Feisty Duck's RSS Generator Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. https://www.feistyduck.com/newsletter/ en-us Tue, 31 Mar 2026 08:00:00 -0000 Tue, 31 Mar 2026 08:00:00 -0000 https://www.feistyduck.com/newsletter/issue_135_web_pki_reimagined_with_merkle_tree_certificates https://www.feistyduck.com/newsletter/issue_135_web_pki_reimagined_with_merkle_tree_certificates Tue, 31 Mar 2026 08:00:00 -0000 In the past several years, the world has been busy with the migration to post-quantum cryptography, but you couldn’t hear much of Google's plans when it comes to Web PKI. However, work has been in progress for several years, going back to at least early 2023. In late 2025, joining with other interested parties, Google migrated its work to an IETF working group called PLANTS. Work is now ongoing to refine the design and validate it in collaboration with Cloudflare. Recently, Google published a blog post to officially announce this work and provide further details about its future steps. In short, the core design is baked, and the remainder of 2026 will be spent on validating the core technology. In 2027, Google will bootstrap the next-generation Web PKI. https://www.feistyduck.com/newsletter/issue_134_messaging_encryption_has_come_a_long_way_but_falls_short https://www.feistyduck.com/newsletter/issue_134_messaging_encryption_has_come_a_long_way_but_falls_short Thu, 26 Feb 2026 10:00:00 -0000 We’ve had a pretty good couple of years when it comes to messaging security. Initially, adopting encryption stopped passive surveillance. Later, adoption of end-to-end encryption by the dominant platforms gave us much needed privacy. Some platforms, such as Apple and Signal, even led the way when it comes to resilience against cryptographically relevant quantum computers. Compare this situation to the poor state of email encryption, and the difference is like night and day. Despite this, some structural problems remain, and we’re even in danger of regressing. https://www.feistyduck.com/newsletter/issue_133_lets_encrypts_six_day_certificates_generally_available https://www.feistyduck.com/newsletter/issue_133_lets_encrypts_six_day_certificates_generally_available Thu, 29 Jan 2026 13:30:00 -0000 In January 2025, Let’s Encrypt announced it would offer short-lived certificates and, this month, it did. If you’ve been following the drama about the reduction of certificate lifetimes to only forty-seven days, wondering what the fuss was about—then this will be great news for you. Now you can go as low as six days (and a few hours). In addition, for the first time ever, Let’s Encrypt is now issuing certificates for IP addresses. https://www.feistyduck.com/newsletter/issue_132_openssl_performance_still_under_scrutiny https://www.feistyduck.com/newsletter/issue_132_openssl_performance_still_under_scrutiny Tue, 30 Dec 2025 11:00:00 -0000 A lot changed when OpenSSL 3 was first released. This version was supposed to bring significant improvements and modernize the project after nearly thirty years of development. Instead, it introduced significant performance regressions, essentially breaking the project for any high-volume deployment. It didn’t help that the previous stable version, the 1.1.1 branch, had been promptly deprecated. https://www.feistyduck.com/newsletter/issue_131_the_legend_of_kipp_hickman https://www.feistyduck.com/newsletter/issue_131_the_legend_of_kipp_hickman Wed, 26 Nov 2025 11:00:00 -0000 Working on the short news for this month’s newsletter, I came across Cypherpunks Hall of Fame, which has a long list of people who have contributed to encryption, privacy, and similar causes. Looking at the list, I couldn’t help but feel that it’s missing one very important person that made a significant contribution. https://www.feistyduck.com/newsletter/issue_130_web_pki_ditches_tls_client_authentication https://www.feistyduck.com/newsletter/issue_130_web_pki_ditches_tls_client_authentication Thu, 30 Oct 2025 09:00:00 -0000 In February 2025, Chrome updated its root store policy to version 1.6. Among the changes was a move to dedicated CA hierarchies for TLS server authentication, which meant that a root certificate included in Chrome’s root store can’t be used for any other purposes, anywhere. As a result, use cases such as client authentication, S/MIME, and code signing won’t be allowed, effective June 15, 2026. Although we’re still far from the deadline, CAs are already implementing the changes. For example, DigiCert and Sectigo both stopped issuing client certificates earlier this month. Let’s Encrypt will follow in February 2026. Effectively, by the end of May 2026, Web PKI will be used exclusively for authentication of TLS servers. https://www.feistyduck.com/newsletter/issue_129_waiting_for_static_ct_logs https://www.feistyduck.com/newsletter/issue_129_waiting_for_static_ct_logs Tue, 30 Sep 2025 12:30:00 -0000 Certificate Transparency (CT) has been a resounding success. It took about a decade, but we went from a world in which we don’t know what certificates are issued, why, and to whom, to complete visibility—at least for Web PKI, where CT is mandatory. This combination of visibility with increased scrutiny, continuous improvements in the detailed technical requirements for issuance, and linting helped us largely get Web PKI in order. https://www.feistyduck.com/newsletter/issue_128_google_debuts_device_bound_session_credentials_against_session_hijacking https://www.feistyduck.com/newsletter/issue_128_google_debuts_device_bound_session_credentials_against_session_hijacking Thu, 28 Aug 2025 12:30:00 -0000 HTTP cookies were never intended for session management, but that’s what we ended up with. Modern-day applications may have shifted to other methods, such as JSON Web Tokens (JWTs), but the traditional session management approach is based around the concept of a session identifier, which is a temporary authentication (bearer) token that gives access to the application session state. This is not insecure in itself, but it’s problematic when session identifiers are transported using cookies, which were never designed for security. These weaknesses gave rise to session hijacking attacks. https://www.feistyduck.com/newsletter/issue_127_encrypted_client_hello_approved_for_publication https://www.feistyduck.com/newsletter/issue_127_encrypted_client_hello_approved_for_publication Thu, 31 Jul 2025 10:00:00 -0000 TLS 1.3, which took about five years to complete and was released in 2018, changed everything. Starting with a two-decade legacy of cruft, the designers brought modern cryptography to TLS while maintaining backward compatibility. As a result, the upgrade process was smooth and most network traffic is now well-protected. Today’s operators no longer have to wrestle with a bazillion TLS configuration options; TLS 1.3 is just boringly secure. https://www.feistyduck.com/newsletter/issue_126_internet_pki_to_integrate_dnssec https://www.feistyduck.com/newsletter/issue_126_internet_pki_to_integrate_dnssec Mon, 30 Jun 2025 12:00:00 -0000 We use digital certificates to secure our network communication, but have you ever considered that the issuance of the certificates themselves is essentially trust on first use (TOFU)? This acronym is commonly used to refer to a trust model that’s bootstrapped on the assumption that the first interaction is with the intended party, but this assumption is not fully validated. https://www.feistyduck.com/newsletter/issue_125_passkeys_gain_momentum https://www.feistyduck.com/newsletter/issue_125_passkeys_gain_momentum Thu, 29 May 2025 10:00:00 -0000 Passwords are ubiquitous, but their best days could be behind us. Their replacement, passkeys, have already been deployed—cautiously—by some of the biggest companies on the planet. Apple, Google, Microsoft, and many others are all in. If you haven’t noticed the changes happening in the last couple of years, that’s probably because most companies are first adopting them as the default authentication method for new accounts. https://www.feistyduck.com/newsletter/issue_124_certificate_lifetimes_to_shrink_to_just_forty_seven_days https://www.feistyduck.com/newsletter/issue_124_certificate_lifetimes_to_shrink_to_just_forty_seven_days Wed, 30 Apr 2025 10:00:00 -0000 Apple has done it again. In 2020, when CAs refused to voluntarily accept shorter certificate lifetimes, Apple forced the issue and made everyone accept lifetimes of 398 days. Because Apple is so dominant, CAs had no choice. Now, five years later, Apple has done it again and restricted certificate lifetimes to only forty-seven days. On this occasion, the decision formally happened through the CA/Browser Forum as it should have been, because there was little resistance from CAs. The conversation started in October of last year and went through several iterations. The final ballot was SC-081v3 (see the discussion and results). https://www.feistyduck.com/newsletter/issue_123_mozilla_fixes_certificate_revocation_checking https://www.feistyduck.com/newsletter/issue_123_mozilla_fixes_certificate_revocation_checking Mon, 31 Mar 2025 16:00:00 -0000 You may recall from our January 2025 newsletter, which was dedicated to the demise of OCSP revocation checking (The Slow Death of OCSP), that Let’s Encrypt is planning to stop supporting OCSP in early May—only one month from now. Let’s Encrypt is the leading CA in terms of issued certificates, so its withdrawal from OCSP creates a problem for user agents that still rely on this method of revocation checking. This impending deadline may have spurned one such agent—Mozilla—to complete the outstanding work required to replace OCSP with a novel solution called CRLite. https://www.feistyduck.com/newsletter/issue_122_qwac_technical_details_emerge https://www.feistyduck.com/newsletter/issue_122_qwac_technical_details_emerge Fri, 28 Feb 2025 10:00:00 -0000 Remember the European Union’s qualified website authentication certificates (QWACs)? Back in 2022 and 2023, browsers and the EU got into a fight over who controls website authentication; we covered the topic extensively. A document released recently (ETSI TS 119 411-5 V2.1.1) gives some information about how QWACs might be implemented by browsers. https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp Thu, 30 Jan 2025 10:00:00 -0000 Everybody is talking about OCSP now because, just last month, at the end of 2024, Let’s Encrypt announced it was going to stop supporting online certificate revocation checking. Beginning in early May 2025, there will no longer be any OCSP revocation information in Let’s Encrypt’s certificates. Once all its earlier certificates expire, Let’s Encrypt will shut down its OCSP servers. https://www.feistyduck.com/newsletter/issue_120_short-lived_certificates_are_coming_in_2025 https://www.feistyduck.com/newsletter/issue_120_short-lived_certificates_are_coming_in_2025 Tue, 31 Dec 2024 10:00:00 -0000 Judging from recent events, the focus in the next couple of years will be on adopting significantly reduced certificate lifetimes. We’ve known for a while that Google wants to reduce certificate lifetimes to ninety days, but earlier this year, Apple surprised everyone by pushing for as little as forty-five days (forty-seven in the latest proposal). Unlike Apple and Google, which are forcing everyone to follow their direction, Let’s Encrypt is approaching the problem from the other end by offering us a choice. https://www.feistyduck.com/newsletter/issue_119_nist_publishes_roadmap_for_post_quantum_transition https://www.feistyduck.com/newsletter/issue_119_nist_publishes_roadmap_for_post_quantum_transition Thu, 28 Nov 2024 10:30:00 -0000 NIST recently published NIST IR 8547, a report that outlines the proposed transition to post-quantum cryptography. In a nutshell, we have up to ten years to migrate all or most of the world’s cryptographic systems. Technically, NIST can’t tell the whole world what to do, but it’s been leading the way with good work, and it makes sense for everyone to synchronise their efforts. https://www.feistyduck.com/newsletter/issue_118_apple_wants_to_limit_certificates_to_forty_five_days https://www.feistyduck.com/newsletter/issue_118_apple_wants_to_limit_certificates_to_forty_five_days Thu, 31 Oct 2024 10:00:00 -0000 Are we ready for forty-five-day certificates? Apple seems to think so. On October 10, 2024, CA/B Forum ballot SC-81 appeared as pull request #553 in the Server Certificate Working Group’s repository. Just like that, without a warning. https://www.feistyduck.com/newsletter/issue_117_smart_tvs_are_watching_you https://www.feistyduck.com/newsletter/issue_117_smart_tvs_are_watching_you Thu, 26 Sep 2024 10:00:00 -0000 If you begin to understand the world of consumer electronics, it’s inevitable that you will begin to feel animosity toward all connected devices you bring into your homes. After all, we’ve all heard that manufacturers don’t care about what’s decent, only about what makes them money. One type of device in particular, so-called smart TVs, are ubiquitous, and they’re spying on all of us. https://www.feistyduck.com/newsletter/issue_116_post_quantum_cryptography_arrives https://www.feistyduck.com/newsletter/issue_116_post_quantum_cryptography_arrives Thu, 29 Aug 2024 10:00:00 -0000 The US National Institute of Standards and Technology (NIST) released its first three post-quantum cryptography (PCQ) standards earlier this month, on August 13, 2024. This release marks the first official results of the public competition that started eight years ago. Out of the three standards, one (ML-KEM, based on Kyber) is for key agreement, and the other two (ML-DSA and SLH-DSA) are for digital signatures. Another standard, which will be called FN-DSA, is expected by the end of the year. Because this type of encryption is fairly new, further backup standards are planned. For more details, read a blog post on the topic from Cloudflare. https://www.feistyduck.com/newsletter/issue_115_radius_udp_considered_harmful https://www.feistyduck.com/newsletter/issue_115_radius_udp_considered_harmful Tue, 30 Jul 2024 10:00:00 -0000 Despite being broken since 2004—yes, that’s twenty years ago exactly—the MD5 hash algorithm remains in use in both some obscure and some widely used protocols. One such protocol is RADIUS, which was very popular in the past for authentication of dial-up users, but remains in use today with assorted networking equipment. https://www.feistyduck.com/newsletter/issue_114_entrust_in_trouble https://www.feistyduck.com/newsletter/issue_114_entrust_in_trouble Thu, 27 Jun 2024 10:00:00 -0000 Entrust, one of the oldest Certification Authorities (CAs), is in trouble with Mozilla and other root stores. In the last several years, going back to 2020, there have been multiple persistent technical problems with Entrust’s certificates. That’s not a big deal when it happens once, or even a couple of times, and when it’s handled well. But according to Mozilla and others, it hasn’t been. Over time, frustration grew. Promises were made, then broken. Finally, in May, Mozilla compiled a list of recent issues and asked Entrust to formally respond. https://www.feistyduck.com/newsletter/issue_113_eu_clings_to_the_pervasive_surveillance_dream https://www.feistyduck.com/newsletter/issue_113_eu_clings_to_the_pervasive_surveillance_dream Tue, 30 May 2024 12:00:00 -0000 In Europe, politicians continue to push privacy-invasive legislation that won’t solve any real problems, but will enable the police to monitor and harass anyone that triggers inherently flawed algorithms, all the while excluding themselves from monitoring. Open letters penned by scientists are ignored. https://www.feistyduck.com/newsletter/issue_112_facebook_used_mitm_to_spy_on_competition https://www.feistyduck.com/newsletter/issue_112_facebook_used_mitm_to_spy_on_competition Tue, 30 Apr 2024 08:00:00 -0000 It’s been a few years since we’ve had a high-profile case, but companies running active network (man-in-the-middle) attacks against end users is nothing new. Antivirus tools claim to do it for security reasons, but most other companies do it to inject ads. Profit is king. Actively intercepting customer traffic in order to spy on the competition seems novel, definitely unethical, and potentially illegal. Now, a lawsuit from May 2023 claims that Facebook—now Meta—did exactly that from 2016 through 2019. https://www.feistyduck.com/newsletter/issue_111_european_union_starts_to_confront_digital_platforms_dominance https://www.feistyduck.com/newsletter/issue_111_european_union_starts_to_confront_digital_platforms_dominance Thu, 28 Mar 2024 10:00:00 -0000 Originally conceived in 2022, the European Union’s Digital Markets Act (DMA) entered into force on March 7, 2024. The first six designated gatekeepers—dominant companies in key digital markets—must now comply with their obligations. From now on, Apple, Alphabet, Meta, Amazon, Microsoft, and ByteDance will be under close scrutiny designed to prevent them from abusing their platforms. https://www.feistyduck.com/newsletter/issue_110_apples_new_messaging_protocol_raises_the_bar_for_post_quantum_security https://www.feistyduck.com/newsletter/issue_110_apples_new_messaging_protocol_raises_the_bar_for_post_quantum_security Thu, 29 Feb 2024 16:45:00 -0000 Apple announced a significant upgrade of the communication protocol used by iMessage, working to add defenses against post-quantum attacks. The new protocol, called PQ3, is promoted as offering the strongest security properties of any protocol deployed at scale. https://www.feistyduck.com/newsletter/issue_109_cab_forum_adopts_caa_for_s_mime https://www.feistyduck.com/newsletter/issue_109_cab_forum_adopts_caa_for_s_mime Wed, 31 Jan 2024 23:50:00 -0000 In January 2024, CA/Browser Forum voted to adopt Certification Authority Authorization (CAA) for S/MIME certificates. There were nineteen votes cast, supporting ballot SCM05. CAs are recommended to adopt the new CAA features by September 15, 2024; support will become mandatory on March 15, 2025. https://www.feistyduck.com/newsletter/issue_108_ssh_protocol_vulnerable_to_mitm_attack https://www.feistyduck.com/newsletter/issue_108_ssh_protocol_vulnerable_to_mitm_attack Fri, 29 Dec 2023 11:00:00 -0000 The SSH protocol was found to be vulnerable to active network (MITM) attacks, enabling threat actors to drop an arbitrary number of messages from the beginning of the secure channel. The researchers have named this attack Terrapin. Although SSH is supposed to provide secure channel integrity, it doesn’t quite work in practice. There are three widely used encryption modes that are not fully secure. /newsletter/issue_107_european_union_presses_ahead_with_article_45 /newsletter/issue_107_european_union_presses_ahead_with_article_45 Thu, 30 Nov 2023 10:00:00 -0000 The European Union continues on its path to eIDAS 2.0, which includes the controversial Article 45 that basically tells browsers which certification authorities (CAs) to trust. eIDAS, which stands for electronic identification and trust services, is a framework aimed at regulating electronic transactions. As part of this proposal, the EU wants to support embedding identities in website certificates. In essence, the goal is to bring back Extended Validation (EV) certificates. /newsletter/issue_106_encrypted_client_hello_and_the_last_network_privacy_gap /newsletter/issue_106_encrypted_client_hello_and_the_last_network_privacy_gap Tue, 31 Oct 2023 11:00:00 -0000 In the early days of the Internet, no encryption was taking place anywhere, and so it was very easy for those with the right access and means to intercept network traffic. Over the years, the passive monitoring industry grew, although there were also setbacks as SSL and, later, TLS gained popularity. /newsletter/issue_105_microsofts_compromised_private_key /newsletter/issue_105_microsofts_compromised_private_key Wed, 27 Sep 2023 10:00:00 -0000 Back in July, Microsoft disclosed a serious security breach that allowed a threat actor to compromise email accounts belonging to twenty-five organizations, seemingly mostly government agencies. The problem was that a so-called MSA key, which is used for signing in Microsoft’s consumer environment, was compromised. Unexpectedly, that key was then able to be used in Microsoft’s enterprise environment. /newsletter/issue_104_vpns_still_dont_work /newsletter/issue_104_vpns_still_dont_work Wed, 30 Aug 2023 11:00:00 -0000 Virtual private networks (VPNs) have been the cornerstone of personal and corporate security for several decades now, but we still can’t get them to work properly. This has been highlighted by TunnelCrack, a combination of two widespread vulnerabilities released under a single brand name. When either weakness is exploited, attackers end up redirecting user traffic outside the protected tunnel. The researchers tested a great number of products and report that every VPN product is vulnerable on at least one device. /newsletter/issue_103_rfc_9420_messaging_layer_security /newsletter/issue_103_rfc_9420_messaging_layer_security Thu, 27 Jul 2023 10:00:00 -0000 Messaging Layer Security (MLS), a new standard that supports end-to-end encryption in messaging applications, has been released as RFC 9420. The name is an obvious riff on Transport Layer Security (TLS), but that’s not where the similarities end. MLS had been in development for about five years, which is similar to the time it took to produce TLS 1.3. /newsletter/issue_102_four_ca_stories_the_good_times_two_the_bad_and_the_ugly /newsletter/issue_102_four_ca_stories_the_good_times_two_the_bad_and_the_ugly Thu, 29 Jun 2023 10:00:00 -0000 Good: Google Trust Services (GTS) announced general availability of its ACME APIs, now available at no cost to anyone with a Google Cloud Platform (GCP) account. This is a fantastic addition to the ecosystem that improves diversity among free certificate providers. GTS also announced support for multiperspective domain validation and ACME renewal information (ARI). /newsletter/issue_101_end_to_end_encryption_under_attack /newsletter/issue_101_end_to_end_encryption_under_attack Wed, 31 May 2023 10:00:00 -0000 For many, fully protected communication with end-to-end encryption is the ultimate destination of communication protocols. It seems that we got close to it in recent years, finding the right combination of technology, usability, and public awareness and popularity. These developments have not gone unnoticed by governments worldwide. Improvements in the security of network communications are detrimental to signals intelligence (SIGINT), which is at the cornerstone of intelligence gathering. /newsletter/issue_100_openssl_cookbook_released_under_cc_by_nc /newsletter/issue_100_openssl_cookbook_released_under_cc_by_nc Wed, 26 Apr 2023 10:00:00 -0000 This newsletter launched in October 2014 as a way of helping the readers of Bulletproof SSL and TLS (as it was called then) stay informed of the developments in the transport security space. I am very pleased that we’ve kept with our newsletter for one hundred issues. I can’t say that it’s always been easy, but it’s definitely rewarding, especially at a milestone like this one. /newsletter/issue_99_Sabre_ct_log_issued_invalid_scts /newsletter/issue_99_Sabre_ct_log_issued_invalid_scts Wed, 29 Mar 2023 10:00:00 -0000 Sabre, one of the oldest CT logs, suffered an outage during a recent upgrade that aimed to improve performance and scalability. Although the upgrade was initially declared successful, the private key ended up being misconfigured—unnoticed—for almost an entire day. During this time, this CT log issued a number of SCTs with invalid signatures. /newsletter/issue_98_caa_expands_into_new_use_cases /newsletter/issue_98_caa_expands_into_new_use_cases Tue, 28 Feb 2023 10:00:00 -0000 Certification Authority Authorization (CAA) is a good example of a technology that’s slow and steady. Originally conceived in 2013 as RFC 6844, it was adopted by the CA/Browser Forum and mandated for all CAs in 2017, and eventually brought to its current shape in 2019 as RFC 8659. Although not perfect, it gets the job done, and support for it continues to grow. /newsletter/issue_97_password_managers_and_pbkdf2_in_the_spotlight /newsletter/issue_97_password_managers_and_pbkdf2_in_the_spotlight Tue, 31 Jan 2023 10:00:00 -0000 During January, there was a flurry of activity surrounding password managers and their security. It all started in December, when LastPass warned about an unauthorized third party gaining access to archived backups of its production data. Oops. The data included customer information and their encrypted vaults. This announcement reignited interest in password storage and, especially, PBKDF2. /newsletter/issue_96_TrustCor /newsletter/issue_96_TrustCor Thu, 29 Dec 2022 10:00:00 -0000 We previously wrote that concerns were raised on Mozilla’s dev-security-policy mailing list about the trustworthiness of TrustCor CA. Joel Reardon, a professor at the University of Calgary with interest in privacy in the mobile space, reported on the possible connections and shared ownership between TrustCor CA and a company called Measurement Systems. This is relevant because the latter had been linked to a US defense contractor and implicated in collecting private information from mobile application users. /newsletter/issue_95_the_battle_of_qwacs_is_in_full_swing /newsletter/issue_95_the_battle_of_qwacs_is_in_full_swing Wed, 30 Nov 2022 10:00:00 -0000 Back in February, we wrote about the EU's plans to mandate support for Qualified Website Authentication Certificates (QWACs) in all browsers. This intention hasn’t gone over very well with Mozilla in particular: in response, the company kicked off its Security Risks Ahead campaign and an associated Twitter account and started to lobby against the changes. /newsletter/issue_94_openssl_fixes_buffer_overflows_in_certificate_parsing /newsletter/issue_94_openssl_fixes_buffer_overflows_in_certificate_parsing Tue, 1 Nov 2022 16:30:00 -0000 The OpenSSL team has published version 3.0.7 with a fix for two buffer overflow vulnerabilities rated as high. These vulnerabilities affect the parsing of punycode names in certificates. /newsletter/issue_93_in_memory_of_peter_eckersley /newsletter/issue_93_in_memory_of_peter_eckersley Thu, 29 Sep 2022 09:00:00 -0000 Peter Eckersley, a security researcher and longtime activist for the Electronic Frontier Foundation (EFF), passed away on September 2. Eckersley was most well-known for having cofounded the Let’s Encrypt certificate authority. Throughout his life, he worked on various projects to improve TLS security. /newsletter/issue_92_the_end_of_sidh_and_sike /newsletter/issue_92_the_end_of_sidh_and_sike Wed, 31 Aug 2022 08:00:00 -0000 A post-quantum key exchange method once considered promising is apparently insecure and can be completely broken with classical computers. Researchers recently published attacks on both supersingular isogeny Diffie-Hellman (SIDH) and the supersingular isogeny key encapsulation (SIKE) variation that was submitted for NIST's post-quantum competition. /newsletter/issue_91_nist_announces_preliminary_winners_of_post-quantum_competition /newsletter/issue_91_nist_announces_preliminary_winners_of_post-quantum_competition Thu, 28 Jul 2022 10:00:00 -0000 The US National Institute of Standards and Technology (NIST) has announced the first winners of a several-years-long competition for post-quantum encryption and signature algorithms. For encryption, NIST recommends the use of CRYSTALS-Kyber, although that recommendation may still change. For signatures, NIST has selected CRYSTALS-Dilithium as the primary algorithm, plus two additional algorithms, Falcon and SPHINCS+. /newsletter/issue_90_hertzbleed_shows_how_cpu_frequency_scaling_can_lead_to_side_channel_attacks /newsletter/issue_90_hertzbleed_shows_how_cpu_frequency_scaling_can_lead_to_side_channel_attacks Thu, 30 Jun 2022 10:00:00 -0000 A new type of side-channel vulnerability called Hertzbleed was published recently. The attack relies on dynamic frequency scaling, a power-saving and performance feature on modern CPUs. /newsletter/issue_89_certificate_transparency_data_is_used_to_compromise_wordpress_before_installation /newsletter/issue_89_certificate_transparency_data_is_used_to_compromise_wordpress_before_installation Tue, 31 May 2022 10:00:00 -0000 Recently in the community forums of WordPress and Let's Encrypt, reports have shown up about webshells on freshly installed WordPress blogs that were later used for DDoS attacks. These attacks were also covered in an article at the Daily Swig. /newsletter/issue_88_two_zeros_bypass_javas_ecdsa_signature_check /newsletter/issue_88_two_zeros_bypass_javas_ecdsa_signature_check Thu, 28 Apr 2022 12:00:00 -0000 A security vulnerability in Java’s ECDSA implementation allows creating a signature that would always be evaluated as valid. Neil Madden, who discovered the flaw, called it a psychic signature. /newsletter/issue_87_russia_creates_certificate_authority_in_response_to_sanctions /newsletter/issue_87_russia_creates_certificate_authority_in_response_to_sanctions Thu, 31 Mar 2022 11:00:00 -0000 As a result of the Russian invasion of Ukraine, several certificate authorities, like DigiCert and Sectigo, have revoked certificates of Russian entities or are refusing to issue new certificates for them. In response, Russian government authorities have created their own certificate authority. /newsletter/issue_86_eu_plans_to_mandate_less_secure_certificates_in_browsers /newsletter/issue_86_eu_plans_to_mandate_less_secure_certificates_in_browsers Mon, 28 Jan 2022 11:00:00 -0000 A planned EU regulation about so-called Qualified Website Authentication Certificates (QWACs) is causing concerns among security researchers and browser vendors. The QWACs concept has existed for several years, but has not gained much traction. /newsletter/issue_85_webtransport_allows_tls_connections_with_certificate_hash /newsletter/issue_85_webtransport_allows_tls_connections_with_certificate_hash Thu, 27 Jan 2022 10:00:00 -0000 The development of the WebTransport browser API has led to discussions about the nuances of the use of TLS without Web PKI certificates. /newsletter/issue_84_rfc_9155_deprecates_md5_and_sha-1_signatures_in_tls_handshake_messages /newsletter/issue_84_rfc_9155_deprecates_md5_and_sha-1_signatures_in_tls_handshake_messages Thu, 30 Dec 2021 10:00:00 -0000 A new RFC officially deprecates the use of the MD5 and SHA-1 weak hash algorithms in TLS handshake messages. The deprecation of these old hash algorithms has a long history, dating back to research results from sixteen years ago. /newsletter/issue_83_post-quantum_signatures_in_tls_will_be_challenging /newsletter/issue_83_post-quantum_signatures_in_tls_will_be_challenging Tue, 30 Nov 2021 11:06:00 -0000 Future quantum computers could break all public key cryptosystems that are in mainstream use today. This has led to the development of new cryptographic algorithms that are believed to be resistant against quantum attacks. The US National Institute of Standards and Technology (NIST) is currently running a competition to develop such quantum-resistant algorithms and it is expected that within the coming years standards for these post-quantum cryptosystems will become available. /newsletter/issue_82_expiration_of_dst_root_ca-causes_problems_with_lets_encrypt_certificates /newsletter/issue_82_expiration_of_dst_root_ca-causes_problems_with_lets_encrypt_certificates Thu, 28 Oct 2021 10:00:00 -0000 On September 30, the root certificate with the common name DST Root CA—owned by the company IdenTrust—expired. Notably, this certificate was used by Let’s Encrypt to cross-sign its intermediate certificates in the past. Technically, two expiration events happened on this day: the old Let’s Encrypt intermediate certificate expired a few hours before the root certificate. Both events caused a number of problems. /newsletter/issue_81_with_https_everywhere_there_is_no_longer_any_need_for_the_https_everywhere_plug-in /newsletter/issue_81_with_https_everywhere_there_is_no_longer_any_need_for_the_https_everywhere_plug-in Thu, 30 Sep 2021 10:00:00 -0000 The Electronic Frontier Foundation (EFF) has announced the deprecation of the HTTPS Everywhere plug-in. Instead it recommends that users enable HTTPS-only modes provided by modern browsers. /newsletter/issue_80_vulnerabilities_show_fragility_of_starttls /newsletter/issue_80_vulnerabilities_show_fragility_of_starttls Tue, 31 Aug 2021 10:30:00 -0000 A paper published at the USENIX security conference showed a large number of vulnerabilities in STARTTLS implementations. The author of this newsletter participated in this research. /newsletter/issue_79_the_end_of_ftp_in_browsers /newsletter/issue_79_the_end_of_ftp_in_browsers Fri, 30 Jul 2021 11:50:00 -0000 With the recent release of Mozilla Firefox version 90, all support for the FTP protocol was removed from the browser. Mozilla followed the lead of Chrome, which also removed all FTP support. /newsletter/issue_78_alpaca_shows_tls_cross_protocol_attacks /newsletter/issue_78_alpaca_shows_tls_cross_protocol_attacks Tue, 29 Jun 2021 11:10:00 -0000 A team of security researchers has shown vulnerabilities that affect the interaction of different TLS-protected protocols if they are operated with the same host name. They named the attacks ALPACA, and a paper will be published at the upcoming USENIX conference. The underlying issue is that traditionally TLS contains no protection against cross-protocol attacks. /newsletter/issue_77_quic_graduates_to_rfc_9000 /newsletter/issue_77_quic_graduates_to_rfc_9000 Fri, 28 May 2021 12:10:00 -0000 Today we celebrate the release of QUIC, a brand-new reliable and secure protocol that marks a new direction in how networking standards are designed. Before QUIC, secure communication on the Internet involved several layers, most frequently TCP for reliable transport and TLS for security. This layered approach (via the OSI model) served us well, but there was a desire for even better performance, for which development of a specialised protocol was necessary. /newsletter/issue_76_in_memoriam_dan_kaminsky /newsletter/issue_76_in_memoriam_dan_kaminsky Thu, 29 Apr 2021 10:00:00 -0000 On April 23, well-known security researcher Dan Kaminsky passed away. Kaminsky was most famously known for finding security flaws in the Domain Name System (DNS), but he also discovered flaws in the TLS certificate infrastructure and X.509. /newsletter/issue_75_ietf_formally_deprecates_tls_1_0_and_1_1 /newsletter/issue_75_ietf_formally_deprecates_tls_1_0_and_1_1 Wed, 31 Mar 2021 10:00:00 -0000 The Internet Engineering Task Force has published RFC 8996, which officially deprecates the old TLS versions 1.0 and 1.1. These old versions have inherent security weaknesses that can only be fixed by moving to a newer protocol version. /newsletter/issue_74_rust_and_cryptographic_code /newsletter/issue_74_rust_and_cryptographic_code Thu, 25 Feb 2021 12:00:00 -0000 The Rust programming language is gaining more popularity, and it increasingly affects cryptographic code as well. Rust’s main selling point is that the language provides many memory safety guarantees, making bugs like buffer overflows and use after free errors much less likely to happen (they can still happen in code specifically marked as “unsafe”). /newsletter/issue_73_google_chrome_distrusts_camerfirma /newsletter/issue_73_google_chrome_distrusts_camerfirma Thu, 28 Jan 2021 10:00:00 -0000 A large number of recent incidents tied to the Camerfirma certificate authority led to a lengthy discussion on Mozilla’s security policy mailing list. Camerfirma is a certificate authority from Spain. The mailing list discussion was initiated by Mozilla’s Ben Wilson, who started collecting information about rule violations and incidents by Camerfirma on a wiki page. /newsletter/issue_72_cross_signature_will_keep_lets_encrypt_compatible_with_old_android /newsletter/issue_72_cross_signature_will_keep_lets_encrypt_compatible_with_old_android Tue, 5 Jan 2021 10:00:00 -0000 The Let’s Encrypt certificate authority is facing a challenging situation with its upcoming planned certificate switch. /newsletter/issue_71_firefox_introduces_https_only_mode /newsletter/issue_71_firefox_introduces_https_only_mode Thu, 26 Nov 2020 09:00:00 -0000 With the release of version 83 of Mozilla’s Firefox web browser, Mozilla announced the browser’s support of an optional HTTPS-only mode. This was previously available in Firefox Nightly versions and in advanced settings, but the latest version makes it officially available for all users. /newsletter/issue_70_chrome_developers_want_to_eliminate_mixed_content /newsletter/issue_70_chrome_developers_want_to_eliminate_mixed_content Thu, 29 Oct 2020 10:00:00 -0000 The current Chrome version no longer loads mixed content on HTTPS connections. This change was announced by the Chrome security team last year and has now been implemented. Emily Stark from Chrome’s security team explains some of the details on Twitter. /newsletter/issue_69_raccoon_attack_shows_design_flaw_in_old_tls /newsletter/issue_69_raccoon_attack_shows_design_flaw_in_old_tls Wed, 30 Sep 2020 10:00:00 -0000 Raccoon is a timing attack that exploits a vulnerability in the Diffie-Hellman specification in TLS 1.2 and older. /newsletter/issue_68_great_firewall_of_china_blocks_encrypted_sni_extension /newsletter/issue_68_great_firewall_of_china_blocks_encrypted_sni_extension Thu, 27 Aug 2020 10:00:00 -0000 According to a joint report from iYouPort, the University of Maryland, and the Great Firewall Report, TLS connections using the preliminary encrypted SNI (ESNI) extension are being blocked in China. /newsletter/issue_67_intermediate_certificates_with_ocsp_capability_cause_trouble /newsletter/issue_67_intermediate_certificates_with_ocsp_capability_cause_trouble Thu, 30 Jul 2020 10:00:00 -0000 A large number of certificates are affected by an issue in which intermediate certificates can also act as OCSP responder certificates. This issue was highlighted by Google developer Ryan Sleevi in early July. Sleevi found over 200 certificates that were issued by publicly trusted certificate authorities with an extended key usage flag that allows them to act as OCSP responder certificates. However, these certificates were missing an extension (id-pkix-ocsp-nocheck) that is required for such certificates, so they are in violation of the Baseline Requirements. /newsletter/issue_66_expired_addtrust_certificate_causes_trouble /newsletter/issue_66_expired_addtrust_certificate_causes_trouble Tue, 30 Jun 2020 10:00:00 -0000 The expiration of an old root certificate by Sectigo was the cause of some trouble on May 30. The AddTrust certificate was used to cross-sign the newer USERTrust certificate, and in some situations the expired cross-signature certificate caused verification failures. Andrew Ayer has written a blog post with a detailed technical explanation. /newsletter/issue_65_private_key_of_digicert_certificate_transparency_log_compromised /newsletter/issue_65_private_key_of_digicert_certificate_transparency_log_compromised Thu, 28 May 2020 10:00:00 -0000 A critical vulnerability in the Saltstack configuration management software that was discovered in March by the F-Secure company was recently used for widespread attacks. Among the affected hosts was one of the Certificate Transparency logs operated by DigiCert. /newsletter/issue_64_gcc_code_analyzer_finds_bug_in_openssl /newsletter/issue_64_gcc_code_analyzer_finds_bug_in_openssl Thu, 30 Apr 2020 10:45:00 -0000 OpenSSL recently released a security update fixing a bug in the certificate validation code. The SSL_check_chain() function can crash due to a NULL pointer dereference when an invalid signature algorithm is detected. This bug could be used to crash OpenSSL-based servers. Only relatively recent versions of OpenSSL 1.1.1 are affected (1.1.1d through 1.1.1f); the OpenSSL team has released version 1.1.1g with a fix for the bug. /newsletter/issue_63_the_lets_encrypt_certificate_authority_authorization_incident /newsletter/issue_63_the_lets_encrypt_certificate_authority_authorization_incident Tue, 31 Mar 2020 10:00:00 -0000 The Let’s Encrypt certificate authority discovered a bug in its certificate issuance process and the checking of CAA records, which caused them to announce the intent to revoke three million certificates. However, due to the disruption this would have caused, Let’s Encrypt did not proceed with that plan. /newsletter/issue_62_one_year_certificate_lifetimes_are_coming /newsletter/issue_62_one_year_certificate_lifetimes_are_coming Thu, 27 Feb 2020 10:01:00 -0000 During a recent meeting of the CA/Browser Forum, Apple announced that its Safari browser will not accept certificates with a lifetime of more than 398 days starting in September of this year. With this announcement, Apple moves ahead with the shorter certificate lifetimes that multiple browsers have wanted for a while. /newsletter/issue_61_vulnerability_in_windows_allows_certificate_forgery_with_elliptic_curves /newsletter/issue_61_vulnerability_in_windows_allows_certificate_forgery_with_elliptic_curves Thu, 30 Jan 2020 09:40:00 -0000 With the January security update from Microsoft, a severe security flaw in the certificate handling of Windows was fixed. The flaw was reported to Microsoft by the NSA. Microsoft’s own advisory contained few details, and the NSA advisory contained only brief hints, but cryptographers were soon able to understand the vulnerability and created proof of concept exploits. /newsletter/issue_60_new_factoring_and_discrete_log_records_but_rsa_stays_safe /newsletter/issue_60_new_factoring_and_discrete_log_records_but_rsa_stays_safe Tue, 31 Dec 2019 10:00:00 -0000 A team of researchers has announced a new record in factoring large numbers and calculating discrete logarithms. The researchers factored the RSA-240 number on hardware of the Grid’5000 project, a collaboration of French research institutes. At the same time, the researchers have calculated a discrete logarithm of the same size. /newsletter/issue_59_testing_of_delegated_credentials_begins /newsletter/issue_59_testing_of_delegated_credentials_begins Thu, 28 Nov 2019 09:00:00 -0000 Delegated credentials is a TLS feature currently in development that allows for temporarily delegating authentication of TLS connections to a different public/private key pair. Cloudflare, Facebook, and Mozilla are currently running experiments with this feature in practice. /newsletter/issue_58_elliptic_curve_implementations_vulnerable_to_minerva_timing_attack /newsletter/issue_58_elliptic_curve_implementations_vulnerable_to_minerva_timing_attack Thu, 31 Oct 2019 10:00:00 -0000 Researchers from Masaryk University have presented a timing attack called Minerva. The attack exploits side-channel vulnerabilities in implementations of elliptic curve signatures, primarily ECDSA. The primary targets of the attack were cryptographic chips, but several open-source libraries were also affected. /newsletter/issue_57_mozilla_and_chrome_about_to_enable_dns_over_https /newsletter/issue_57_mozilla_and_chrome_about_to_enable_dns_over_https Thu, 26 Sep 2019 10:00:00 -0000 Both Mozilla and Chrome have announced their first plans to enable DNS over HTTPS (DoH) in some situations. But they will start with a very slow rollout and will disable DoH in many situations. /newsletter/issue_56_firefox_and_chrome_will_remove_gui_indicator_for_extended_validation_certificates /newsletter/issue_56_firefox_and_chrome_will_remove_gui_indicator_for_extended_validation_certificates Thu, 29 Aug 2019 09:00:00 -0000 The developers of Chrome and Firefox have announced a major change in the handling of Extended Validation certificates. Previously these certificates were presented with a green bar in front of the URL that shows the company name. This will be removed in future Chrome and Firefox versions. The information now will be visible only when users click on the lock icon and view the connection details. /newsletter/issue_55_kazakhstan_intercepts_tls_traffic /newsletter/issue_55_kazakhstan_intercepts_tls_traffic Tue, 30 Jul 2019 09:00:00 -0000 In Kazakhstan, Internet connections via HTTPS are partly intercepted. According to various reports, providers in the central Asian country have asked their customers to install a special root certificate in their browsers that enables the interception. This first became known to a wider audience due to a bug report in Mozilla’s bug tracker. Mozilla hasn’t yet decided how to react, but several users have asked Mozilla to block the certificate in question. /newsletter/issue_54_network_time_security_nts_could_finally_bring_support_for_authenticated_network_time /newsletter/issue_54_network_time_security_nts_could_finally_bring_support_for_authenticated_network_time Thu, 27 Jun 2019 10:00:00 -0000 As part of its crypto week, the company Cloudflare recently announced that it will operate a time server supporting the Network Time Security (NTS) extension for the Network Time Protocol (NTP). This solves a long-standing problem with time in the context of secure protocols. /newsletter/issue_53_certificate_authority_certinomis_removed_from_firefox_browser /newsletter/issue_53_certificate_authority_certinomis_removed_from_firefox_browser Thu, 30 May 2019 09:00:00 -0000 Another certificate authority is being removed from browsers due to repeated violations of certificate validation rules. In April, Andrew Ayer noticed that Certinomis had issued fourteen precertificates for an unregistered domain name and reported it to Mozilla. In the discussion that followed in the bug tracker, Google developer Ryan Sleevi raised several concerns about the reaction of Certinomis. /newsletter/issue_52_gmail_starts_using_mtasts /newsletter/issue_52_gmail_starts_using_mtasts Tue, 30 Apr 2019 12:00:00 -0000 MTA-STS is a recent standard that enables more secure TLS connections between mail servers. Although several email providers already have published MTA-STS policies for inbound connections, Gmail recently became the first major email provider to actually check those policies and thus implement MTA-STS on both sides of a connection. /newsletter/issue_51_trouble_with_a_missing_random_bit_in_serial_numbers /newsletter/issue_51_trouble_with_a_missing_random_bit_in_serial_numbers Thu, 28 Mar 2019 11:05:00 -0000 A seemingly minor issue is the cause of major trouble in the certificate industry: many certificate authorities have used serial numbers with sixty-three bits of entropy for their certificates, yet the Baseline Requirements say that they need sixty-four bits. /newsletter/issue_50_darkmatter_from_the_united_arab_emirates_operates_a_certificate_authority /newsletter/issue_50_darkmatter_from_the_united_arab_emirates_operates_a_certificate_authority Thu, 28 Feb 2019 10:05:00 -0000 DarkMatter, a controversial company from the United Arab Emirates, now raises questions about trust in certificate authorities. /newsletter/issue_49_disabling_of_insecure_lets_encrypt_validation_will_cause_broken_https_setups_for_debian_and_ubuntu_users /newsletter/issue_49_disabling_of_insecure_lets_encrypt_validation_will_cause_broken_https_setups_for_debian_and_ubuntu_users Thu, 31 Jan 2019 12:30:00 -0000 Let’s Encrypt soon will disable support for the TLS-SNI-01 domain validation method in the ACME protocol. In January of last year, a vulnerability in TLS-SNI-01 was discovered by Frans Rosén from Detectify. The deprecation will likely cause problems for users of some stable Linux distributions. /newsletter/issue_48_google_starts_cecpq2 /newsletter/issue_48_google_starts_cecpq2 Thu, 3 Jan 2019 11:00:00 -0000 Quantum computers have the potential of compromising the security of almost all public key encryption systems in use today. This has led to discussions in the TLS community on how to face this threat. /newsletter/issue_47_attacking_cryptography_with_side_channels /newsletter/issue_47_attacking_cryptography_with_side_channels Thu, 29 Nov 2018 11:30:00 -0000 New research shows that cryptographic code often is still vulnerable to side-channel attacks. /newsletter/issue_46_the_end_of_tls_1_0_and_1_1 /newsletter/issue_46_the_end_of_tls_1_0_and_1_1 Tue, 30 Oct 2018 11:30:00 -0000 The four largest browser vendors—Google, Microsoft, Mozilla, and Apple—have all announced that in 2020 they want to deprecate old TLS protocol versions 1.0 and 1.1. Webmasters should make sure that they support at least TLS 1.2, or ideally the latest version, TLS 1.3. /newsletter/issue_45_visa_certificate_authority_in_trouble /newsletter/issue_45_visa_certificate_authority_in_trouble Thu, 27 Sep 2018 13:00:00 -0000 The credit card company Visa operates a TLS certificate authority that is currently trusted by all major browsers. Visa doesn’t sell certificates to end users; the certificates are used for their own services and by some banks. Lately, questions have arisen about the operations of the Visa CA. /newsletter/issue_44_tls_1_3_is_here /newsletter/issue_44_tls_1_3_is_here Thu, 30 Aug 2018 11:30:00 -0000 It’s taken much longer than anticipated, but the IETF finally published new version 1.3 of the TLS protocol as RFC 8446. /newsletter/issue_43_chrome_now_says_not_secure_for_http_webpages /newsletter/issue_43_chrome_now_says_not_secure_for_http_webpages Tue, 31 Jul 2018 11:30:00 -0000 With its recently released version 68, the Google Chrome browser introduced warnings on all web pages not using HTTPS. A “Not secure” label appears to the left of the URL for every page loaded over HTTP. /newsletter/issue_42_does_tls_have_to_change_constantly_to_make_it_future_proof /newsletter/issue_42_does_tls_have_to_change_constantly_to_make_it_future_proof Thu, 28 Jun 2018 11:30:00 -0000 The TLS 1.3 standard will soon be finished; however, getting here wasn’t always easy. One problem that accompanied the standardization process was devices assuming old TLS versions. These issues were worked around by protocol quirks—making the protocol needlessly complex, but also deployable. /newsletter/issue_41_domain_fronting_cloud_providers_stop_censorship_circumvention_tool /newsletter/issue_41_domain_fronting_cloud_providers_stop_censorship_circumvention_tool Mon, 31 May 2018 11:30:00 -0000 Two large cloud providers—Google and Amazon—have stopped the use of a technique called domain fronting, which was used by encrypted messengers and privacy tools to circumvent network blockades in some countries. /newsletter/issue_40_certificate_transparency_logging_is_now_mandatory /newsletter/issue_40_certificate_transparency_logging_is_now_mandatory Mon, 30 Apr 2018 00:00:00 -0000 Starting April 30, the Chrome browser will require all new certificates to be compliant with Certificate Transparency. This is a major change in the certificate ecosystem and was prepared over several years. Certificate Transparency has already played a major role in many cases of uncovering mistakes by certificate authorities. /newsletter/issue_39_trustico_debacle_shows_risk_of_key_generation_by_resellers /newsletter/issue_39_trustico_debacle_shows_risk_of_key_generation_by_resellers Thu, 29 Mar 2018 00:00:00 -0000 Several events related to certificate reseller Trustico have caused questions to arise about the practice of certificate sellers that generate keys for their users. /newsletter/issue_38_chrome_will_mark_http_pages_as_not_secure /newsletter/issue_38_chrome_will_mark_http_pages_as_not_secure Wed, 28 Feb 2018 00:00:00 -0000 Google has been a major force in pushing HTTPS by default. For years, Google stated that the plan was to mark all HTTP connections as insecure in the Chrome browser eventually. However, this was a change that couldn’t happen overnight. It would have caused too many warnings for average Internet users, ultimately leading to warning fatigue. /newsletter/issue_37_cloud_provider_vulnerability /newsletter/issue_37_cloud_provider_vulnerability Wed, 31 Jan 2018 00:00:00 -0000 A major issue with some cloud providers allowed the unauthorized issuance of Let’s Encrypt certificates. Although the issue clearly lies with the cloud providers, Let’s Encrypt nevertheless has decided to disable the corresponding validation method. /newsletter/issue_36_private_keys_in_software /newsletter/issue_36_private_keys_in_software Wed, 03 Jan 2018 00:00:00 -0000 Various software vendors lately have been found to have shipped private keys for certificates within their software. This problematic practice can lead to security vulnerabilities and will inevitably lead to the revocation of certificates if the key is discovered. The latest examples of these cases include Blizzard’s battle.net, Origin from Electronic Arts, Microsoft Dynamics 365 for Operations, and mandatory communication software for lawyers from Germany called besonderes elektronisches Anwaltspostfach (beA). /newsletter/issue_35_robot_return_of_bleichenbachers_oracle_attack /newsletter/issue_35_robot_return_of_bleichenbachers_oracle_attack Tue, 12 Dec 2017 00:00:00 -0000 In 1998 the cryptographer Daniel Bleichenbacher discovered a severe attack against the use of RSA in the PKCS #1 v1.5 padding mode in TLS. Over the years researchers have found many variations and improvements of this attack, most notably the DROWN attack against SSL version 2. /newsletter/issue_34_comodo_gets_controversial_new_owner /newsletter/issue_34_comodo_gets_controversial_new_owner Thu, 30 Nov 2017 00:00:00 -0000 Not long ago, Symantec—one of the largest certificate authorities (CAs)—sold its certificate business to competitor DigiCert. Now, another large certificate authority has been sold. Comodo’s certificate business is now owned by Francisco Partners.