Google Chrome 72 removes HPKP, deprecates TLS 1.0 and TLS 1.1

Google security engineers also fixed 58 security bugs.

Google's changes to Chrome have users and experts up in arms Browser maker faces backlash for failing to inform users about Chrome Sync behavioral change. Read more: https://zd.net/2xym3FL

Hours after Mozilla released Firefox 65 earlier today, Google has done the same and put out its latest Chrome version, v72, with updates for Windows, Mac, Linux, and Android users.

Also: Google Chrome to add drive-by-download protection

While during the past three-four releases Google has spoiled users with changes on the UI & UX (user interface & user interaction) side of Chrome, today's release is heavy with changes to the browser's underlying Web APIs and protocols.

Of all the changes, there are three important updates that users need to be aware of in Chrome 72. The most important of the three is the complete removal of support for the HTTP-Based Public Key Pinning (HPKP) standard (RCF 7469).

Google previously announced its long-term plans on HPKP in October 2017, and first deprecated the standard in Chrome 65, released in March 2018.

While deprecated, Chrome showed errors in the developer console for site owners. Now that it's removed, Chrome won't support sites that use HPKP at all, refusing to pin public keys. Fortunately, this won't affect that many websites, since HPKP was a pain to implement, and a very small fraction of websites ever used it anyway.

Website owners currently supporting HPKP should probably stop doing so, since Chrome, the world's most popular browser won't honor key pins anymore.


Must read


The second major change in version 72 is that Chrome won't render any resources loaded via the FTP protocol.

Chrome will continue to display FTP directory listings, but when a website is loading an image or JavaScript file hosted on an FTP link, Chrome will prompt the user to download it instead of rendering the image or running the file.

The third major change in Chrome 72 is the deprecation of the ancient TLS 1.0 and TLS 1.1 standards. This move is just the first step taken to remove support for the two standards by Chrome 81, scheduled for release in early 2020.

Google previously announced these plans last year, together with Apple, Microsoft, and Mozilla, which said they'd be doing the same thing for their respective browsers.

Chrome 72 is only deprecating TLS 1.0 and TLS 1.1, meaning that when users access an HTTPS site using legacy TLS 1.0 or 1.1 certificates, Chrome will show an error in its developer console, but not block users from accessing the site. This will happen starting with Chrome 81.

With today's release, Chrome's new version number is 72.0.3626.81. Windows, Mac, Linux, and Android users should be able to install the update using Chrome's built-in updater. The full Chrome 71 changelog is available here (slow-loading link).

Google also patched 58 security bugs in Chrome 72, detailed here. Two blog posts from the Chromium and Google Developers teams detail Chrome 72's developer-centric features (also detailed in the video below).

Related stories:

More browser coverage: