Some ​Google Chrome users report having issues connecting to websites, servers, and firewalls after Chrome 124 was released last week with the new quantum-resistant X25519Kyber768 encapsulation mechanism enabled by default. Google started testing the post-quantum secure TLS key encapsulation mechanism in August and has now enabled it in the latest Chrome version for all users. The new version utilizes the Kyber768 quantum-resistant key agreement algorithm for TLS 1.3 and QUIC connections to protect Chrome TLS traffic against quantum cryptanalysis. "After several months of experimentation for compatibility and performance impacts, we're launching a hybrid postquantum TLS key exchange to desktop platforms in Chrome 124," the Chrome Security Team explains. "This protects users' traffic from so-called 'store now decrypt later' attacks, in which a future quantum computer could decrypt encrypted traffic recorded today." Store now, decrypt later attacks are when attackers collect encrypted data and store it for the future when there may be new decryption methods, such as using quantum computers or encryption keys become available. To protect against future attacks, companies have already started to add quantum-resistant encryption to their network stack to prevent these types of decryption strategies from working in the future. Some companies that have already introduced quantum-resistant algorithms include Apple, Signal, and Google. However, as system admins have shared online since Google Chrome 124 and Microsoft Edge 124 started rolling out on desktop platforms last week, some web applications, firewalls, and servers will drop connections after the ClientHello TLS handshake. The issue also affects security appliances, firewalls, networking middleware, and various network devices from multiple vendors (e.g., Fortinet, SonicWall, Palo Alto Networks, AWS). "This appears to break the TLS handshake for servers that do not know what to do with the extra data in the client hello message," one admin said. "Same problem here since version 124 of Edge, it seems to go wrong with the SSL decryption of my palo alto," said another admin. These errors are not caused by a bug in Google Chrome but instead caused by web servers failing to properly implement Transport Layer Security (TLS) and not being able to handle larger ClientHello messages for post-quantum cryptography. This causes them to reject connections that use the Kyber768 quantum-resistant key agreement algorithm rather than switching to classic cryptography if they don't support X25519Kyber768. A website named tldr.fail was created to share additional information on how large post-quantum ClientHello messages can break connections in buggy web servers, with details on how developers can fix the bug. Website admins can also test their own servers by manually enabling the feature in Google Chrome 124 using the chrome://flags/#enable-tls13-kyber flag. Once enabled, admins can connect to their servers and see if the connection causes an "ERR_CONNECTION_RESET" error. Affected Google Chrome users can mitigate the issue by going to chrome://flags/#enable-tls13-kyber and disabling the TLS 1.3 hybridized Kyber support in Chrome. Administrators can also disable it by toggling off the PostQuantumKeyAgreementEnabled enterprise policy under Software > Policies > Google > Chrome or contacting the vendors to get an update for servers or middleboxes on their networks that aren't post-quantum-ready. Microsoft has also released information on how to control this feature via the Edge group policies. However, it's important to note that long-term, post-quantum secure ciphers will be required in TLS, and the Chrome enterprise policy allowing disabling it will be removed in the future. "Devices that do not correctly implement TLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages," Google says. "This policy is a temporary measure and will be removed in future versions of Google Chrome. It may be Enabled to allow you to test for issues, and may be Disabled while issues are being resolved." Following this and other developing stories on OUR FORUM.

When Microsoft revealed in January that foreign government hackers had once again breached its systems, the news prompted another round of recriminations about the security posture of the world’s largest tech company. Despite the angst among policymakers, security experts, and competitors, Microsoft faced no consequences for its latest embarrassing failure. The United States government kept buying and using Microsoft products, and senior officials refused to publicly rebuke the tech giant. It was another reminder of how insulated Microsoft has become from virtually any government accountability, even as the Biden administration vows to make powerful tech firms take more responsibility for America’s cyber defense. That state of affairs is unlikely to change even in the wake of a new report by the Cyber Safety Review Board (CSRB), a group of government and industry experts, which lambasts Microsoft for failing to prevent one of the worst hacking incidents in the company’s recent history. The report says Microsoft’s “security culture was inadequate and requires an overhaul.” Microsoft’s almost untouchable position is the result of several intermingling factors. It is by far the US government’s most important technology supplier, powering computers, document drafting, and email conversations everywhere from the Pentagon to the State Department to the FBI. It is a critical partner in the government’s cyber defense initiatives, with almost unparalleled insights about hackers’ activities and sweeping capabilities to disrupt their operations. And its executives and lobbyists have relentlessly marketed the company as a leading force for a digitally safer world. These enviable advantages help explain why senior government officials have refused to criticize Microsoft even as Russian and Chinese government-linked hackers have repeatedly breached the company’s computer systems, according to cybersecurity experts, lawmakers, former government officials, and employees of Microsoft’s competitors. These people—some of whom requested anonymity to candidly discuss the US government and their industry’s undisputed behemoth—argue that the government’s relationship with Microsoft is crippling Washington’s ability to fend off major cyberattacks that jeopardize sensitive data and threaten vital services. To hear them tell it, Microsoft is overdue for oversight. Microsoft has a long track record of security breaches, but the past few years have been particularly bad for the company. In 2021, Chinese government hackers discovered and used flaws in Microsoft’s email servers to hack the company’s customers, later releasing the flaws publicly to spark a feeding frenzy of attacks. In 2023, China broke into the email accounts of 22 federal agencies, spying on senior State Department officials and Commerce Secretary Gina Raimondo ahead of multiple US delegation trips to Beijing. Three months ago, Microsoft revealed that Russian government hackers had used a simple trick to access the emails of some Microsoft senior executives, cyber experts, and lawyers. Last month, the company said the attack also compromised some of its source code and “secrets” shared between employees and customers. On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that those customers included federal agencies, and issued an emergency directive warning agencies whose emails were exposed to look for signs that the Russian hackers were attempting to use login credentials contained in those emails. These incidents occurred as security experts were increasingly criticizing Microsoft for failing to promptly and adequately fix flaws in its products. As by far the biggest technology provider for the US government, Microsoft vulnerabilities account for the lion’s share of both newly discovered and most widely used software flaws. Many experts say Microsoft is refusing to make the necessary cybersecurity improvements to keep up with evolving challenges. Microsoft hasn’t “adapted their level of security investment and their mindset to fit the threat,” says one prominent cyber policy expert. “It’s a huge fuckup by somebody that has the resources and the internal engineering capacity that Microsoft does.” The Department of Homeland Security’s CSRB endorsed this view in its new report on the 2023 Chinese intrusion, saying Microsoft exhibited “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” The report also criticized Microsoft for publishing inaccurate information about the possible causes of the latest Chinese intrusion. The recent breaches reveal Microsoft’s failure to implement basic security defenses, according to multiple experts. Adam Meyers, senior vice president of intelligence at the security firm CrowdStrike, points to the Russians’ ability to jump from a testing environment to a production environment. “That should never happen,” he says. Another cyber expert who works at a Microsoft competitor highlighted China’s ability to snoop on multiple agencies’ communications through one intrusion, echoing the CSRB report, which criticized Microsoft’s authentication system for allowing broad access with a single sign-in key. Complete details are posted on OUR FORUM.