Google Chrome Will Stop Sketchy Redirects Soon
You’ve been there: browsing on a slightly backwater website, crossing your fingers as you click what looks like a video’s play button. Instead of the TV show you had queued up, a million pop-ups spew out. The page you were on morphs into a Caribbean timeshare ad. It’s the sort of misdirection that Google aptly calls an “unwanted behavior.” And on Wednesday, the company’s Chrome browser team announced a series of fixes that attempt to block these sketchy shenanigans.
Chrome already has a pop-up blocker, and a tool to control autoplaying videos. But the new features will take these user controls a step further. Beginning in Chrome 64, which is currently in developer preview, the browser will block third-party media components (HTML modules known as “iframes” that are often used to display things like ads) from triggering redirects unless you directly click on them.
Instead, Chrome will show an alert asking if you want to be redirected to a new page. Similarly,when sites try to pull the trick of opening the page you want in a new tab while loading something undesired in the old tab (a ploy to get around pop-up blockers), Chrome 65 will block the redirect and offer an alert. Chrome will also start detecting/blocking as many phony play buttons and invisible overlays as possible, to minimize surprises in general while browsing.
With less ability to rely on malicious redirects in Chrome, attackers may be forced to rework some of their strategies.
Google says that 20 percent of the user feedback it receives about desktop Chrome relates to experiences where a website redirects in a tricky way to show something unwanted. This can happen when a website has intentionally embedded modules in its page to bounce users around, but the Chrome team points out that it can also occur unbeknownst to the site owner, if third-party components like ad servers contain malicious redirects.
The new features won’t just improve life for Chrome users day to day. They also have implications for privacy and security on the internet at large. Many web-based attacks, like malware distribution and phishing, rely on hidden redirects to subtly guide potential victims from safe and secure sites to compromised ones. With less ability to rely on malicious redirects in Chrome, attackers may be forced to rework some of their strategies. After all, Chrome holds about 60 percent of the browser market, according to NetMarketShare. Take that away, and there’s a lot less incentive to play the same old tricks.
“Security has always been a priority for Chrome,” Google spokesperson Ivy Choi told WIRED. “These changes continue to build on Chrome’s strong defenses.”
One challenge in adding these types of tools is ensuring that they don’t unintentionally break legitimate web design features. So Google is launching an assessment called the “Abusive Experiences Report,” which developers can use to check whether their sites contain what Chrome would now classify as “abusive experiences.” And since the features will be rolling out incrementally over the next few months (they’ll all be out by mid-2018, and developers can test them in advance through Chrome Beta), there’s time for site owners to tweak their setups. “Making changes that affect the web platform always require care to ensure they have the intended effect,” Google’s Choi says. “As always, we’ll be watching bug reports and community feedback carefully.”
These new Chrome features are meant to be a contribution for both users and security professionals, but given that these problems have plagued the web for years, they could have come sooner. In fact, extensions have been available for both Chrome and Firefox for some time that attempted to approximate the new, official tools.
Google says it was finally motivated to make the changes because of “overwhelming negative feedback from users about these undesirable experiences.” It’s better late than never. Still, it’s too bad we can’t get back all those minutes lost to swatting away the internet’s junkiest tabs.