Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.

Back in July, Microsoft disclosed a serious security breach that allowed a threat actor to compromise email accounts belonging to twenty-five organizations, seemingly mostly government agencies. The problem was that a so-called MSA key, which is used for signing in Microsoft’s consumer environment, was compromised. Unexpectedly, that key was then able to be used in Microsoft’s enterprise environment.

There wasn’t enough information initially to fully understand how the attack took place, but Microsoft released further information two months later. What can we learn from it?

First, we can confirm yet again that security is difficult and that even the largest organizations in the world can’t get enough things right to prevent extremely high-profile breaches. Reading through, there have been many factors that contributed to making the exploitation possible. Here are the highlights:

• The signing process crashed, causing the private key to be recorded in the crash dump (which shouldn’t have happened).
• The crash dump was then moved into the less-secure corporate environment, but the very sensitive key in it was not detected by the credential-scanning system that’s in place.
• The threat actor compromised an account belonging to a Microsoft engineer and gained access to the key. ASCII keys are easy to detect in files, but there is also a detection method based on entropy (via Ryan Hurst).
• Microsoft doesn’t have the logs that far back and thus doesn’t have any actual evidence of the exfiltration.
• The MSA key shouldn’t have been able to control access to enterprise email, but the libraries didn’t perform scope validation by default and no one told the developers and/or checked that the required validation was in place.
• Wiz reported that the certificate matching the stolen key expired in 2021, so it’s not quite clear why the threat actor was able to use it for signing in 2023. Microsoft didn’t provide any information about this.

Microsoft’s write-up is very informational, although it doesn't explain everything. Perhaps the main unanswered question is: Why wasn’t such a sensitive key protected with an HSM?

Short news

Here are some things that caught our attention since the previous newsletter:

• In the UK, the parliament passed the Online Safety Bill without any safeguards for end-to-end encryption. For a brief time, there was hope that an amendment would be made to explicitly protect security, but such an amendment was unfortunately rejected. Both Joe Mullin for the EFF and the Open Rights Group have written about the passage of the bill. There was very little mention—if any—of it in the mainstream media.
• Jacob Appelbaum’s PhD thesis from last year came into the spotlight because it offered some previously unknown tidbits from the Snowden documents.
• Signal updated its protocol to add quantum resistance; it’s called PQXDN.
• Brian Smith is embarking on a journey to build a FIPS-validated crypto library in safe Rust. His effort was born out of desire to build a native Rust crypto library, with sponsorship from Ditto.
• Emily Starks writes about the possibility of end-to-end encryption on the web.
• Mozilla’s Security Risk Ahead campaign warned that the wording of Article 45 hasn’t improved, despite some promising signs earlier.
• Chrome is planning to ship full support for the TLS Encrypted ClientHello (ECH).
• Fake Signal and Telegram apps have been discovered and removed from the Google Play Store.
• The Security Cryptography Whatever podcast has a new episode, discussing Zenbleed and Downfall.
• Ram Sundara Raman et al. released their research on global tampering of network communications. The paper is available online.
• OpenSSL 1.x has reached its end of life (EOL), five years after its last release in 2018. Although some platforms may continue to provide support, the future is now with OpenSSL 3.x.
• The performance of the secp384r1 curve in OpenSSL has been known to be lagging behind other curves, lacking optimization. Rohan McLure fixed that, yielding five times better performance.
• In a blog post, Scott Arciszewski writes about how to build a secure JWT library, if you must.
• Apple revealed more information about its decision to abandon content scanning on users’ devices, Lily Hay Newman writes for Wired. The content of the original email is available online.
• You can achieve full disk encryption bypass and root shell on TPM-protected Ubuntu 20.04…by pressing enter multiple times really fast.
• PKI Consortium’s second Post-Quantum Cryptography conference will be held in Amsterdam on November 7 and 8.
• Keystroke timing obfuscation was added to SSH. The mechanism kicks in when there is little traffic and switches to sending data at small but fixed time intervals.
• Clément Labro wrote a blog post titled “A Deep Dive into TPM-based BitLocker Drive Encryption.”