31 July 2017
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
Last month, we reported that Spotify and Cisco had bundled private keys for valid certificates within applications. Such certificates will be revoked according to the Baseline Requirements, but applications aren’t the only source of leaked private keys.
Koen Rouwhorst found various private keys belonging to valid certificates in GitHub repositories. The author of this newsletter was able to download keys via standard file names such as server.key directly from the corresponding webpages.
The Baseline Requirements set a deadline of 24 hours within which certificate authorities must revoke certificates in case of a key compromise. This leads to the question of how thoroughly certificate authorities would actually test such key leaks.
The author of this newsletter was able to trick Symantec into revoking a certificate without a real private key. Symantec revoked the certificate based on a fake key that looked like the correct private key when the public key values were compared; the key itself was not properly checked (see Symantec’s answer).
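One way a check on a reported key could look, as an added example that is not from the newsletter or from any certificate authority's tooling. The toy modulus built from two Mersenne primes, the dict layout, and the function names are assumptions made for illustration.

```python
# Added example: validating a key-compromise report before revoking.
# All key material here is constructed toy data, not a real key.
import math
import secrets

def naive_check(cert_n, cert_e, key):
    """Weak check: only compares the public values stored in the key."""
    return key["n"] == cert_n and key["e"] == cert_e

def check_reported_key(cert_n, cert_e, key):
    """Return (ok, reason). `key` holds the integers n, e, d, p, q."""
    # 1. Public values must match the certificate (necessary, not sufficient).
    if not naive_check(cert_n, cert_e, key):
        return False, "public values differ from certificate"
    # 2. The claimed prime factors must actually produce the modulus.
    p, q = key["p"], key["q"]
    if p <= 1 or q <= 1 or p * q != cert_n:
        return False, "p*q does not equal modulus"
    # 3. d must be the inverse of e modulo lcm(p-1, q-1).
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if (key["d"] * cert_e) % lam != 1:
        return False, "d is not the inverse of e"
    # 4. Proof of possession: private operation on a fresh challenge,
    #    verified with the certificate's public key. Textbook RSA without
    #    padding keeps this stdlib-only; real tooling verifies a padded
    #    signature made with the submitted key.
    challenge = secrets.randbelow(cert_n - 2) + 2
    signature = pow(challenge, key["d"], cert_n)
    if pow(signature, cert_e, cert_n) != challenge:
        return False, "challenge round trip failed"
    return True, "private key matches certificate"

# Constructed certificate key: modulus from two Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
GENUINE = {"n": N, "e": E, "d": pow(E, -1, LAM), "p": P, "q": Q}

# Constructed fake report: public values copied from the certificate,
# private values unrelated to it.
FAKE = dict(GENUINE, d=GENUINE["d"] + 2, p=2**31 - 1, q=2**19 - 1)

if __name__ == "__main__":
    print("naive check on fake key:", naive_check(N, E, FAKE))
    print("full check on fake key: ", check_reported_key(N, E, FAKE))
    print("full check on real key: ", check_reported_key(N, E, GENUINE))
```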
The TLS working group is currently debating a proposal by Matthew Green about how to use static Diffie-Hellman to allow passive TLS decryption. This is a follow-up to a discussion that was started by a request from a banking organization that complained about the removal of the old RSA key exchange in TLS 1.3.
The debate recently continued in a lengthy thread on the TLS mailing list and in a discussion at the IETF meeting in Prague. The usual “humming” vote in the TLS working group led to no clear consensus.
Stephen Checkoway has written a summary of the debate. Nick Sullivan from Cloudflare covered the controversy in a talk.