<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://chrome.security/feed.xml" rel="self" type="application/atom+xml" /><link href="https://chrome.security/" rel="alternate" type="text/html" /><updated>2026-04-30T19:26:57+00:00</updated><id>https://chrome.security/feed.xml</id><title type="html">chrome.security</title><subtitle>Chrome Security&apos;s mission is to make it safe to click on links.
</subtitle><entry><title type="html">Evolving the Android &amp;amp; Chrome VRPs for the AI Era</title><link href="https://chrome.security/2026/04/30/evolving-the-android-chrome-vrps-for-the-ai-era.html" rel="alternate" type="text/html" title="Evolving the Android &amp;amp; Chrome VRPs for the AI Era" /><published>2026-04-30T00:00:00+00:00</published><updated>2026-04-30T00:00:00+00:00</updated><id>https://chrome.security/2026/04/30/evolving-the-android-chrome-vrps-for-the-ai-era</id><content type="html" xml:base="https://chrome.security/2026/04/30/evolving-the-android-chrome-vrps-for-the-ai-era.html"><![CDATA[]]></content><author><name>Alex Gough, Shailesh Saini, and Tony Mendez</name></author><summary type="html"><![CDATA[As the security research landscape evolves with AI, we're making changes in our programs to ensure we're rewarding the most challenging and impactful vulnerabilities in our products. This focus provides the most value to our security teams and helps keep users safe today, all while making sure security researchers continue to be rewarded for their efforts.]]></summary></entry><entry><title type="html">Protecting Cookies with Device Bound Session Credentials</title><link href="https://chrome.security/2026/04/09/protecting-cookies-with-device-bound.html" rel="alternate" type="text/html" title="Protecting Cookies with Device Bound Session Credentials" /><published>2026-04-09T00:00:00+00:00</published><updated>2026-04-09T00:00:00+00:00</updated><id>https://chrome.security/2026/04/09/protecting-cookies-with-device-bound</id><content type="html" xml:base="https://chrome.security/2026/04/09/protecting-cookies-with-device-bound.html"><![CDATA[]]></content><author><name>Benjamin Ackerman and Daniel Rubery, Chrome, and Guillaume Ehinger, Google Account Security</name></author><summary type="html"><![CDATA[Following our April 2024 announcement, Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and 
expanding to macOS in an upcoming Chrome release. This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape.]]></summary></entry><entry><title type="html">Cultivating a robust and efficient quantum-safe HTTPS</title><link href="https://chrome.security/2026/02/27/cultivating-robust-and-efficient.html" rel="alternate" type="text/html" title="Cultivating a robust and efficient quantum-safe HTTPS" /><published>2026-02-27T00:00:00+00:00</published><updated>2026-02-27T00:00:00+00:00</updated><id>https://chrome.security/2026/02/27/cultivating-robust-and-efficient</id><content type="html" xml:base="https://chrome.security/2026/02/27/cultivating-robust-and-efficient.html"><![CDATA[<p>Today we’re announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (“PLANTS”), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography introduces into TLS connections requiring Certificate Transparency (CT). We recently shared our call to action to secure quantum computing and have written about challenges introduced by quantum-resistant cryptography and some of the steps we’ve taken to address them in earlier blog posts.</p>]]></content><author><name>Chrome Secure Web and Networking Team</name></author><summary type="html"><![CDATA[Today we’re announcing a new program in Chrome to make HTTPS certificates secure against quantum computers. The Internet Engineering Task Force (IETF) recently created a working group, PKI, Logs, And Tree Signatures (“PLANTS”), aiming to address the performance and bandwidth challenges that the increased size of quantum-resistant cryptography introduces into TLS connections requiring Certificate Transparency (CT). 
We recently shared our call to action to secure quantum computing and have written about challenges introduced by quantum-resistant cryptography and some of the steps we’ve taken to address them in earlier blog posts.]]></summary></entry><entry><title type="html">Fixing two ITW bugs in Chrome (Kawaiicon 2025)</title><link href="https://chrome.security/2025/12/23/kawaiicon-2025-fixing-windows-chrome-itw.html" rel="alternate" type="text/html" title="Fixing two ITW bugs in Chrome (Kawaiicon 2025)" /><published>2025-12-23T00:00:00+00:00</published><updated>2025-12-23T00:00:00+00:00</updated><id>https://chrome.security/2025/12/23/kawaiicon-2025-fixing-windows-chrome-itw</id><content type="html" xml:base="https://chrome.security/2025/12/23/kawaiicon-2025-fixing-windows-chrome-itw.html"><![CDATA[<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/mxN8puPTLCs?si=zqTL0cb2Q4Wh6y_k" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen=""></iframe>]]></content><author><name>Alex Gough</name></author><summary type="html"><![CDATA[Alex Gough talks about fixing two sandbox escapes in Chrome and how to use postmortems to learn and make improvements to Chrome's IPC stack.]]></summary></entry><entry><title type="html">HTTPS certificate industry phasing out less secure domain validation methods</title><link href="https://chrome.security/2025/12/10/https-certificate-industry-phasing-out.html" rel="alternate" type="text/html" title="HTTPS certificate industry phasing out less secure domain validation methods" /><published>2025-12-10T00:00:00+00:00</published><updated>2025-12-10T00:00:00+00:00</updated><id>https://chrome.security/2025/12/10/https-certificate-industry-phasing-out</id><content type="html" 
xml:base="https://chrome.security/2025/12/10/https-certificate-industry-phasing-out.html"><![CDATA[<p>Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers.</p>]]></content><author><name>Chrome Root Program</name></author><summary type="html"><![CDATA[Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers.]]></summary></entry><entry><title type="html">Architecting Security for Agentic Capabilities in Chrome</title><link href="https://chrome.security/2025/12/08/architecting-security-for-agentic.html" rel="alternate" type="text/html" title="Architecting Security for Agentic Capabilities in Chrome" /><published>2025-12-08T00:00:00+00:00</published><updated>2025-12-08T00:00:00+00:00</updated><id>https://chrome.security/2025/12/08/architecting-security-for-agentic</id><content type="html" xml:base="https://chrome.security/2025/12/08/architecting-security-for-agentic.html"><![CDATA[<p>Chrome has been advancing the web’s security for well over 15 years, and we’re committed to meeting new challenges and opportunities with AI. Billions of people trust Chrome to keep them safe by default, and this is a responsibility we take seriously. 
Following the recent launch of Gemini in Chrome and the preview of agentic capabilities, we want to share our approach and some new innovations to improve the safety of agentic browsing.</p>]]></content><author><name>Nathan Parker</name></author><summary type="html"><![CDATA[Chrome has been advancing the web’s security for well over 15 years, and we’re committed to meeting new challenges and opportunities with AI. Billions of people trust Chrome to keep them safe by default, and this is a responsibility we take seriously. Following the recent launch of Gemini in Chrome and the preview of agentic capabilities, we want to share our approach and some new innovations to improve the safety of agentic browsing.]]></summary></entry><entry><title type="html">HTTPS by default</title><link href="https://chrome.security/2025/10/28/https-by-default.html" rel="alternate" type="text/html" title="HTTPS by default" /><published>2025-10-28T00:00:00+00:00</published><updated>2025-10-28T00:00:00+00:00</updated><id>https://chrome.security/2025/10/28/https-by-default</id><content type="html" xml:base="https://chrome.security/2025/10/28/https-by-default.html"><![CDATA[<p>One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. This means Chrome will ask for the user’s permission before the first access to any public site without HTTPS.</p>]]></content><author><name>Chris Thompson, Mustafa Emre Acer, Serena Chen, Joe DeBlasio, Emily Stark and David Adrian</name></author><summary type="html"><![CDATA[One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. 
This means Chrome will ask for the user’s permission before the first access to any public site without HTTPS.]]></summary></entry><entry><title type="html">Advancing Protection in Chrome on Android</title><link href="https://chrome.security/2025/07/08/android-advanced-protection.html" rel="alternate" type="text/html" title="Advancing Protection in Chrome on Android" /><published>2025-07-08T00:00:00+00:00</published><updated>2025-07-08T00:00:00+00:00</updated><id>https://chrome.security/2025/07/08/android-advanced-protection</id><content type="html" xml:base="https://chrome.security/2025/07/08/android-advanced-protection.html"><![CDATA[<p>Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced Protection gives you the ability to activate Google’s strongest security for mobile devices, providing greater peace of mind that you’re better protected against the most sophisticated threats.</p>

<p>Advanced Protection acts as a single control point for at-risk users on Android that enables important security settings across applications, including many of your favorite Google apps, such as Chrome. In this post, we’d like to do a deep dive into the Chrome features that are integrated with Advanced Protection, and how enterprises and users outside of Advanced Protection can leverage them.</p>

<p>Android Advanced Protection integrates with Chrome on Android in three main ways.</p>]]></content><author><name>David Adrian and Javier Castro Peter Kotwicz</name></author><summary type="html"><![CDATA[Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced Protection gives you the ability to activate Google’s strongest security for mobile devices, providing greater peace of mind that you’re better protected against the most sophisticated threats.]]></summary></entry><entry><title type="html">New permission prompt for Local Network Access</title><link href="https://chrome.security/2025/06/09/new-permission-prompt.html" rel="alternate" type="text/html" title="New permission prompt for Local Network Access" /><published>2025-06-09T00:00:00+00:00</published><updated>2025-06-09T00:00:00+00:00</updated><id>https://chrome.security/2025/06/09/new-permission-prompt</id><content type="html" xml:base="https://chrome.security/2025/06/09/new-permission-prompt.html"><![CDATA[<p>Chrome is adding a new permission prompt for sites that make connections to a user’s local network as part of the draft Local Network Access specification. The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks, and to reduce the ability of sites to use these requests to fingerprint the user’s local network.</p>

<p>To understand how this change impacts the web ecosystem, the Chrome team is looking for feedback from developers who build web applications that rely on making connections to a user’s local network or to software running locally on the user’s machine. From Chrome 138, you can opt in to these new restrictions by going to <code class="language-plaintext highlighter-rouge">chrome://flags/#local-network-access-check</code> and setting the flag to “Enabled (Blocking)”.</p>]]></content><author><name>Chris Thompson</name></author><summary type="html"><![CDATA[Chrome is adding a new permission prompt for sites that make connections to a user’s local network as part of the draft Local Network Access specification. The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks, and to reduce the ability of sites to use these requests to fingerprint the user’s local network.]]></summary></entry><entry><title type="html">Fighting Unwanted Notifications with Machine Learning in Chrome</title><link href="https://chrome.security/2025/05/08/fighting-unwanted-notifications-with.html" rel="alternate" type="text/html" title="Fighting Unwanted Notifications with Machine Learning in Chrome" /><published>2025-05-08T00:00:00+00:00</published><updated>2025-05-08T00:00:00+00:00</updated><id>https://chrome.security/2025/05/08/fighting-unwanted-notifications-with</id><content type="html" xml:base="https://chrome.security/2025/05/08/fighting-unwanted-notifications-with.html"><![CDATA[<p>Notifications in Chrome are a useful feature to keep up with updates from your favorite sites. However, we know that some notifications may be spammy or even deceptive. We’ve received reports of notifications diverting you to download suspicious software, tricking you into sharing personal information or asking you to make purchases on potentially fraudulent online store fronts.</p>

<p>To defend against these threats, Chrome is launching warnings of unwanted notifications on Android. This new feature uses on-device machine learning to detect and warn you about potentially deceptive or spammy notifications, giving you an extra level of control over the information displayed on your device.</p>

<p>When a notification is flagged by Chrome, you’ll see the name of the site sending the notification, a message warning that the contents of the notification are potentially deceptive or spammy, and the option to either unsubscribe from the site or see the flagged content.</p>

<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCMwUjjbBbWbcsIDPz1-12QyQOWYYHRBrw-V3fZlpdpLIhb-KR6ZQVUnB5Lc0CcsLuOLaz5H6TxtxbcFfNSnaSRcEN6f-NeXe4Q271frko8j3oKrH-lIBFoWWtq17stBqfEHK8sOj-epcZoXj43KRHpEWjlnYF-jFYWC0qrDf4hTBsAAzgvbBRI-os7ft/s1600/Screenshot%202025-05-07%20at%202.41.50%E2%80%AFPM.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCMwUjjbBbWbcsIDPz1-12QyQOWYYHRBrw-V3fZlpdpLIhb-KR6ZQVUnB5Lc0CcsLuOLaz5H6TxtxbcFfNSnaSRcEN6f-NeXe4Q271frko8j3oKrH-lIBFoWWtq17stBqfEHK8sOj-epcZoXj43KRHpEWjlnYF-jFYWC0qrDf4hTBsAAzgvbBRI-os7ft/s1600/Screenshot%202025-05-07%20at%202.41.50%E2%80%AFPM.png" alt="" /></a></p>

<p>An example of a notification flagged as possibly spam.</p>

<p>If you choose to see the notification, you will still see the option to unsubscribe, or you can choose to always allow notifications from that site and not see warnings in the future.</p>

<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-pUXQlfKAIH427ozKplzv2geQz_cNc_EOjxSaB9K4nRDXhbiFGYBpR6FTWd95ehGxVZ0de_piDUmEjis_tShIJddv27scbA0rs3KjyL5DvNXoN_ABiikAvQTp6bDeMjHMEO5PP-4Mjy3-b-Fe0sKSQpVVoXsP3X2mqrHF2mfAQCd9ltrBBnA5HxhUfkgG/s1600/Screenshot%202025-05-07%20at%202.42.46%E2%80%AFPM.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-pUXQlfKAIH427ozKplzv2geQz_cNc_EOjxSaB9K4nRDXhbiFGYBpR6FTWd95ehGxVZ0de_piDUmEjis_tShIJddv27scbA0rs3KjyL5DvNXoN_ABiikAvQTp6bDeMjHMEO5PP-4Mjy3-b-Fe0sKSQpVVoXsP3X2mqrHF2mfAQCd9ltrBBnA5HxhUfkgG/s1600/Screenshot%202025-05-07%20at%202.42.46%E2%80%AFPM.png" alt="" /></a></p>

<p>What you see when viewing a flagged notification.</p>

<p><strong>How It Works</strong></p>

<p>Chrome uses a local, on-device machine learning model to analyze notification content. This model identifies notifications that are likely to be unwanted. The model is trained on the textual contents of the notification, like the title, body, and action button texts.</p>

<p>Notifications are end-to-end encrypted. The analysis of each message is done on-device, and notification contents are not sent to Google, to protect user privacy. Due to the sensitive nature of notification content, the model was trained using synthetic data generated by the Gemini large language model (LLM). The training data was evaluated against real notifications, which the Chrome Security team collected by subscribing to a variety of websites and which were then classified by human experts. To start, this feature is only available on Android, as the majority of notifications are sent to mobile devices; however, we will evaluate expanding to other platforms in the future.</p>

<p>This feature is just one of many ways Chrome works to reduce the number of potentially harmful notifications you receive. Other ways Chrome protects against potentially harmful notifications include:</p>

<ul>
  <li>
    <p>Revoking Notification Permissions from Abusive Sites: When Google Safe Browsing identifies a site engaging in abusive behavior, Chrome will automatically revoke the site’s notification permissions. You can find a list of revoked notification permissions in Chrome Safety Check. Learn more about how Safety Check takes proactive steps to keep you safe <a href="https://blog.google/products/chrome/google-chrome-safety-update-september-2024/">here</a>.</p>

    <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5CxgP6_T4VgVFXAXEmGas2RK5XFTjJ4VA_VutYgOVMaD_S7ZXuttjUIhptyxlU5e4jubpkFXywT9OQK0a-p5ZV39T2MCLTPgqfo-fige9b9rCArWP6o2KJPXlST_Me59-64fzOCGYjQs6egCWhrK5EqJYyxrKIIFquoBTcaRlt43hg-u1Fu7odm8B9F7C/s1600/Screenshot%202025-05-07%20at%202.43.48%E2%80%AFPM.png"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5CxgP6_T4VgVFXAXEmGas2RK5XFTjJ4VA_VutYgOVMaD_S7ZXuttjUIhptyxlU5e4jubpkFXywT9OQK0a-p5ZV39T2MCLTPgqfo-fige9b9rCArWP6o2KJPXlST_Me59-64fzOCGYjQs6egCWhrK5EqJYyxrKIIFquoBTcaRlt43hg-u1Fu7odm8B9F7C/s1600/Screenshot%202025-05-07%20at%202.43.48%E2%80%AFPM.png" alt="" /></a></p>

    <p>In Safety Check you can review any notification permission revocations.</p>
  </li>
  <li>
    <p>One Tap Unsubscribe on Android: You have the option to unsubscribe from notifications with one click on any Chrome notification sent to an Android phone, whether the notification contents are benign or potentially harmful. Limiting notifications from sites you no longer want updates from can reduce the amount of data and battery life you use daily. If you ever want to review which sites have the ability to send you notifications, you can visit Chrome Settings -&gt; Privacy and Security -&gt; Site Settings -&gt; Notifications.</p>
  </li>
</ul>

<p>Notification warnings are an important step in Chrome’s ongoing commitment to user safety. The Chrome Security team, in partnership with Google Safe Browsing, continually monitors threats to our users in order to evolve our defenses against abusive activity across the web. Keep an eye on our blog for updates on how we are helping you stay one step ahead of online threats.</p>

]]></content><author><name>Hannah Buonomo &amp; Sarah Krakowiak Criel, Chrome Security</name></author><summary type="html"><![CDATA[Notifications in Chrome are a useful feature to keep up with updates from your favorite sites. However, we know that some notifications may be spammy or even deceptive. We’ve received reports of notifications diverting you to download suspicious software, tricking you into sharing personal information or asking you to make purchases on potentially fraudulent online store fronts.]]></summary></entry></feed>