Google slings websites into Chrome's solitary confinement on Android to thwart Spectre-style data snooping

Ignore the overhead, enjoy Site Isolation – a defense against side-channel attacks


Last year, Google deployed Site Isolation in desktop versions of its Chrome browser as a defense against CPU side-channel attacks like Spectre. The technique renders websites in separate processes to prevent one from interfering with or snooping on another, augmenting browser sandboxing defenses.


On Thursday this week, the Chocolate Factory said it has activated the security mechanism in the Android version of Chrome 77, which debuted last month. The ad biz also extended Site Isolation defenses to protect against fully compromised renderer processes and universal cross-site scripting bugs on desktop versions of Chrome.


The Site Isolation in Android comes with some qualifications because the technique imposes memory overhead of about 3 to 5 per cent. So mobile devices must have at least 2GB of RAM to use Site Isolation, and even then, the defense is only activated when visiting websites with a login mechanism and only for 99 per cent of Chrome for Android users – 1 per cent of devices are excluded to provide a monitoring and performance baseline.


"Once Chrome observes a password interaction on a website, future visits to that site will be protected by Site Isolation," said Google software engineers Alex Moshchuk and Łukasz Anforowicz in a blog post. "That means the site will be rendered in its own dedicated renderer process, walled off from other sites."


Users not content with devoting such a small portion of memory to better security can set a flag (via chrome://flags/#enable-site-per-process) to activate Site Isolation for all sites, not just sites with login forms.


Doing ..