Cryptography & Security Newsletter

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Hanno Böck.

TLS 1.3 in final stages

The next version of the TLS protocol is nearing completion. There was again a debate on whether it should be rebranded and called TLS 2 or TLS 4. During the IETF conference in Seoul, a majority voted to keep the name TLS 1.3, but on the working group mailing list many people were in favor of the name TLS 4.

Representatives from the financial industry had previously raised concerns that the removal of the RSA key exchange in TLS 1.3 would remove the possibility to decrypt TLS traffic in data centers (mentioned in our September newsletter). This discussion led to a proposal on how to use static Diffie-Hellman ephemeral keys to achieve something similar.

SHA-1 finally on its way out

Web site owners who still use certificates with the SHA-1 algorithm should replace them as soon as possible. Starting from January, Mozilla will reject such certificates with Firefox 51 if they chain to a publicly trusted root. Manually added roots can still use SHA-1.

Chrome plans to do the deprecation with version 56, to be released by the end of January. Chrome provides an option to allow an exception for locally added root certificates, however, that option will be removed in 2019. Microsoft plans the deprecation of SHA-1 for February 2017. Similarly to Mozilla, locally added roots will be exempted from this rule.

On the mailing list of the CA/Browser Forum Mozilla also announced stricter rules for the use of SHA-1 signatures with browser-trusted certificates for other use cases. That includes among others S/MIME (e-mail encryption) certificates and signatures on OCSP responses.

Short News

• OpenSSL released the security update 1.1.0c. It fixes a heap overflow in the ChaCha20/Poly1305 cipher, but the OpenSSL team believes that this isn’t exploitable beyond crashing the server. Two other minor security issues were fixed.
• For many years the company Alexa published a list of the one million most popular web sites according to data they collect with a browser toolbar. Recently Alexa took the list down and announced that in the future the data will only be available via a fee-based API. However, shortly after that Alexa reverted that decision and announced that the file is temporarily back. It is unclear what that means for the future. The Alexa list is very popular among security researchers, who use it to assess the popularity of security features among popular web hosts.
• Peter Shor and Lior Eldar published a quantum computing algorithm that would have questioned the security of lattice-based cryptography schemes. Lattice-based cryptography is one of the most promising ways to do efficient post-quantum cryptography, a quantum attack would therefore have a huge impact. However, Oded Regev found a flaw in the algorithm which was confirmed by Lior Eldar.
• A security vulnerability (CVE-2016-9015) was discovered in the certificate validation function of urllib3, a Python HTTP library. It was found to only affect very unusual configurations. Version 1.18.1 fixes this bug.
• The web site of Smashing Magazine, a news publication for web developers, had some trouble with HTTP Public Key Pinning (HPKP) - another account of the potential problems of this feature. This highlights the fact that website owners should be very careful when deploying HPKP and probably avoid it if they aren’t fully aware of the risks.
• The Mono TLS implementation now supports TLS 1.2.
• Tesla# (pronounced Tesla sharp) is a new post quantum signature algorithm based on the ring learning with errors problem (RLWE). Most existing RLWE-algorithms are either encryption or key exchange algorithms.
• BearSSL is a new TLS library written in C. It doesn’t implement many potentially insecure features of old TLS versions. BearSSL is released under the free MIT license.
• Google has published statistics about the HTTPS usage of different versions of the Chrome browser. On most platforms the share of HTTPS is above 50 percent. Android has the lowest HTTPS share among the supported operating systems.
• Let’s Encrypt has launched a crowdfunding campaign. Their goal is to get $200,000 in donations.
• The hosting company OVH announced that it will renew expired paid certificates automatically with Let’s Encrypt certificates.
• The PQCRYPTO project has published talk videos from a workshop held in June in Utrecht.
• Several vulnerabilities have been discovered in the Go JOSE library, including an invalid curve attack. JOSE is an encryption standard for JSON.
• A bypass of the mixed content restrictions in Internet Explorer is possible with redirects and the document.write Javascript function.
• Earlier this year the Sweet32 attack exploited block ciphers with a 64 bit block size like Triple-DES. This weakness had been well known for a long time. Juraj Somorovsky pointed out that the Ocaml-TLS project had a bug report on this issue since 2014.
• A research paper investigates the prevalence of invalid TLS certificates among Internet-wide scans. It points out that certificates can be used to track devices with changing IPs across scans.
• Firefox will soon ship a feature that warns of forms on insecure HTTP pages. Google announced a similar move with Chrome in September. Eric Lawrence pointed out that many notable web pages, including Ars Technica, the New York Times and Booking.com, still use insecure login forms.
• A research paper looks at the adoption of Let’s Encrypt certificates. Notably, it finds that many certificates issued are not in use and that many sites have misconfigurations.
• Let’s Encrypt reported a flaw in its issuance blocklist. Let’s Encrypt does not usually issue certificates for .mil domains and all domains containing .gov. However, due to a bug, the blocking of such domains didn’t work and various certificates were issued.
• In 2012 two research groups identified many devices with RSA keys that could be broken due to shared prime factors. A new paper looks at how this research affected devices. One of the authors - Nadia Heninger - was already leading one of the original research projects in 2012. The conclusion of the paper is that the number of affected devices has actually grown over the years and many vendors never released a patch for this flaw.
• Due to a bug in Chrome, some older versions of the browser rejected all certificates from Symantec. This was due to a time bomb implemented in the Certificate Transparency rules of the browser.
• The next version of Curl will support HTTPS proxies. This fully encrypts the connection between a client and a proxy.
• Researchers from Microsoft and the Princeton University presented a new post quantum signature scheme that is based on symmetric encryption primitives.
• Mozilla developer Gervase Markham started a discussion about Certificate Transparency policies for Firefox. Firefox will therefore soon get support for Certificate Transparency.
• Ivan Ristić announced changes in the SSL Labs grading for 2017. Various minor improvements have also been added to the SSL Labs test, notably that it can now show multiple certificate chains.
• Mozilla requires certificate authorities to disclose all intermediate certificates. However, many haven’t done so until now. Mozilla developer Gervase Markham now considers blocking these undisclosed certificates via OneCRL.
• Java 9 will bring some improvements to its TLS stack: Support for ALPN, OCSP Stapling and DTLS.
• The CA/Browser Forum had a lengthy discussion about its IPR (Intellectual Property Rights) policy. The core of the discussion is how to interpret certain existing rules and whether the policy has been violated in the past.
• In October the certificate authority GlobalSign accidently revoked an intermediate certificate. This caused widespread certificate validation failures. Some readers asked why this wasn’t mentioned in the newsletter. The simple and unfortunate reason is - we forgot. Apologies for that.