Bulletproof TLS Newsletter #1
SHA1 Deprecation
2 October 2014
This issue was distributed to 7,984 email subscribers.

Welcome to the first-ever Bulletproof TLS Newsletter. Now that the first edition of my book Bulletproof SSL and TLS has been released, I can focus on some of the more interesting events related to SSL/TLS and PKI, and cryptography in general.

The plan is to send out a newsletter once a month, less often if there's nothing very interesting going on, and more often in case of emergencies (e.g., critical crypto flaws in popular software). I hope you enjoy this content. If you don't, there's a link at the end of this email where you can unsubscribe.

In this issue:

  1. Google announced their SHA1 deprecation policy for Chrome
  2. CloudFlare announced free TLS certificates for all their users
  3. Firefox started supporting hardcoded pinning in version 32
  4. New TLS extension: Encrypt-then-MAC for TLS and DTLS (RFC 7366)

Google announced SHA1 deprecation policy for Chrome

After a lively discussion on the Chrome mailing list, Google formally announced their plans for SHA1 deprecation in Chrome. New Chrome releases will gradually start to warn about encountered SHA1 certificates.

The first warnings will be about certificates that expire in 2017, then about those that expire after May 2016, and then finally about those that expire after 2015. Warnings will affect servers that use SHA1 either on leaf or intermediate certificates. (There will be no warnings about SHA1 on root certificates, because those signatures are never used and don't affect security.)

Before this announcement the plan had been to migrate away from SHA1 by the end of 2016, but Chrome has effectively shortened the deadline, because the warnings will start to appear in the next couple of months. Thus, there's no time to lose: inventory your certificates and start planning your migration. There's a longer discussion of this change on my blog.
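To make the inventory step concrete, here is an added example (my own code, not Google's policy text or anything from the newsletter) that reads the output of `openssl x509 -noout -text` for each certificate in a chain and reports the earliest warning phase. The date thresholds are my reading of the schedule described above (on or after 1 January 2017, 1 June 2016 and 1 January 2016), and the root certificate is skipped as explained.

```python
"""Classify a certificate chain against Chrome's staged SHA1 warnings.

Input: the text printed by `openssl x509 -noout -text` for each certificate,
leaf first and root last. Thresholds are my reading of the newsletter's
schedule, not an official Google table.
"""
import re
from datetime import datetime

# (phase, leaf notAfter on or after which that phase warns), checked in order
PHASES = [(1, datetime(2017, 1, 1)),
          (2, datetime(2016, 6, 1)),
          (3, datetime(2016, 1, 1))]

# OpenSSL names for SHA1-based signature algorithms
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}


def parse_openssl_text(text):
    """Return (signature algorithm, notAfter) from `openssl x509 -text` output."""
    algo = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    raw = re.search(r"Not After\s*:\s*(.+)", text).group(1)
    # OpenSSL pads single-digit days with a space ("Mar  1"); normalise it
    not_after = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y %Z")
    return algo, not_after


def sha1_warning_phase(chain_texts):
    """Earliest phase (1-3) in which Chrome warns for this chain, or None.

    The root's own signature is ignored: browsers never verify it, so SHA1
    there does not affect security. Only the leaf's expiry date matters.
    """
    certs = [parse_openssl_text(t) for t in chain_texts]
    leaf_not_after = certs[0][1]
    if not any(algo in SHA1_ALGORITHMS for algo, _ in certs[:-1]):
        return None
    for phase, threshold in PHASES:
        if leaf_not_after >= threshold:
            return phase
    return None


# Constructed, abridged sample output for a leaf, an intermediate and a root
LEAF = ("    Signature Algorithm: sha256WithRSAEncryption\n"
        "            Not After : Mar  1 12:00:00 2017 GMT\n")
INTERMEDIATE = ("    Signature Algorithm: sha1WithRSAEncryption\n"
                "            Not After : Dec 31 23:59:59 2020 GMT\n")
ROOT = ("    Signature Algorithm: sha1WithRSAEncryption\n"
        "            Not After : Dec 31 23:59:59 2030 GMT\n")

if __name__ == "__main__":
    print(sha1_warning_phase([LEAF, INTERMEDIATE, ROOT]))  # 1
```

A SHA1 intermediate is enough to trigger the warning even when the leaf itself is SHA256-signed, which is the case most inventories miss.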

Mozilla also indicated that they would start warning about SHA1, but so far it seems that they won't show any indicators to end users until 2016.

CloudFlare announced free TLS certificates for all their users

CloudFlare announced that, effective immediately, all their users will be given free TLS certificates, including users who are not paying for their services.

This is clearly good news for CloudFlare users, but also for the rest of us. The free certificates work only with relatively modern clients, because they require support for ECDSA keys and the SNI extension for virtual TLS hosting. These technologies are on the verge of being feasible for use on public sites, and CloudFlare's announcement might very well push us over the last hump.

For those interested in the details, CloudFlare published a great follow-up blog post to discuss what they did to scale their service.

There's a bit of controversy in that free certificates will be issued even to those sites that don't have encryption configured on the origin servers (now positioned behind CloudFlare's proxies). Although it could be argued that attacks more commonly take place on the network segment close to end users, the disadvantage is that users can no longer tell whether a particular site is secured end to end, with encryption running from the browser all the way to the origin server.

Firefox started supporting hardcoded pinning in version 32

In version 32, Firefox joined Chrome by supporting hardcoded web site pins. More interestingly, they announced that they would support the future standard for pinning—Public Key Pinning for HTTP—in the near future.

New TLS extension: Encrypt-then-MAC for TLS and DTLS (RFC 7366)

A new TLS extension has been released to make CBC suites safer to use. The MAC-then-encrypt construction, which is the default in TLS, has been the subject of several security issues in recent years. The new extension standardises an encrypt-then-MAC scheme that allows the ciphertext to be integrity-checked before any decryption is attempted on it.

It's not immediately clear if the new extension will have a practical impact on TLS security, however. A growing number of clients and servers support TLS 1.2 and authenticated suites, which don't share the same weaknesses. It's unlikely that older clients will be updated to support the new extension. As for TLS 1.3, it's probable that it will allow only authenticated suites, excluding all CBC suites and therefore sidestepping the weaknesses.