Chrome 6 might break your Gmail (when behind proxies in corporate environments)

This morning, following the release of Chrome 6, I decided to upgrade to the latest version.

But as soon as I tried going to Gmail I got the following error:

SSL connection error. Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

Error 128 (net::ERR_SSL_UNSAFE_NEGOTIATION): The SSL renegotiation extension was missing from the secure handshake. For some sites, which are known to support the renegotiation extension, Chrome requires a more secure handshake to prevent a class of known attacks. The omission of this extension suggests that your connection was intercepted and manipulated in transit.

This happens because “starting with 6.0.453.1 Chrome began requiring the TLS renegotiation extension from a small number of sites (Gmail included). This extension is required to prevent TLS renegotiation attacks”. This means that if you use Gmail (or any other Google application, like Docs, Reader and so on) over HTTPS and you are behind a proxy that alters in some way the data passed (like MITM proxies), you will not be able to access Gmail any more.

This problem has been reported on Google Chrome forums and also in the issue tracker of Chromium, but has been marked as invalid because they are now trying to increase the security, implementing the renegotiation extension.

While this is a good thing, most companies are not always up to date with the latest technologies, and since this extension is standard since “just” 6 months, Google cannot expect everyone to have it implemented already.

What you should do if you have already installed and you get the SSL Connection Error?

[UPDATE] After having commented on the Chromium bug, Adam Langley answered that if you manually specify a proxy, the check is disabled automatically. And if you have a transparent proxy (so no proxy configured in the options) you can disable the check using the command-line option: --allow-ssl-mitm-proxies.

Thank you Adam for also commenting here with the complete explanation of the problem.

The only thing you can do is revert Google Chrome back to version 5. Unfortunately this requires you to uninstall Chrome, and reinstall the old version using the offline installer that you can download from Google site at the following address: ~~http://dl.google.com/chrome/install/375.55/chrome_installer.exe~~

Unfortunately uninstalling Chrome means you loose all your stored passwords and some other things because a Chrome 6 profile cannot be read from Chrome 5. So if you are unsure, do a backup of your profile folder before trying to update to Chrome 6.

I hope Chrome either allow users to “ignore” some errors, like they do when the certificate is not valid, and that in meantime all MITM proxies get updated to support the renegotiation extension (and all IT guys install the updated version).

Tags: Chrome,MITM,proxy