Skip to main content

Google's Chrome Browser to Introduce Quantum-Resistant Encryption in Version 116, Enhancing Security TLS Security

 Google has revealed its intentions to incorporate support for encryption algorithms resistant to quantum attacks in its Chrome browser, starting with version 116.


In a recent announcement, Devon O'Brien mentioned, "Chrome will start endorsing X25519Kyber768 for establishing symmetric secrets in TLS, commencing with Chrome 116, and accessible behind a flag in Chrome 115."


Kyber was selected by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) as a potential candidate for comprehensive encryption, aiming to counteract future cyber threats posed by the rise of quantum computing. Kyber-768 holds security levels comparable to AES-192.


Numerous tech giants have already embraced the encryption algorithm, including Cloudflare, Amazon Web Services, and IBM.


X25519Kyber768 operates as a hybrid algorithm, amalgamating the outputs of X25519, a widely utilized elliptic curve algorithm for key agreement in TLS, and Kyber-768, resulting in a robust session key to encrypt TLS connections.


O'Brien elaborated, "Hybrid mechanisms like X25519Kyber768 offer the flexibility to introduce and evaluate new quantum-resistant algorithms while ensuring that connections remain safeguarded by established secure algorithms."


Although quantum computers are projected to pose substantial risks in the foreseeable future, it might take several years, possibly even decades. However, certain encryption methods are susceptible to "harvest now, decrypt later" attacks, where encrypted data collected today could be decrypted later using anticipated cryptographic advancements.


This vulnerability paves the way for quantum computers, which can efficiently execute certain computations that effortlessly undermine existing cryptographic implementations.



O'Brien clarified, "In TLS, although symmetric encryption algorithms protecting data in transit are deemed secure against quantum cryptanalysis, the creation of symmetric keys is not."


"Consequently, Chrome's early adoption of quantum-resistant session keys for TLS is aimed at safeguarding user network traffic from potential future quantum cryptanalysis."


For organizations encountering compatibility issues with network appliances post-rollout, Chrome recommends temporarily disabling X25519Kyber768 using the PostQuantumKeyAgreementEnabled enterprise policy, available starting from Chrome 116.


This development aligns with Google's shift from bi-weekly to weekly Chrome security updates, intended to narrow the attack window and address the growing patch gap dilemma, giving threat actors less time to exploit published n-day and zero-day vulnerabilities.


Furthermore, Google's commitment to security is evident in their move to enforce default key pinning in Chrome 106 for Android, introduced in September 2022, adding an additional layer of protection against certificate authority (CA) compromise.

Labels:

Popular posts from this blog

Signal Introduces Usernames for Encrypted Messaging: A Secure Way to Connect

Signal, the encrypted messaging service, is launching a new feature in the coming weeks: support for usernames. This beta feature allows users to establish unique usernames, enabling connections without divulging phone numbers. source: Signal Blog To create a username, navigate to your settings and select "Profile." Once you've chosen a unique username, generate a QR code or link to share with others. Recipients can connect by entering your username into the chat bar. Usernames can be changed at any time, though previous usernames may be claimed by others. Signal began testing usernames last fall. Unlike social media platforms, Signal usernames do not serve as logins or public handles. They offer a discreet means of communication without revealing personal phone numbers. While a phone number is required to register for Signal, sharing it is optional. Usernames remain private and do not appear on profiles or in chats unless shared explicitly. As Randall Sarafa, Signal'
Read more

AT&T Resets Millions of Customer Passcodes After Data Leak: What You Need to Know

AT&T recently confirmed a significant data breach affecting over 7.6 million current customers and 65 million former customers. The leaked information, which dates back to 2019 or earlier, includes personal details like names, addresses, phone numbers, and social security numbers. Fortunately, financial information and call history were not compromised. In response to the breach, AT&T has reset passcodes for affected customers. Passcodes, usually four-digit numbers, serve as an additional layer of security when accessing accounts. However, security experts warn that the encrypted passcodes leaked alongside customer information could be easily deciphered, posing a risk of unauthorized account access. Affected customers are advised to set up free fraud alerts with major credit bureaus and remain vigilant for any suspicious activity related to their accounts. AT&T is proactively reaching out to impacted customers via email or letter to inform them about the breach and the meas
Read more

Safeguarding Internet Privacy: Supreme Court of Canada Upholds Protection of IP Addresses

In a recent ruling, the Supreme Court of Canada affirmed the significance of privacy rights concerning internet addresses. The court declared that police cannot simply obtain a suspect’s IP address without a court order, emphasizing the expectation of privacy that Canadian residents hold for such information. The court's decision stemmed from a case in 2017 involving Calgary police investigating fraudulent online activities at a liquor store. Initially, police demanded IP addresses from a credit card processor, which eventually led to obtaining subscriber information from Telus. This information was pivotal in making arrests and securing convictions in multiple offenses. Despite previous convictions, the accused contested the legality of obtaining IP addresses without proper authorization. The Supreme Court, in a 5-4 decision, asserted that IP addresses carry a reasonable expectation of privacy, necessitating judicial approval before access. The ruling emphasizes that obtaining jud
Read more