{"id":4869,"date":"2017-09-14T12:31:54","date_gmt":"2017-09-14T16:31:54","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=4869"},"modified":"2020-12-09T16:33:32","modified_gmt":"2020-12-09T21:33:32","slug":"google-chrome-63-tls-interception-warning","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/google-chrome-63-tls-interception-warning\/","title":{"rendered":"TLS Interception Warnings Coming in Google Chrome 63"},"content":{"rendered":"<h2>Google\u2019s browser will warn users about Man-in-the-Middle attacks starting in Chrome 63.<\/h2>\n<p>Google Chrome will add an interstitial warning notifying users of HTTPS interception starting in Chrome 63. The warning can currently be viewed in Chrome\u2019s dev browser, Canary, with a quick tweak. The stable version of Chrome 63 is set to go live December 5, 2017.<\/p>\n<p>Now let\u2019s hash out what this means, and why it\u2019s relevant. <span id=\"newline\"><\/span><\/p>\n<p>As you\u2019re aware, the internet is moving rapidly towards universal encryption. The \u201chttp\u201d protocol you see at the front of URLs is being replaced by \u201chttps,\u201d which allows all data being transmitted to be secured with encryption. To aid in the proliferation of HTTPS, Google and the other browsers have incentivized it. 
Websites that add SSL and migrate to HTTPS have been given perks like small SEO boosts, access to advanced browser features and the promise of HTTP\/2.<\/p>\n<p>Google\u2019s decision to add this warning is a different approach that aims to accomplish the same thing: complete encryption.<\/p>\n<p>And one thing that interrupts complete encryption is HTTPS interception, sometimes called TLS interception.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4875\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/chrome-63-tls-interception-error.png\" alt=\"Google Chrome 63 TLS Interception Warning\" width=\"1200\" height=\"679\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/chrome-63-tls-interception-error.png 1200w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/chrome-63-tls-interception-error-300x170.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/chrome-63-tls-interception-error-768x435.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/chrome-63-tls-interception-error-1024x579.png 1024w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/><\/p>\n<h2>Two Kinds of TLS Interception<\/h2>\n<p>For the sake of this discussion, we\u2019re going to divide TLS Interception into two main categories: Man-in-the-Middle attacks, which this alert will actively warn users about, and HTTPS Interception.<\/p>\n<p>A Man-in-the-Middle attack is where an attacker is able to position him or herself between a user and the server that user is communicating with. As the name suggests, the man-in-the-middle can intercept and inspect all data transmitted between the two parties it&#8217;s spying on. It can even manipulate that information if it wants to.<\/p>\n<p>SSL prevents a great number of MITM attacks just by virtue of adding encryption in the first place. 
But it is possible for an attacker to intercept the encryption and perform a MITM attack even when SSL is in place. Oftentimes this sort of vulnerability occurs because of misconfiguration on the part of the site administrator, but it\u2019s a threat nonetheless. In many cases, an affected user may not even know that an attack has taken place beyond getting a few TLS errors during their browsing experience.<\/p>\n<p>Google\u2019s decision to add a TLS interception warning will help alleviate that by presenting users with an unpassable interstitial warning anytime interception is detected. It will flag whenever it notices an AV CA that is not in its trust store (<em>h\/t to <a href=\"https:\/\/twitter.com\/patfigel\">Patrick Figel<\/a> for this correction<\/em>).<\/p>\n<h2>The Other Kind of HTTPS Interception<\/h2>\n<p>Now let\u2019s talk about the other reason to <a href=\"https:\/\/www.thesslstore.com\/blog\/airline-wi-fi-provider-gogo-intercepting-user-traffic\/\">intercept HTTPS traffic<\/a>. Technically, this category still constitutes MITM, but its aim is a little different. In this instance, you\u2019re intercepting HTTPS traffic to inspect it for security purposes.<\/p>\n<p>Now, this type of HTTPS interception is controversial. While many of the security companies that sell it claim that it is harmless, there have been <a href=\"https:\/\/www.thesslstore.com\/blog\/https-interception-harming-security\/\">studies that show HTTPS Interception weakens the overall security of users\u2019 data<\/a>.<\/p>\n<p>When HTTPS interception is being done for security reasons, an intercepting device is placed between the client and the server. In this arrangement, two connections are needed, one between the client and the interceptor, and one between the interceptor and the server. 
The reason for intercepting is to inspect traffic for malware and malicious requests.<\/p>\n<p>Frankly, the topic of HTTPS Interception as a security practice is a completely different debate for another time. There are valid points on both sides, but the evidence tends to point towards the practice being harmful. I&#8217;m just mentioning it to help complete this discussion.<\/p>\n<p>Either way, this type of HTTPS interception is unlikely to trigger Google&#8217;s new TLS Interception warning.<\/p>\n<h2>How to Enable TLS Interception Warnings on Canary<\/h2>\n<p>While you\u2019ll have to wait for Chrome 63 in December for these changes to show up on their own, you can enable Google\u2019s TLS Interception warning on Chrome\u2019s dev browser, Canary. Here\u2019s how to do it:<\/p>\n<ol>\n<li>Find the Google Chrome Canary icon\/shortcut and double click on it.<\/li>\n<li>Choose &#8220;Properties&#8221; from the drop-down menu.<\/li>\n<li>In the &#8220;Target&#8221; field, add the following text &#8220;--enable-features=MITMSoftwareInterstitial&#8221; and hit &#8220;Save.&#8221;<\/li>\n<\/ol>\n<h2>What We Hashed Out (For Skimmers)<\/h2>\n<p>Here are the key points we covered in today\u2019s discussion:<\/p>\n<ul>\n<li>Google will add a TLS Interception warning to its browser starting in Chrome 63<\/li>\n<li>TLS Interception, sometimes called HTTPS Interception, involves placing a \u201cman-in-the-middle\u201d between a client and a server to inspect traffic or inject content<\/li>\n<li>The TLS Interception warning will be available in December 2017, but can be added to Canary today<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Google\u2019s browser will warn users about Man-in-the-Middle attacks starting in Chrome 63. Google Chrome will add an interstitial warning notifying users of HTTPS interception starting in Chrome 63. 
The warning&#8230;<\/p>\n","protected":false},"author":6,"featured_media":4870,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[4069,131,155,506],"class_list":["post-4869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-chrome-63","tag-google","tag-google-chrome","tag-https-interception","post-with-tags"],"views":16023,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/iStock-471502911.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=4869"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4869\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/4870"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=4869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=4869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=4869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}
]}}