Data Scientists Worry Over TLS Post-Quantum Strength

Legacy versions of the transport layer security protocol are struggling to keep up with many of the modern threats that netizens face on a daily basis, which is why Blink-based browsers now include a flag to enforce deprecation of these older versions. In spite of this, both TLS 1.0 and 1.1 are still widely used by a number of sites, though browser developers do plan to completely remove support for both of these technologies in the near future. Post-quantum confidentiality concerns are of special interest to data scientists debating continued support for these legacy versions, due in part to the fact that they are more or less compromised even as far as pre-quantum computing algorithms are concerned.

Users have been given the option to enable a flag in Chromium and its many derivatives that will force a CECPQ2-based key exchange algorithm in TLS. This exchange is more resistant to quantum computing hardware than the traditional algorithm would have been, which should help to reduce the risk of cyberattacks that make use of this kind of advanced hardware. That being said, the system isn’t necessarily foolproof, seeing as it’s clearly designated as an experiment by developers.

Moreover, data scientists are concerned that many users who do have it switched on might still be utilizing older versions of TLS that compromise any mitigation that this feature might stand to offer.

TLS 1.0 & 1.1 in a Post-Quantum World

The need to upgrade to TLS 1.2 or greater is well-known and has been a goal now of the Mozilla Foundation as well as those who code browsers designed to work with the Blink engine. On the other hand, individual users might have still switched these compromised protocols on, in part because they’re needed to access certain sites. If a favored web app threw up an error message each time a particular user tried to visit, then there might be some reason for doing so. While this may be excusable in some specific corporate Intranet settings, it isn’t really an acceptable practice by and large.

As a result, specialists are concerned that quantum computer-based attacks would actually focus more on browsers that still allow the use of these protocols as opposed to figuring out ways to deal with the challenges raised by post-quantum cryptographic algorithms. Most data thieves are naturally going to attempt to go for the low hanging fruit in almost any scenario, thus making TLS 1.0-enabled machines a particularly attractive option.

Site operators, however, can help to reduce the risk of this happening by ensuring that their own back-end software is updated and not reliant on any dated protocols that are making it more difficult for netizens to leave these technologies behind.
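As an added illustration of that operator-side check (not code from the original article), the sketch below audits a web server configuration for legacy protocol versions. It assumes an nginx-style `ssl_protocols` directive; the sample configuration and hostnames are constructed.

```python
import re

# Versions the article treats as legacy, plus the older SSL releases.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}
DIRECTIVE = re.compile(r"\s*ssl_protocols\s+([^;]+);")

# Constructed sample configuration (hostnames are placeholders).
SAMPLE_CONFIG = """\
server {
    server_name legacy.example;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    server_name modern.example;
    # ssl_protocols SSLv3 TLSv1;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def audit_ssl_protocols(config_text):
    """Report every active ssl_protocols directive and the legacy versions it enables."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        active = raw.split("#", 1)[0]  # ignore commented-out text
        match = DIRECTIVE.match(active)
        if not match:
            continue
        enabled = match.group(1).split()
        legacy = sorted(v for v in enabled if v in LEGACY)
        findings.append({
            "line": lineno,
            "legacy": legacy,
            # Acceptable only if nothing legacy is on and TLS 1.2+ is offered.
            "ok": not legacy and any(v in MODERN for v in enabled),
        })
    return findings

if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE_CONFIG):
        status = "ok" if f["ok"] else "drop " + ", ".join(f["legacy"])
        print(f"line {f['line']}: {status}")
```

A directive that still lists TLS 1.0 or 1.1 alongside 1.2 is reported as failing, since the older versions remain negotiable for any client that asks for them.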

Updating TLS & SSL Services Locally

Considering that getting a free SSL certificate isn’t at all difficult, there’s no reason why more sites shouldn’t be using the technology. Unfortunately, a shockingly large number of sites online are using expired certificates if they even have any at all. Users who rely on resources tied to these systems are therefore in a weird place where they have to pick between sacrificing their own privacy and forgoing a resource that they might have to use.

Nevertheless, some site administrators may actually be using older security technologies simply because their users have raised complaints. Those who continue to open their browsers on machines running Mac OS X El Capitan or older might not be able to access some sites due to the fact that a blanket security certificate expired. The expiration of this certificate itself isn’t necessarily a negative force, considering that it was done to help protect users in order to ensure that they themselves would be safe in a post-quantum digital world.

However, some people more than likely have complained due to this and administrators responded by lowering their own protocols to encourage users of these platforms to continue to work with their web apps. That’s particularly concerning due to the fact that a new type of malware can attack Chrome on Macintosh machines.

A few data specialists have suggested that individual netizens may be able to force changes by flipping controls on their own machines.

Editing Flags to Make the World Safer

It only takes a few seconds to change flags in Blink and V8-based browsers that would immediately discontinue their allowance of TLS 1.0 and 1.1 connections while also enabling a post-quantum level of encryption. By changing these and letting site operators know when doing so breaks things, users can be a powerful force that may encourage change and cause administrators to install packages that they might have otherwise missed out on. Eliminating unnecessary extensions as well as NPM packages may also help, especially because doing so may force site operators to eliminate any requirements that they had for users to download and install these things before working with their sites. Support for a number of different APIs as well as file transfer systems now exists in all of the major open source browsers, which makes it unlikely that there’s any real need for this kind of technology in most cases.

Considering that a majority of users may be unfamiliar with doing so, it may be left up to organizational IT departments to actually go around flipping flags and making internal edits. While the official documentation for most browsers currently discourages that behavior, there’s no reason to believe it might not be praised in the near future. That’s especially true if doing so ends up making more sites upgrade their existing SSL certificates than ever before.

After all, there are plenty of sites still on the web that haven’t done so in quite a long time.

PKI-Security Engineer & security blogger at gbhackers.com. She is passionate about covering cybersecurity and Technology.
