[TheRecord] Google pauses quantum security feature in Chrome because of buggy middleware

Google said on Tuesday that it temporarily disabled its quantum computer-resistant security feature in Chrome after receiving bug reports that faulty networking middleware devices had been causing unexpected website connection failures for the few users who had the feature enabled.

Known as Combined Elliptic-Curve and Post-Quantum 2, or CECPQ2, the feature was meant to improve the cryptography around TLS connections so that when quantum computers become widely available in the near future, threat actors won’t be able to decrypt historical HTTPS traffic and access past secure communications.

First developed in 2016, together with Cloudflare engineers, CECPQ2 was enabled in Chrome 91, released in May this year, where it activated itself for all domains that started with the letter “A,” so Google engineers could test its behavior while they still worked out the kinks.

Under the hood, the feature functioned by adding an isogeny-based key agreement to Chrome’s TLS negotiation component in order to harden an encrypted HTTPS connection.

The bug occurred because CECPQ2 created larger TLS packets.

Google said on Tuesday that some middleware devices couldn’t handle these packets, resulting in unexpected connection failures or timeouts.

With the release of Chrome 93 yesterday, the browser vendor said it was temporarily disabling CECPQ2 for all users in order to work with middleware vendors and release patches for the affected devices.

Google said CECPQ2 will remain disabled for the Chrome 93 and 94 release cycles but wouldn’t commit to re-enabling it in Chrome 95 just yet.

Users who would still like to use CECPQ2 can manually re-enable the feature right now, and for all domains, by toggling the following Chrome flag to “Enabled.”

chrome://flags/#post-quantum-cecpq2

According to a document [PDF] published last month, the US National Security Agency said it wasn’t aware of any quantum computer capable of breaking current encryption algorithms.

The post Google pauses quantum security feature in Chrome because of buggy middleware appeared first on The Record by Recorded Future.
