If you’re in the Montgomery County area, you probably already know the news.
Montgomery County schools have adopted Chromebooks with wide-open arms, with over 120,000 Chromebooks or PCs running the Chrome browser.
A recent security issue caused about 30% of these devices to fail during login authentication. Many desktops also couldn’t connect to the Internet.
Last updated: 6/1/17.
This all happened when Chrome was updated to version 56. The disconnect was sudden and immediate, so there’s nothing else to attribute it to.
However, it wasn’t really Google’s fault.
Montgomery County schools use BlueCoat, which is basically a “gateway” that protects its users by standing in the middle of the connection.
So you have something like this (simplified, of course):
Chrome device > BlueCoat > Internet
Technically speaking, it’s a man-in-the-middle SSL web proxy. It uses sophisticated software to inspect SSL certificates and TLS web content. It’s basically a giant web filter built to block the websites the district wants kept away from its computers and students.
However, BlueCoat (a company owned by Symantec) doesn’t support TLS 1.3, the newest web security protocol. This causes issues.
TLS is the new SSL. Version 1.3 is the newest update and closes many security issues that 1.2 had. It’s also tuned for performance and is much faster than TLS 1.2: it removes one round trip between the user and the server, which speeds up page load times by about 20%.
Nick Sullivan, a security expert from the well-known CDN service Cloudflare, states:
“This update, the first since 2008, is a major overhaul that provides both increased security and enhanced speed, especially on mobile networks…TLS 1.3 improves request speeds by requiring one less round trip to connect to an internet application, compared to previous versions, and can decrease page load times by 20 percent.”
When the TLS version updates, browsers must update too. Firefox, Chrome, and Opera already support TLS 1.3. Other browsers, such as Microsoft’s Edge and Apple’s Safari, are currently working on implementing it.
For our interests, Chrome was updated to TLS 1.3 in the Chrome 56 update.
So what’s the actual problem causing the login errors?
Well, when BlueCoat tries to work with TLS 1.3, it basically downgrades to TLS 1.2. It just hiccups and stutters: instead of processing the request as is, it handles it as 1.2.
When Chrome tries to connect as TLS 1.3, BlueCoat says “nope” and stops the connection.
How do I fix the TLS 1.3 issue?
Well, you shouldn’t have to.
It’s mainly on BlueCoat for not updating their security protocols. Chrome stated that they announced TLS 1.3 support on the Chromium blog well ahead of the rollout, but BlueCoat didn’t follow up.
BlueCoat’s response is that they’re already aware of the issue and are working to resolve it.
Chrome has made a fix where it’ll default back to TLS 1.2 due to this issue. If you’re on a Chromebook, logging into it will fix the issue. If you’re on a desktop, you’ll have to go to any Google site (YouTube, Gmail, etc.) and it should fix it.
If you want to force Chrome 56 to go back to TLS 1.2, you can do so by typing in:
And then changing the option from “Default” to “TLS 1.2.”
This will force your version of Chrome to go back a step. It should work if you’re blocked out of any site.
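An added example, not code from Google or BlueCoat: a Python check an administrator could run from a machine behind the filter to see whether offering TLS 1.3 breaks a handshake that succeeds when capped at TLS 1.2, which is the behaviour described above. The function names and result labels are assumptions made for illustration, and the host is whatever you pass on the command line.

```python
import socket
import ssl
import sys


def make_context(max_version):
    """Client context offering TLS 1.2 up to max_version, normal cert checks."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = max_version
    return ctx


def probe(host, port, max_version, timeout=5.0):
    """Return the negotiated version ("TLSv1.3"/"TLSv1.2") or None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = make_context(max_version)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # covers ssl.SSLError, connection resets and timeouts
        return None


def diagnose(with_tls13, tls12_only):
    """Classify the path from the two probe results (labels are illustrative)."""
    if with_tls13 == "TLSv1.3":
        return "ok: TLS 1.3 negotiated"
    if with_tls13 == "TLSv1.2":
        return "downgraded: TLS 1.3 offered, TLS 1.2 negotiated"
    if tls12_only == "TLSv1.2":
        return "intolerant: handshake fails unless capped at TLS 1.2"
    return "failed: no handshake succeeded (unreachable or untrusted cert)"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls13_probe.py HOST")
    host = sys.argv[1]
    offered_13 = probe(host, 443, ssl.TLSVersion.TLSv1_3)
    capped_12 = probe(host, 443, ssl.TLSVersion.TLSv1_2)
    print(host, "->", diagnose(offered_13, capped_12))
```

A “downgraded” result only shows that something on the path, either the server or an intercepting proxy, did not negotiate TLS 1.3; running the same check from outside the filter tells you which.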
Later on, newer versions should use TLS 1.3 once all these bugs are worked out. Many security vendors are having the same issue, not just BlueCoat.
As for now, we’ll just wait for the issue to be fixed as BlueCoat and Co. catch up. With so many school districts turning to Chromebooks, you’d think it should be something that’s prevented and well thought over before it ends up in a huge mess, like this one.
Update: Google has told The Register that it has halted the TLS 1.3 rollout to Chromebooks because of the incompatibilities with BlueCoat and others. They’re working with vendors to fix it in the meantime. Only about 10% of Chrome users have the TLS 1.3 update, so the rest of the userbase shouldn’t be affected by the update. I’ll keep posting updates until this is resolved.