Skip to main content

Google's Chrome Browser to Introduce Quantum-Resistant Encryption in Version 116, Enhancing Security TLS Security

 Google has revealed its intentions to incorporate support for encryption algorithms resistant to quantum attacks in its Chrome browser, starting with version 116.


In a recent announcement, Devon O'Brien mentioned, "Chrome will start endorsing X25519Kyber768 for establishing symmetric secrets in TLS, commencing with Chrome 116, and accessible behind a flag in Chrome 115."


Kyber was selected by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) as a potential candidate for comprehensive encryption, aiming to counteract future cyber threats posed by the rise of quantum computing. Kyber-768 holds security levels comparable to AES-192.


Numerous tech giants have already embraced the encryption algorithm, including Cloudflare, Amazon Web Services, and IBM.


X25519Kyber768 operates as a hybrid algorithm, amalgamating the outputs of X25519, a widely utilized elliptic curve algorithm for key agreement in TLS, and Kyber-768, resulting in a robust session key to encrypt TLS connections.


O'Brien elaborated, "Hybrid mechanisms like X25519Kyber768 offer the flexibility to introduce and evaluate new quantum-resistant algorithms while ensuring that connections remain safeguarded by established secure algorithms."


Although quantum computers are projected to pose substantial risks in the foreseeable future, it might take several years, possibly even decades. However, certain encryption methods are susceptible to "harvest now, decrypt later" attacks, where encrypted data collected today could be decrypted later using anticipated cryptographic advancements.


This vulnerability paves the way for quantum computers, which can efficiently execute certain computations that effortlessly undermine existing cryptographic implementations.



O'Brien clarified, "In TLS, although symmetric encryption algorithms protecting data in transit are deemed secure against quantum cryptanalysis, the creation of symmetric keys is not."


"Consequently, Chrome's early adoption of quantum-resistant session keys for TLS is aimed at safeguarding user network traffic from potential future quantum cryptanalysis."


For organizations encountering compatibility issues with network appliances post-rollout, Chrome recommends temporarily disabling X25519Kyber768 using the PostQuantumKeyAgreementEnabled enterprise policy, available starting from Chrome 116.


This development aligns with Google's shift from bi-weekly to weekly Chrome security updates, intended to narrow the attack window and address the growing patch gap dilemma, giving threat actors less time to exploit published n-day and zero-day vulnerabilities.


Furthermore, Google's commitment to security is evident in their move to enforce default key pinning in Chrome 106 for Android, introduced in September 2022, adding an additional layer of protection against certificate authority (CA) compromise.

Labels:

Popular posts from this blog

Signal Introduces Usernames for Encrypted Messaging: A Secure Way to Connect

Signal, the encrypted messaging service, is launching a new feature in the coming weeks: support for usernames. This beta feature allows users to establish unique usernames, enabling connections without divulging phone numbers. source: Signal Blog To create a username, navigate to your settings and select "Profile." Once you've chosen a unique username, generate a QR code or link to share with others. Recipients can connect by entering your username into the chat bar. Usernames can be changed at any time, though previous usernames may be claimed by others. Signal began testing usernames last fall. Unlike social media platforms, Signal usernames do not serve as logins or public handles. They offer a discreet means of communication without revealing personal phone numbers. While a phone number is required to register for Signal, sharing it is optional. Usernames remain private and do not appear on profiles or in chats unless shared explicitly. As Randall Sarafa, Signal'...
Read more

AT&T Resets Millions of Customer Passcodes After Data Leak: What You Need to Know

AT&T recently confirmed a significant data breach affecting over 7.6 million current customers and 65 million former customers. The leaked information, which dates back to 2019 or earlier, includes personal details like names, addresses, phone numbers, and social security numbers. Fortunately, financial information and call history were not compromised. In response to the breach, AT&T has reset passcodes for affected customers. Passcodes, usually four-digit numbers, serve as an additional layer of security when accessing accounts. However, security experts warn that the encrypted passcodes leaked alongside customer information could be easily deciphered, posing a risk of unauthorized account access. Affected customers are advised to set up free fraud alerts with major credit bureaus and remain vigilant for any suspicious activity related to their accounts. AT&T is proactively reaching out to impacted customers via email or letter to inform them about the breach and the meas...
Read more

Apple sues former iOS engineer for allegedly leaking confidential product details

Apple has taken legal action against a former employee, Andrew Aude, for allegedly leaking confidential information to journalists and employees of other companies. The lawsuit, filed in California state court, accuses Aude of divulging undisclosed details about Apple's Journal app, the development of the VisionOS headset, regulatory compliance strategies, employee headcounts, and other product hardware characteristics. According to the lawsuit, Aude reportedly communicated extensively with a Wall Street Journal journalist, referred to as "Homeboy," over 1,400 times using an encrypted messaging app between June and September 2023. He also shared a final feature list for an unannounced Apple product with "Homeboy" over the phone and exchanged over 10,000 text messages with another journalist at The Information, even traveling across the continent to meet her. Apple alleges that Aude leaked a list of finalized features for Apple's Journal app in a phone call w...
Read more