Google Chrome is the most popular web browser; 65% of all people surf the web using it. Chrome has many features, such as cross-device syncing, third-party extensions for further enhancements, powerful developer tools for web app creators, and its custom protocol to enhance speeds on Google’s services, such as YouTube. Chrome also takes security seriously: the browser detects and blocks malicious websites, emails and downloads, and provides pop-up blocking, automatic updates, cookie protection, sandboxing and insecure-encryption warnings, among many other protections. Last week’s Chrome update includes a few security-related changes that website owners and operators will have to address.
As of Chrome version 79, released last week, Chrome begins supporting and enabling DNS over HTTPS (DoH), and sites whose connections are encrypted with TLS 1.0 or TLS 1.1 will be marked as insecure. The marking of TLS 1.0 sites is significant because 68% of websites still support TLS 1.0, which is insecure due to multiple vulnerabilities. If your website uses TLS 1.0 or 1.1, as of January 13, 2020 Chrome will display the following warning, and in 2021 Chrome will no longer load websites using TLS 1.0 or 1.1.
Figure 1: Chrome Certificate Warning
Why is this Happening?
Security protocols are much like software; they require continuous updates and enhancements. TLS 1.0 is an old and outdated protocol; in fact, it dates back to 1999. TLS stands for “Transport Layer Security” and ensures communications are encrypted for security and privacy; read more on what TLS/SSL is here. Without these protections, any credit card used at a POS in-store or in an online purchase, or your credentials when logging into a website or email, would be exposed to attackers. Some of the most prevalent vulnerabilities relating to TLS include Heartbleed, POODLE, BEAST and CRIME, which have been used in notable breaches. The Heartbleed vulnerability was used in several attacks against the Government of Canada, including a breach of taxpayer information from the CRA.
Vulnerabilities in these protocols can allow attackers to intercept and tamper with data in transit between websites and their users. This could include credit card data, intellectual property and credentials, all of which are prime targets for attackers. The PCI DSS compliance deadline for TLS 1.0 was June 2018; any organization in violation of the PCI security standards can face up to $100,000 in monthly fines. TLS 1.1 dates back to 2006, and shortly after, TLS 1.2 was developed to address numerous security concerns in TLS 1.0 and TLS 1.1. TLS 1.2 is still secure to this day, and TLS 1.3 has since been released with improvements to both security and performance.
What do I need to do?
The good news is that the majority of websites already use the secure TLS 1.2 or, more recently, TLS 1.3. Many major websites have already disabled support for TLS 1.0 and 1.1, such as DigiCert, Microsoft’s Office 365, Cloud.gov and the Cloudflare API. Most website operators will only need to disable support for TLS 1.0 and 1.1; operators whose web servers do not yet offer TLS 1.2 will also need to configure them to support and prefer TLS 1.2. New certificates do not need to be bought, because certificates work with every existing TLS version. In short:
Enable TLS 1.2 support if not enabled
Disable support for TLS 1.0 and TLS 1.1
How do I know if my website is configured securely?
Qualys provides a free SSL Server Test tool that can be used to assess your website’s encryption protocols and implementation. Enter your website’s hostname into the Hostname field; for privacy and confidentiality of results, it is recommended to check the “Do not show the results on the boards” box. Refer to the screenshot below as an example.
Figure 2: ssllabs.com Scan
Within a minute or two, the results are tabulated and given a letter grade. Any warnings or issues appear with appropriate visual cues. A complete breakdown of the findings is reported to help website operators improve the security of their website’s encryption.
Figure 3: ssllabs Scan Results
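As an added example (not code from the original post), the weak and corrected server-side settings from the checklist above, written with Python’s standard ssl module, plus a small client-side probe that reports which protocol versions a live host accepts, as a local complement to the Qualys scan; the certificate paths in the comment are placeholders.

```python
# Added example: server-side TLS version policy plus a client probe of a host's accepted versions.
import socket
import ssl
import warnings

# Versions the post says Chrome 79+ flags as insecure, and the versions to prefer.
LEGACY = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1}
MODERN = {"TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}


def legacy_server_context() -> ssl.SSLContext:
    """The weak setting: a server context that still negotiates TLS 1.0 and 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # Python 3.10+ warns on TLSv1
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """The corrected setting: refuse TLS 1.0/1.1 and let OpenSSL offer 1.2 and 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The existing certificate is reused unchanged (placeholder paths):
    # ctx.load_cert_chain("fullchain.pem", "privkey.pem")
    return ctx


def legacy_versions_allowed(ctx: ssl.SSLContext) -> list:
    """Names of the legacy versions a context would still negotiate (empty when hardened)."""
    return [name for name, ver in LEGACY.items() if ctx.minimum_version <= ver]


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Which versions a live server accepts (needs network); each handshake pins one version."""
    results = {}
    for name, ver in {**LEGACY, **MODERN}.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # probing version policy here, not certificate validity
        ctx.verify_mode = ssl.CERT_NONE
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):  # version rejected or unsupported locally
            results[name] = False
    return results
```

Run `probe_versions("your.host.example")` against your own server: a site that is ready for Chrome 79 reports False for TLS 1.0 and 1.1 and True for TLS 1.2 (and 1.3 where offered).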
Why it Matters
Businesses should seek the highest grade possible, an A+, for multiple reasons, the first being security. Protecting your customers and employees is a primary concern: in the aftermath of a cybersecurity breach, 65% of customers explore moving their business and 31% actually do. Cybersecurity plays an important role in preserving your brand. In fact, search engines like Google use TLS as a factor in search results. Search engines want to protect their customers; if a website has questionable security that may expose users, search engines will rank it lower in the results.
Properly implemented TLS alone is not enough to protect your website and its users. Web applications, including sites running on a Content Management System like WordPress, should undergo a penetration test to discover vulnerabilities that attackers could exploit to breach systems.