
Title: Chrome 72 Released with 58 Security Fixes, Deprecates TLS 1.0 and 1.1
Post by: javajolt on January 31, 2019, 04:14:43 PM
Google has released Chrome 72 to the Stable desktop channel, which makes it available for everyone to download. This version removes support for TLS 1.0 and TLS 1.1 and HTTP-Based Public Key Pinning, and it will also no longer render resources from FTP servers.

Chrome 72 will also no longer allow popups during page unload, something that the built-in popup blocker was already doing, but now they will be blocked by default whether or not the popup blocker is enabled.

Windows, Mac, and Linux desktop users can update to Chrome 72.0.3626.81 by going to Settings -> Help -> About Google Chrome and the browser will automatically check for the new update and install it if and when available.

TLS 1.0 and 1.1 deprecated

While support for TLS 1.0 and 1.1 has only been deprecated in the current Chrome version, it will be completely removed during early 2020 with the release of Chrome 81.

According to Google, "During the deprecation period, sites using those protocols will show a warning in DevTools. After the deprecation period, in 2020, they will fail to connect if they have not upgraded to TLS 1.2 by then." The deprecation and eventual removal of the TLS 1.0 and 1.1 secure communication protocols was advertised during October 2018 as part of a coordinated Google, Microsoft, Apple, and Mozilla announcement.

Google also decided to remove support for the HTTP-Based Public Key Pinning (HPKP) feature which was designed to "allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain."

However, because of its low adoption numbers and the fact that it generates denial of service and hostile pinning risks, HPKP is now no longer present in either the desktop or mobile versions, after its initial deprecation in Chrome 65.

Blocks third-party applications from injecting code

By removing the rendering of FTP resources in Chrome 72, the web browser will continue to generate FTP directory listings, but non-directory listings will no longer be loaded within the browser.

Starting with this stable release, Google's web browser features an internal page designed to allow users to see all interstitial warnings or notifications that may be displayed while browsing the web with Chrome.

Chrome will now also block third-party applications from injecting code into the browser. The most affected by this change are anti-malware and other security software that often use code injection into the user's local browser process to intercept and scan for malware, phishing pages, and various other threats.

With the help of this feature, you can see a list of incompatible applications by entering chrome://settings/incompatibleApplications into Chrome's address bar which will display a list of all detected programs and prompt to remove them.

[Image: Warning about problem applications in Chrome]

Critical and high severity security issues fixed

The Chrome 72 update also includes 58 security fixes, with one critical security patch which fixes an "Inappropriate implementation in QUIC Networking" and 17 high severity patches contributed by external researchers.

The rest of the security fixes added to Chrome 72 were found and contributed by internal audits, fuzzing with the help of AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL, and other initiatives.

A full list of all changes in this release is available in the Chrome 72 changelog and further details regarding development features can be found on the Google Chrome Developers platform.

source (http://www.bleepingcomputer.com/news/google/chrome-72-released-with-58-security-fixes-deprecates-tls-10-and-11/)