Bulletproof TLS Newsletter

Bulletproof TLS Newsletter delivers fresh SSL/TLS and Internet PKI
news straight to your inbox, once a month.

• Issue #67 - Intermediate certificates with OCSP capability cause trouble30 Jul 2020

Previous Issues

• Issue #66 - Expired AddTrust certificate causes trouble30 Jun 2020
• Issue #65 - Private key of DigiCert Certificate Transparency log compromised28 May 2020
• Issue #64 - GCC code analyzer finds bug in OpenSSL30 April 2020
• Issue #63 - The Let’s Encrypt Certificate Authority Authorization incident31 March 2020
• Issue #62 - One-year certificate lifetimes are coming27 February 2020
• Issue #61 - Vulnerability in Windows allows certificate forgery with elliptic curves30 January 2020
• Issue #60 - New factoring and discrete log records, but RSA stays safe31 December 2019
• Issue #59 - Testing of delegated credentials begins28 November 2019
• Issue #58 - Elliptic curve implementations vulnerable to Minerva timing attack31 October 2019
• Issue #57 - Mozilla and Chrome about to enable DNS over HTTPS26 September 2019
• Issue #56 - Firefox and Chrome will remove GUI indicator for Extended Validation certificates29 August 2019
• Issue #55 - Kazakhstan intercepts TLS traffic30 July 2019
• Issue #54 - Network Time Security (NTS) could finally bring support for authenticated network time27 June 2019
• Issue #53 - Certificate Authority Certinomis removed from Firefox browser 30 May 2019
• Issue #52 - Gmail starts using MTA-STS 30 April 2019
• Issue #51 - Trouble with a missing random bit in serial numbers 28 March 2019
• Issue #50 - DarkMatter from the United Arab Emirates operates a certificate authority 28 February 2019
• Issue #49 - Disabling insecure Let’s Encrypt validation will cause broken HTTPS setups for Debian and Ubuntu users 31 January 2019
• Issue #48 - Google starts CECPQ2, a new postquantum key exchange for TLS 3 January 2019
• Issue #47 - Attacking cryptography with side channels 29 November 2018
• Issue #46 - The end of TLS 1.0 and 1.1 30 October 2018
• Issue #45 - Visa certificate authority in trouble 27 September 2018
• Issue #44 - TLS 1.3 is here 30 August 2018
• Issue #43 - Chrome now says “not secure” for HTTP web pages 31 July 2018
• Issue #42 - Does TLS have to change constantly to make it future-proof? 28 Jun 2018
• Issue #41 - Domain fronting: Cloud providers stop censorship-circumvention tool 31 May 2018
• Issue #40 - Certificate Transparency logging is now mandatory 30 April 2018
• Issue #39 - Trustico debacle shows risk of key generation by resellers 29 March 2018
• Issue #38 - Chrome will mark HTTP pages as not secure 28 February 2018
• Issue #37 - Cloud provider vulnerability causes Let's Encrypt to disable SNI domain validation 31 January 2018
• Issue #36 - Private keys in software from Blizzard, Electronic Arts, Microsoft, and the German Federal Bar 3 January 2018
• Issue #35 - Return of Bleichenbacher's Oracle Attack (ROBOT) 12 December 2017
• Issue #34 - Comodo gets controversial new owner 30 November 2017
• Issue #33 - Why TLS 1.3 isn’t there yet 31 October 2017
• Issue #32 - CAA is now mandatory 28 September 2017
• Issue #31 - Symantec sells certificate business to DigiCert 31 August 2017
• Issue #30 - Leaked private keys and revocations based on fake private keys 31 July 2017
• Issue #29 - Cisco and Spotify ship private keys in applications 29 June 2017
• Issue #28 - Let's Encrypt downtime 31 May 2017
• Issue #27 - Certificate Transparency requirement delayed 28 April 2017
• Issue #26 - Google plans to distrust all current Symantec certificates 30 March 2017
• Issue #25 - SHA-1 is broken 28 February 2017
• Issue #24 - Firefox and Chrome start warning about insecure login forms 31 January 2017
• Issue #23 - 2016: The year HTTPS became dominant 4 January 2017
• Issue #22 - TLS 1.3 in final stages and SHA-1 deprecation 30 November 2016
• Issue #21 - Certificate Transparency for all new certs, backdoors in primes, WoSign and Comodo incidents 27 October 2016
• Issue #20 - Mozilla no longer trusts WoSign and StartCOM, Comodo issues top level sb and tc certificates 29 September 2016
• Issue #19 - SWEET32, HEIST/TIME, PAC and WPAD leak HTTPS URLs 31 August 2016
• Issue #18 - Version Intolerance and TLS 1.3, Google uses Post-Quantum Cryptography, StartEncrypt vulnerabilities 28 July 2016
• Issue #17 - Let's Encrypt trademark dispute, discrete logarithm record, ChaCha20 and TLS version fallbacks 30 June 2016
• Issue #16 - Nonce reuse in GCM, another Padding Oracle, HTTPS by default and Post-Quantum Cryptography news 26 May 2016
• Issue #15 - WordPress.com and others enable HTTPS by default 28 April 2016
• Issue #14 - SMTP Strict Transport Security may improve transport encryption for email 31 March 2016
• Issue #13 - DROWN attack shows danger of supporting old SSL v2 protocol 1 March 2016
• Issue #12 - OpenSSL security update and the trouble with non-safe primes 25 February 2016
• Issue #11 - New SLOTH and CurveSwap attacks against TLS discovered 27 January 2016
• Issue #10 - CloudFlare and Facebook propose to delay SHA1 deprecation 21 December 2015
• Issue #9 - eDellRoot certificate endangers users of Dell computers 30 November 2015
• Issue #8 - RC4 finally going away 15 September 2015
• Issue #7 - Logjam attack against weak DH key exchange 21 May 2015
• Issue #6 - FREAK attacks SSL/TLS clients 06 March 2015
• Issue #5 - SHA1 deprecation continues 13 February 2015
• Issue #4 - New POODLE attack on TLS discovered 08 December 2014
• Issue #3 - Support for SSL v3 is eroding 28 November 2014
• Issue #2 - POODLE attack on SSL 3 16 October 2014
• Issue #1 - SHA1 Deprecation 02 October 2014