you than they are to some of your visitors.

If you have done this analysis, it would make an interesting read and you should submit it as a /. story.

Re:How much are you saving? (1)

Anonymous Brave Guy (457657) | more than 2 years ago | (#36975946)

I'm a contractor, so I've worked on quite a few projects within a relatively short space of time. Few of them block prefetching techniques in practice as far as I know, but several of them keep quite careful metrics about user download performance, particularly those serving multimedia content of one kind or another, and they are certainly healthy enough for their intended user bases without prefetching.

I'm not arguing that prefetching should always be disabled, BTW, just pointing out a possible reason why some content providers might choose to do so. This is an industry where big players literally remove all of the unnecessary spaces from their HTML files or serve "broken" content with missing closing tags, because a small reduction in file sizes multiplied by a large number of visitors can still equal a significant amount of extra hardware and/or bandwidth you don't have to pay for.

Obviously that sort of argument doesn't apply to most smaller sites, but then I guess most smaller sites wouldn't know or care about blocking prefetching either.

Why would you do that? (0)

Anonymous Coward | more than 2 years ago | (#36976972)

Just out of curiosity, why would you do that in this day and age? If it makes the user experience better without me having to do anything, I am all for it. I certainly do not want users to think my site noticeably slower than my competitions'. As for bandwidth, server resources and so on.. in 2011, do you even notice this? I have 800,000 hits a month (good sized site, but not huge), and I wouldn't.

Re:Instant Pages? (3, Informative)

alendit (1454311) | more than 2 years ago | (#36973794)

As far as I understood, Instant Pages not only prefetches the top hit in your search but also renders the page in the background. Didn't find any original announcement from Google, but here you can read some more about it: http://www.ecreativeim.com/blog/2011/06/google-announces-chrome-only-instant-pages/ [ecreativeim.com].

Re:Instant Pages? (0)

Anonymous Coward | more than 2 years ago | (#36974098)

That's an awesome feature. I can now be infected automatically. I can't tell you how many times the top result has been some malware/scam website. <3 Google.

Re:Instant Pages? (0)

Anonymous Coward | more than 2 years ago | (#36974206)

This will be taken care of by the soon to be announced Google AV.

Re:Instant Pages? (2)

tapo (855172) | more than 2 years ago | (#36973866)

The difference is in implementation. Link prefetching was already supported in Chrome (and Firefox), which fetches the page in the background and stores the results in cache. Chrome 13 goes a step farther, actually prerendering the page in the background if requested (including running Javascript).

Implementation details are here: http://code.google.com/chrome/whitepapers/prerender.html [google.com]

Re:Instant Pages? (4, Insightful)

HarrySquatter (1698416) | more than 2 years ago | (#36974232)

Chrome 13 goes a step farther, actually prerendering the page in the background if requested (including running Javascript).

Better hope that it's not a malware page or something trying to use an XSS exploit. Be exploited before you even clicked the link! Brilliant!

Re:Instant Pages? (1)

Smauler (915644) | more than 2 years ago | (#36975510)

I agree - this could be a very serious exploit route. Well-meaning sites could easily be spammed with malware site links, and preloading links will completely fubar any sense of trust in that site. Pre-loading is diabolical anyway, for anyone who has a bandwidth cap, and uses it.

Re:Instant Pages? (1)

cyfer2000 (548592) | more than 2 years ago | (#36974588)

Does this feature draw juice from my notebook batteries?

Re:Instant Pages? (0)

Anonymous Coward | more than 2 years ago | (#36975018)

No, this feature is implemented purely with non-electricity-requiring assembler instructions.

first post (-1)

Anonymous Coward | more than 2 years ago | (#36973614)

via Instant Posting

I can see a couple issues (1)

Bloodwine77 (913355) | more than 2 years ago | (#36973660)

The first issue is this is going to play havoc with traffic analytics and tracking. I'm sure Google Analytics will handle Chrome's Instant Pages just fine, but everybody else will have to figure out how to ignore Chrome pre-loads. I did some searching and they are adding a Visibility API to Chrome to allow authors of other traffic reporting packages to handle the difference. Hopefully the Visibility will be pretty straightforward and not require a lot of extra work.

The other issue is that this is going to eat up more hosting bandwidth. Popular websites that appear near the top are going to incur bandwidth usage that may never actually be actively used by the potential visitor.

Re:I can see a couple issues (4, Interesting)

Anonymous Coward | more than 2 years ago | (#36973716)

The first issue is this is going to play havoc with traffic analytics and tracking.

Good. If information about my browsing habits starts to become unusable then perhaps they will stop tracking it.

Re:I can see a couple issues (3, Informative)

Anonymous Brave Guy (457657) | more than 2 years ago | (#36975130)

If information about my browsing habits starts to become unusable then perhaps they will stop tracking it.

I'm about as pro-privacy as they come on this issue, but even I don't mind a web site doing analytics within its own domain to see which types of content are most popular so they can be prioritised, optimise navigation based on users actual needs, etc. It's the cross-site/cross-visit tracking that is creepy, IMHO, particularly if associated with any other data previously known only to some of those sites.

Re:I can see a couple issues (0)

Anonymous Coward | more than 2 years ago | (#36977032)

then you shouldn't like the pre-fetch
considering all analytics software will have to be updated to account for the non-click/navigation

of course Google doesn't mind given its analytics software will simply work in conjunction with its search engine to determine which are the real and fake clicks
and given it's installed across any number of websites, having a Chrome browser only world will do wonders for Google

Re:I can see a couple issues (0)

Anonymous Coward | more than 2 years ago | (#36974244)

It looks like this is going to be more focused on the web sites than for the search pages. From what I am reading it is up to the site author to specify on their page what to pre-render and you can only pre-render one page per Chrome instance.

As Google says in their write-up on this, it is good for things like multi-page articles, where the author is pretty sure what the next page is that the user is going to visit... the "next" page.

Re:I can see a couple issues (1)

bberens (965711) | more than 2 years ago | (#36974436)

The prefetching mechanism passes a special header so anyone in the analytics business will know to ignore those requests.

Re:I can see a couple issues (1)

TheRaven64 (641858) | more than 2 years ago | (#36975106)

Unfortunately, you don't always want to ignore them. The browser will fetch the page and prerender it. It may or may not then display it. You want to ignore the cases where it doesn't display it, but you don't count the cases where it does. Does it send another request to the server saying 'okay, actually displaying the page now'? If not, then this is going to cause problems for Google's accounting for adverts. My cynical guess is that the fix will be to count prefetch pages when charging advertisers, but not count them when paying pages that show advertising.

Does instant pages pump up the hit count? (1)

bareman (60518) | more than 2 years ago | (#36973696)

If the browser starts preloading high ranked pages that I'm not interested in, and do not click on, doesn't that falsely inflate usage statistics on those sites?

Re:Does instant pages pump up the hit count? (1)

Bloodwine77 (913355) | more than 2 years ago | (#36973752)

It looks like they are going to try to address that with the upcoming Visibility API:

http://code.google.com/chrome/whitepapers/pagevisibility.html [google.com]

However, it seems to be JavaScript based which, at least to me, is not a desirable way to determine whether or not the page is being pre-loaded.

At least Firefox sent a "X-moz: prefetch" header which I used to ignore the traffic on those requests.
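An added example, not code from the thread or from Google's whitepaper: page-side counting that uses the Visibility API mentioned above to record a view only once the page is actually shown, which is the "actually displaying the page now" signal asked about earlier in the thread. The `send` callback and the `/stats/view` URL are assumptions.

```javascript
// Added example, not from the thread. `send` is a hypothetical callback that
// records one page view (for instance by posting to the site's own stats URL).
function countViewWhenShown(doc, send) {
  // Chrome 13 shipped the API with a webkit prefix; unprefixed names came later.
  let stateKey = null;
  let eventName = null;
  if ('visibilityState' in doc) {
    stateKey = 'visibilityState';
    eventName = 'visibilitychange';
  } else if ('webkitVisibilityState' in doc) {
    stateKey = 'webkitVisibilityState';
    eventName = 'webkitvisibilitychange';
  }

  // Without the API the page cannot tell, so fall back to counting on load.
  const initialState = stateKey ? doc[stateKey] : 'unsupported';
  let counted = false;

  function report() {
    counted = true;
    if (eventName) doc.removeEventListener(eventName, onChange);
    // initialState lets the stats separate prerendered-then-shown pages
    // from ordinary loads.
    send({ url: doc.URL, initialState });
  }

  function onChange() {
    // 'prerender' and 'hidden' both mean nobody is looking at the page yet.
    if (!counted && doc[stateKey] === 'visible') report();
  }

  if (!stateKey || initialState === 'visible') {
    report();
  } else {
    doc.addEventListener(eventName, onChange);
  }
  return () => counted; // lets callers ask whether the view has been sent
}

// Browser wiring; skipped when no DOM is present. '/stats/view' is hypothetical.
if (typeof document !== 'undefined') {
  countViewWhenShown(document, (view) =>
    navigator.sendBeacon('/stats/view', JSON.stringify(view)));
}
```

A page that is prerendered and then discarded never reaches the `visible` state, so it never reports a view. Clients with JavaScript disabled report nothing either, which is the limitation raised in the comments.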

Re:Does instant pages pump up the hit count? (1)

bhcompy (1877290) | more than 2 years ago | (#36973812)

So because I only enable javascript when I want to they'll never know I was viewing the page?

Re:Does instant pages pump up the hit count? (1)

bberens (965711) | more than 2 years ago | (#36974448)

Chrome has a similar header

Re:Does instant pages pump up the hit count? (1)

JiveDonut (135491) | more than 2 years ago | (#36973836)

Yes it does. I have a very low traffic blog so I can see the results easily. Doing a search where my posts come up in the first page of results causes each page to register two pageviews in the blogger stats for each one.

Re:Does instant pages pump up the hit count? (1)

SmilingBoy (686281) | more than 2 years ago | (#36974860)

Doing a search where my posts come up in the first page of results causes each page to register two pageviews in the blogger stats for each one.

Why two?

Still No MRU Tabs (0)

Anonymous Coward | more than 2 years ago | (#36973740)

Until Chrome finally adds most-recently-used tab order for switching between tabs, there are a lot of people [google.com] who won't touch it, no matter what other changes you make to the browser.

Re:Still No MRU Tabs (1)

BlueMikey (1112869) | more than 2 years ago | (#36974088)

Why do you care if this is built in to Chrome? There are extensions that add this behavior.

Re:Still No MRU Tabs (1)

HarrySquatter (1698416) | more than 2 years ago | (#36974258)

Because one shouldn't need to install an extension for such a basic feature?

Re:Still No MRU Tabs (1)

BlueMikey (1112869) | more than 2 years ago | (#36974366)

That's not a reason to not use the browser though. If Chrome is superior except for one feature that can be fixed by an extension that takes 30 seconds to install once at the same time you install the browser, that's a really stupid reason to avoid the browser. Trying to add every single feature that every single person wants (and I don't consider this to be a necessary feature, especially considering there are better ways to switch tabs) just leads to a bloated browser, which Google wanted to avoid.

If you could buy a really great, affordable car, and the car's only downside was crummy factory tires, you buy the car and you put on some tires of your own choosing. You don't go buy a crappy car just because it has nice tires.

Re:Still No MRU Tabs (0)

Anonymous Coward | more than 2 years ago | (#36979352)

Because Chrome prevents extensions from altering the CTRL-TAB behaviour. You can install an extension that uses, e.g. CTRL-` but you CANNOT have CTRL-TAB do anything other than cycle through all tabs in sequential order.....

you know what speeds up my browsing (0)

Osgeld (1900440) | more than 2 years ago | (#36973742)

It's when the page doesn't update every fucking time I type in a letter, frantically trying to guess what I mean, often with not even funny anymore horseshit.

Let me type, and when I am good and GD ready for the query to be executed, then I will hit enter.

Re:you know what speeds up my browsing (2)

geekoid (135745) | more than 2 years ago | (#36973782)

Then turn it off.

Sheesh.

Re:you know what speeds up my browsing (1)

Osgeld (1900440) | more than 2 years ago | (#36973862)

Then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn off the fucker, what if I am one of those people who clear cookies every time my browser closed

Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, it's not that fucking hard, but NO they want to shove it down your throat so it's inconvenient to not use it

Re:you know what speeds up my browsing (1)

Osgeld (1900440) | more than 2 years ago | (#36973898)

I am just going to copy paste this since everyone in Slashdot just accepts whatever "features" they want to shove down our throats and I don't feel like typing it out for a dozen sheep

"then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn off the fucker, what if I am one of those people who clear cookies every time my browser closed

Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, it's not that fucking hard, but NO they want to shove it down your throat so it's inconvenient to not use it"

Re:you know what speeds up my browsing (0)

Anonymous Coward | more than 2 years ago | (#36974228)

/wrists

Re:you know what speeds up my browsing (1)

Calos (2281322) | more than 2 years ago | (#36974306)

You must type really slow or something.

In my experience, it only manages to fire off one or two DNS queries before I hit enter, much less load a page. When I am stuck - usually when I'm using it to search my history or the name of a site I can't quite remember - it's always seemed very helpful.

IMHO and YMMV and all that, but for the sake of your health, take a deep breath and calm down :)

Re:you know what speeds up my browsing (1)

bhcompy (1877290) | more than 2 years ago | (#36973826)

You can disable instant searching (for now)

Re:you know what speeds up my browsing (1)

Osgeld (1900440) | more than 2 years ago | (#36973918)

I am just going to copy paste this since everyone in Slashdot just accepts whatever "features" they want to shove down our throats and I don't feel like typing it out for a dozen sheep

"then it pops up on the next computer I use, maybe I want to delete cookies then I have to constantly turn off the fucker, what if I am one of those people who clear cookies every time my browser closed

Sheesh they can handle my documents just fine, I am almost always signed in MAKE IT AN ACCOUNT SETTING, it's not that fucking hard, but NO they want to shove it down your throat so it's inconvenient to not use it"

Re:you know what speeds up my browsing (1)

Atzanteol (99067) | more than 2 years ago | (#36974104)

You're always signed in, yet clearing cookies and using other people's browsers?

Re:you know what speeds up my browsing (1)

Osgeld (1900440) | more than 2 years ago | (#36975082)

Um, yeah, Firefox just decides to do it once in a while, and 2, it's not other people's, it's my computers at home and at work

Re:you know what speeds up my browsing (1)

TheRaven64 (641858) | more than 2 years ago | (#36975150)

Only if you allow google to place a tracking cookie on your system. Contrast this with how DuckDuckGo handles preferences: the cookie that you set contains a string with one flag for each preference setting, and can be added to the URL if you don't want a cookie. If two users have the same preferences, then they have the same cookie / preferences string, and so can't be tracked based on the cookie.

Re:you know what speeds up my browsing (1)

Archangel Michael (180766) | more than 2 years ago | (#36973948)

So, what you're saying is that when you're searching for porn and it is recommending non-porn search terms, it isn't helpful? ;)

Re:you know what speeds up my browsing (1)

Osgeld (1900440) | more than 2 years ago | (#36975122)

No, like when I was going to look for a specific electronics part and it brings up doggies, yes Google perfect I have never searched for doggies in my entire life but I am constantly ordering diodes, thank you for your great service, it makes googling for something with my laptop impossible

and yet I have to google "something" just to have the option of shutting it off

Re:you know what speeds up my browsing (1)

Archangel Michael (180766) | more than 2 years ago | (#36980396)

Just tried typing DIode into google. Not a single DOggie reference as I typed. In fact ....

D ... Dictionary.reference.com (and several other such)
I. ... Dictionary.reference.com (no change)
O ... Diocese and a bunch of Catholic sites.
D ... Diodes .... wikipedia entry on top.

Re:you know what speeds up my browsing (1)

doti (966971) | more than 2 years ago | (#36974216)

I don't see this because I never use the google.com search page, I use quicksearch instead (Firefox feature since 0.x days).

search, go to jail (2)

box4831 (1126771) | more than 2 years ago | (#36973754)

proactively pre-loads some search results to speed up browsing

God help you if you search for 'child pore cleansing products' with google instant search turned on~

Re:search, go to jail (2)

IAmGarethAdams (990037) | more than 2 years ago | (#36973878)

Well, after you type the 'r' in 'pore', Google will stop showing you any Instant search results

Re:search, go to jail (2)

MrHanky (141717) | more than 2 years ago | (#36974004)

But that's only because they forward your search to the FBI, who doesn't have a public search engine.

Re:search, go to jail (1)

bberens (965711) | more than 2 years ago | (#36974470)

Adult material does not show up in the instant search results.

THIRTY vulnerabilities? (0)

Anonymous Coward | more than 2 years ago | (#36973770)

Good Lord! Did Google hire away the IE guys from Microsoft or something?

Re:THIRTY vulnerabilities? (1)

NevarMore (248971) | more than 2 years ago | (#36973972)

Good Lord! Did Google hire away the IE guys from Microsoft or something?

No. If they did the vulns wouldn't be getting patched.

Re:THIRTY vulnerabilities? (0)

Anonymous Coward | more than 2 years ago | (#36974670)

Nope. OP was correct. Google could have two teams, the first team of former IE developers to create the vulnerabilities, and the second team of home grown talent to patch them up.

Caps? (4, Insightful)

Anonymous Coward | more than 2 years ago | (#36973784)

Won't this help you burn through your usage caps in the background?

Re:Caps? (1)

Calos (2281322) | more than 2 years ago | (#36974492)

What are caps for most people these days? Usually I see 150-250 GB; once, I've encountered 50 GB, so I sent them a letter letting them know I wouldn't be purchasing their service and told them who I was going with and why.

Seems like a few extra pageloads would be insignificant. If you query Google 20 times a day, and as a result, incur 5*20=100 extra pageloads... how big is a page? Loading the /. homepage, I use 519 KB. Ars Technica: 868 KB. Facebook: 417 KB. CNN: 889 KB. And this is assuming no content is cached; if I don't force a refresh of everything on the page, I use 1/4 or less of these amounts.

So if we're generous, we'll call it 1 MB/page * 100 pages/day * 31 days/month = an additional ~3 GB. So, an extra couple percent, for what I've seen from most ISPs in the States, and maybe as high as 6% - of course dependent on the number of searches one makes.

But this isn't anything new. Prefetching has been around for some time. This new feature just takes the additional step of rendering the prefetched pages, instead of waiting to render if the user decides to go there. The "damage" of prefetching could very well be already factored in to your current usage.

Re:Caps? (1)

Calos (2281322) | more than 2 years ago | (#36974614)

Oh, I should add: I use a script blocking extension as well as Privoxy. Because I do use the tested sites somewhat, chances are some of the scripts are enabled, but Privoxy will crunch ads and certain scripts anyway, and I have it set up to block any kind of Facebook Open Graph stuff, as well as Share This On (Digg|Twitter|Facebook|Reddit) things, and other random things. So, the 1 MB/page may not be quite so generous, but probably not far off the mark.

On the other hand, it very well could be that the people most likely to run into cap limitations are the types who know their way around the computer well enough to install, say, Adblock Plus.

Re:Caps? (0)

Anonymous Coward | more than 2 years ago | (#36975844)

In my country 10gb is probably the most common, with 1g, 5g and 25g also available

If you go over expect to be slowed to 64k or pay $10-$20 per 10gb (which is $USD8-16)

Print Preview - Finally! (3, Informative)

bogaboga (793279) | more than 2 years ago | (#36973870)

While I appreciate this new print preview functionality, I am not impressed that:
  • first, it took so long and
  • second, that even the delivered functionality pales in comparison with its Firefox counterpart.

This is what I mean: I would like to adjust margins on the fly as I can do with Firefox.

Re:Print Preview - Finally! (0)

Anonymous Coward | more than 2 years ago | (#36974346)

A little off topic, but thank you for mentioning it. I didn't even know about the new function. I have to see, it is pretty nice.

It does, however, remind me of the print dialog (if you want to call it that) from Office 2010.

Who cares? (1)

gweihir (88907) | more than 2 years ago | (#36974048)

Seriously, this is patchnotes or changelog entries, but not "News".

Re:Who cares? (1)

Atzanteol (99067) | more than 2 years ago | (#36974354)

You're at the wrong site. You want http://www.cnn.com./ [www.cnn.com] I can completely understand how you mis-typed that and ended up here by accident.

Tabmix plus (0)

Anonymous Coward | more than 2 years ago | (#36974052)

Does not exist for Chrome. I've tried to use Chrome, and loved a bunch of things about it. The tab management is simply not enough for me though. It appears that Google is not allowing access to required functionality, so I went back to Firefox. The second I hear it being available on Chrome, I'm going to use it as my primary browser. (the alternatives so far have(has?) not even come close)

Pre-fetching requires PERFECT security... (5, Insightful)

MadCow42 (243108) | more than 2 years ago | (#36974080)

For most users the intuition of "don't click on that link" is the last layer of security between the wild west of the Internet and your computer. Prefetching breaks that barrier, and potentially exposes you to any malware writer that's capable enough and determined enough to get their infected (or pwnd) website into the top search results.

Sorry... although Chrome is decent and maybe more secure than other browsers, until they can promise PERFECT security I don't want to take that chance.

That'll never happen.

If I can survive this far on my company-mandated, outdated IE browser without getting pwnd myself (yet), I think that last layer of security may be the most important one of all.

Re:Pre-fetching requires PERFECT security... (1)

hansamurai (907719) | more than 2 years ago | (#36974218)

First time I encountered nastiness from pre-fetching was from using Stumbleupon. It would pre-fetch the next stumble (this can thankfully be disabled, though it should be noted you would have stumbled to it either way), so I would get a Noscript warning on like a Youtube or Wikipedia page, bit bizarre. Only until I stumbled again and actually landed on the page in question would things become clearer.

Re:Pre-fetching requires PERFECT security... (1)

dn15 (735502) | more than 2 years ago | (#36974408)

That's a good point. But... to be the devil's advocate, all that it's doing is pre-loading stuff into cache, right? If that's true, then it seems like it should only be able to do something if you actually click on that page. Is the end result really any different from a security standpoint?

Re:Pre-fetching requires PERFECT security... (1)

Bloodwine77 (913355) | more than 2 years ago | (#36974738)

Google Instant Pages sounds like it will be rendering the entire page, including images and other external resources. I wouldn't be surprised if it also executed JavaScript, fetched embedded iframes, and anything else that the page would normally do if you clicked on that link. I wonder if it would even follow redirections?

What is to stop a malevolent webmaster from performing redirects to nasty trojan or malware-infected pages if it detects the page is being pre-rendered? If that page contains flash objects, java apps, or other attack vectors on it, I'd think you'd be just as at risk as if you actually visited the site directly.

I could be wrong, though. I haven't thoroughly researched Google Instant Pages, but from what little I've found it seems it will be performing a full page render in anticipation of you clicking on the link to the page.

Re:Pre-fetching requires PERFECT security... (1)

SmilingBoy (686281) | more than 2 years ago | (#36974890)

Don't really see the difference. All this can be done today already after someone clicks on the link. And if it is the first Google result, the likelihood is very high that many people will click on it.

Re:Pre-fetching requires PERFECT security... (1)

smash (1351) | more than 2 years ago | (#36974608)

Not quite. Pre-fetching doesn't need perfect security, but pre-rendering certainly does. Which is what they're implementing....

I'll be turning it off...

Re:Pre-fetching requires PERFECT security... (0)

Anonymous Coward | more than 2 years ago | (#36974632)

I don't think they are parsing DOM, more likely just setting up connections and loading the text resources from the same domain only.

Re:Pre-fetching requires PERFECT security... (2)

gstrickler (920733) | more than 2 years ago | (#36975140)

You can disable (as I have) the prefetch in Chrome 13. Visit chrome://settings/advanced and deselect "Predict network actions to improve page load performance".

Due to security, tracking, bandwidth usage, etc. concerns, it's just a bad idea for 95+% of the population. If you have metered performance, it wastes your bandwidth and/or costs you money. If you have a high-speed link, the time savings are marginal. If the site has malware, you could get infected, possibly without even clicking the link. If it's a porn site, the URL, pics, and text might appear in your cache or history, which could cause you some marital or legal problems. The site may create cookies on your machine, possibly even an ever-cookie. If the site uses Flash or Flash-based ads, it may use additional CPU and reduce your battery life on mobile devices. Does it even help if you're in the habit of opening links in a new tab/window (probably, but I don't know)? What if the site pops up other windows (popup or popunder), will those execute (I suspect not, but again I don't know)? I'm sure I've missed a number of other concerns.

Re:Pre-fetching requires PERFECT security... (0)

Anonymous Coward | more than 2 years ago | (#36975288)

For most users the intuition of "don't click on that link" is the last layer of security between the wild west of the Internet and your computer. Prefetching breaks that barrier, and potentially exposes you to any malware writer that's capable enough and determined enough to get their infected (or pwnd) website into the top search results.

Sorry... although Chrome is decent and maybe more secure than other browsers, until they can promise PERFECT security I don't want to take that chance.

That'll never happen.

If I can survive this far on my company-mandated, outdated IE browser without getting pwnd myself (yet), I think that last layer of security may be the most important one of all.

Google have attempted to respond to people's security concerns. I'm not entirely convinced myself. See el Reg article...

http://www.theregister.co.uk/2011/06/17/google_instants_search_engine_peril/

Re:Pre-fetching requires PERFECT security... (1)

MadCow42 (243108) | more than 2 years ago | (#36976196)

Hmmm... that's hardly re-assuring.

>> "We've thought hard about this issue, and we don't believe there is any additional risk to users," a Google spokesman explained.

>> "Sites marked as potentially harmful by our Safe Browsing technology will not be pre-rendered, nor will sites that Chrome detects as suspicious. We also exclude sites with SSL certificate issues and those that try to download files or display popup alerts."

>> Google added that search engine poisoning to promote scareware sites and the like is an industry-wide problem. ®

So... the way I read this is that if an infected site is pre-fetched (pre loaded, pre-rendered, or whatnot), then YES it could harm your computer. But, we're supposed to trust that their browser is smart enough to know a trustworthy site from an untrusty one, and only prefetch "safe" sites.

That's all well and good until a "safe" site (that I would never actually visit anyway) is hacked. But that's NEVER happened before, right? Not.

Re:Pre-fetching requires PERFECT security... (1)

utkonos (2104836) | more than 2 years ago | (#36979196)

I can see how this feature can expose you to security problems. However, it can also provide a measure of performance increase. So, why not let users have their cake and eat it too? Allow users to enable/disable it on a per-URL basis in the same way that JavaScript, cookies, plug-ins, etc. are. As long as there is fine-grained control over the feature, I see no problem.

I wouldn't mind enabling the pre-fetch feature on sites that I trust and use often, and have it disabled by default. I use Chrome's settings to whitelist JavaScript etc. just this very way.

"Instant" (0)

Anonymous Coward | more than 2 years ago | (#36974112)

Google Patches 30 Chrome Bugs, Adds Instant Pages

...adding Instant Pages...

...and this is where I stop using Chrome altogether. Fuck Google. Fuck this "instant" bullshit. They have jumped the shark.

Re:"Instant" (1)

gstrickler (920733) | more than 2 years ago | (#36975272)

You can disable it.

Still waiting for split view on Mac Chrome. (1)

Shag (3737) | more than 2 years ago | (#36974124)

BlogSpot loves showing me ads for Chrome, saying I can drag one tab to the right, and get a split-screen view.

Be nice if it actually started working in Chrome for Mac, someday.

Re:Still waiting for split view on Mac Chrome. (1)

Sits (117492) | more than 2 years ago | (#36975144)

There is a rumour that this is a "Chrome on Windows 7" feature (see http://www.youtube.com/watch?v=YAEN_BDR6ao for a video of the feature). You can apparently get extensions that offer something close but not quite the same. For what it's worth the split view feature seems to be broken if you have your tabs down the left-hand side in Chrome...

Terrifying (1)

ThatsNotPudding (1045640) | more than 2 years ago | (#36974486)

proactively pre-loads some search results to speed up browsing.

Better hope your skeezy uncle wasn't using your computer when the party van shows up.

Bookmark Pane (1)

emgarf (727623) | more than 2 years ago | (#36974726)

Another Chrome version, another failure to provide an option for a persistent bookmark sidebar/pane. Sigh.

Psha. Instant Pages is so 2010. (0)

Anonymous Coward | more than 2 years ago | (#36974804)

Fetching and rendering one level of links/search results is so 2010. I've come up with a much more powerful system, that fetches the entire Inter##ERROR:STACK OVERFLOW##

WTF? I need to upgrade my OS to run Chrome 13? (1)

xanthos (73578) | more than 2 years ago | (#36975242)

Fired up Chrome this morning on my Linux box and it happily told me that I was running an obsolete OS and needed to upgrade.

I run a highly modified version of Debian 5.x on that box that I'm not going to mess with for the sake of running Chrome 13.

Time to turn off the automated update check I guess.

Re:WTF? I need to upgrade my OS to run Chrome 13? (2)

Zan Lynx (87672) | more than 2 years ago | (#36976464)

It's Debian. It's obsolete when it's released.

Old news... (1)

TheBrutalTruth (890948) | more than 2 years ago | (#36975344)

Cr-48, dev channel. Or try the Chrome dev channel. Old features guys...

Version number sanity? (2)

kripkenstein (913150) | more than 2 years ago | (#36976678)

90 comments so far, and none of the top ones are bashing Google for Chrome's new version number. Have we finally moved past bashing Chrome and Firefox for increasing the major version number every 6 weeks? Please let it be so :)

Re:Version number sanity? (0)

Anonymous Coward | more than 2 years ago | (#36977446)

90 comments so far, and none of the top ones are bashing Google for Chrome's new version number. Have we finally moved past bashing Chrome and Firefox for increasing the major version number every 6 weeks? Please let it be so :)

Sorry, but I don't see how the hell Chrome can be up to major version 13 already. Has there really been this much significant rewriting of the code base and breaking of backwards compatibility? Either their code must be a hell of a mess and their developers are idiots, or their marketing team is lying to us. Chances are it's the latter, and we should be offended. Version number sanity would be calling the 13th incremental change something like "2.13" or "2.2.13" or "milestone 13 for the future version 3.0", not updating the major version number every time someone's patch is accepted.

Re:Version number sanity? (1)

njahnke (757694) | more than 2 years ago | (#36977566)

all things are relative.

IE is more intuitive (1)

jweller13 (1148823) | more than 2 years ago | (#36977750)

I don't care for chrome. I find chrome very unintuitive. I find IE and to a lesser degree FireFox much more intuitive. I use chrome when I want to view videos because it seems faster but otherwise not so much.