
A Symantec product is total shit
I'm shocked. How could this have happened? Symantec products are usually so high quality.
The availability of Transport Layer Security protocol version 1.3 was supposed to make network encryption faster and more secure. TLS 1.3 dispenses with a number of older cryptographic functions that no longer offer adequate protection, and reduces the amount of time required to negotiate "handshakes" between devices. Google …
> While the post is missing the "/s" mark, it IS sarcastic.
Yes, here in the UK our sarcasm detectors are fine tuned from birth, so tags are implicitly not required (unless translation is needed for a leftpondian audience.)
Especially when the subject of said sarcasm is the cauldron of ineptitude that is Symantec...
So it is totally their fault, no reason to rollback at all, nosiree.
Yes, it is quite obviously their fault, but maybe you could offer a rollback option anyway, just to show how l33t and magnanimous you are while letting over 16000 people get on with their lives?
Just an idea.
Chrome has over 50% market share. If my arithmetic is correct 16,000 people is 0.001% of their user base. Not many manufacturers would go out of their way to work around a problem in another manufacturer's product with such a tiny impact.
> Not many manufacturers would go out of their way to work around a problem in another manufacturer's product with such a tiny impact.
... and yet, had this been a Microsoft issue, you can bet your life that there would be the usual lemongrab-esque flood of outrage on here....
> maybe you could offer a rollback option anyway,
BTRFS anyone? Well, who trusts software vendors to do the right thing?
It did take me ages to work out why my laptop (Suse) was apparently out of disk space when df said there was loads left, but it is very, very cool.
As for Bluecoat... resting on their laurels for far too long. Seriously, if network security is your game, at least put some effort in. If Google can put it in a browser for free, you can do it when people pay you for support.
I know it is accepted Internet SOP to hate Google and blame them for everything (when it is not MS, Apple, Facebook or Twitter ...... and on standby UBER!!!)
In this case I think Google are right to NOT roll-back Chrome.
If they do it will set an expectation that Google will accommodate 'other peoples' s/w issues when 'their' testing has not been as effective as it should have been.
It would also be used as 'big stick' to beat Google when the majority 'upgrade' to a new version only for Company 'X' to request the same people are forced to roll-back.
It does highlight that you should not allow updates to happen until you have tested it does not 'Bork' something. This means Google, Bluecoat Security and anyone who has 100's to 1000's of users using a critical configuration etc.
This is exactly the reason I do not like windows 10 ......... forced updates at random times with little or no control.
[I claim my £10 for managing to bring windows 10 into the conversation !!! :) :) :) ]
Indeed, in all the arguing whether to blame Google or Symantec, it seems the main fault lies with the admin who rolled out an update to nearly 100,000 devices without checking if it actually worked first.
While it may have been Google's fault for releasing a browser utilising that latest TLS release, Blue Coat's ability to trip up over almost every SSL/TLS change in recent years suggests they are desperately clinging to old, flawed methods of handling SSL/TLS that keep hurting their customers.
> While it may have been Google's fault for releasing a browser utilising that latest TLS release, Blue Coat's ability to trip up over almost every SSL/TLS change in recent years suggests they are desperately clinging to old, flawed methods of handling SSL/TLS that keep hurting their customers.
This - Blue Coat had already had warning. Google released TLS1.3 in Chrome 56 but they'd released TLS GREASE in Chrome 55. GREASE was designed to test whether TLS implementations (which the standard says should be interoperable and version tolerant) actually deal properly with unknown extensions, and Blue Coat customers were complaining back then that GREASE was tripping up their systems.
Blue Coat's response was "the Proxy is not able to process this request as we don't support this unknown, nonstandard RFC extension". Which betrays a total failure to understand how TLS is actually designed to work - i.e. if a client sends an unknown extension, the server should just ignore it and they negotiate down to a mutually acceptable extension like TLS1.2. It shouldn't throw the entire connection.
1. Blue Coat should have seen TLS 1.3 coming
2. Blue Coat should be implementing TLS properly. It's literally their job.
Why are so many flawed security products called "Blue"?
Remember the ill-fated "Blue Security" and the highly dubious "Bluebox Security Scanner", and now Google's "Bluecoat"?
Is this some psychobabble that a marketeer monkey came up with during a PowerPoint presentation, where it was decided that "blue" induces feelings of confidence?
> Is this some psychobabble that a marketeer monkey came up with during a PowerPoint presentation, where it was decided that "blue" induces feelings of confidence?
Think "Blue Plate Special"* or "Blue Light Special"* or "Big Blue (IBM)"... and then there's the perception that any device with a blue LED is very high tech. So yeah... marketing psychobabble.
* I know.. no quality there, just low price stuff. But somewhere, someone in marketing thought differently.
Blue is the corporate color par excellence. It symbolizes trust, loyalty, authority, conservatism, business in Western cultures:
https://www.six-degrees.com/pdf/International-Color-Symbolism-Chart.pdf
https://www.flickr.com/photos/philgyford/56867986/
The headline is wrong, this is clearly Bluecoat's fault for misimplementing TLS 1.3, and not testing it against the browser with 50% market share. If they had not implemented TLS 1.3 at all, the browsers would have fallen back to TLS 1.2.
Like the Blue Duck!
(Oh, Gawd, I just saw it next to the Twitter bird and now I feel sad. And a little dirty.)
I fail to see the need for all the dick-measuring over this. Forgetting for a second that Google is arrogant and everything Google is in perpetual beta, and Symantec does have a reputation for ruining everything useful, both are implementing a standard which is still in draft. These are the kinds of things we should expect to happen on occasion and instead of childish mud-slinging and disparagement, the cooperative spirit of the Internet should emerge.
Try to read that with a straight face.
Their company was originally called "Cacheflow", and apparently changed their name to Blue Coat after some brand consultancy told them it would evoke associations with law enforcement (i.e. policing your network). Unfortunately, in Blighty the new name just brings to mind charity-run schools, or possibly Pontins holiday camp attendants, so wasn't really the marketing coup they were looking for.
You could argue that this was actually slightly less damaging than being associated with plod, of course.
I don't use Blue Coat but it feels like the admin enabled a "Require TLS 1.3" option on the proxy thinking bigger numbers means better security. I see this all the time when non-security people get involved in security configurations.
While the spec for TLS 1.3 may be finalized, there are going to be implementation problems in the products for years.
So that vendors know what to implement? TLS 1.3 is still a draft, the RFC was last updated 4 days ago.
How can the makers of network security tools and hardware be expected to support it when Google just rolled out their own implementation unilaterally?
How am I supposed to debug it? The latest development version of Wireshark can't digest TLS 1.3 because *it's still a draft*.
What they're deploying is GoogleTLS 1.3.
That "GoogleTLS" is also supported by Mozilla Firefox and Cloudflare...
TLS has had integrated mechanisms for backwards compatibility since it was called SSL 2, over 20 years ago. If you're making errors reintroducing 20 year old bugs into your software, maybe, just maybe, programming is not a job for you. Oh, and I'd suggest against farming either, because this kind of error makes it likely that the arrival of winter every year is a surprise for you.
You don't understand how corporate security, or proxies, work. You work with what is known, you deal with known SSL/TLS extensions and anything that does not comply with approved standards, you deny. This is just what happened. From a security point of view, would you support anything new, regardless of what it is? Of course you wouldn't, and if you did, I question your competence. Again, the problem isn't with TLS itself, but with a manufacturer unilaterally rolling out something that hasn't been generally approved. What if there was an undiscovered problem with 1.3? What would you say then?
> So that vendors know what to implement? TLS 1.3 is still a draft, the RFC was last updated 4 days ago.
> How can the makers of network security tools and hardware be expected to support it when Google just rolled out their own implementation unilaterally?
They're not expected to support it. As an unknown extension they're expected to ignore it and negotiate gracefully down to TLS1.2. That's how TLS works - the server says "I don't know what <extension> is, how about TLS 1.2?".
NOT
"I don't know what <extension> is. I'll close the connection now."
If your TLS implementation doesn't support extensions gracefully, then you don't have a TLS implementation - you have a proprietary security suite that looks and works a bit like TLS but isn't actually compliant with the TLS standard.
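As an added illustration of the negotiation behaviour described in this reply and in the earlier GREASE comment (example code, not from any commenter, Blue Coat or Google): a toy parser of a constructed ClientHello extension block, comparing a middlebox that drops the connection on any unrecognised extension with one that, per RFC 8446, ignores unknown extensions and GREASE values and negotiates the highest version both sides implement. The sample bytes, the "known extensions" set and the server version sets are assumptions.

```python
import struct

TLS12, TLS13 = 0x0303, 0x0304                      # RFC 8446 version codes
SUPPORTED_VERSIONS = 43                            # supported_versions extension type
GREASE = {0x0a0a + 0x1010 * n for n in range(16)}  # RFC 8701 values 0x0a0a ... 0xfafa
KNOWN_EXTENSIONS = {0, SUPPORTED_VERSIONS}         # assumed: toy proxy knows server_name + supported_versions

def ext(ext_type, data):
    """Encode one extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(data)) + data

def parse_extensions(blob):
    """Split a ClientHello extension block into (type, body) pairs."""
    exts, off = [], 0
    while off < len(blob):
        ext_type, ext_len = struct.unpack_from("!HH", blob, off)
        exts.append((ext_type, blob[off + 4:off + 4 + ext_len]))
        off += 4 + ext_len
    return exts

def client_versions(body):
    """supported_versions body: 1-byte list length, then 2-byte version codes."""
    return [struct.unpack_from("!H", body, 1 + 2 * i)[0] for i in range(body[0] // 2)]

def strict_select(blob, legacy_version=TLS12):
    """Intolerant middlebox: any unrecognised extension type means 'close the connection' (None)."""
    for ext_type, _ in parse_extensions(blob):
        if ext_type not in KNOWN_EXTENSIONS:
            return None
    return legacy_version

def tolerant_select(blob, server_versions, legacy_version=TLS12):
    """RFC 8446 behaviour: skip unknown extensions and GREASE, pick the highest common version."""
    for ext_type, body in parse_extensions(blob):
        if ext_type == SUPPORTED_VERSIONS:
            common = [v for v in client_versions(body) if v not in GREASE and v in server_versions]
            return max(common) if common else None  # nothing in common: abort (RFC 8446 s.4.2.1)
        # every other type, GREASE extensions included, is simply ignored
    return legacy_version if legacy_version in server_versions else None  # pre-1.3 client

# Constructed sample modelled on a GREASE-enabled ClientHello: a GREASE extension,
# server_name, and supported_versions advertising GREASE, TLS 1.3 and TLS 1.2.
SAMPLE_EXTENSIONS = (
    ext(0x1a1a, b"")
    + ext(0, b"\x00\x0e\x00\x00\x0bexample.com")
    + ext(SUPPORTED_VERSIONS, b"\x06" + struct.pack("!HHH", 0x2a2a, TLS13, TLS12))
)

if __name__ == "__main__":
    print("intolerant proxy:", strict_select(SAMPLE_EXTENSIONS))                   # None: connection dropped
    print("tolerant TLS 1.2-only proxy:", hex(tolerant_select(SAMPLE_EXTENSIONS, {TLS12})))  # 0x303
```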
Rollback, with Google, never.
You must be on the latest & greatest
Accelerated obsolescence for all.
I have a gmail address for throw away use, on one of my machines (an old mac), if I access it via web interface on chrome I get message telling me browser unsupported and I must upgrade to a newer version...
Except that Google no longer provide any more chrome updates for that particular OS (and hardware requirements for newer Mac OS versions mean that the mac is at max OS version it can actually physically run)
"Attempts to reach the administrator via phone and email were unsuccessful"
The guy just had over 17000 chromebooks say they don't want to play. I assume interviews by various journos is quite low on his list of priorities.
I would lay the blame with Symantec in this case, OTOH it's something to consider when considering Chromebooks... I haven't used one, but is it possible to run another browser?
Reminds me of the old M$ joke, maybe not as apt, you SHOULD be able to deliver an update with the assumption that a standard has been followed but anyway...
Q) How many Google engineers does it take to change a light-bulb?
A) None! They just make darkness the industry standard......
Correction to above post - latest development snapshot of the 2.3.0 branch of Wireshark does understand TLS 1.3.
And yeah, Bluecoat should have handled this better, but Google lately is reminding me of Microsoft in the 1990s, unilaterally deploying new protocols rather than going through channels. The big difference of course is that Google publishes the specs to these things, but they're still acting like the 800-lb gorilla forcing everyone to adapt to their way or else.
> unilaterally deploying new protocols rather than going through channels.
And who should they ask for their blessing before deploying open, standard protocols in their own products? You?
> Google publishes the specs to these things
No, IETF publishes the specs for these "things," as with many other widely used protocols on the Internet.
TLS 1.3 is no agreed standard yet. If Google decide to roll out a working draft on their development branch of Chrome, and only when talking to select servers, that's their prerogative. Blue Coat/SYMC not yet supporting it actually makes sense. If you are in the security business, you work with established standards, not on the whim of a single manufacturer. Google should have known that and acted accordingly (i.e. downgrade to 1.2 if 1.3 isn't supported). I do agree that 1.3 is a big step forward, but let's get real, without an established and agreed standard, it doesn't make sense to support it.