Google has moved Chrome 66 to the stable channel and starting earlier today has begun updating users to the browser's new major version — Chrome 66.0.3359.117.

While today's release contains a bunch of fixes and a broad spectrum of new APIs and features, its most noticeable additions are all security-related.

Distrust of Symantec certs

The biggest change is that Google Chrome will start showing SSL certificate errors for all Symantec certs issued before June 1, 2016. This is "stage two" of Google's long-term plan on distrusting Symantec certificates altogether.

In the long term, Google plans to completely distrust Symantec certs in Chrome 70, set to be released in October, this year.

If you update today and you suddenly can't access a bunch of sites because of SSL errors, the sites are still up and running, and you're probably going to be able to access them via another browser.

Rollout of Strict Site Isolation feature

A second security-focused feature that will go live with Chrome 66 is something called "Strict Site Isolation."

The feature has been available in Chrome since version 63, but it was turned off by default and was hidden behind a Chrome flag. Now, Google says it will turn on this security feature for a small percentage of users to prepare for a broader upcoming launch.

To diagnose whether an issue is caused by Site Isolation, use chrome://flags#site-isolation-trial-opt-out as described here. Please report any trial-specific issues to help us fix them before Site Isolation is launched more broadly.

Even if not developed for this purpose, Strict Site Isolation was one of the security features that helped Chrome mitigate the Spectre CPU vulnerability in early January, and many users have already enabled it back then.

Preventing code injection inside Chrome

Last but not least, starting with today's Chrome 66 release, Google will show warnings to users when third-party software —usually antivirus engines and other security or debug tools— are injecting code into Chrome's process.

Google Chrome alert for code injections

Google plans to block third-party code injections for good starting with Chrome 72, to be released in January 2019. An intermediary phase will take place with Chrome 68 when Google plans to block third-party software from injecting code into Chrome but will allow the injection if Chrome can't start otherwise.

Users interested in finding out what else was included with Chrome 66 can check this blog post from the Chromium team or Chrome 66's full changelog (slow-loading link). The security-related bugs fixed in Chrome 66 are detailed in a separate blog post, here. This month, the Chrome team fixed 62 security issues.

Related Articles:

Chrome Enterprise gets Premium security but you have to pay for it

Google fixes one more Chrome zero-day exploited at Pwn2Own

New Chrome feature aims to stop hackers from using stolen cookies

Google agrees to delete Chrome browsing data of 136 million users

Google fixes Chrome zero-days exploited at Pwn2Own 2024