New version of Chrome guards against Spectre-like attacks, but eats more memory

Topic

New Reply

We still haven’t seen a commercial implementation of the Meltdown or Spectre security vectors, but Google’s had this “site isolation” technology in th
[See the full post at: New version of Chrome guards against Spectre-like attacks, but eats more memory]

4 users thanked author for this post.

Laptop Boy, HiFlyer, Elly, satrow

Reply | Quote

Replies

Thanks Woody.

Do we know if the extra memory usage is permanent (i.e while running in the background) or only when the browser is open? Is it further increased if additional browser windows are opened?

Reply | Quote

I’ve had site isolation enabled in Chrome via the flags menu for a couple months now and in all honesty I haven’t noticed any extra memory use or slowdown. I actually think it may make Chrome run better. However if there is any extra memory in use it would/should go back down once Chrome has been closed. As to your extra window question, that would also depend on what those extra windows were being used for (the amount of memory used streaming video vs just checking email etc) not just the impact of the site isolation.

1 user thanked author for this post.

Seff

Reply | Quote

Nipping Spectre in the browser sure beats the all-on assault that’s unfolding in the rest of the ecosystem.

That sounds good, but perhaps the nipping should be pushed even further back…

Ask yourself: Who benefits from software running on my computer via my browser?

You might feel that your Internet experience will be enhanced by the ability of web applications to deliver more glitz to you, but really, what glitz do we really need?

Playing videos.

Okay, what else?

Weather maps that move? Animated web pages that help direct you to what you want to buy? Online games?

In reality, when you’re surfing the web, where do you see most of the actual active content? In ads, right? You probably DON’T see it in malware and tracking scripts and spyware, but you DO worry about surfing the net because of what might be delivered to your system. And make no mistake, a HUGE amount of the web content you download is there to track what you’re doing. Anyone who’s used a blocking add-on knows this. It slows things down a lot!

The fundamental question we should be aware exists boils down to this:

Do we all really NEED all kinds of software running without permission from wherever on our devices without some due process of our bringing it into our systems (e.g., automatically just by surfing to a site vs. by choosing to download an application we want to use)?

THAT is what’s at the crux of all this, and those who wish to make money off us try to make it beyond question in all of these conversations.

It really shouldn’t be beyond question that downloading and running active content should be allowed in the first place. I disallow it in general, and guess what? I still get the information (and videos and downloads) I want to access.

We really shouldn’t have to choose a browser implementation and security suite (and less efficient OS) that takes a computer to its knees just to access online content, within which is embedded traps and infections and spying that need policing out on a microsecond by microsecond basis.

-Noel

6 users thanked author for this post.

RamRod, Steve S., Richard Allen, satrow, Seff, Elly

Reply | Quote

First, my primary browser is Firefox or a fork since the day v3 was released. That said, I’ve had Chrome installed for years to keep up with development. I also have Chrome Dev and Nighlty installed.

One thing to be aware of is that those Not using a content blocker should expect to see some pages with a dozen or two subframe processes: twitter, facebook, youtube, a dozen different ad networks and so forth. Depends on how greedy the website is. I have a screenshot of a well known website taken yesterday that shows 25 subframe processes, other than my hosts file blocking malware and cryptomining there was no content blocking and all extensions were disabled. One tab, 28 total processes, 1.23GB of memory used. With site isolation disabled that same page used 551MB of RAM. With site isolation enabled it’s not uncommon to see webpage memory double vs site isolation disabled. Point being, if you don’t use content blocking you either need to limit the number of tabs open or have 8GB or more memory. Possibly more than 8.

With site isolation Enabled and with content blocking being used I’ve seen memory use increase 8.5-14% with 12 tabs open. Worst case scenario was 14% with 10 tabs using subframe processes. Content blocking has a huge impact on the number of subframe processes. The webpage in my screenshot went to 1 subframe process when using content blocking. That’s a huge difference!

Performance wise I’ve seen absolutely no improvement with site isolation enabled. Personally… I think performance was better earlier this year. Most noticeably in graphics rendering. I will often auto-scroll long graphics heavy webpages like Flickr/Explore and the stutter, lagging and hiccups are obvious and I have 125 Mbps download speeds. The same pages in FF can be scrolled ridiculously fast in comparison.

Google is saying since site isolation is now enabled that they can revert some other Spectre/Meltdown changes they made which will bring about some improvement. I think they definitely need to do something.
https://s22.postimg.cc/ttgu7cz0h/Site_Isolation_with_No_Content_Blocking.png

3 users thanked author for this post.

Noel Carboni, jburk07, Elly

Reply | Quote

Slow down on the edit/submit/edit/submit. It causes the post to get sent to the spambucked.

2 users thanked author for this post.

bjm, Richard Allen

Reply | Quote

LoL

Sorry about that. My proofreader is on vacation, apparently, and then some text was added by an evil gremlin when the first edit was made, and then… what’s up with “the menu id userscript…” being added?

<menu id=”userscript-search-by-image” type=”context”></menu>

Reply | Quote

Great illustration of what I was talking about – thanks.

A well known website taken yesterday that shows 25 subframe processes…

No doubt many of them reporting in to their respective data mining companies.

Unwanted ads/scripts/whatever don’t only load their own graphics and code, but also call upon yet other things… Sometimes I think it’s a wonder that a fully permissive browser ever converges on a given web page.

-Noel

1 user thanked author for this post.

Richard Allen

Reply | Quote

Sometimes I noticed huge differences and sometimes it was not significant. I suspect Google is trying to gain more enterprise use of Chrome and the site isolation is going to sell Chrome better to that market. Given that we have yet to see anything in the wild attacking any of the Spectre or Meltdown variants. Seems a bit over kill to implement it by default. Especially on a system with 4gb or less RAM.

Reply | Quote

I don’t think Pale Moon was ever vulnerable to these exploits. I switched to Pale Moon around the beginning of the year and haven’t looked back. Great browser, highly recommend it.Works with most Firefox addons.

I ditched Chrome because I got tired of updates removing features I liked and what I felt was general degradation of the product. Used too much memory which seemed to be the result of a memory leak. If I need a chromium-based browser, I have Slimjet as a second option which is also solid.

Reply | Quote

Noel Carboni wrote:

No doubt many of them reporting in to their respective data mining companies. 

Exactly! I have for years thought of the content blocker in my browsers as The most important security software on my system. My main priorities are performance and ease of use, followed by security and privacy when setting up a browser.  And I haven’t seen a single malware object in over 10 years. And, I’m not a NoScript enthusiast aka fanatic who wants to micromanage every network request. Just saying.

The ad ecosystem, as it is right now, is public enemy #1 for anyone that spends time online. Why does a webpage need to connect to 134 domains and have 1556 network requests in the first minute alone? Goes to show how much some publishers just do Not care about their visitors. Like I’m supposed to believe that all 100+ domains have been vetted and are trustworthy enough to run scripts on my computer?

This screenshot was taken the end of May and even I have a hard time believing it’s real. ALL content blocking is disabled on that page:
https://s22.postimg.cc/4pib6z5oh/60_seconds_after_opening_page.png

Reply | Quote