[TheRecord] Google pauses quantum security feature in Chrome because of buggy middleware

Google said on Tuesday that it has temporarily disabled its quantum computer-resistant security feature in Chrome after receiving bug reports that faulty networking middleware devices had been causing unexpected website connection failures for the few users who had the feature enabled.

Known as Combined Elliptic-Curve and Post-Quantum 2, or CECPQ2, the feature was meant to strengthen the cryptography around TLS connections so that, once quantum computers become widely available in the near future, threat actors would not be able to decrypt historical HTTPS traffic and access past secure communications.

First developed in 2016, together with Cloudflare engineers, CECPQ2 was enabled in Chrome 91, released in May this year, where it was activated for all domains that start with the letter “A,” so Google engineers could test its behavior while they still worked out the kinks.

Under the hood, the feature functioned by adding an isogeny-based key agreement to Chrome’s TLS negotiation component in order to harden an encrypted HTTPS connection.

The bug occurred because CECPQ2 created larger TLS packets.

Google said on Tuesday that some middleware devices couldn’t handle these packets, resulting in unexpected connection failures or timeouts.

With the release of Chrome 93 yesterday, the browser vendor said it was temporarily disabling CECPQ2 for all users in order to work with middleware vendors and release patches for the affected devices.

Google said CECPQ2 will remain disabled for the Chrome 93 and 94 release cycles but wouldn’t commit to re-enabling it in Chrome 95 just yet.

Users who would still like to use CECPQ2 can manually re-enable the feature right now, for all domains, by setting the following Chrome flag to “Enabled”:

chrome://flags/#post-quantum-cecpq2

According to a document [PDF] published last month, the US National Security Agency said it wasn’t aware of any quantum computer capable of breaking current encryption algorithms.

The post Google pauses quantum security feature in Chrome because of buggy middleware appeared first on The Record by Recorded Future.
