{"id":9622,"date":"2019-01-30T11:45:31","date_gmt":"2019-01-30T16:45:31","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=9622"},"modified":"2020-08-24T15:00:05","modified_gmt":"2020-08-24T19:00:05","slug":"google-chrome-72-deprecates-support-for-tls-1-0-tls-1-1","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/google-chrome-72-deprecates-support-for-tls-1-0-tls-1-1\/","title":{"rendered":"Google Chrome 72 deprecates support for TLS 1.0, TLS 1.1"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">The update also completely removed support for HPKP.<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Google Chrome 72 was released yesterday, just hours after the release of Firefox 65. And while Google has been pre-occupied with UI\/UX changes over its previous few releases, this update focuses much more on <a href=\"https:\/\/chromium.googlesource.com\/chromium\/src\/+log\/71.0.3578.98..72.0.3626.81?pretty=fuller&amp;n=10000\">security updates, tweaks to APIs and support for various protocols<\/a>. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Obviously, we\u2019re mostly interested in the SSL\/TLS-related\nstuff, which is good because there are several big changes in store for Windows,\nMac, Linux and Android users.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, today we\u2019ll discuss those changes and how you can harden\nyour own personal security in conjunction with one of those updates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bye bye HPKP<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">HTTP-based Public Key Pinning (HPKP) is a practice that pins one or more of a website\u2019s public keys in an HTTP header. It\u2019s a great idea in theory as it helps defend against mis-issuance, but in practice it can be incredibly dangerous. 
Ok, that may be a bit hyperbolic, but HPKP is challenging to use correctly because it\u2019s difficult to build a set of pinned keys that is guaranteed to work, on account of the ever-evolving nature of the digital certificate industry and the variance in user trust stores. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As a result, HPKP can cause websites to break. It causes a lot of errors. And it can actually be weaponized, though there has never been a confirmed case of this happening.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Google had already announced it planned to deprecate HPKP; now support has been removed entirely in Chrome 72.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>PKP offers a way to defend against certificate misissuance, by providing a Web-exposed mechanism (HPKP) for sites to limit the set of certificate authorities (CAs) that can issue for their domain. However, this exposes as part of the Open Web Platform considerations that are external to it: specifically, the choice and selection of CAs is a product-level security decision made by browsers or by OS vendors, and the choice and use of sub-CAs, cross-signing, and other aspects of the PKI hierarchy are made independently by CAs. As a consequence, site operators face difficulties selecting a reliable set of keys to pin to, and adoption of PKP has remained low. When site operators\u2019 expectations don\u2019t match the reality of trust anchors on real world client machines, users suffer. 
Unexpected or spurious pinning errors can result in error fatigue rather than user safety.<\/p><cite><a href=\"https:\/\/groups.google.com\/a\/chromium.org\/forum\/#!msg\/blink-dev\/he9tr7p3rZ8\/eNMwKPmUBAAJ\">Chris Palmer, Security Engineer, Google<\/a><\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve written about how <a href=\"https:\/\/www.thesslstore.com\/blog\/industry-experts-say-dont-use-key-pinning-hpkp\/\">HPKP was a failed concept before<\/a>, and that\u2019s backed up by the fact that neither Apple nor Microsoft support it anymore. Now Google has completely removed support in Chrome 72.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">RIP HPKP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Deprecating support for TLS 1.0 and TLS 1.1<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At the end of last year, in a fairly unprecedented <a href=\"https:\/\/www.thesslstore.com\/blog\/apple-microsoft-google-disable-tls-1-0-tls-1-1\/\">joint announcement<\/a>, the major browser makers \u2013 Google, Apple, Microsoft &amp; Mozilla \u2013 announced their decision to deprecate support for TLS 1.0 and TLS 1.1 in early 2020. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the release of Chrome 72, Google is laying the foundation for that final deprecation. For now, traveling to sites that still only support TLS 1.0 or TLS 1.1 will simply show a warning in the Dev Tools. <a href=\"https:\/\/www.chromestatus.com\/feature\/5654791610957824\">Starting with the release of Chrome 81<\/a>, users won\u2019t be able to connect with sites that have not upgraded to TLS 1.2.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This isn\u2019t anything surprising: TLS 1.0 and TLS 1.1 are being widely deprecated as a result of known vulnerabilities. 
Last year <a href=\"https:\/\/www.thesslstore.com\/blog\/june-30-to-disable-tls-1-0\/\">PCI DSS dictated<\/a> that any website that accepts payment cards needed to deprecate TLS 1.0 with a strong recommendation for removing TLS 1.1, too. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, despite the fact TLS 1.2 has been out for about ten years and we\u2019ve now moved on to TLS 1.3, too <a href=\"https:\/\/www.thesslstore.com\/blog\/nearly-21-of-the-worlds-top-100000-websites-still-arent-using-https\/\">many websites are still only supporting outmoded versions of the SSL and TLS protocols<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s a breakdown of the Alexa top 100,000 by the highest\nprotocol supported:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"525\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/12\/Highest-SSLTLS-Version-Supported.png\" alt=\"Nearly 21% of the world\u2019s top 100,000 websites still aren\u2019t using HTTPS\" class=\"wp-image-8180\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/12\/Highest-SSLTLS-Version-Supported.png 900w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/12\/Highest-SSLTLS-Version-Supported-300x175.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/12\/Highest-SSLTLS-Version-Supported-768x448.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Oddly, there are more than 40 times as many sites whose\nhighest level of support is TLS 1.0 than TLS 1.1. Overall though, that\u2019s about\n2.3% of the Alexa top 100,000 that will effectively be unreachable if they\nhaven\u2019t upgraded by Chrome 81. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re running a website, now would be a good time to turn\noff server support for these older protocol versions, too. 
It\u2019s great that you\nsupport newer, more secure versions of the protocol, but continuing to support\noutmoded versions opens you up to downgrade attacks. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Disabling support for TLS 1.0 and TLS 1.1 in Google Chrome<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As for regular Chrome users, now would be a good time for you to drop support for TLS 1.0 and TLS 1.1 on the browser side, too. One of the best ways to force the stragglers to upgrade their support is to stop visiting sites that don\u2019t support TLS 1.2 or higher. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">UPDATE: The correct place to adjust these settings for Microsoft users is Windows\u2019 native TLS stack, not Chrome. Chrome only picks up its proxy settings from there (h\/t David Benjamin). <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, to do that, open your Control Panel and select Internet Options. Navigate to the Advanced tab, then scroll down to the Security settings and untoggle TLS 1.0 and TLS 1.1.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"409\" height=\"535\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS4.jpg\" alt=\"Google Chrome 72 deprecates support for TLS 1.0, TLS 1.1\" class=\"wp-image-9626\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS4.jpg 409w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS4-229x300.jpg 229w\" sizes=\"auto, (max-width: 409px) 100vw, 409px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s how to drop support for TLS 1.0 and TLS 1.1 through Chrome.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Click the vertical ellipsis (three dots) in the upper\nright-hand corner of the browser and select Settings.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"754\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS1-1024x754.jpg\" alt=\"Google Chrome 72 deprecates support for TLS 1.0, TLS 1.1\" class=\"wp-image-9623\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS1-1024x754.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS1-300x221.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS1-768x566.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS1.jpg 1028w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Scroll down and click \u201cAdvanced.\u201d<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"754\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS2-1024x754.jpg\" alt=\"Google Chrome 72 deprecates support for TLS 1.0, TLS 1.1\" class=\"wp-image-9624\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS2-1024x754.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS2-300x221.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS2-768x566.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS2.jpg 1028w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Scroll down to the \u201cSystem\u201d section and click \u201cOpen\nproxy settings.\u201d<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"754\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS3-1024x754.jpg\" alt=\"Google Chrome 72 deprecates support for TLS 1.0, TLS 1.1\" class=\"wp-image-9625\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS3-1024x754.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS3-300x221.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS3-768x566.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS3.jpg 1028w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Click on the Advanced tab, scroll down to Security and de-select TLS 1.0 and TLS 1.1 (you should also have SSL 3.0 and SSL 2.0 disabled, too). Notice that this is actually the Windows Internet Properties menu that you&#8217;re altering.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"409\" height=\"535\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS4.jpg\" alt=\"Google Chrome 72 deprecates support for TLS 1.0, TLS 1.1\" class=\"wp-image-9626\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS4.jpg 409w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/ChromeTLS4-229x300.jpg 229w\" sizes=\"auto, (max-width: 409px) 100vw, 409px\" \/><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li>Click OK.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">I\u2019ll admit, doing this could render some of the sites you\nvisit regularly unreachable. You can always click through the warnings when\nthat happens; just keep in mind that TLS 1.2 has been out for a decade now, which\nshould give you an idea of how much the website you\u2019re trying to visit prioritizes\nsecurity. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At any rate, expect to see more updates like this to other browsers over the coming months. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>As always, leave any comments or questions below&#8230;<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"267\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\" alt=\"Hashed Out by The SSL Store is the voice of record in the SSL\/TLS industry.\" class=\"wp-image-7276\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-300x78.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-768x200.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg 1559w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>The update also completely removed support for HPKP. Google Chrome 72 was released yesterday, just hours after the release of Firefox 65. 
And while Google has been pre-occupied with UI\/UX&#8230;<\/p>\n","protected":false},"author":6,"featured_media":9627,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[155,7639,8998],"class_list":["post-9622","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-google-chrome","tag-tls-1-0","tag-tls-1-1","post-with-tags"],"views":102213,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/bigstock-Montreal-Canada-October-261826534.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/9622","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=9622"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/9622\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/9627"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=9622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=9622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=9622"}],"curies":[{"name":"wp","href":"ht
tps:\/\/api.w.org\/{rel}","templated":true}]}}