Soon Google Chrome is going to use even more of your RAM, assuming that it’s even possible to use more than it already does. This is because of Chrome 67’s new Site Isolation feature to protect against Spectre.

Spectre, for those who have forgotten, is a fundamental design flaw in every CPU on the market that exploits an issue in speculative execution to effectively read memory that the process should not have access to. The worst case scenario is that JavaScript code running in your web browser from a malicious or hacked site could read memory from elsewhere on your PC and steal your passwords, or find out that you’ve been browsing something embarrassing, like Linux fan sites.

To fix this problem, Chrome 67 adds by default a new security feature called Site Isolation, which limits each rendering process to a single site, which means you will have a chrome.exe process for howtogeek.com and another chrome.exe process for google.com, and so on. By separating out the rendering processes by site, Chrome can prevent directly reading memory across processes, and utilize the built-in operating system protections against Spectre (which still isn’t very clear).

RELATED: How Will the Meltdown and Spectre Flaws Affect My PC?

This also means that all iframes on a page (generally for ads) are put into a separate process than the parent frame, further increasing memory usage, but increasing security at the same time. They deployed a similar technology a year ago to move extensions to out-of-process iframes to protect malicious web pages from being able to use extensions to gain extra privileges.

The bottom line, for people that open a ton of tabs, this is going to dramatically increase memory usage. You might need to consider using a tab manager extension.

How to Check Whether Site Isolation is Enabled in Chrome

Assuming you have a ton of tabs open already, you can open up Google Chrome’s Task Manager (Under Menu -> More Tools) and look for processes that say “Subframe:” and show a URL that is clearly not something you’re browsing directly—for instance doubleclick.net or 2mdn.net, which are iframes for ads.

As long as you see the subframe processes, Site Isolation is enabled on your system.

How to Enable or Disable Site Isolation in Chrome (But You Shouldn’t Disable It)

To check whether this is enabled, or disable it should you choose (which we don’t recommend), you can head to chrome://flags#enable-site-per-process  in your location bar, and then set the toggle for Strict Site Isolation to either Enabled or Disabled. You could also add a command line flag to start Chrome with –site-per-process, but that’s a lot of work.

You’d think the first option would control it, but even if site isolation is set to Disabled, the option below for “Site isolation trial opt-out” actually controls whether you’ve been opted into it. As of right now, Google has enabled Site isolation for almost everybody, so you’ll need to set the “trial opt-out” setting to “Opt-out” in order to turn this off. Which, again, you should not mess with.

It’s worth noting that even if you disable it, at some point Google will probably make this the default behavior and remove the ability to disable it, because site isolation is a lot more secure.


Mitigating Spectre with Site Isolation in Chrome [via Thurrott]



READ SOURCE

SHARE

LEAVE A REPLY

Please enter your comment!
Please enter your name here