29 June 2017
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
Several cases of the problematic practice of shipping private keys within applications have been discovered lately. Koen Rouwhorst found that the Sky NOW TV Player shipped with a certificate for a domain owned by Cisco and the corresponding private key. Shortly thereafter, Annie Nguyen reported that an application by Spotify had a very similar problem. Several previous cases existed, involving Github, Dropbox, and Discord, but all those certificates were previously known and already revoked.
In most of these cases, the intent of the certificate is for an application to open a local web server so that a web service from a company can communicate with the server within a browser. As ever-increasing numbers of web pages move to HTTPS, this process will be blocked if the local server doesn’t have a valid certificate.
However, the Baseline Requirements of the CA or browser forbid such practices. If a private key becomes public, then the corresponding certificate is revoked.
Discussions are ongoing about whether browsers should treat localhost IPs such as 127.0.0.1 as secure origins even if they are delivered over unencrypted HTTP. Future browsers might allow this practice without a need for shipping certificates and keys.
This subscription is just for the newsletter; we won't send you anything else.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof SSL and TLS, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.