Published: 24/05/24

Tech Tip: Important Security Update Regarding Chromium Based Browsers

It has come to the attention of SEP2 that a recent update to the Chromium browser engine (version 124 and above) changes a default setting to enable the new quantum-resistant X25519Kyber768 key encapsulation mechanism, known as TLS 1.3 Hybridized Kyber Support. This change has been causing issues for many security vendors' network-based TLS categorisation, which makes policy decisions based on URLs/hostnames where TLS inspection is not configured.

Security Issue Identified

Known affected Chromium based browsers are Google Chrome, ARC, Brave, Opera and Microsoft Edge. However, any other variant or fork of this browser engine based on version 124 or above will be susceptible unless the default behaviour has been explicitly changed.

A common symptom is firewall application and URL filtering policies incorrectly classifying sites. This affects security vendors that identify and categorise websites based on the certificate CN or the TLS Server Name Indication (SNI). Check Point refers to this method as "TLS Classification".

Note: This does not affect customers employing full TLS interception.

As an example, taken from a Check Point firewall in the SEP2 lab network. Please note that other vendors have similar problems; this is not Check Point specific, and Check Point is used here for demonstration purposes only.

A drop log clearly shows the gambling website being blocked:

(Screenshot: Check Point drop log showing the gambling site blocked)

However, both Chrome and Edge were actually allowed to connect to the blocked site:

(Screenshot: Chrome and Edge loading the blocked site)

The Firefox browser and any forked code based on Firefox do not show the same behaviour; this is specific to Chromium based browsers.
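The reason the classifier misses the SNI is the size of the hybrid key share. The X25519Kyber768 share adds roughly 1.2 KB to the ClientHello, so the handshake message no longer fits in a single TCP segment, and an inspection engine that only reads the first segment never sees a complete ClientHello (and therefore no server name) and falls through to its default action. The following Python model is an added example, not SEP2's, Check Point's or any vendor's code: it builds a Chromium-style ClientHello with and without the hybrid share, extracts the SNI from it, and shows what a first-segment-only classifier sees versus one that reassembles the stream. The extension set, ordering, hostname and the 1460-byte segment size are constructed assumptions (a real Chromium 124 hello is larger still, with GREASE and ECH material).

```python
import os
import struct
from typing import Optional

# Code points from the TLS registries; 0x6399 is the X25519Kyber768Draft00 hybrid group
# that Chromium 124 offers by default.
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_SIG_ALGS = 0x0000, 0x000A, 0x000D
EXT_ALPN, EXT_SUPPORTED_VERSIONS, EXT_PSK_MODES, EXT_KEY_SHARE = 0x0010, 0x002B, 0x002D, 0x0033
X25519, X25519KYBER768 = 0x001D, 0x6399
KYBER_SHARE_LEN = 32 + 1184       # X25519 point plus the 1184-byte Kyber768 encapsulation key
TCP_SEGMENT_PAYLOAD = 1460        # assumption: the classifier only sees one MSS-sized segment


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _ext(ext_type: int, data: bytes) -> bytes:
    return _u16(ext_type) + _u16(len(data)) + data


def build_client_hello(hostname: str, hybrid_kyber: bool) -> bytes:
    """Constructed TLS 1.3 ClientHello record modelled on a Chromium browser's.

    Extension order is fixed here for readability; Chromium randomises it."""
    shares = _u16(X25519) + _u16(32) + os.urandom(32)
    if hybrid_kyber:
        shares += _u16(X25519KYBER768) + _u16(KYBER_SHARE_LEN) + os.urandom(KYBER_SHARE_LEN)
    name = hostname.encode()
    sni_list = b"\x00" + _u16(len(name)) + name          # name_type host_name(0)
    alpn = b"\x02h2" + b"\x08http/1.1"
    groups = b"".join(_u16(g) for g in (X25519KYBER768, X25519, 0x0017, 0x0018))
    sig_algs = b"".join(_u16(a) for a in (0x0403, 0x0804, 0x0401, 0x0503,
                                          0x0805, 0x0501, 0x0806, 0x0601))
    suites = b"".join(_u16(s) for s in (0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030,
                                        0xCCA9, 0xCCA8, 0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035))
    other = (
        (EXT_SUPPORTED_GROUPS, _u16(len(groups)) + groups),
        (EXT_SIG_ALGS, _u16(len(sig_algs)) + sig_algs),
        (EXT_SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03"),   # TLS 1.3, TLS 1.2
        (EXT_PSK_MODES, b"\x01\x01"),                        # psk_dhe_ke
        (EXT_ALPN, _u16(len(alpn)) + alpn),
        (0x0005, b"\x01\x00\x00\x00\x00"),                   # status_request (OCSP)
        (0x0012, b""),                                       # signed_certificate_timestamp
        (0x0017, b""),                                       # extended_master_secret
        (0x0023, b""),                                       # session_ticket
        (0x000B, b"\x01\x00"),                               # ec_point_formats
        (0x001B, b"\x02\x00\x02"),                           # compress_certificate (brotli)
        (0xFF01, b"\x00"),                                   # renegotiation_info
    )
    extensions = _ext(EXT_KEY_SHARE, _u16(len(shares)) + shares)
    extensions += b"".join(_ext(t, d) for t, d in other)
    extensions += _ext(EXT_SERVER_NAME, _u16(len(sni_list)) + sni_list)
    body = (
        b"\x03\x03" + os.urandom(32)            # legacy_version, random
        + b"\x20" + os.urandom(32)              # 32-byte compatibility-mode session id
        + _u16(len(suites)) + suites
        + b"\x01\x00"                           # compression_methods: null only
        + _u16(len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + _u16(len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name, or None when the ClientHello is incomplete or has no SNI.

    Like a network classifier, this refuses to guess from a partial record: if the record
    header announces more bytes than were captured, the handshake cannot be parsed."""
    if len(data) < 5 or data[0] != HANDSHAKE:
        return None
    record_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + record_len:
        return None                             # truncated: only part of the ClientHello seen
    hs = data[5:5 + record_len]
    if hs[0] != CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                            # handshake header, legacy_version, random
    pos += 1 + hs[pos]                          # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                          # compression methods
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SERVER_NAME:         # list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None


def inspect(client_hello: bytes) -> dict:
    """What a first-segment-only classifier sees next to one that reassembles the stream."""
    return {
        "bytes": len(client_hello),
        "first_segment_sni": extract_sni(client_hello[:TCP_SEGMENT_PAYLOAD]),
        "reassembled_sni": extract_sni(client_hello),
    }


if __name__ == "__main__":
    for label, kyber in (("Chromium 123 style", False), ("Chromium 124 hybrid Kyber", True)):
        print(label, inspect(build_client_hello("gambling-site.example", kyber)))
```

The hybrid hello in this model comes out at roughly 1.5 KB, so `first_segment_sni` is `None` while `reassembled_sni` still returns the host name; without the Kyber share the same hello is under 300 bytes and both paths agree. The practical check for a defender is therefore whether the inspection engine reassembles the TCP stream before parsing the ClientHello, and what action it takes when it cannot classify a flow.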

How Can You Test

For any customers utilising application and URL filtering technologies, simply attempt to connect to a blocked category using a Chromium based browser on your secure network. Were you able to connect to a known blocked site?

If in doubt about testing, please seek appropriate approval from your line management first, so that the test does not raise concerns with your security team about your online behaviour.

What Can You Do

An immediate fix for managed endpoints is to set the control flags in the Chromium based browsers to disable the TLS 1.3 Hybridized Kyber Support.
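The control flag in question is Chromium's enterprise policy `PostQuantumKeyAgreementEnabled` (Chrome 124 and above; Microsoft Edge exposes a policy of the same name). On Windows it is a DWORD value of 0 under `HKLM\SOFTWARE\Policies\Google\Chrome` (or `HKLM\SOFTWARE\Policies\Microsoft\Edge`), and on Linux a JSON fragment in the browser's managed policy directory. Google documents the policy as a temporary measure, so treat it as a stopgap while vendor fixes land. The Python helper below is an added example, not SEP2's, Google's or Microsoft's tooling: it renders the policy fragment, reads back whatever fragments already exist in a managed directory, and reports the effective state so the rollout can be audited. The directory paths are assumptions based on default package installs, and the fragment file name is constructed.

```python
import json
from pathlib import Path
from typing import Iterable, List

POLICY_NAME = "PostQuantumKeyAgreementEnabled"   # Chrome/Edge enterprise policy, Chrome 124+
POLICY_FILE = "99-disable-hybrid-kyber.json"      # constructed name; every *.json in the dir is read

# Managed policy directories on Linux (assumption: default package install paths).
POLICY_DIRS = {
    "Google Chrome": Path("/etc/opt/chrome/policies/managed"),
    "Chromium": Path("/etc/chromium/policies/managed"),
    "Microsoft Edge": Path("/etc/opt/edge/policies/managed"),
}


def render_policy(enabled: bool = False) -> str:
    """JSON body of a managed policy fragment; False turns off the X25519Kyber768 hybrid."""
    return json.dumps({POLICY_NAME: enabled}, indent=2) + "\n"


def effective_state(policies: Iterable[dict]) -> str:
    """Fold the policy dicts found in a managed directory into one verdict.

    'disabled'    - a fragment sets the policy to false (the fix is in place)
    'enabled'     - a fragment explicitly sets it to true
    'conflicting' - fragments disagree, which needs cleaning up before relying on it
    'default'     - nothing mentions the policy, so on 124+ the hybrid stays on
    """
    values = {p[POLICY_NAME] for p in policies if POLICY_NAME in p}
    if values == {False}:
        return "disabled"
    if values == {True}:
        return "enabled"
    if values:
        return "conflicting"
    return "default"


def load_policies(policy_dir: Path) -> List[dict]:
    """Read every *.json fragment in a managed directory (a missing directory yields none)."""
    if not policy_dir.is_dir():
        return []
    return [json.loads(f.read_text()) for f in sorted(policy_dir.glob("*.json"))]


def write_policy(policy_dir: Path) -> Path:
    """Drop the disabling fragment into the directory (root is needed on a real system)."""
    policy_dir.mkdir(parents=True, exist_ok=True)
    target = policy_dir / POLICY_FILE
    target.write_text(render_policy(False))
    return target


if __name__ == "__main__":
    # Audit mode: report the effective state for each browser without changing anything.
    for browser, directory in POLICY_DIRS.items():
        print(f"{browser:15s} {directory}: {effective_state(load_policies(directory))}")
```

Chromium reads the managed directory at start-up, so the browser must be restarted after the fragment is written; `chrome://policy` (or `edge://policy`) then shows the policy with its source, which is the quickest way to confirm it has applied on a given endpoint.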

When using full SSL decryption, this issue does not present itself and security policy evaluation for websites functions as per the policy definitions you have configured today. Only when using certificate-based checks on the SAN and SNI for domain, server name and reputation-based lookups will your user estate potentially be affected. Enabling full SSL decryption where it is not currently in place does require some planning and thought about trusted certificate distribution, as well as consideration of the additional load on the firewall systems in scope.

The Firefox browser is not currently presenting the same issues; however, corporate management and control of the Firefox browser should be high on your list of considerations. Can you control user behaviour as per your security policies using Firefox? Are applications fully tested in Firefox? Can you manage your certificates through Firefox in the same way you do today?

For any customers who find this issue present in their environment, please log a call with the SEP2 helpdesk and we will reach out to your respective vendor support to understand the immediate options for patching your estate where a fix has been made available by the vendor. SEP2 is still in the process of understanding which vendors have public fixes versus private fixes available only upon request.

External Reading

https://www.techradar.com/pro/security/google-chromes-new-post-quantum-cryptography-is-causing-some-issues

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OiLCAU&lang=en_US

https://live.paloaltonetworks.com/t5/general-topics/ssl-inspection-issues-with-globalprotect-users/td-p/584535

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filter-is-not-blocking-websites-on-Google/ta-p/297956
https://community.checkpoint.com/t5/Security-Gateways/Blocked-Porn-is-getting-through/m-p/212581#M40368

Reddit, r/sysadmin, post by u/snakeasaurusrexy: Chrome 124 Breaks TLS Handshake

https://www.sonicwall.com/support/knowledge-base/websites-randomly-gets-blocked-or-allowed-with-no-changes-made-after-browser-upgrades-v124/240422222041287/

https://learn.microsoft.com/en-us/answers/questions/1659673/microsoft-edge-versions-123-and-124-are-encounteri

SEP2 Support

If in any doubt, please speak with SEP2 as your trusted support partner or Wingman service provider to discuss the best options going forward for your environment where this issue is currently presenting itself in your network.

For all questions around this release, please contact the SEP2 Technical Services helpdesk via [email protected], by calling 0330 043 5737, or via the SEP2 helpdesk portal at https://www.sep2.support/, and a member of the Technical Services team will respond to you accordingly.
