Remove TLS 1.0 support from Chrome
Reported by markare...@gmail.com, Jan 30 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

Steps to reproduce the problem:
1. Nothing to reproduce. TLS 1.0 is enabled by default.
2. Not talking about TLSfallback. Just give us the ability to turn off TLS 1.0.
3.

What is the expected behavior?
For Chrome to be on par with Internet Explorer and Firefox for TLS security protocol support, or lack thereof.

What went wrong?
TLS 1.0 is supported by Chrome. TLS 1.0 is insecure and supports insecure ciphers. TLSfallback was removed, because bug reports say that feature is insecure. The solution would be to remove TLS 1.0 support altogether or to implement the ability to configure a minimum level of support. This can be easily done in Internet Explorer by unchecking a box in the advanced settings. Or you could take a step forward by configuring SCHANNEL to remove TLS 1.0 support altogether. Unfortunately, Chrome ignores SCHANNEL. It is easier to configure the browser to block insecure protocols than it is to fix hundreds of millions of poorly configured websites.

https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Did this work before? N/A

Chrome version: ALL  Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 28.0 r0

Jan 30 2018
Issue #765161 tracks restoring the SSLVersionMin admin policy. While it would be lovely to remove all kinds of legacy insecure options by default, there are still too many legacy sites out there. Hopefully PCI's June 2018 deadline will help drive the numbers down enough to remove it (and TLS 1.1) completely.

Jan 30 2018
Completely understandable. I have to field dozens of repeated calls a week from users being unable to access insecure legacy websites due to Internet Explorer and Firefox being configured to block TLS 1.0. However, we do have savvy and snappy users that are proud to violate security policy by using Chrome. We also have Web Admins who refuse to upgrade their internal servers because Chrome still allows TLS 1.0. Instead of removing insecure options by default, giving us the option to disable it would certainly be lovely. Internal discussions are occurring now and we are leaning towards forcing the removal of Chrome on thousands of systems in order to comply with CJIS Security policy.

Feb 7 2018

Feb 27 2018
Merging this into the policy bug and fixing it.

Comment 1 by elawrence@chromium.org, Jan 30 2018
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature
Summary: Remove TLS 1.0 support from Chrome (was: Remove TLS 1.0 support from Chrome. )