Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

1. Cisco and Spotify ship private keys in applications
2. Short news

Cisco and Spotify ship private keys in applications

Several cases of the problematic practice of shipping private keys within applications have been discovered lately. Koen Rouwhorst found that the Sky NOW TV Player shipped with a certificate for a domain owned by Cisco and the corresponding private key. Shortly thereafter, Annie Nguyen reported that an application by Spotify had a very similar problem. Several previous cases existed, involving Github, Dropbox, and Discord, but all those certificates were previously known and already revoked.

In most of these cases, the intent of the certificate is for an application to open a local web server so that a web service from a company can communicate with the server within a browser. As ever-increasing numbers of web pages move to HTTPS, this process will be blocked if the local server doesn’t have a valid certificate.

Discussions are ongoing about whether browsers should treat localhost IPs such as 127.0.0.1 as secure origins even if they are delivered over unencrypted HTTP. Future browsers might allow this practice without a need for shipping certificates and keys. However, the Baseline Requirements of the CA or browser forbid such practices. If a private key becomes public, then the corresponding certificate is revoked.

Short news

• The Register reports that a problem with OCSP stapling on Microsoft’s Azure platform has caused problems for Firefox users. The technical details are unclear.

• The number of sites using HPKP in Alexa's top one million list has increased from 187 to over six thousand. This is likely due in part to Tumblr enabling HPKP for sites it hosts.

• StartCom certificates are no longer trusted by major browsers. It doesn’t seem to work well at the failed certificate authority: A posting to the Mozilla security policy mailing list reports that StartCom recently issued several bogus certificates.

• A research paper presents an improved algorithm for the SIDH key exchange. Supersingular isogeny Diffie-Hellman (SIDH) is a proposed method for a postquantum key exchange.

• A sidechannel attack against the BLISS signature scheme was discovered. BLISS is a lattice-based postquantum signature algorithm.

• A vulnerability in GnuTLS could lead to a null pointer and a crash. The bug was found with the tlsfuzzer tool.

• The crt.sh web interface with Certificate Transparency now allows for direct use of SQL queries to search for certificates.

• Several scans of Alexa’s top one million list by Mozilla developer April King over the past year reveal changes in various security features, including TLS-related features such as HSTS and HPKP.

• Dyn and Cloudflare have enabled support for CAA records in their DNS servers.

• DigiCert has opened its Certificate Transparency log for other certificate authorities.

• In a long blog post, Red Hat explains changes in security and cryptography features in Red Hat Enterprise Linux 7.4. This includes the deprecation of several problematic, older TLS features.

• Tavis Ormandy from Google's Project Zero found several undisclosed intermediate certificates in PDF files found on the Internet. Certificate authorities are required to disclose intermediate certificates publicly that are trusted by browsers, but they regularly fail to do so.

• Talos reports on a stack overread vulnerability in the X.509 parsing of MatrixSSL.

• A research paper investigates the qubits needed to break current public key algorithms with quantum computers. It concludes that elliptic curve algorithms are easier to break with quantum computers than RSA.

• A vulnerability in FreeRADIUS allows for bypassing the TLS authentication.

• Preact-CLI, a tool to develop web applications, contains a serious vulnerability. The tool ships a certificate and a private key for development purposes. This alone would be problematic, but the bundled certificate is a certificate authority. Thus, if a developer using Preact-CLI accepts the certificate in his browser, then he’s vulnerable to man-in-the-middle attacks from certificates signed with this certificate authority.

• Microsoft wants to encourage its customers to prepare for the deprecation of TLS 1.0 and 1.1. In a blog post and a white paper, Microsoft gives advice on how to test software and infrastructure for incompatibilities with the latest TLS version, TLS 1.2. TLS 1.0 and 1.1 have fallen out of favor, mostly due to padding oracle vulnerabilities such as Lucky Thirteen.

• EJBCA is Java software to manage certificate authorities and is used by many TLS certificate providers. In a series of blog posts, EJBCA’s developers provide an overview of the current state of the software.

• Researchers from Fox-IT have presented a TEMPEST attack against AES. By measuring electromagnetic waves, they were able to reconstruct AES keys up to a distance of one meter.

• Guido Vranken found several vulnerabilities in OpenVPN with libFuzzer.
• Some debates have erupted recently over the correct use of elliptic curve cryptography. An incorrect use of the Ed25519 signature scheme caused a vulnerability in the CryptoNote cryptocurrency. And some questions have been raised about Curve25519.
• A new sidechannel attack against sliding window implementations of modular exponentiation allows breaking RSA in some circumstances. This affects libgcrypt, the library behind GnuPG.