Bulletproof TLS Newsletter #3
Support for SSL v3 is eroding
27 November 2014
This issue was distributed to 8,208 email subscribers.

Welcome to another Bulletproof TLS Newsletter. As before, there were many interesting developments in the computer security space, even in the smaller SSL/TLS segment that we care about here.

In this issue:

  1. Support for SSL v3 is eroding after POODLE discovery in October
  2. Chrome 39 starts to penalize sites with long-lived SHA1 certificates
  3. Remote code execution vulnerability in Schannel requires patching
  4. Free certification authority announced for Q2 2015
  5. ENISA released update of their cryptographic guidelines

Support for SSL v3 is eroding after POODLE discovery in October

After the disclosure of POODLE in October, many companies started to disable SSL v3, the only protocol version vulnerable to this attack. Leading the way are content delivery networks, such as Akamai and CloudFlare. Large companies, such as Amazon, are doing the same. The November SSL Pulse results show a 37.4% drop in support for SSL v3, currently at 60.6%. Chrome 39 disabled fallback to SSL v3, which should help defend against POODLE even with servers that don't support TLS_FALLBACK_SCSV. Chrome 40 and Firefox 34 (due on December 1st) are expected to disable SSL v3 altogether. Microsoft is expected to disable this protocol version at some point in 2015, on top of already disabling it on Azure and Office 365.
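As an added example (not part of the original newsletter), this is what the server-side change described above looks like for nginx, with the weak setting and the corrected one side by side; the host name and file paths are placeholders. Note that server-side TLS_FALLBACK_SCSV support comes from the underlying TLS library, not from this directive.

```nginx
# Weak: the default of nginx releases of the time still offered SSL v3,
# so a client that falls back (or is forced to fall back) can land on
# the one protocol version POODLE applies to.
#
#   ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

server {
    listen 443 ssl;
    server_name example.com;                            # placeholder

    ssl_certificate     /etc/ssl/certs/example.com.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key; # placeholder path

    # Corrected: SSL v3 is removed from the list, so there is no
    # vulnerable version left for any client to negotiate.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```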


Chrome 39 starts to penalize sites with long-lived SHA1 certificates

Google released the stable version of Chrome 39, the first version of this browser to start warning about SHA1 certificates. This release warns about SHA1 certificates that expire in 2017. Versions 40 and 41 will increase the scope of the warnings to include certificates that expire in 2016. If you're still using SHA1 certificates that expire in 2016, you have two options. For best compatibility with older clients, reissue your SHA1 certificates to expire in late 2015. If your user base consists largely of modern clients, you can migrate to SHA256 (or better) straight away.

According to the SSL Pulse results for November, SHA1 is now used on about 76.8% of servers, down 5.3% since October.


Remote code execution vulnerability in Schannel requires patching

On 11 November 2014, Microsoft disclosed a remote code execution vulnerability in Schannel, MS14-066. This critical issue affects virtually all Microsoft platforms and should be patched as soon as possible.


Free certification authority announced for Q2 2015

In exciting news for heavy certificate users, the Internet Security Research Group (ISRG) announced that a new certification authority (CA) called Let's Encrypt will be launched in Q2 2015. This new CA will provide certificates free of charge, with special focus on automated installation and renewal. ISRG is supported by Akamai, Cisco, EFF, IdenTrust, and Mozilla.


ENISA released update of their cryptographic guidelines

The European Union Agency for Network and Information Security (ENISA) released the 2014 version of its cryptographic guidelines report, covering algorithms, key sizes, and other parameters. This comprehensive and practical report discusses the suitability of various primitives in two scenarios: legacy and new deployments.