Controversial Chrome login feature to be partially rolled back
Google will modify the next version of Chrome in an attempt to appease critics of the browser's cookie retention functionality and automatic Chrome login feature.
Google says it has heard the criticism of recent changes in its Chrome browser, and the company will make some changes in order to appease users.
Google recently came under fire for changes to its Chrome login feature. Previously, users could choose whether or not to sign in to the browser itself, separately from signing in to Google's various web properties. However, in Chrome version 69, Google connected those separate login functions so the browser would automatically sign in to the user's Google account when that user signed in to a Google product like Gmail or YouTube.
Many people criticized the new Chrome login functionality, and Google has announced it will at least partially change how Chrome login works.
"While we think sign-in consistency will help many of our users, we're adding a control that allows users to turn off linking web-based sign-in with browser-based sign-in -- that way users have more control over their experience," Zach Koch, product manager for Chrome, wrote in a blog post. "For users that disable this feature, signing into a Google website will not sign them into Chrome."
A Google spokesperson confirmed that the forced Chrome login feature will still be turned on by default and users will need to opt out. The changes are planned for Chrome version 70 due out in mid-October.
One of the loudest critics of the Chrome login change, Matthew Green, cryptography expert and professor at Johns Hopkins University's Information Security Institute, praised Google on Twitter for its swift response but added that the automatic sign-in was still "much more invasive" than the browser had been.
It’s pretty obvious that the company has changed direction in a pretty significant way in the past couple of years. I think a few expert “don’t log me in” features are nice, but if they represent an overall privacy loss for most users, it’s hard to really get behind them.
— Matthew Green (@matthew_d_green) September 26, 2018
Cookie time
In addition to the Chrome login controversy, Google was called out for an odd practice with Chrome cookies. Christoph Tavan, CTO and co-founder of ContentPass, based in Berlin, discovered that Chrome's default when a user chose to clear all cookies was to clear all cookies except for those from Google, which were retained so the user would stay logged in to Google services.
Tavan said that Chrome notified users on the "Clear Browsing Data" settings page that they wouldn't be signed out of Google services, implying those cookies wouldn't be deleted, but on the settings page to view cookies, Chrome showed a "remove all" button that did not have a similar warning.
Brief correction: Cookies seem to get removed and re-created immediately. At least the cookie content and creation date seems to change. Nonetheless: After hitting the "remove all" button you still don't end up with an empty cookie jar.
— Christoph Tavan (@ctavan) September 25, 2018
Koch said Chrome version 70 would change this behavior as well.
"We're also going to change the way we handle the clearing of auth cookies. In the current version of Chrome, we keep the Google auth cookies to allow you to stay signed in after cookies are cleared," Koch wrote. "We will change this behavior that so all cookies are deleted and you will be signed out."