Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.

Comodo tries to register trademarks for Let’s Encrypt

Let’s Encrypt saw its name endangered by several trademark registration attempts from Comodo. In October 2015 Comodo tried to register three trademarks, “‘Let’s Encrypt”, “Comodo Let’s Encrypt” and “Let’s Encrypt with Comodo”. Let’s Encrypt was first publicly announced in November 2014, almost a year earlier, therefore it can be assumed that these registrations didn’t happen by accident and that Comodo had been aware that a competitor under that name was planning to start operating soon.

Shortly after the Let’s Encrypt announcement, a post on the Comodo forum stated that the company had filed a request for express abandonment of these trademark applications. Let’s Encrypt confirmed that.

Comodo’s CEO Melih Abdulhayoğlu indicated that the registration of the trademarks was a response to the fact that Let’s Encrypt had copied Comodo’s business model of offering free certificates with a validity of 90 days. However, the comparison is questionable: Comodo offers 90 day trial certificates, but prolonging them is not free; Let’s Encrypt uses 90 day certificates that are free to renew.

New record in calculating discrete logarithms (768 bit)

A team of researchers from EFPL and the University of Leipzig achieved a new record in calculating discrete logarithms. By using the number field sieve and a cluster of 200 cores running since February 2015, the team was able to compute a discrete logarithm in a prime field with a 768 bit long prime.

The discrete logarithm problem is the basis of cryptographic algorithms like DSA and the Diffie-Hellman key exchange. While it has been known for a long time that discrete logarithms with group sizes of 768 bit are potentially insecure, they were still in use up to quite recently. After the Logjam attack, browsers increased the minimum size of the Diffie-Hellman group to 1024 bit, which caused incompatibilities with a sizeable number of devices.

ChaCha20 and Poly1305 for TLS specified

IETF published RFC 7905, which is an official specification for the use of the algorithm ChaCha20 and the mode Poly1305 in TLS. ChaCha20 is a stream cipher developed by Dan Bernstein and a variant of the Salsa20-cipher, which was one of the winners of the ESTREAM competition. Poly1305 is an authenticated encryption mode.

The deployment of this new cipher was a response to many attacks discovered against other widely used TLS cipher suites. Many variants of so-called padding oracle attacks have challenged the security of CBC-based TLS ciphers. And biases in the keystream of RC4 enabled attacks on these cipher modes as well. The only cipher modes left in TLS were those based on the Galois/Counter-Mode (GCM).

There haven’t been any significant attacks against GCM, but the mode is not very popular among cryptographers. It has a reputation of being hard to implement safely. Another concern with GCM in TLS is the fact that implementations have to choose a nonce value, and that is a problem because if that nonce value is ever repeated, the cipher fails catastrophically (see the May edition of this newsletter). The new ChaCha20/Poly1305-specification considers this problem and doesn’t leave the choice of the nonce up to the implementer.

Google, Cloudflare and others have been using preliminary versions of the new cipher modes for quite some time. Firefox supports the new cipher suite since version 47, and OpenSSL will support it in the upcoming version 1.1.

The comeback of TLS version fallbacks?

Google developer Adam Langley wrote a detailed explanation of the challenges of algorithm and version agility in TLS. Langley expects that version fallback workarounds will come back with TLS 1.3. This was confirmed by Google developer David Benjamin on the TLS working group mailing list.

TLS version fallbacks were introduced by browsers in the past, because some servers misbehave if a browser tries to connect with a higher version of TLS than the server supports. A correctly behaving server can signal the client that it only supports a lower version.

These version fallbacks enabled some attacks in the past, notably the Virtual Host Confusion attack and the POODLE attack.

Symantec acquires Blue Coat

Cloudflare developer Filippo Valsorda recently pointed out that Symantec had issued an intermediate certificate to the company Blue Coat. That caused some uproar because Blue Coat has a questionable reputation in the cryptographic community. It has been named an Enemy of the Internet by Reporters Without Borders.

Shortly after that incident Symantec announced that they have acquired Blue Coat.

Amazon, Techcrunch and the Sun enable HTTPS by default

Amazon has long been one of the most significant web pages that did not use HTTPS by default. Up until recently, the company only used HTTPS for the login itself, but not for the whole web page. Such constructions are not secure due to SSL stripping attacks. Amazon has now moved to HTTPS by default and HTTP requests to the Amazon domain are now redirected. However, Amazon still doesn’t use HTTP Strict Transport Security (HSTS).

The British newspaper Sun and the IT news site Techcrunch recently joined the few media web pages that use HTTPS by default. News media sites have been slow in adopting HTTPS, because many ad networks refuse to support the encrypted protocol.

Telemetry data from Firefox suggests that 45% of web connections use HTTPS these days. Let’s Encrypt suggests that this number could surpass 50% this year.

Short news

• Tor developer Isis Lovecruft and cryptographer Peter Schwabe developed a proposal to use a hybrid key exchange incorporating the post quantum algorithm New Hope. The proposal caused a discussion on the tor-dev mailing list in which Peter Schwabe gave a good overview of available post quantum key exchange options.
• Let’s Encrypt accidentally leaked around 7,000 email addresses due to a bug in their mail system. The email addresses were attached to the body of an email sent to their subscribers.
• A research paper uncovers a vulnerability in OpenSSL and all its forks that allows cache side-channel attacks against the DSA algorithm. DSA is rarely used these days, but the attack is a reminder that side-channel issues are a very common problem in cryptographic software.
• Another research paper discovered a cache side channel vulnerability in the RSA implementation of Libgcrypt. The research will be presented at the upcoming CHES conference. Libgcrypt 1.6.3, which was released in early 2015, contains a fix for this issue.
• The Norwegian National Security Authority (NSM) proposes that all public web services from the government should always use HTTPS in the future. They assess that right now only 5 percent of publicly owned domains use HTTPS. In a similar move, the UK’s Government Digital Service (GDS) published a requirement for all services under the service.co.uk domain to use HTTPS and HSTS. E-Mail services under that domain will need to use DMARC.
• Cloudflare published a detailed explanation of the performance interactions between TCP and TLS. To optimize throughput, they suggest to dynamically change the TLS record size during connections. A patch to implement this in the nginx web server is available.
• AirStash is working on a Rust implementation of TLS called moatTLS. The motivation and design principles are explained in a paper published at the Symposium on Trends in Functional Programming (TFP). AirStash announced that they plan to publish the code as Open Source, but it is not available yet.
• David Wong investigated the possibility of creating backdoored Diffie-Hellman parameters. Wong was able to show that it is possible to create a so-called NOBUS backdoor for Diffie-Hellman parameters, meaning that only the person who created the parameters can use that knowledge to break the encryption. This work was motivated by the discovery earlier this year that the tool socat contained predefined Diffie-Hellman parameters where the modulus was not prime. This should never be the case for correct parameter sets (see our February Newsletter).
• Florian Bogner disclosed a vulnerability in the update process of the password manager KeePass. It was using insecure HTTP connections to fetch updates. Initially KeePass was unwilling to fix the vulnerability claiming that it would mean reduced advertising revenue. It is unclear why this should be the case. However, soon after that KeePass announced that they have introduced a signed update process that additionally uses HTTPS.
• The OCaml-TLS project published C bindings for its code. OCaml-TLS is a TLS implementation from the MirageOS project.
• GnuTLS fixed a security issue that could allow an attacker to abuse Setuid executables to write arbitrary corrupt files to the filesystem. This issue only affects GnuTLS 3.4.12 and is fixed in 3.4.13. The issue does not affect the 3.5 version branch.
• GnuTLS version 3.5.1 has been released. It allows completely disabling SSLv3 during compile time. It also introduces support for the OCSP Must Staple extension.
• NSS version 3.25 has been released. Most notably it contains many improvements in the experimental TLS 1.3 implementation, as well as support for GCM cipher suites using SHA384 and AES-256.
• A vulnerability has been discovered in Netgear’s router models D6000 and D3600. The routers contain a preconfigured TLS certificate and private key, and the private key can very easily be extracted from the firmware. Similar vulnerabilities were found in many router models in the past (see our November 2015 Newsletter).
• New service SSLPing allows monitoring of HTTPS servers and sends a warning email on common mistakes (misconfigurations, certificate errors).
• A bug in Firefox disables HTTP Public Key Pinning (HPKP) if a certificate is using the OCSP Must Staple extension.
• StartCom launched a new service called StartEncrypt. It automates the issuance and renewal of certificates for the StartSSL certificate authority.
• The author of this newsletter (Hanno Böck) gave a talk at the Ruhr-Universität Bochum about attacks on TLS (video, slides) and another talk specifically about TLS implementation failures at the AusCERT conference (video, slides).
• In 2014 BoringSSL incorporated a change in the montgomery multiplication code to make it constant time. Brian Smith pointed out that this change has not yet been incorporated into OpenSSL.
• Bitdefender researcher Radu Caragea presented a way to extract keys from a virtual machine if an attacker controls the host system at the Hack in the Box conference in Amsterdam.
• TLS 1.3 will disable the TLS compression feature. The CRIME attack showed that TLS compression is inherently insecure. While TLS compression wasn’t used widely for web connections, it was used for the news group protocol NNTP. Work has now started on a dedicated NNTP compression protocol and a draft is available.
• At the Apple Worldwide Developers Conference the company announced that starting from January 2017, apps for iOS will have to use encrypted HTTPS connections. Apple also announced support for the Certificate Transparency system.
• The credit card security standard PCI-DSS 3.1 has been delayed until 2018. It will require payment services to move to newer TLS versions and will deprecate use of TLS 1.0.
• Microsoft developer Christian Huitema explains the work on the Edge browser on supporting TLS 1.3, TLS False Start and TCP Fast Open in order to improve the performance of TLS connections.
• A research paper investigates possibilities to create backdoored random number generators. This was motivated by the incidents around the Dual EC DRBG random number generator. The work will be presented at the Crypto 2016 conference.
• In a Twitter discussion it was noted that the Intel processor instruction RDRAND can fail if called from multiple threads. This poses a risk for cryptographic applications relying exclusively on RDRAND to provide randomness. However, most random number generator implementations only use RDRAND as one randomness source among others.
• A research paper presents a method of injecting faults into cryptographic operations with the Rowhammer attack. Rowhammer is an attack on faulty behaving DRAM memory chips. The attack can be executed from user space and can be used across virtual machines.
• Florian Weimer points out that MatrixSSL 3.8.3, which was released in April, comes with a protection for key leaks due to calculation errors in the RSA-CRT optimization. Weimer had previously observed such errors leaking keys in the wild. He published a background paper on this issue last year.