GOOGLE HAS ANNOUNCED that it improved HTTPS connections for Chrome for Android, making it three times faster and stronger against future security vulnerabilities like Heartbleed.
"Earlier this year, we deployed a new TLS cipher suite in Chrome that operates three times faster than AES-GCM on devices that don't have AES hardware acceleration, including most Android phones, wearable devices such as Google Glass and older computers," Google anti-abuse research lead Elie Bursztein explained.
Bursztein said that the update improves the user experience, reducing latency and saving battery life by cutting the amount of time spent encrypting and decrypting data.
He added, "To make this happen, Adam Langley, Wan-Teh Chang, Ben Laurie and I began implementing new algorithms - Chacha 20 for symmetric encryption and Poly1305 for authentication - in OpenSSL and NSS in March 2013."
The effort required implementing a new abstraction layer in OpenSSL in order to support the Authenticated Encryption with Associated Data (AEAD) encryption mode properly.
"AEAD enables encryption and authentication to happen concurrently, making it easier to use and optimize than older, commonly-used modes such as CBC. Moreover, recent attacks against RC4 and CBC also prompted us to make this change," Bursztein said.
Google said the benefits of this new cipher suite include better security, as Chacha20 is immune to padding-oracle attacks, which affect CBC mode as used in TLS. By design, Chacha20 is also immune to timing attacks.
The new cipher also delivers better performance, because Chacha20 and Poly1305 are very fast on mobile and wearable devices, as their designs are able to leverage common CPU instructions, including ARM vector instructions.
"Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes," Bursztein added. "This represents a 16 percent reduction of the TLS network overhead incurred when using older ciphersuites such as RC4-SHA or AES-SHA."
Google plans to make it available as part of Android in a future release. µ
Facebook has more influence than meets the eye
Attackers could 'easily compromise' an entire company by exploiting AV security flaws
Nobody knows it, but you've got a secret smiley
Plummeting pound forces firm's hand