security
22 Topics

Security bug in Edge password manager
So in Edge password manager, you took care of this problem by showing a fixed number of stars to prevent unauthorized users from seeing the exact number of characters in each password. But the problem is, you can still see the total number of password characters when you go to each website. Notice the upper password has 3 characters more, and I checked and confirmed that the number of stars correctly represents the number of characters in the unmasked password. And since an attacker can see the website names in plain text in Edge password manager: edge://settings/passwords all they have to do is to go to that website and click on the username/password field to view the exact number of password characters.

Using Edge dev Version 87.0.664.8 (Official build) dev (64-bit) (also sent using feedback button on Edge)

1.8K Views, 5 likes, 5 Comments

New Feature | Automatic HTTPS switching added to Edge browser
Automatic HTTPS
Enables support for Automatic HTTPS, which switches connections to websites from HTTP to HTTPS. The feature can then be turned on/off or further configured at edge://settings/privacy. – Mac, Windows, Linux
#edge-automatic-https

Microsoft Edge Version 92.0.877.0 (Official build) canary (64-bit)
edge://flags/#edge-automatic-https

2.4K Views, 4 likes, 0 Comments

[FIXED] Need someone from Edge team answer why Edge mobile is using Chromium version 77?
Edge on Android is now on the latest version, the same as Edge desktop, everything is new and up to date.
https://techcommunity.microsoft.com/t5/discussions/new-edge-canary-mobile-version-available-now-updated-chromium/m-p/2275690

I'm really concerned about security patches and updates that the latest Chromium gets (which is version 86 as of this moment), but Edge mobile (Android) is using Chromium 77, which is almost 1 year old! Not only that, each Chromium version has more features compared to the previous one, but Edge mobile is missing all of that. Why is this happening? Why is Edge Android not using an up-to-date version of Chromium?

1.2K Views, 4 likes, 1 Comment

Introducing Edge Master Password | New feature
It's this feature: it's a controlled feature rollout available in Edge canary, and was added a few versions ago. This helps your passwords stay safe by requiring you to enter your Windows PIN/password when you want to autofill your credentials on a web page, using the same strong authentication method Windows uses to secure your login screen, secure your disks pre-logon, etc.

Next in line is this. I'm already seeing some bits of it in Edge canary, but it is not fully implemented just yet.

12K Views, 3 likes, 2 Comments

[Resolved] Adding cookies to the Allow list makes them bypass the 3rd party cookie blocking!?
When I turn on 3rd party cookie blocking, and add
[*.]youtube.com
[*.]google.com
to the allow list of cookies, this causes Google and YouTube cookies to be read and accessed in Reddit and other sites, even though 3rd party cookie blocking is enabled.

Edge (or Chromium in general, since it happens on Chrome 88 stable too) is confused. That Allow list is for allowing certain cookies to enter or stay in the browser; the Allow list is not a 3rd party cookie bypass list.

My actual setup and configuration was more complex, but I had to do lots of testing to find out why Reddit still detects and asks me to sign into my Google account when 3rd party cookie blocking is enabled!

3.6K Views, 3 likes, 9 Comments

[FIXED] How long can Edge mobile keep using Chromium 77 and still receive updated security patches?
Edge on Android is now on the latest version, the same as Edge desktop, everything is new and up to date.
https://techcommunity.microsoft.com/t5/discussions/new-edge-canary-mobile-version-available-now-updated-chromium/m-p/2275690

Edge beta mobile (Android) is using Chromium 77.0.3865.116 at the moment. How long can it stick to version 77 and still receive security patches, bug fixes for zero-day threats, etc.? Like this one. And what's so special about version 77 of Chromium? What made the Edge team choose that and stick with it for such a long time!? Lastly, is there ever going to be a time when we will be using an up-to-date Chromium engine in Edge mobile, just like on computer?

I really need someone from the Edge team to answer this. I'm using it on my own device and also made others close to me switch over to Edge too, so I'm a little concerned here. And this is something many people in different topics talked about.

2K Views, 3 likes, 3 Comments

New improvement on Strong password suggestion feature in Edge
It's a controlled feature rollout. Edge has got a new option in right-click that will let you generate a strong password when you right-click on a password field. Edge is already using Machine Learning to automatically suggest strong passwords on sign-up pages, but this option is there for pages that it doesn't happen on automatically, yet.

There is also a form where you can submit web pages on which Edge doesn't automatically suggest a strong password.
https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR123cdFSKdZItI7mcVwhTx1UM1FNWDRQVk9CTUFMU09DUkVaTjdETzIzNS4u

1.9K Views, 2 likes, 0 Comments

Why all of these HTML5 features are turned off in the last few builds of Edge canary?
Web Cryptography API
Content Security Policy 1
Audio track selection
Video track selection
ObjectRTC API for WebRTC
Enumerate devices
Screen Capture
Access the webcam
Credential Management

Source?
I compared the current Edge canary Version 83.0.478.0 (Official build) canary (64-bit) with the results of a previous version:
https://techcommunity.microsoft.com/t5/discussions/very-impressive-edge-insider-canary-results-in-html5-test-plus/m-p/877787

Edge now scores 473
http://html5test.com/

I haven't disabled any flags. I'm using the same flags that I have always enabled; there are of course more flags enabled right now than there were before, but nothing disabled by me. The score has been that low in the past 2 weeks, so you can say since the past 5-6 canary builds.

3.8K Views, 2 likes, 12 Comments

New security feature: Passwords Length are now Hidden in Edge Password Manager
Microsoft Edge Version 83.0.474.0 (Official build) canary (64-bit)

Now the Password Length is hidden in Edge browser's password manager: edge://settings/passwords

Previously even if you couldn't see the characters, you could still see how long the password is:

Now the Password Length is also hidden

Solved
5.3K Views, 2 likes, 11 Comments

Microsoft advisory shows whether Edge keeps up with Chrome's patching
Microsoft advisory shows whether Edge keeps up with Chrome's patching

The advisory will be updated when Microsoft releases a new version of Edge that includes publicly disclosed security updates from the Chromium project.

Microsoft has posted a security advisory that will record all updates to its new Chromium-based Edge browser, giving customers a way to monitor whether the company keeps up with Google's patching of Chrome.

"This advisory will be updated whenever Microsoft releases a version of Microsoft Edge which incorporates publicly disclosed security updates from the Chromium project," the Redmond, Wash. firm wrote on the support document.

As of mid-day Wednesday, only one listing populated the advisory. The item, dated Jan. 17, called out four CVE-identified vulnerabilities. (CVE, for "Common Vulnerabilities and Exposures," is the most-used bug-naming standard.) The advisory also noted the Edge version number that included the patches and the corresponding version of Chromium that also quashed the bugs.

Because Chrome assumes Chromium's version numbers without change - for some reason, Edge does not - the advisory was the first way that was found to link a specific version of Edge to one of Chrome.

This security advisory is supposed to list all Edge security updates. Comparing the version number of Edge to that of Chrome lets customers monitor whether Microsoft has kept up with Chromium's/Chrome's fixes.

Google released Chrome 79.0.3945.130 - the Chromium version listed in the advisory - on Jan. 16, saying here that the interim update included patches for 11 vulnerabilities. As usual, Google only identified four of the 11 by CVE. The quartet matched the four CVEs that Microsoft said were addressed in Edge.

Meanwhile, the Edge update, which Microsoft released Jan. 17 - one day after Chrome's - was marked as version 79.0.309.68. (That's not the most current Edge; Microsoft updated the browser again on Jan. 23 to 79.0.309.71. However, there was no sign that that version patched any vulnerabilities. For a complete listing of Edge updates, users can steer to the Microsoft Update Catalog; pre-filtered the results to show only those for the Stable build of the browser.)

Edge 79.0.309.68 thus equals Chrome 79.0.3945.130.

Microsoft patched Edge just a day after Google refreshed Chrome, indicating that the former browser will not substantially lag behind the latter. If it had, attackers might have been able to use the interval to reverse engineer a patch, uncover the vulnerability and craft an exploit.

Still unknown is the size of the gap between Google promoting a new version of Chrome to the Stable branch and Microsoft following suit with Edge. On Tuesday, Google released Chrome 80 - specifically, version 80.0.3987.87 - with new features as well as 56 security fixes. Google listed 37 of the 56 with CVE identifiers. Ten of the 37 were marked "High," the second-most-serious ranking in Chrome's four-step rating system.

As of 2 p.m. ET Wednesday, Microsoft had not updated Edge to reflect Chrome's shift to version 80.

Source: Microsoft advisory shows whether Edge keeps up with Chrome's patching

2.5K Views, 2 likes, 3 Comments