Updated The availability of Transport Layer Security protocol version 1.3 was supposed to make network encryption faster and more secure.
TLS 1.3 dispenses with a number of older cryptographic functions that no longer offer adequate protection, and reduces the amount of time required to negotiate “handshakes” between devices.
Google introduced support for TLS 1.3 in Chrome 56, which began rolling out for Linux, macOS, and Windows in late January, and reached Android and iOS devices a few days later.
The specification is still being finalized, but Google has been open about its plan to implement it. Now it seems at least one security vendor ignored the memo. Chromium’s bug tracker indicates that Symantec’s Blue Coat 6.5 security software can’t handle TLS 1.3.
Six days ago, an IT administrator with Montgomery County Public Schools in Maryland reported that following the update to Chrome version 56, almost a third of the 50,000 Chromebooks he manages became “stuck in a state of flickering between a login screen and a ‘Network not available’ screen.” He also said that some of the roughly 45,000 Windows PCs he manages were affected. The admin said Blue Coat 6.5 doesn’t appear to support TLS 1.3.
Attempts to reach the administrator via phone and email were unsuccessful and Montgomery County Public Schools’ CTO Sherwin Collette did not respond to a request for comment.
According to Google engineer David Benjamin, the issue is that Blue Coat implements TLS 1.3 incorrectly. “[Blue Coat was] made aware of TLS 1.3 several months ago, but evidently did not test [its] software per our instructions,” he wrote. Benjamin did not respond to further requests for comment.
A spokesperson for Symantec, which acquired Blue Coat last year, told The Register in an email, “Symantec has been alerted of a potential issue with TLS 1.3 on select devices. We’re investigating now and are working to resolve the issue.”
Symantec’s spokesperson did not respond to a request to explain why the issue has gone unaddressed for so long. Another Google employee posting to the list wrote that a customer using iBoss’s security software also encountered problems following the Chrome update.
However, an iBoss spokesperson told The Register that the company was aware of only one report and believes the problem in that instance is related to a customer configuration issue rather than the implementation of its software.
Benjamin mentions “a list of buggy products.” But Google did not respond to a request for further details.
The Chromium team considered a rollback, but appears to have decided against it because TLS, when properly implemented, should be backwards compatible. “That these products broke is an indication of defects in their TLS implementations,” wrote Benjamin. ®
Updated to add
Google has told The Register it has paused its TLS 1.3 deployment, and is working with various vendors to address issues that have emerged. TLS 1.3 support has been rolled out to about a tenth of Chrome users, we’re told.
Source: SANS ISC SecNewsFeed @ February 27, 2017 at 06:15PM