Google Chrome and Edge's new post-quantum cryptography may break TLS connections

Last week, Google released Chrome 124, which introduced the quantum-resistant X25519Kyber768 encapsulation mechanism enabled by default. This update is a significant step towards securing traffic against future quantum cryptanalysis but has also led to some connectivity issues for users. This post delves into the changes, the problems encountered, and how to mitigate them.

The New Quantum-Resistant Mechanism

To future-proof encrypted communications, Google integrated the Kyber768 quantum-resistant key agreement algorithm into Chrome 124. This mechanism is designed to protect TLS 1.3 and QUIC connections from potential quantum cryptanalysis attacks, aiming to safeguard users from "store now, decrypt later" attacks, where encrypted data is collected with the hope that future quantum computers will enable decryption.

Compatibility Issues

Despite the security benefits, the rollout of Chrome 124 has caused connectivity issues. System administrators and users have reported problems connecting to websites, servers, and firewalls. These issues stem from the TLS handshake process, where some web servers cannot handle the larger ClientHello messages generated by the new quantum-resistant mechanism. This has caused connections to drop, particularly affecting security appliances, firewalls, and network devices from vendors like Fortinet, SonicWall, Palo Alto Networks, and AWS. The issue is not a bug in Chrome but rather due to web servers' inability to handle the updated TLS ClientHello messages.

Troubleshooting and Mitigation

For users and administrators facing connection issues, the following steps can help mitigate the problem:

Disable the Quantum-Resistant Mechanism in Chrome:

• Users can navigate to chrome://flags/#enable-tls13-kyber and disable the TLS 1.3 hybridized Kyber support.

• Administrators can configure GPO to disable the setting. If you don't see the settings, you will have to update or add the GPO templates (ADMX/ADML).

  • Chrome: Computer Configuration > Policies > Administrative Templates > Google > Google Chrome > Enable post-quantum key agreement for TLS > Disabled

  • Edge: Computer Configuration > Policies > Administrative Templates > Microsoft Edge> Enable post-quantum key agreement for TLS > Disabled

Update Servers and Network Devices:

• Administrators should contact their vendors to obtain updates that support the new TLS mechanism. Ensuring that servers and middleboxes are post-quantum-ready will prevent these connection issues.
  

Testing Servers:

• Admins can test their servers by manually enabling the feature in Chrome 124 using the chrome://flags/#enable-tls13-kyber flag and checking for any "ERR_CONNECTION_RESET" errors.

A resource is available at tldr.fail, which explains how larger post-quantum ClientHello messages can break connections and offers guidance on resolving these issues.

The Future of Post-Quantum Security

Disabling the quantum-resistant feature is a temporary solution. Post-quantum secure ciphers will eventually become a necessity, and the enterprise policy allowing the disabling of this feature will be removed in future Chrome versions. As quantum computing progresses, securing data against future decryption methods becomes increasingly critical.

In conclusion, while Chrome 124's new quantum-resistant mechanism represents a significant advancement in securing encrypted traffic, it has also revealed compatibility challenges. By updating servers and network devices, administrators can ensure continued secure connections while preparing for a future where post-quantum cryptography is standard.