Sunday, February 28, 2021

Chrome 72 released with 58 security fixes, deprecates TLS 1.0 and 1.1



Google has released Chrome 72 on the stable desktop channel, making it available for everyone to download. This version deprecates TLS 1.0 and TLS 1.1, removes support for HTTP-based public key pinning (HPKP), and stops rendering resources from FTP servers.

Chrome 72 also no longer allows popups to appear during page unload. The built-in popup blocker already did this, but such popups are now blocked by default whether or not the popup blocker is enabled.

Windows, Mac and Linux desktop users can upgrade to Chrome 72.0.3626.81 by going to Settings -> Help -> About Google Chrome; the browser will automatically check for the new update and install it if it is available.

Google Chrome 72

TLS 1.0 and 1.1 deprecated

Although support for TLS 1.0 and 1.1 is only deprecated in the current version of Chrome, it will be removed completely in early 2020 with the release of Chrome 81.

According to Google, "During the deprecation period, sites that use these protocols will show a warning in DevTools. After the deprecation period, in 2020, they will fail to connect if they have not been upgraded to TLS 1.2 by then."

The deprecation and eventual removal of the secure communication protocols TLS 1.0 and 1.1 was announced in October 2018 as part of a coordinated announcement by Google, Microsoft, Apple and Mozilla.

Google also decided to remove support for the HTTP-based public key pinning (HPKP) feature, which was designed to "allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain".

However, because of its low adoption and the denial-of-service and hostile pinning risks it creates, HPKP is no longer present in either the desktop or mobile versions, following its initial deprecation in Chrome 65.
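
For a site operator, the practical question is which protocol version a server actually selects. The following added example (not from the original article or from Google) parses a raw TLS ServerHello record and maps the selected version to the browser behaviour described above; the function names and the sample records are constructed for illustration.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # TLS 1.3 announces its real version in this extension

def negotiated_version(record: bytes) -> int:
    """Return the protocol version a raw TLS ServerHello record selected."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                  # legacy_version + random
    pos += 1 + hello[pos]         # session_id length byte + session_id
    pos += 2 + 1                  # cipher_suite + compression_method
    if pos + 2 > len(hello):
        return version            # no extensions: legacy_version is final
    end = min(len(hello), pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2 and pos + 6 <= end:
            version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
        pos += 4 + ext_len
    return version

def chrome_verdict(record: bytes) -> str:
    """Map the negotiated version to the browser behaviour the article describes."""
    v = negotiated_version(record)
    name = VERSIONS.get(v, f"unknown 0x{v:04x}")
    if v in (0x0301, 0x0302):
        return f"{name}: deprecated (DevTools warning; fails to connect after removal)"
    return f"{name}: ok" if v >= 0x0303 else f"{name}: not a supported TLS version"

def build_server_hello(legacy: int, extensions: bytes = b"") -> bytes:
    """Build a constructed (not captured) ServerHello record for the demo below."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, legacy, len(handshake)) + handshake

if __name__ == "__main__":
    for rec in (build_server_hello(0x0302), build_server_hello(0x0303, bytes.fromhex("002b00020304"))):
        print(chrome_verdict(rec))
```

A TLS 1.3 server still writes 0x0303 in the legacy version field, which is why the parser has to read the supported_versions extension before deciding.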

Blocking third-party applications from injecting code

With rendering of FTP resources removed in Chrome 72, the browser will continue to generate FTP directory listings, but files from the directory will no longer be loaded in the browser.

Starting with this stable version, Chrome offers an internal page that lets users see all the interstitial warnings or notifications that can be displayed while browsing.

Chrome will also block third-party applications from injecting code into the browser. The programs most affected by this change are antivirus and other security products, which often inject code into the local user's browser process to intercept and scan for malware, phishing pages and other threats.

With this feature, you can see a list of incompatible applications by entering chrome://settings/incompatibleApplications in the Chrome address bar, where all the detected programs are listed along with a prompt to remove them.

Notice about code injection in Chrome
Warning about problematic apps in Chrome

Critical and high-severity security issues fixed

The Chrome 72 update also includes 58 security fixes, including one critical patch that resolves an "improper implementation in QUIC networks" and 17 high-severity patches contributed by external researchers.

The rest of the security fixes in Chrome 72 were found through internal audits, fuzzing with AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer or AFL, and other initiatives.

A complete list of all changes in this version is available in the Chrome 72 change log, and more details on developer features can be found on the Google Chrome Developers platform.

