Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

We’re looking back at an eventful year in the TLS space. The most notable development in 2016 was that we are finally seeing the web adopting HTTPS as the new default.

Countless web pages and organizations have switched their default to the secure transport protocol in the past year: Wordpress.org, The Guardian, Wired, SourceForge, Blogspot and many more. According to Mozilla’s telemetry data TLS-encrypted traffic surpassed 50 percent in October. There’s still a huge chunk of the web that is not encrypted and it’ll probably take many more years until we can disable HTTP.

We’ve also seen some notable new attacks: SLOTH, Sweet32 and DROWN reminded us that old, insecure algorithms still pose a threat. The Nonce Reuse attack points out how fatal implementation flaws can be. And the rediscovered HEIST/TIME attack highlights an unsolved problem with encryption and compression.

Certificate authorities continue to be a concern when it comes to the security of TLS. The case of WoSign and StartCom is a reminder of that. However, thanks to Certificate Transparency - which will be required for all new certificates starting October 2017 - the abuse of certificates can be detected much better these days.

We already have a very good idea what the dominant topic in 2017 will be: TLS 1.3 is around the corner and will provide better security and better performance for encrypted connections.

Short news

• Google developer Adam Langley has proposed to require the generation of new Ephemeral Diffie-Hellman keys for each connection in TLS 1.3. Reused ephemeral keys can defeat forward secrecy and have been the source of security vulnerabilities in the past. This proposal by Langley is in conflict with another proposal to use reused ephemeral keys in order to be able to decrypt traffic for surveillance purposes inside organizations. This was proposed in response to a request from a financial industry lobby organization that wanted to be able to decrypt traffic on the wire with a static key. According to Langley, “TLS is not designed to be decrypted by third-parties—that's kind of the point.”
• Several TLS-related talks were given at the 33rd Chaos Communication Congress (33C3), covering TLS 1.3, Certificate Transparency and DROWN. The author of this newsletter gave a talk about Evidence-Based IT-Security.
• The blog software WordPress announced that in 2017 they’ll start adding features that require HTTPS. They’ll also only recommend hosting providers that provide HTTPS certificates by default.
• Adam Langley posted results from Google’s experiments with a hybrid post-quantum key exchange mechanism based on Curve25519 and New Hope. He also announced that Google will now end this experiment and future versions of Chrome will stop supporting the hybrid exchange CECPQ1.
• Thyla van der Mewe and Kenny Patterson published an analysis of changes in the TLS standardization process and came to the conclusion that the TLS working group adopted an “analysis-prior-to-deployment” design philosophy.
• mitmAP is an implementation of a Man-in-the-Middle access point that implements SSL Stripping attacks.
• Google released Project Wycheproof, an analysis framework for cryptographic algorithm implementations. It tests implementations for known common implementation flaws. In its current form it is focused on Java implementations. The lead developer is the cryptographer Daniel Bleichenbacher, who found several notable attacks on RSA implementations in the past.
• Google has started Daedalus, a Certificate Transparency log dedicated to store expired certificates. In the past, mass submissions of old certificates to Google’s logs have caused uptime issues, as we reported in our October newsletter.
• Facebook has stopped using SHA-1-certificates.
• Two research papers proposed post-quantum signature schemes based on the supersingular isogeny problem ([1], [2]).
• BearSSL developer Thomas Pornin wrote an explanation of constant-time crypto implementations.
• SourceForge now offers hosted projects to switch their web pages to HTTPS.
• mitmproxy, a tool to implement Man-in-the-Middle attacks with TLS support, has released version 1.0.0.
• Researchers from the University of Michigan have analyzed TLS properties that impact Forward Secrecy on TLS connections, including ephemeral key reuse, session resumption and session tickets.
• Apple delayed its plans to require TLS-protected connections via App Transport Security in its App Store. Originally, this requirement was planned for the end of 2016.
• Heroku explains how they were able to significantly improve the performance of their TLS connections with a change in the TLS stack of Erlang. The caching behavior for TLS certificates caused a significant slowdown.
• A vulnerability in the SMACK XMPP library allowed STARTTLS stripping attacks. Version 4.1.9 fixes this.
• By using a technology called domain fronting the Signal messenger tries to use HTTPS to circumvent censorship in some countries.
• A timing attack against the NIST P-256 elliptic curve implementation in certain versions of OpenSSL has been detected.
• An article on Motherboard calls for porn web pages to adopt HTTPS.
• We reported in September that iTunes supports HTTPS for Podcasts only with a very limited number of certificate authorities. Most notably, Let’s Encrypt was not supported. This has now changed and podcasters using Let’s Encrypt have no more excuse to not use HTTPS by default.