Google today released Chrome 48 for Windows, Mac, and Linux. Chrome 48 adds custom notification buttons and removes support for unsecure RC4 encryption. If you have Google Chrome installed, your browser should have silently updated already. You can confirm it by looking at the version number displayed in the About window. You can also manually check for update using the same. Chrome’s built-in updater will start updating your browser if it has not done it yet. You can also download Chrome directly from google.com/chrome.
Chrome apps and extensions have supported push notifications on desktop since May 2010 (first added in Chrome 5). More recently, webpages gained the ability to send push notifications to users with the release of Chrome 42 while the desktop notification center was removed in Chrome 47. My Technology Guide uses Chrome notifications to update its readers about latest post updates. You can subscribe to our notifications if you do not have yet.
According to Google, Chrome now delivers more than 350 million push notifications every day. This is a huge number so with Chrome 48, Google takes this a step further by allowing websites to add custom buttons to notifications. This will help users complete various tasks entirely within the notification without going anywhere.
Chrome 48 no longer supports the RC4 cipher over HTTPS connections. RC4 stream cipher was designed in 1987 and since has been widely supported across multiple browsers for encryption. The days of RC4 is over with the discovery of multiple vulnerabilities over the years. This has made it a very bad choice for encryption of data as it is now possible to crack within days or even hours.
After new attacks on RC4 emerged in February 2015, the Internet Engineering Task Force (IETF) prohibited the use of RC4 with TLS. All three major browser developer companies, Google, Microsoft, and Mozilla promised to drop RC4 support in their respective browsers this year. Chrome seems to be the first one to drop support for RC4. The drop of RC4 support by Chrome will surely now push admins managing websites still using the outdated cipher to beef up their security. From now on, in Chrome 48, if you try to visit any website that uses the unsecure RC4 cipher, you will get the following error:
For developers, Chrome 48 now lets use of
NetworkInformation.downlinkMax event handler to detect a device’s maximum bandwidth and
NetworkInformation.onChange event handler to respond to connection speed changes. Using these information, developers can now send optimal resources for the given connection. Other features included for developers in Chrome 48 includes:
- New DevTools security panel: Enables developers to understand the security state of a page. This will help them migrate their websites to HTTPS.
- Developers can now build websites using
FontFaceSetfor more flexibly with several new iteration methods.
- WebRTC now supports the VP9 video codec, and can serve HD video at almost half the bandwidth of VP8 or H264.
MediaStreamTrack.remoteattribute allows sites to detect if a media stream is from a remote source.
- Sites can now detect key presses from a user without worrying about browser type or operating system using the
min-height:autonow work for flex items without
getAll()methods have been added to
IndexedDBto simplify bulk interactions.
ServiceWorkerRegistration.update()no longer bypasses the cache for update checks within 24 hours, improving spec compliance.
- The error attribute on
DOMErrorto improve Chrome’s spec compliance.
MediaStreamTrack.getSources()method has been deprecated in favor of
SVGGraphicsElement.getTransformToElementhas been removed to match the SVG spec.
getSVGDocument()has been removed from
HTMLFrameElement.prototypeto match the SVG spec.
glyph-orientation-verticalproperties have been removed in favor of the CSS text-orientation property.
SVGPathSeginterfaces have been removed to improve spec compliance.
- The CSS plus-darker composite operator has been removed to increase spec compliance.
item()method has been removed from
TextTrackCueListto improve spec compliance.
- Developers can now build robust RTL text experiences using CSS Writing Modes Level 3 without prefixes.
font-feature-settingsare no longer prefixed.
Chrome 48 also includes 37 security fixes, of which Google chose to highlight the following:
- High CVE-2016-1612: Bad cast in V8.
- High CVE-2016-1613: Use-after-free in PDFium.
- Medium CVE-2016-1614: Information leak in Blink.
- Medium CVE-2016-1615: Origin confusion in Omnibox.
- Medium CVE-2016-1616: URL Spoofing.
- Medium CVE-2016-1617: History sniffing with HSTS and CSP.
- Medium CVE-2016-1618: Weak random number generator in Blink.
- Medium CVE-2016-1619: Out-of-bounds read in PDFium.
- CVE-2016-1620: Various fixes from internal audits, fuzzing and other initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch (4.8.271.17).