Chrome 69 was a massive update, as it brought a brand new interface to both desktop and mobile. Now that v69 is on stable, the beta channel has been updated to version 70. This isn’t as big of an update as the previous release, but it still has a few important improvements – particularly for security.
Web Authentication improvements
Chrome 67 added initial support for the Web Authentication API, which allows sites to use something other than usernames and passwords for logging in. For example, you could use a fingerprint or a Bluetooth key (like the Google Titan) as the sole login method. However, the feature was limited to Chrome on desktop platforms.
In Chrome 70, the API is enabled by default on Android. When you visit a site that supports Web Authentication, Chrome will prompt you to use a security key. Google says fingerprints will also work (on both Android and Macs with Touch ID), but I was unable to test that.
Shape Detection API
The Shape Detection API is in Chrome 70 as an “origin trial,” meaning it’s not ready for widespread use. The API can detect three types of objects in images – faces, barcodes, and text. At the moment, compatibility varies from platform to platform, because this requires the host operating system to have the proper object detection APIs. Android and macOS support all three objects, but Windows 10 only supports face and text detection.
You can try a demo of the Shape Detection API here.
Transport Layer Security, or TLS for short, is the protocol that allows data to be transferred over the internet securely. When you’re on an HTTPS site, the data is most likely being sent over TLS. Chrome 70 includes support for version 1.3 of TLS, which was finalized last month.
A list of the changes can be found here, but in summary, it improves both efficiency and security. Fewer round-trips are required to establish a secure connection, so you might see a slight improvement in load times (if the site you’re visiting supports TLS 1.3). Here’s a graphical representation of the change from CloudFlare:
TLS 1.3 also drops support for a few legacy features, like support for SHA1 and MD5. Google said this on the Chrome Platform Status page:
TLS 1.3 was a multi-year project spanning contributions across the industry, academic research groups, and other participants in the standards process. We previously experimented with earlier drafts of the standard and, with the final standard done, are now excited to ship to it in Chrome.
Like always, Chrome 70 includes changes for both users and developers. Here are some smaller features that ship with this update:
- The decoder for AV1 video is now enabled by default on all platforms.
- The speech synthesis API will no longer work unless the page has already been interacted with. This is commonly used by spamware popups on mobile, since it wasn’t included in Chrome 66’s new autoplay policy.
- If a page is in fullscreen mode and displays a popup, the page will now exit fullscreen.
- AppCache no longer works on non-HTTPS pages.
- On Android devices, the OS build number (e.g. ‘NJH47F’) is no longer in the user agent string, to prevent fingerprinting. Chrome on iOS will freeze the build number at ’15E148′ instead of completely removing it, to follow Safari’s implementation.
- Opus audio is now supported in MP4, Ogg, and WebM container files.
- WebUSB now uses dedicated worker contexts, which should improve performance.
- Web Bluetooth now works on Windows 10.
- There is a new sync dialog on desktop platforms (thanks Edric).
The APK is signed by Google and upgrades your existing app. The cryptographic signature guarantees that the file is safe to install and was not tampered with in any way. Rather than wait for Google to push this download to your devices, which can take days, download and install it just like any other APK.