27 Sep 2023
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.
Back in July, Microsoft disclosed a serious security breach that allowed a threat actor to compromise email accounts belonging to twenty-five organizations, seemingly mostly government agencies. The problem was that a so-called MSA key, which is used for signing in Microsoft’s consumer environment, was compromised. Unexpectedly, that key could then also be used in Microsoft’s enterprise environment.
There wasn’t enough information initially to fully understand how the attack took place, but Microsoft released further information two months later. What can we learn from it?
First, we can confirm yet again that security is difficult and that even the largest organizations in the world can’t get enough things right to prevent extremely high-profile breaches. Reading through the write-up, many factors contributed to making the exploitation possible. Here are the highlights:
Microsoft’s write-up is very informative, although it doesn’t explain everything. Perhaps the main unanswered question is: Why wasn’t such a sensitive key protected with an HSM?
Here are some things that caught our attention since the previous newsletter:
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 2,000 students who have benefited from more than a decade of deep TLS and PKI expertise.