Security Changes in Chrome 63: TLS 1.3, Site Isolation Security & More
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Security Changes in Chrome 63: TLS 1.3, Site Isolation Security & More

What are the new security changes in Chrome 63? Let’s find out.

There are myriad security changes in Chrome 63 – a host of updates & improvements, and of course, the much-awaited TLS 1.3. This new version of Chrome is likely to be rolled out in the upcoming days/weeks. As far as the security changes go, there are lots of them. Whether it’s security patches, UI changes, or developer features, Chrome has taken strides in almost every department. Unsurprisingly, two of these enhancements have grabbed the most attention – Site Isolation Security and TLS 1.3. Let us hash out these features for you.

Site Isolation: One Process for One site

One of the biggest security changes in Chrome 63 is Site Isolation. The Site Isolation feature is exactly what it sounds like – it isolates a site. Admins will be able to activate this feature for one or more sites to ensure that these sites run on separate processes. Once activated, Chrome processes each open website’s content as a separate process.

Or, to put it more simply, every tab you open will now be running independently, rather than sharing resources.

Because it treats each site as an individual process, the chances of one site crashing your browser are almost eliminated. If one tab crashes, your operations in other tabs will remain unaffected, so no more banging your head against your desk when you get that error and your browser freezes.

The main reason behind introducing this feature (apart from maintaining your head symmetry) is the security needs of Chrome’s enterprise/corporate users where security is of paramount importance. Site Isolation creates a “wall” between the pages that doesn’t let two or more pages communicate with each other (Yes, they do gossip!). As a result, attacks that target Chrome’s renderer process by infusing malevolent code in Chrome’s Sandbox process can be circumvented.

Every good thing comes at a price and Site Isolation is no different. Enabling it may increase your Chrome’s memory usage by 10-20 percent.

An excellent feature nonetheless!

TLS 1.3 is finally here (Well, almost!)

Another big security change in Chrome 63 – the biggest as it pertains to us – is support for TLS 1.3.

Yes sir, after a long wait, TLS 1.3 is finally ready to go public. Granted, there were some platforms already running TLS 1.3, but it’s a whole new ball game when a platform as popular as Chrome adopts it. For now, Google is rolling out TLS 1.3 only for Gmail as of right now.

In 2018, Google will roll out TLS 1.3 to the entire web, making encrypted communications faster and more secure.

If you’re just hearing about TLS 1.3, it’s the long-awaited successor to TLS 1.2 (duh) and it should improve security and performance considerably over its predecessors. We’ll likely have additional coverage and advice as we see wider TLS 1.3 adoption.

TLS 1.3 improves performance, efficiency, and security by removing support for older broken cryptographic protocols, ciphers and algorithms such as:

  • CBC Mode Ciphers
  • SHA-1 Hash function
  • Various Diffie-Hellman groups
  • RSA Key Transport
  • RC4 stream cipher
  • Export ciphers

It also improves speed by simplifying the TLS handshake, making it take just one roundtrip, rather than the two it took in previous versions. Remember, there’s a lot going on in the handshake, a lot of server calls being made, it takes time and processing power. By simplifying the handshake it will decrease latency and improve performance.

Some Other Notable Security Changes in Chrome 63

  • Chrome 63 will allow users to block/restrict extensions based on the permission they ask. So, if you want to block all extensions that have the authority to access your webcam, you can.
  • Chrome 63 will warn you of Man-in-the-middle (MiTM) attacks.
  • The launch of Chrome 56 saw SSL certificate details moving from the padlock to Developer tools. Not many people liked it. It seems Google has learned its lesson and moved the SSL certificate details back where it belongs. Although, you’d have to click on Valid once you click the padlock.
  • Chrome 63 will now force .dev domains to use HTTPS using HSTS preload list.
  • With Chrome 63, Google has implemented 37 security fixes.


Jay Thakkar

After graduating from university with an engineering degree, Jay found his true passion as a writer…specifically, a cybersecurity writer. He’s now a Hashed Out staff writer covering encryption, privacy, cybersecurity best practices, and related topics.