27 November 2014
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.
Welcome to another Bulletproof TLS Newsletter. As before, there were many interesting developments in the computer security space, even in the smaller SSL/TLS segment that we care are about here.
After the disclosure of POODLE in October, many companies started to disable SSL v3, the only protocol version vulnerable to this attack. Leading the way are content delivery networks, such as Akamai and CloudFlare. Large companies, such as Amazon, are doing the same. The November SSL Pulse results show a 37.4% drop in support for SSL v3, currently at 60.6%. Chrome 39 disabled fallback to SSL v3, which should help defend against POODLE even with servers that don't support TLS_FALLBACK_SCSV. Chrome 40 and Firefox 34 (due on December 1st) are expected to disable SSL v3 altogether. Microsoft is expected to disable this protocol version at some point in 2015, on top of already disabling it on Azure and Office 365.
Google released the stable version of Chrome 39, the first version of this browser to start warning about SHA1 certificates. This release warns about SHA1 certificates that expire in 2017. Versions 40 and 41 will increase the scope of the warnings to include certificates that expire in 2016. If you're still using SHA1 certificates that expire in 2016, you have two options. For best compatibility with older clients, reissue your SHA1 certificates to expire in late 2015. If your user base consists largely of modern clients, you can migrate to SHA256 (or better) straight away.
According to the SSL Pulse results for November, SHA1 is now used on about 76.8% servers, down 5.3% since October.
On 11 November 2014, Microsoft disclosed a remote code execution vulnerability in Schannel, MS14-066. This critical issue affects virtually all Microsoft platforms and should be patched as soon as possible.
In exciting news for heavy certificate users, the Internet Security Research Group (ISRG) announced that a new certification authority (CA) called Let's Encrypt will be launched in Q2 2015. This new CA will provide certificates free of charge, with special focus on automated installation and renewal. ISRG is supported by Akamai, Cisco, EFF, IdenTrust, and Mozilla.
European Union Agency for Network and Information Security (ENISA) released the 2014 version of its cryptographic guidelines report, covering algorithms, key sizes, and other parameters. This comprehensive and practical report discusses suitability of various primitives in two scenarios: legacy and new deployments.
This subscription is just for the newsletter; we won't send you anything else.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.