Wednesday , March 3 2021

Chrome 72 released with 58 security fixes, drops TLS 1.0 and 1.1

Google has released Chrome 72 to the desktop Stable channel, so it is now available for everyone to download. This release deprecates TLS 1.0 and TLS 1.1, removes HTTP-based Public Key Pinning, and no longer renders most FTP server resources.

Chrome 72 also no longer allows pop-ups during page unload. The built-in pop-up blocker was already stopping these, but they are now blocked by default regardless of whether the pop-up blocker is enabled.

Windows, Mac and Linux desktop users can upgrade to Chrome 72.0.3626.81 via Settings -> Help -> About Google Chrome; the browser then checks for the new update automatically and installs it when available.

Google Chrome 72

TLS 1.0 and 1.1 deprecated

Although support for TLS 1.0 and 1.1 is deprecated in the current version of Chrome, it will only be completely removed in early 2020 with the release of Chrome 81.

According to Google: "During the deprecation period, sites that use these protocols will display a warning in DevTools. After the deprecation period in 2020, they will not be able to connect if they have not upgraded to TLS 1.2 by then."

The deprecation and eventual removal of the TLS 1.0 and 1.1 protocols was announced in October 2018 as part of a coordinated announcement by Google, Microsoft, Apple and Mozilla.
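For a site operator, the practical question raised by the schedule above is whether a server still accepts TLS 1.0 or 1.1 and whether it already offers TLS 1.2 or newer. The following is an added example (not code from the article or from Google) that handshakes once per protocol version using Python's standard `ssl` module and maps the result onto the Chrome 72 / Chrome 81 timeline; the host passed to `probe()` is a placeholder you supply.

```python
import socket
import ssl

# Chrome 72 warns in DevTools for these; Chrome 81 refuses them (per the article).
LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
PROBED = LEGACY + MODERN


def context_for(version):
    """Client context pinned to one protocol version; None if OpenSSL refuses it."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):  # e.g. builds compiled without TLS 1.0
        return None
    return ctx


def probe(host, port=443, timeout=5.0):
    """Handshake once per version; returns {version: 'ok'|'refused'|'untested'}."""
    results = {}
    for version in PROBED:
        ctx = context_for(version)
        if ctx is None:
            results[version] = "untested"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    # With min == max pinned, a completed handshake means the
                    # server accepted exactly this version.
                    results[version] = "ok" if tls.version() else "refused"
        except (ssl.SSLError, OSError):
            results[version] = "refused"
    return results


def chrome_verdict(results):
    """Map probe results onto the deprecation schedule the article describes."""
    legacy_on = any(results.get(v) == "ok" for v in LEGACY)
    modern_on = any(results.get(v) == "ok" for v in MODERN)
    if legacy_on and not modern_on:
        return "unreachable from Chrome 81: enable TLS 1.2 or newer"
    if legacy_on:
        return "DevTools warning in Chrome 72: disable TLS 1.0/1.1"
    if modern_on:
        return "compliant"
    return "no TLS version negotiated: check host and port"
```

Run `chrome_verdict(probe("your.host.example"))` against a server you administer; a "refused" for TLS 1.0 and 1.1 alongside an "ok" for TLS 1.2 or 1.3 is the state the article says Chrome 81 will require.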

Google has also removed support for HTTP-based Public Key Pinning (HPKP), a feature designed to "allow sites to send an HTTP header that holds one or more public keys present in the site's certificate chain."

However, due to low adoption and the risk of hostile pinning and denial of service, HPKP is no longer present in the desktop and mobile versions, following its initial deprecation in Chrome 65.

Third-party code injection blocked

With FTP resource rendering removed, Chrome 72 will still generate FTP directory listings, but resources other than directory listings will no longer be rendered in the browser.

Starting with this stable release, Google's browser also includes an internal page that lets users view all the warnings and interstitial pages that may be shown while browsing the web with Chrome.

Chrome now also blocks third-party applications from injecting code into the browser process. Most affected by this change are anti-malware and other security products that typically inject code into the user's local browser process to intercept and inspect malware, phishing pages and other threats.

You can see which applications are affected by entering chrome://settings/incompatibleApplications in the Chrome address bar; the page lists all detected programs and prompts you to remove them.

Warning about problematic apps in Chrome

Critical and high severity security issues fixed

The Chrome 72 update also includes 58 security fixes, among them a critical patch for an "Inappropriate implementation in QUIC Networking" and 17 high-severity fixes reported by external researchers.

The remaining security fixes in Chrome 72 were found through internal audits, fuzzing and other initiatives, with the help of AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer and AFL.

A complete list of the changes in this release is available in the Chrome 72 changelog, and more details on the developer-facing features can be found on the Chrome developer platform.
