29 Jun 2023
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.
Here are some things that caught our attention since the previous newsletter:
Good: Google Trust Services (GTS) announced general availability of its ACME APIs, now available at no cost to anyone with a Google Cloud Platform (GCP) account. This is a fantastic addition to the ecosystem that improves diversity among free certificate providers. GTS also announced support for multiperspective domain validation and ACME renewal information (ARI).
Good: Let’s Encrypt botched issuance of 645 certificates during a configuration change. A combination of factors led to the creation of certificates that were not substantially the same as their corresponding precertificates. Read more about the problem in the incident report. There’s also a blog post from Andrew Ayer, who discovered the problem within minutes. We classify this as good based on the combination of community monitoring that led to near-immediate discovery of the problem and Let’s Encrypt’s fast reaction, transparency, and in-depth incident report.
Bad: The outlook is not good for E-Tugra, a new CA that was found to have an insecure website back in November 2022. That incident and E-Tugra’s handling of it led to its removal from the Chrome Root Store. Mozilla is still deliberating.
Ugly: Matt Holt discovered something very peculiar and highly irregular. HiCA, which bills itself as a “pure ACME tls certificate authority” but is most definitely not a CA, used a security flaw in an ACME tool (acme.sh) to execute arbitrary code (!) on its customers’ computers in order to relay ACME requests to real CAs. Here’s the related Mozilla discussion.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 2,000 students who have benefited from more than a decade of deep TLS and PKI expertise.