Google this week released Chrome 72, a refresh that includes no new notable user-facing features but does take a first step toward ending support for older web encryption protocols.
Chrome 72 also patches 58 vulnerabilities reported by security researchers, who were paid a total of $50,500 in bug bounties.
Chrome updates in the background, so most users can just relaunch the browser to install the latest iteration. To manually update, select “About Google Chrome” from the Help menu under the vertical ellipsis at the upper right; the resulting tab either shows the browser has been updated or displays the download process before presenting a “Relaunch” button. Those new to Chrome can download version 72 in versions for Windows, macOS and Linux from this Google website. Google updates Chrome every six to seven weeks. It last upgraded the browser Dec. 4.
Dump TLS 1.0 and 1.1, Step 1
Last year, all of the major browser makers announced that their wares would drop support for the TLS (Transport Layer Security) 1.0 and 1.1 encryption protocols by early 2020.
TLS was the successor to the still-better-known SSL (Secure Socket Layer) encryption protocol; SSL and TLS secured data communications between the browser and the destination server so that criminals could not read the traffic and, by doing so, spy on users or steal valuable information. Both TLS 1.0 and 1.1 – the former turned 20 this month – have been rendered obsolete by their successors, TLS 1.2 and 1.3. All four browsers now support TLS 1.2, and Chrome and Firefox also support the enhanced TLS 1.3.
Most websites support TLS 1.2; almost 95%, according to Qualys’ latest survey.
Each browser maker set its own schedule for de-supporting TLS 1.0 and 1.1 last year. Google at the time said that Chrome 72 would start the process, and Chrome 81 would pull the plug. In a document spelling out changes to Chrome 72, Google said, “Removal is expected in Chrome 81 (early 2020),” confirming the plan remains on schedule. As of Chrome 81, the browser will not connect to websites supporting just TLS 1.0 and 1.1.
In Chrome 72, a warning displays in the Developer Tools view when the browser has been pointed at sites that only support TLS 1.0 and 1.1.
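A site operator who wants to know whether their servers fall on the wrong side of the Chrome 81 cut-off can probe which protocol versions a server will actually negotiate. The following script is an added example written for this article, not Google's or Chrome's code: it uses Python's standard `ssl` module to attempt one handshake per TLS version and then classifies the result. Host names, the `probe`/`assess` function names and the verdict strings are this example's own choices; the schedule it refers to (warning in Chrome 72, removal in Chrome 81) is the one the article reports.

```python
import socket
import ssl

# Chrome's schedule as reported in the article: a Developer Tools warning in
# Chrome 72, refusal to connect to TLS 1.0/1.1-only sites in Chrome 81.
LEGACY_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}
MODERN_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_with(host, port, version, timeout=5.0):
    """Try a handshake pinned to exactly one protocol version.

    Returns True if the server completes the handshake at that version,
    False if the server refuses it, and None if the local OpenSSL build will
    not offer that version at all (common for TLS 1.0/1.1 on OpenSSL 3, whose
    default security level blocks them). A None result says nothing about the
    server; cross-check with another client before drawing conclusions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we probe protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:               # version compiled out of local OpenSSL
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as e:
        # Local library refused to offer the version (not a server answer)
        if getattr(e, "reason", "") == "NO_PROTOCOLS_AVAILABLE":
            return None
        return False
    except OSError:                  # connection refused, timeout, reset
        return False


def probe(host, port=443):
    """Map each version name to the handshake result for host:port."""
    versions = {**LEGACY_VERSIONS, **MODERN_VERSIONS}
    return {name: handshake_with(host, port, v) for name, v in versions.items()}


def assess(support):
    """Classify a probe result (version name -> True/False/None).

    'legacy-only'   -> Chrome 72 warns, Chrome 81 will refuse to connect
    'modern+legacy' -> connects, but TLS 1.0/1.1 should be switched off
    'modern'        -> nothing to do
    'unknown'       -> no version completed a handshake
    """
    modern = any(support.get(v) for v in MODERN_VERSIONS)
    legacy = any(support.get(v) for v in LEGACY_VERSIONS)
    if modern and legacy:
        return "modern+legacy"
    if modern:
        return "modern"
    if legacy:
        return "legacy-only"
    return "unknown"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    result = probe(target)
    for name, ok in result.items():
        print(f"{name:8} {'yes' if ok else ('no' if ok is False else 'n/a')}")
    print("verdict:", assess(result))
```

Run it as `python probe_tls.py your-host` against a host you administer. Because the probe disables certificate verification, it answers only the protocol-version question; it is not a substitute for a full configuration review, and a `n/a` result means the local OpenSSL would not even offer that version.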
Strips out other stuff, too
Chrome 72 also drops other bits from the browser. One is “HTTP-based Public Key Pinning,” aka HPKP, which Google explained was “intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site’s certificate chain.”
HPKP is a security measure meant to combat fraudulent certificate usage by criminals. But Google said it had dangerous side effects and, by the way, was little used. “Although it provides security against certificate misissuance, it also creates risks of denial of service and hostile pinning,” Google argued.
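The denial-of-service risk Google cites follows directly from how pinning works: once a client has stored a site's pins, it refuses any later certificate chain whose keys do not match, for as long as `max-age` says. The script below is an added example, not part of the article or of Chrome; it models the HPKP header and the two client-side decisions defined in RFC 7469 (whether to store a header's pins, and whether a later chain satisfies stored pins) using constructed placeholder bytes in place of real SubjectPublicKeyInfo DER. The `LEAF`, `BACKUP`, `ROTATED` names and the `scenario` function are this example's own.

```python
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]+=*)"')
MAX_AGE_RE = re.compile(r"max-age=(\d+)")

# Constructed stand-ins for SubjectPublicKeyInfo DER encodings (not real keys).
LEAF = b"constructed SPKI for the site's current leaf key"
INTERMEDIATE = b"constructed SPKI for the intermediate CA key"
BACKUP = b"constructed SPKI for an offline backup key"
ROTATED = b"constructed SPKI for a key no pin covers"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hpkp_header(spkis, max_age: int) -> str:
    """Build a Public-Key-Pins header pinning the given SPKIs."""
    pins = "; ".join('pin-sha256="%s"' % spki_pin(s) for s in spkis)
    return "%s; max-age=%d" % (pins, max_age)


def parse_hpkp(header: str):
    pins = set(PIN_RE.findall(header))
    m = MAX_AGE_RE.search(header)
    return pins, (int(m.group(1)) if m else None)


def note_header(header: str, chain_spkis):
    """Decide whether a client may store ("note") this response's pins.

    RFC 7469 requires max-age, at least one pin matching an SPKI in the served
    chain, and at least one backup pin that matches nothing in that chain.
    Returns the pin set to store, or None if the header must be ignored.
    """
    pins, max_age = parse_hpkp(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if max_age is None or not pins:
        return None
    if not (pins & chain_pins) or not (pins - chain_pins):
        return None
    return pins


def chain_is_pinned(stored_pins, chain_spkis) -> bool:
    """Validate a later connection: some stored pin must match a chain SPKI."""
    return any(spki_pin(s) in stored_pins for s in chain_spkis)


def scenario():
    """Walk the lifecycle: note pins, then present different chains."""
    stored = note_header(hpkp_header([LEAF, BACKUP], 5184000), [LEAF, INTERMEDIATE])
    return {
        # Header had a matching pin plus a backup, so the client stores it
        "noted": stored is not None,
        # Same chain as before: accepted
        "normal_connection": chain_is_pinned(stored, [LEAF, INTERMEDIATE]),
        # Planned rotation to the pinned backup key: accepted
        "rotated_to_backup": chain_is_pinned(stored, [BACKUP, INTERMEDIATE]),
        # Both pinned keys lost and a fresh key deployed: every returning
        # client refuses the site until max-age expires (the DoS Google cites)
        "keys_lost": chain_is_pinned(stored, [ROTATED, INTERMEDIATE]),
        # A header with no backup pin is ignored, so a site can't pin itself
        # into a single key by mistake
        "single_pin_noted": note_header(hpkp_header([LEAF], 5184000), [LEAF, INTERMEDIATE]) is not None,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:20} {outcome}")
```

The `keys_lost` case is the self-inflicted outage: nothing in the protocol lets the operator recover before the stored `max-age` (60 days in this example) runs out. The "hostile pinning" Google mentions is the same mechanism seen from the other side: whoever can get a `Public-Key-Pins` header served from the site controls which keys returning clients will accept, which is why the operator's own monitoring should treat an unexpected pinning header as an incident.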
Chrome began the process of getting out from under the FTP protocol, too, with version 72.
FTP, which stands for “File Transfer Protocol,” is a legacy protocol from the earliest days of the Internet, used for exactly its defined purpose: Moving files.
But it’s ancient. Noting that “when even the Linux kernel is migrating off FTP, it’s really time for us to move on,” Google said it’s time to remove support for the little-used protocol. A first step, Google decided, was to download non-directory listings, such as an image hosted at an FTP link, rather than rendering them within the browser itself. Chrome 72 debuted that behavior.
Google has not publicly disclosed when all support for FTP within Chrome will be yanked. Chrome’s next upgrade, version 73, will reach users on or about March 12.
Author: Gregg Keizer