30 November 2016
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
The next version of the TLS protocol is nearing completion. There was again a debate on whether it should be rebranded and called TLS 2 or TLS 4. During the IETF conference in Seoul, a majority voted to keep the name TLS 1.3, but on the working group mailing list many people were in favor of the name TLS 4.
Representatives from the financial industry had previously raised concerns that the removal of the RSA key exchange in TLS 1.3 would remove the possibility to decrypt TLS traffic in data centers (mentioned in our September newsletter). This discussion led to a proposal on how to use static Diffie-Hellman ephemeral keys to achieve something similar.
Web site owners who still use certificates with the SHA-1 algorithm should replace them as soon as possible. Starting from January, Mozilla will reject such certificates with Firefox 51 if they chain to a publicly trusted root. Manually added roots can still use SHA-1.
Chrome plans to do the deprecation with version 56, to be released by the end of January. Chrome provides an option to allow an exception for locally added root certificates, however, that option will be removed in 2019. Microsoft plans the deprecation of SHA-1 for February 2017. Similarly to Mozilla, locally added roots will be exempted from this rule.
On the mailing list of the CA/Browser Forum Mozilla also announced stricter rules for the use of SHA-1 signatures with browser-trusted certificates for other use cases. That includes among others S/MIME (e-mail encryption) certificates and signatures on OCSP responses.
This subscription is just for the newsletter; we won't send you anything else.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof SSL and TLS, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.