Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.

Good: Google Trust Services (GTS) announced general availability of its ACME APIs, now available at no cost to anyone with a Google Cloud Platform (GCP) account. This is a fantastic addition to the ecosystem that improves diversity among free certificate providers. GTS also announced support for multiperspective domain validation and ACME renewal information (ARI).

Good: Let’s Encrypt botched issuance of 645 certificates during a configuration change. A combination of factors led to the creation of certificates that were not substantially the same as their corresponding precertificates. Read more about the problem in the incident report. There’s also a blog post from Andrew Ayer, who discovered the problem within minutes. We classify this as good based on the combination of community monitoring that led to near-immediate discovery of the problem and Let’s Encrypt’s fast reaction, transparency, and in-depth incident report.

Bad: The outlook is not good for E-Tugra, a new CA that was found to have an insecure website back in November 2022. That incident and E-Tugra’s handling led to its removal from the Chrome Root Store. Mozilla is still deliberating.

Ugly: Matt Holt discovered something very peculiar and highly irregular. HiCA, which bills itself as a “pure ACME tls certificate authority,” but is most definitely not a CA, used a security flaw in an ACME tool (acme.sh) to execute arbitrary code (!) on its customers computers in order to relay ACME requests to real CAs. Here’s the related Mozilla discussion.

Short news

Here are some things that caught our attention since the previous newsletter:

• Researchers have discovered five new attack classes in the way Microsoft Office signs documents: Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures.
• Over eighty civil society organizations, academics, and cyber experts from twenty-three countries wrote to the UK government over the threat to the security and privacy of billions of people who use apps like WhatsApp and Signal.
• Dialup.net shares the experience of porting modern TLS to Windows 3.1 in a blog post.
• Hashicorp Vault supports ACME as of version 1.14.0, released on June 21, 2023.
• The IETF published Reflections on Ten Years Past the Snowden Revelations, a memo in which four people looked back at the events that took place a decade ago.
• DNSSEC KSK rollover breaks DNS resolution for .nz domains. This is essentially the same problem as TLS certificate rotation, just for a great many domains all at once.
• Niels Provos, one of the authors of Bcrypt, a popular algorithm for password hashing, has written a password security retrospective on the algorithm’s twenty-fifth anniversary. It’s good to see Bcrypt still holding up, both against the attacks and against the competition. If you’d like to take a better look at how Bcrypt-hashed passwords are attacked, read this article from a couple of years ago.
• Chrome 115 supports post-quantum key exchange behind a feature flag.
• Read about a low-cost robot that automates “cold boot” attacks that are able to extract information from memory chips: Ice Ice Baby: Coppin' RAM With DIY Cryo-Mechanical Robot.
• padre is a tool that automates padding oracle attacks.
• OpenSSL 1.1.1, which started its life in 2018 as a long-term release (LTS), will reach its official end of life in September 2023. Although this means there will be no further official releases, operating system vendors may provide support on a different schedule; check with your vendor.
• Java is adding an API for key encapsulation mechanisms (KEMs) in JEP 452.
• From the archives: Read again about how the CIA used Crypto AG, a Swiss company, to compromise the security of many nations.
• Bundesamt für Sicherheit in der Informationstechnik (BSI) published a tool that checks TLS servers against the agency’s recommendations: TaSK Framework.
• Mozilla is starting the process of incorporating S/MIME Baseline Requirements into its root program.
• There’s a new website dedicated to ACME and the surrounding ecosystem.
• The Security Cryptography Whatever podcast talked to Matthew Garrett about Twitter’s direct message encryption. How good is it?
• AWS launched a new product called Payment Cryptography, intended to simplify implementation of cryptographic operations and accelerate PCI compliance.
• Sylvain Kerkour wrote about using SHA256 length extension attacks in practice.
• If you saw this in a movie, you wouldn’t believe it: stealing cryptographic keys by monitoring power LEDs.
• A paper published online looks at analysis of random number generation in the Cisco ASA platform.
• The Computer Science Department at ETH Zurich released a new research paper, Security Analysis of MongoDB Queryable Encryption, which uncovered significant vulnerabilities.
• Robert Alexander looked at the adoption of HSTS preloading.