Chrome 48 Released With Custom Notification Buttons, Removes RC4 Cipher
Google today released Chrome 48 for Windows, Mac, and Linux. Chrome 48 adds custom notification buttons and removes support for unsecure RC4 encryption. If you have Google Chrome installed, your browser should have silently updated already. You can confirm it by looking at the version number displayed in the About window. You can also manually check for update using the same. Chrome’s built-in updater will start updating your browser if it has not done it yet. You can also download Chrome directly from google.com/chrome.
Chrome apps and extensions have supported push notifications on desktop since May 2010 (first added in Chrome 5). More recently, webpages gained the ability to send push notifications to users with the release of Chrome 42 while the desktop notification center was removed in Chrome 47. My Technology Guide uses Chrome notifications to update its readers about latest post updates. You can subscribe to our notifications if you do not have yet.
According to Google, Chrome now delivers more than 350 million push notifications every day. This is a huge number so with Chrome 48, Google takes this a step further by allowing websites to add custom buttons to notifications. This will help users complete various tasks entirely within the notification without going anywhere.
Chrome 48 no longer supports the RC4 cipher over HTTPS connections. RC4 stream cipher was designed in 1987 and since has been widely supported across multiple browsers for encryption. The days of RC4 is over with the discovery of multiple vulnerabilities over the years. This has made it a very bad choice for encryption of data as it is now possible to crack within days or even hours.
After new attacks on RC4 emerged in February 2015, the Internet Engineering Task Force (IETF) prohibited the use of RC4 with TLS. All three major browser developer companies, Google, Microsoft, and Mozilla promised to drop RC4 support in their respective browsers this year. Chrome seems to be the first one to drop support for RC4. The drop of RC4 support by Chrome will surely now push admins managing websites still using the outdated cipher to beef up their security. From now on, in Chrome 48, if you try to visit any website that uses the unsecure RC4 cipher, you will get the following error:
For developers, Chrome 48 now lets use of NetworkInformation.downlinkMax
event handler to detect a device’s maximum bandwidth and NetworkInformation.onChange
event handler to respond to connection speed changes. Using these information, developers can now send optimal resources for the given connection. Other features included for developers in Chrome 48 includes:
- New DevTools security panel: Enables developers to understand the security state of a page. This will help them migrate their websites to HTTPS.
- Developers can now build websites usingÂ
FontFaceSet
 for more flexibly with several new iteration methods. - WebRTC now supports the VP9 video codec, and can serve HD video at almost half the bandwidth of VP8 or H264.
- Web Audio JavaScript syntax can now be shortened and simplified with method chaining forÂ
AudioNode.connect()
 andÂAudioParam.connect()
automation methods. - TheÂ
MediaStreamTrack.remote
 attribute allows sites to detect if a media stream is from a remote source. - Sites can now detect key presses from a user without worrying about browser type or operating system using theÂ
KeyboardEvent.code
 attribute. - Developers can now leverage JavaScript language behaviors not before exposed in ES5 or below using the well-known
symbols@@isConcatSpreadable
,@@toPrimitive
, and@@toStringTag
. min-width:auto
 andÂmin-height:auto
 now work for flex items withoutÂflex-basis:auto
.- SeveralÂ
getAll()
 methods have been added toÂIndexedDB
 to simplify bulk interactions. ServiceWorkerRegistration.update()
 no longer bypasses the cache for update checks within 24 hours, improving spec compliance.- The error attribute onÂ
IDBRequest
 andÂIDBTransaction
 will nowreturnDOMException
 instead ofÂDOMError
 to improve Chrome’s spec compliance. - TheÂ
MediaStreamTrack.getSources()
 method has been deprecated in favor ofMediaDevices.enumerateDevices()
. SVGGraphicsElement.getTransformToElement
has been removed to match the SVGÂ spec.getSVGDocument()
has been removed fromHTMLFrameElement.prototype
to match the SVGÂ spec.- SVGÂ
glyph-orientation-horizontal
 andÂglyph-orientation-vertical
 properties have been removed in favor of the CSS text-orientation property. SVGElement.offset*
 properties andÂSVGPathSeg
 interfaces have been removed to improve spec compliance.- The CSS plus-darker composite operator has been removed to increase spec compliance.
- The
item()
method has been removed fromÂTextTrackList
 andTextTrackCueList
 to improve spec compliance. - Developers can now build robust RTL text experiences using CSS Writing Modes Level 3 without prefixes.
- CSSÂ
font-feature-settings
 are no longer prefixed.
Chrome 48 also includes 37 security fixes, of which Google chose to highlight the following:
- High CVE-2016-1612: Bad cast in V8.
- High CVE-2016-1613: Use-after-free in PDFium.
- Medium CVE-2016-1614: Information leak in Blink.
- Medium CVE-2016-1615: Origin confusion in Omnibox.
- Medium CVE-2016-1616: URL Spoofing.
- Medium CVE-2016-1617: History sniffing with HSTS and CSP.
- Medium CVE-2016-1618: Weak random number generator in Blink.
- Medium CVE-2016-1619: Out-of-bounds read in PDFium.
- CVE-2016-1620: Various fixes from internal audits, fuzzing and other initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch (4.8.271.17).
Chrome for Android and iOS are soon going to get updated to Chrome 48, but no release date is yet available.