Following browser updates in early 2024, the hybridized Kyber algorithm under TLS 1.3 was enabled by default in modern browsers including Google Chrome, Firefox, and Edge (see the table below for details). This change, intended to enhance security, unfortunately led to compatibility issues that affected access to the Splashtop Gateway web console.
Affected Browsers
Browser | Windows | Mac | Linux | ChromeOS | Android | iOS |
---|---|---|---|---|---|---|
Chrome | Chrome 124 | Chrome 124 | Chrome 124 | Chrome 124 | 10% since Chrome 118 | n/a |
Firefox | about:config | about:config | about:config | n/a | about:config | n/a |
Safari | Unavailable | Unavailable | Unavailable | n/a | n/a | Unavailable |
Table last updated 2024-05-06
- All browsers on iOS internally use WebKit, and so the rollout is dependent on Apple.
- There is no Firefox or Safari for ChromeOS.
- There is no Safari for Android.
Why the Bug?
The Internet is currently transitioning to post-quantum cryptography (PQC), a necessary shift given the potential of future quantum computers to break most existing public-key cryptosystems. This transition aims to secure digital communications against such advanced threats before quantum computers become operational.
The TLS protocol allows a server and client to negotiate cryptographic algorithms based on mutual compatibility. Ideally, servers that do not yet support post-quantum algorithms should ignore these options and default to classical algorithms instead.
The complication arises with TLS ClientHello messages, which are significantly larger when offering post-quantum cryptography than their classical counterparts. This increase in size can result in messages that exceed the single-packet transmission threshold, which breaks the TLS handling mechanism applied in our server.
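The size effect described above, as an added example that is not Splashtop's code: it builds a constructed ClientHello-shaped record with a classical and a hybrid key share, splits it at an assumed 1460-byte TCP segment size, and compares a handler that parses only the first read with one that buffers until the record length is satisfied. The single-read failure mode, the filler sizes and all function names are assumptions made for illustration.

```python
import struct

MSS = 1460                    # assumed TCP payload per segment (1500-byte MTU)
X25519_SHARE = 32             # classical key share size in bytes
X25519KYBER768_SHARE = 1216   # hybrid share: 32 (X25519) + 1184 (Kyber768)

def build_client_hello(key_share_len):
    """Constructed ClientHello-shaped record; only framing and size are realistic."""
    filler = bytes(300)       # stands in for cipher suites and other extensions
    body = b"\x03\x03" + bytes(32) + b"\x00" + filler + bytes(key_share_len)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def segment(data, mss=MSS):
    """Split a byte stream into MSS-sized chunks, modelling one chunk per read."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]

def parse_record(buf):
    """Return the handshake payload if buf holds a complete record, else None."""
    if len(buf) < 5:
        return None
    ctype, _version, length = struct.unpack("!BHH", buf[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    if len(buf) < 5 + length:
        return None           # record continues in a later segment
    return buf[5:5 + length]

def fragile_read(reads):
    """Assumed failure mode: treat the first read as the whole ClientHello."""
    return parse_record(reads[0])

def robust_read(reads):
    """Buffer reads until the length in the record header is satisfied."""
    buf = b""
    for chunk in reads:
        buf += chunk
        payload = parse_record(buf)
        if payload is not None:
            return payload
    return None

if __name__ == "__main__":
    for name, size in (("classical", X25519_SHARE), ("hybrid", X25519KYBER768_SHARE)):
        reads = segment(build_client_hello(size))
        print(name, len(reads), "segment(s)",
              "fragile ok:", fragile_read(reads) is not None,
              "robust ok:", robust_read(reads) is not None)
```
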
Typical behavior when the bug is hit
When navigating the Splashtop Gateway Web Portal, some pages fail to open with error messages similar to the one below displayed at the bottom of the window.
"Connect to remote server failure!: Http failure response for /api/web/vi/sys/status?info=0: 0 Unknown Error"
How to fix the issue
A quick workaround is to disable "TLS 1.3 hybridized Kyber support" in the browser.
Edge browser:
Enter "edge://flags/" in the address bar at the top and look for the option "TLS 1.3 hybridized Kyber support". Change the option from default to disabled and relaunch the browser.
Chrome browser:
Enter "chrome://flags/" in the address bar and press Enter.
Look for the same option, "TLS 1.3 hybridized Kyber support", change it from default to disabled, and relaunch the browser.
To completely fix the issue, please upgrade the Splashtop Gateway to the latest v3.28.2. Downloads of the Gateway installer and instructions to perform the upgrade are available in the link below:
Kindly be reminded to take a backup of the Splashtop Gateway before executing the upgrade.