Google Chrome 56's crypto tweak 'borked thousands of computers' using Blue Coat security

The availability of Transport Layer Security protocol version 1.3 was supposed to make network encryption faster and more secure. TLS 1.3 dispenses with a number of older cryptographic functions that no longer offer adequate protection, and reduces the amount of time required to negotiate "handshakes" between devices. Google …

  1. Anonymous Coward
    Anonymous Coward

    A Symantec product is total shit

    I'm shocked. How could this have happened? Symantec products are usually so high quality.

    1. Halfmad

      Re: A Symantec product is total shit

      They are when they initially buy the company which produces it, then it's merged, screwed with and forgotten about and of course the original coders behind it leave. Job done - the Symantec way.

      1. Amos1

        Re: A Symantec product is total shit

        No, no. After they totally bork it they can sell it at a loss.

        Like buying the Verisign certificate business for $1.25 billion in 2010 and then selling it for $950 million in 2017.

    2. Tomato42
      Boffin

      Re: A Symantec product is total shit

      While the post is missing the "/s" mark, it IS sarcastic.

      1. TitterYeNot

        Re: A Symantec product is total shit

        "While the post is missing the "/s" mark, it IS sarcastic."

        Yes, here in the UK our sarcasm detectors are fine tuned from birth, so tags are implicitly not required (unless translation is needed for a leftpondian audience.)

        Especially when the subject of said sarcasm is the cauldron of ineptitude that is Symantec...

  2. Pascal Monett Silver badge

    "That these products broke is an indication of defects in their TLS implementations,"

    So it is totally their fault, no reason to rollback at all, nosiree. Yes, it is quite obviously their fault, but maybe you could offer a rollback option anyway, just to show how l33t and magnanimous you are while letting over 16000 people get on with their lives ?

    Just an idea.

    1. Mage Silver badge

      Re: "That these products broke is an indication of defects in their TLS implementations,"

      Astounding arrogance

      1. bazza Silver badge

        Re: "That these products broke is an indication of defects in their TLS implementations,"

        Having slagged off Bluecoat, it would be a bit embarrassing for Google if it turns out that Google had got it wrong...

    2. Adam 52 Silver badge

      Re: "That these products broke is an indication of defects in their TLS implementations,"

      Chrome has over 50% market share. If my arithmetic is correct 16,000 people is 0.001% of their user base. Not many manufacturers would go out of their way to work around a problem in another manufacturer's product with such a tiny impact.

      1. RyokuMas
        Facepalm

        Re: "That these products broke is an indication of defects in their TLS implementations,"

        Not many manufacturers would go out of their way to work around a problem in another manufacturer's product with such a tiny impact.

        ... and yet, had this been a Microsoft issue, you can bet your life that there would be the usual lemongrab-esque flood of outrage on here....

    3. P. Lee

      Re: "That these products broke is an indication of defects in their TLS implementations,"

      >maybe you could offer a rollback option anyway,

      BTRFS anyone? Well, who trusts software vendors to do the right thing?

      It did take me ages to work out why my laptop (Suse) was apparently out of disk space when df said there was loads left, but it is very, very cool.

      As for Bluecoat... resting on their laurels for far too long. Seriously, if network security is your game, at least put some effort in. If Google can put it in a browser for free, you can do it when people pay you for support.

    4. Anonymous Coward
      Anonymous Coward

      Re: "That these products broke is an indication of defects in their TLS implementations,"

      I know it is accepted Internet SOP to hate Google and blame them for everything (when it is not MS, Apple, Facebook or Twitter ...... and on standby UBER!!!)

      In this case I think Google are right to NOT roll-back Chrome.

      If they do it will set an expectation that Google will accommodate 'other peoples' s/w issues when 'their' testing has not been as effective as it should have been.

      It would also be used as 'big stick' to beat Google when the majority 'upgrade' to a new version only for Company 'X' to request the same people are forced to roll-back.

      It does highlight that you should not allow updates to happen until you have tested it does not 'Bork' something. This means Google, Bluecoat Security and the anyone who has 100's to 1000's of users using a critical configuration etc.

      This is exactly the reason I do not like windows 10 ......... forced updates at random times with little or no control.

      [I claim my £10 for managing to bring windows 10 into the conversation !!! :) :) :) ]

      1. frank ly

        Re: "That these products broke is an indication of defects in their TLS implementations,"

        "... managing to bring windows 10 into the conversation ..."

        Is this an example of Godwindows law?

        1. Frumious Bandersnatch

          Re: "That these products broke is an indication of defects in their TLS implementations,"

          This is the Register. Windows 10 Trumps^Htrumps Godwin.

        2. Anonymous Coward
          Anonymous Coward

          Re: "That these products broke is an indication of defects in their TLS implementations,"

          Frank ly@,

          Well Played Sir.

          Have an Upvote and a Beverage of your choice !!! :)

          [I will buy it out of the £10 I won ...... :) ]

      2. Cuddles

        Re: "That these products broke is an indication of defects in their TLS implementations,"

        Indeed, in all the arguing whether to blame Google or Symantec, it seems the main fault lies with the admin who rolled out an update to nearly 100,000 devices without checking if it actually worked first.

        1. George Costanza

          Re: "That these products broke is an indication of defects in their TLS implementations,"

          These are Chromebooks. They update automatically unless you pin them to a specific version (no older than n-3) using Chrome Device Management.

      3. Pedigree-Pete
        FAIL

        Re: "That these products broke is an indication of defects in their TLS implementations,"

        Well done with the Windows 10 ref, where do I send the £10 AC? PP

    5. theblackhand

      Re: "That these products broke is an indication of defects in their TLS implementations,"

      While it may have been Google's fault for releasing a browser utilising the latest TLS release, Blue Coat's ability to trip up over almost every SSL/TLS change in recent years suggests they are desperately clinging to old, flawed methods of handling SSL/TLS that keep hurting their customers.

      1. rh587

        Re: "That these products broke is an indication of defects in their TLS implementations,"

        While it may have been Google's fault for releasing a browser utilising the latest TLS release, Blue Coat's ability to trip up over almost every SSL/TLS change in recent years suggests they are desperately clinging to old, flawed methods of handling SSL/TLS that keep hurting their customers.

        This - Blue Coat had already had warning. Google released TLS1.3 in Chrome 56 but they'd released TLS GREASE in Chrome 55. GREASE was designed to test whether TLS implementations (which the standard says should be interoperable and version tolerant) actually deal properly with unknown extensions, and Blue Coat customers were complaining back then that GREASE was tripping up their systems.

        Blue Coat's response was "the Proxy is not able to process this request as we don't support this unknown, nonstandard RFC extension". Which betrays a total failure to understand how TLS is actually designed to work - i.e. if a client sends an unknown extension, the server should just ignore it and they negotiate down to a mutually acceptable extension like TLS1.2. It shouldn't throw the entire connection.

        1. Blue Coat should have seen TLS 1.3 coming

        2. Blue Coat should be implementing TLS properly. It's literally their job.

  3. Oh Homer
    Paris Hilton

    The curse of "Blue" security

    Why are so many flawed security products called "Blue"?

    Remember the ill-fated "Blue Security" and the highly dubious "Bluebox Security Scanner", and now Google's "Bluecoat"?

    Is this some psychobabble that a marketeer monkey came up with during a PowerPoint presentation, where it was decided that "blue" induces feelings of confidence?

    1. Anonymous Coward
      Anonymous Coward

      Re: The curse of "Blue" security

      and now Google's "Bluecoat"?

      From the article: "A spokesperson for Symantec, which acquired Blue Coat last year"

      1. Oh Homer

        Re: The curse of "Blue" security

        Google, Symantec, whatever. It's still "blue".

    2. Mark 85

      Re: The curse of "Blue" security

      Is this some psychobabble that a marketeer monkey came up with during a PowerPoint presentation, where it was decided that "blue" induces feelings of confidence?

      Think "Blue Plate Special"* or "Blue Light Special"* or "Big Blue (IBM)"... and then there's the perception that any device with a blue LED is very high tech. So yeah... marketing psychobabble.

      * I know.. no quality there, just low price stuff. But somewhere, someone in marketing thought differently.

    3. Fazal Majid

      Re: The curse of "Blue" security

      Blue is the corporate color par excellence. It symbolizes trust, loyalty, authority,

      conservatism, business in Western cultures:

      https://www.six-degrees.com/pdf/International-Color-Symbolism-Chart.pdf

      https://www.flickr.com/photos/philgyford/56867986/

      The headline is wrong, this is clearly Bluecoat's fault for misimplementing TLS 1.3, and not testing it against the browser with 50% market share. If they had not implemented TLS 1.3 at all, the browsers would have fallen back to TLS 1.2.

      1. Alan W. Rateliff, II
        Coat

        Re: The curse of "Blue" security

        Like the Blue Duck!

        (Oh, Gawd, I just saw it next to the Twitter bird and now I feel sad. And a little dirty.)

        I fail to see the need for all the dick-measuring over this. Forgetting for a second that Google is arrogant and everything Google is in perpetual beta, and Symantec does have a reputation for ruining everything useful, both are implementing a standard which is still in draft. These are the kinds of things we should expect to happen on occasion and instead of childish mud-slinging and disparagement, the cooperative spirit of the Internet should emerge.

        Try to read that with a straight face.

      2. TeeCee Gold badge
        Coat

        Re: The curse of "Blue" security

        Except in the automotive industry where it means "looks green when tested".

        1. Anonymous Coward
          Anonymous Coward

          Re: The curse of "Blue" security

          Or in movies, where "blue" means "contains lots of fleshtones".

          Mines the big raincoat with the box of kleenex in the pocket.

    4. Anonymous Coward
      Anonymous Coward

      Re: The curse of "Blue" security

      Their company was originally called "Cacheflow", and apparently changed their name to Blue Coat after some brand consultancy told them it would evoke associations with law enforcement (i.e. policing your network). Unfortunately, in blighty the new name just brings to mind charity-run schools, or possibly Pontins holiday camp attendants, so wasn't really the marketing coup they were looking for.

      You could argue that this was actually slightly less damaging than being associated with plod, of course.

  4. Sitaram Chamarty
    WTF?

    can anyone explain...

    ...how a *browser* update causes problems for the login screen?

    Has Chrome become as essential to the working of an OS as MS used to claim IE was in the old days?

    (This is a genuine question by the way; I'm not being snarky or something)

    1. hazzamon

      Re: can anyone explain...

      The release of Chrome 56 is not just a desktop browser, it also includes updates to Chrome OS included on Chromebooks.

    2. Amos1

      Re: can anyone explain...

      I don't use Blue Coat but it feels like the admin enabled a "Require TLS 1.3" option on the proxy thinking bigger numbers means better security. I see this all the time when non-security people get involved in security configurations.

      While the spec for TLS 1.3 may be finalized, there are going to be implementation problems in the products for years.

  5. Sebastian A

    X blames Y, Y blames X, and the customer gets shafted.

  6. Anonymous Coward
    Anonymous Coward

    Where is this TLS 1.3 specification?

    So that vendors know what to implement? TLS 1.3 is still a draft, the RFC was last updated 4 days ago.

    How can the makers of network security tools and hardware be expected to support it when Google just rolled out their own implementation unilaterally?

    How am I supposed to debug it? The latest development version of Wireshark can't digest TLS 1.3 because *it's still a draft*.

    What they're deploying is GoogleTLS 1.3.

    1. Tomato42
      Boffin

      Re: Where is this TLS 1.3 specification?

      That "GoogleTLS" is also supported by Mozilla Firefox and Cloudflare...

      TLS has had an integrated mechanism for backwards compatibility since it was called SSL 2, over 20 years ago. If you're making errors reintroducing 20 year old bugs into your software, maybe, just maybe, programming is not a job for you. Oh, and I'd suggest against farming either, because this kind of error makes it likely that the arrival of winter every year is a surprise for you.

      1. Digi1234

        Re: Where is this TLS 1.3 specification?

        You don't understand how corporate security, or proxies, work. You work with what is known, you deal with known SSL/TLS extensions and anything that does not comply with approved standards, you deny. This is just what happened. From a security point of view, would you support anything new, regardless of what it is? Of course you wouldn't, and if you did, I question your competence. Again, the problem isn't with TLS itself, but with a manufacturer unilaterally rolling out something that hasn't been generally approved. What if there was an undiscovered problem with 1.3? What would you say then?

    2. rh587

      Re: Where is this TLS 1.3 specification?

      So that vendors know what to implement? TLS 1.3 is still a draft, the RFC was last updated 4 days ago.

      How can the makers of network security tools and hardware be expected to support it when Google just rolled out their own implementation unilaterally?

      They're not expected to support it. As an unknown extension they're expected to ignore it and negotiate gracefully down to TLS1.2. That's how TLS works - the server says "I don't know what <extension> is, how about TLS 1.2?".

      NOT

      "I don't know what <extension> is. I'll close the connection now."

      If your TLS implementation doesn't support extensions gracefully, then you don't have a TLS implementation - you have a proprietary security suite that looks and works a bit like TLS but isn't actually compliant with the TLS standard.
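      The negotiation rh587 describes here and in the GREASE comment further up, as an added example that is not part of the original thread and not Chrome's, Blue Coat's or any real stack's code: a minimal ClientHello parser with two hypothetical server-side policies. `negotiate_intolerant` models the failure mode the thread complains about (any extension not on a fixed known list, a GREASE value or supported_versions included, ends the handshake), while `negotiate_tolerant` skips whatever it does not understand and settles on the highest mutually supported version, which for a TLS 1.2-only middlebox is TLS 1.2. The ClientHello bytes, the set of extensions the hypothetical box "knows", and all function names are constructed for this example; the GREASE value pattern follows RFC 8701 and extension type 43 is supported_versions from RFC 8446.

```python
"""Tolerant vs. extension-intolerant ClientHello handling (constructed example, not any vendor's code)."""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10
EXT_SUPPORTED_VERSIONS = 43   # RFC 8446
EXT_KEY_SHARE = 51

# Extensions our hypothetical TLS 1.2-era middlebox understands (constructed set).
KNOWN_EXTENSIONS = {EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS}


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa: equal bytes, low nibble 0xa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(legacy_version: int, extensions) -> bytes:
    """Build a minimal TLS record carrying a ClientHello (random and session_id zeroed)."""
    body = struct.pack(">H", legacy_version)
    body += b"\x00" * 32                                 # random
    body += b"\x00"                                      # session_id: empty
    body += struct.pack(">H", 2) + b"\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                  # compression_methods: null only
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # client_hello, 3-byte length
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (legacy_version, [(ext_type, ext_data), ...]) from a handshake record."""
    content_type, _record_version, record_len = struct.unpack(">BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + record_len]
    if handshake[0] != 1:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + 32                                        # legacy_version + random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + struct.unpack_from(">H", body, pos)[0]    # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    extensions = []
    if pos < len(body):
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack_from(">HH", body, pos)
            pos += 4
            extensions.append((ext_type, body[pos:pos + ext_len]))
            pos += ext_len
    return legacy_version, extensions


def negotiate_intolerant(record: bytes):
    """The behaviour the thread describes: abort on any extension not on the known list.
    A GREASE extension and supported_versions are both 'unknown' here, so the handshake
    never reaches version selection. None means the connection is dropped."""
    legacy_version, extensions = parse_client_hello(record)
    for ext_type, _ in extensions:
        if ext_type not in KNOWN_EXTENSIONS:
            return None
    return min(legacy_version, TLS12)


def negotiate_tolerant(record: bytes, server_versions=(TLS12,)):
    """RFC-style behaviour: skip unknown extensions, choose the highest mutual version.
    A server without TLS 1.3 treats supported_versions like any other unknown extension
    and falls back to legacy_version (0x0303), i.e. it negotiates down to TLS 1.2."""
    legacy_version, extensions = parse_client_hello(record)
    offered = None
    for ext_type, data in extensions:
        if ext_type == EXT_SUPPORTED_VERSIONS and TLS13 in server_versions:
            offered = [struct.unpack_from(">H", data, 1 + i)[0] for i in range(0, data[0], 2)]
        # Everything else, GREASE values included, is simply skipped.
    if offered is None:
        return min(legacy_version, max(server_versions))
    mutual = [v for v in offered if not is_grease(v) and v in server_versions]
    return max(mutual) if mutual else None


# Constructed ClientHello resembling what a GREASE-enabled TLS 1.3 client sends.
CLIENT_HELLO = build_client_hello(TLS12, [
    (0x0A0A, b""),                                              # GREASE extension
    (EXT_SERVER_NAME, b"\x00\x0e\x00\x00\x0bexample.com"),
    (EXT_SUPPORTED_VERSIONS, b"\x06\x0a\x0a\x03\x04\x03\x03"),  # [GREASE, TLS 1.3, TLS 1.2]
    (EXT_SUPPORTED_GROUPS, b"\x00\x02\x00\x1d"),                # x25519
    (EXT_KEY_SHARE, b"\x00\x00"),                               # empty key_share list
])

if __name__ == "__main__":
    print("intolerant box:", negotiate_intolerant(CLIENT_HELLO))                        # None
    print("tolerant TLS 1.2 box:", hex(negotiate_tolerant(CLIENT_HELLO)))                # 0x303
    print("tolerant TLS 1.3 box:", hex(negotiate_tolerant(CLIENT_HELLO, (TLS12, TLS13))))  # 0x304
```

      Run as a script, the intolerant policy drops the connection even though the client advertised 0x0303 as legacy_version and the tolerant TLS 1.2 box would have completed a TLS 1.2 handshake; a box that understands supported_versions selects TLS 1.3 from the same bytes.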

    3. bolac

      Re: Where is this TLS 1.3 specification?

      >security tool

      There is your oxymoron already.

  7. tiggity Silver badge

    Never Rollback

    Rollback, with Google, never.

    You must be on the latest & greatest

    Accelerated obsolescence for all.

    I have a gmail address for throw away use, on one of my machines (an old mac), if I access it via web interface on chrome I get message telling me browser unsupported and I must upgrade to a newer version...

    Except that Google no longer provide any more Chrome updates for that particular OS (and hardware requirements for newer Mac OS versions mean that the mac is at max OS version it can actually physically run)

  8. Anonymous Coward
    WTF?

    So Google blame Bluecoat...

    Hey Google, how about WAITING for it to be, you know, finalised and agreed, before rolling out draft protocols and then blaming others for not doing the same.

    Typical Google arrogance.

    1. bolac

      Re: So Google blame Bluecoat...

      It agreed already. Firefox will have it in the next release as well. That was announced months ago.

  9. Tabor

    reaching the admin

    "Attempts to reach the administrator via phone and email were unsuccessful"

    The guy just had over 17000 chromebooks say they don't want to play. I assume interviews by various journos are quite low on his list of priorities.

    I would lay the blame with Symantec in this case, OTOH it's something to consider when considering Chromebooks... I haven't used one, but is it possible to run another browser ?

  10. Gordon Pryra
    Joke

    Reminds me of the old M$ joke

    Reminds me of the old M$ joke, maybe not as apt, you SHOULD be able to deliver an update with the assumption that a standard has been followed but anyway...

    Q) How many Google engineers does it take to change a light-bulb?

    A) None! They just make darkness the industry standard......

  11. rlrevell

    Correction to above post - latest development snapshot of the 2.3.0 branch of Wireshark does understand TLS 1.3.

    And yeah, Bluecoat should have handled this better, but Google lately is reminding me of Microsoft in the 1990s, unilaterally deploying new protocols rather than going through channels. The big difference of course is that Google publishes the specs to these things, but they're still acting like the 800-lb gorilla forcing everyone to adapt to their way or else.

    1. Anonymous Coward
      Anonymous Coward

      > unilaterally deploying new protocols rather than going through channels.

      And who should they ask for their blessing before deploying open, standard protocols in their own products? You?

      > Google publishes the specs to these things

      No, IETF publishes the specs for these "things," as with many other widely used protocols on the Internet.

  12. George Costanza

    F5 had a similar bug...

    ...which they fixed and released a patch for back in 2015, before there were any TLS 1.3 clients outside of development environments.

    https://support.f5.com/csp/article/K17400

    What's BlueCoat's excuse?

  13. Digi1234

    TLS 1.3 is no agreed standard yet. If Google decide to roll out a working draft on their development branch of Chrome, and only when talking to select servers, that's their prerogative. Blue Coat/SYMC not yet supporting it actually makes sense. If you are in the security business, you work with established standards, not on the whim of a single manufacturer. Google should have known that and acted accordingly (i.e. downgrade to 1.2 if 1.3 isn't supported). I do agree that 1.3 is a big step forward, but let's get real, without an established and agreed standard, it doesn't make sense to support it.
