The problem comes from BlueCoat and other proxies failing to support TLS 1.3, blocking Internet access in the process

Feb 28, 2017 11:42 GMT
Google Chrome gets security update, makes computers fail to connect due to proxies

Google's latest Chrome update caused a lot of problems for users who were left unable to reach the web. The problem extended to Chromebooks, which are widely used in schools where the Internet connection is protected by proxies such as Symantec's BlueCoat.

The problem, however, doesn't seem to stem from Google itself, but rather from Symantec's BlueCoat, a man-in-the-middle SSL web proxy used by an entire school system in Maryland where some 120,000 Chromebooks and multiple PCs running the Chrome web browser were affected.

The Symantec BlueCoat system uses ProxySG technology to examine web content encrypted with Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which is obviously a very handy feature. The problem, it seems, was that BlueCoat doesn't come with support for the newest standard web security protocol, namely TLS 1.3.

This settles the question of who is to blame, since there is nothing Google could have done about it, aside from not upgrading its security standards for the rest of its users. Google itself puts the blame solely on BlueCoat and other web proxy vendors, who had been made aware of the upgrade in TLS months ago but did not prepare accordingly.

Better protection, but not yet supported

TLS, as you know, is SSL's trusty successor, protecting everyone as best as possible. In fact, the TLS 1.3 version, which is still being finalized, blocks attacks that worked against the 1.2 version, as well as any earlier security protocols. In addition, it helps speed up web connections.

This new TLS update is a major overhaul bringing both security and speed, and it's not really a big surprise that support is not yet universal.

In fact, TLS 1.3 is currently supported by Firefox, Chrome and Opera, while Apple and Microsoft are working on supporting it in Internet Explorer 11, Edge and Safari. For its part, however, Google decided that its latest update would fully support only TLS 1.3, which is why the problem occurred.

Google and Mozilla predicted a long time ago that this type of TLS decryption problem was going to happen, given how badly vendors were found to handle TLS inspection. BlueCoat, for instance, blocks the Internet connection when Chrome tries to connect via TLS 1.3 instead of displaying a successful connection.

Fixing the problem

The problem has some fixes. The manual way to resolve it is to force Chrome 56 to use TLS 1.2: open chrome://flags/#ssl-version-max and, on the screen that appears, change the flag from Default to TLS 1.2.

The drawback is that this only works for the current user, and it can't be repeated by hand on thousands of Chromebooks or PCs, especially in a school system.

For now, Google has announced that it has set Chrome so that, when it can check in, it will receive instructions to disable TLS 1.3. For Chrome to do this, you have to set your web proxy so that it doesn't intercept TLS traffic until all devices have been upgraded.
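To check from a machine behind the proxy whether the path shows the symptom described above (a connection that fails when TLS 1.3 is offered but works when capped at TLS 1.2), an administrator could run a probe like the following. It is an added example, not code from Google or Symantec; the function names and verdict strings are made up for illustration, and it tests the TLS 1.3 that current Python/OpenSSL builds speak, not the draft version Chrome 56 shipped.

```python
import socket
import ssl

def handshake(host, max_version, port=443, timeout=5.0):
    """One TLS handshake capped at max_version; negotiated version or None."""
    ctx = ssl.create_default_context()   # system trust store (incl. proxy CA)
    ctx.maximum_version = max_version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()     # e.g. "TLSv1.3" or "TLSv1.2"
    except OSError:                      # resets, timeouts, ssl.SSLError
        return None

def classify(offer_13, offer_12):
    """Map the two handshake results to a verdict for this network path."""
    if offer_13 == "TLSv1.3":
        return "tls13-ok"
    if offer_13 is not None:
        return "negotiated-down"         # clean fallback, users unaffected
    if offer_12 is not None:
        return "tls13-intolerant"        # the failure described in the article
    return "unreachable"                 # both fail: DNS, routing or cert trust

def probe(host, connect=handshake):
    """Offer up to TLS 1.3, then up to TLS 1.2, and classify the path."""
    return classify(connect(host, ssl.TLSVersion.TLSv1_3),
                    connect(host, ssl.TLSVersion.TLSv1_2))

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:            # hostnames given on the command line
        print(name, probe(name))
```

A "tls13-intolerant" verdict for sites that report "tls13-ok" from an unfiltered network points at the intercepting device rather than the site.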