Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.

Leaked private keys and revocations based on fake private keys

Last month, we reported that Spotify and Cisco had bundled private keys for valid certificates within applications. Such certificates will be revoked according to Baseline Requirements, but applications aren’t the only source that leak private keys.

Koen Rouwhorst found various private keys belonging to valid certificates in GitHub repositories. The author of this newsletter was able to download keys via standard file names such as server.key directly from the corresponding webpages.

Baseline Requirements has a deadline of 24 hours by which certificate authorities must revoke certificates in case of a key compromise. This leads to the question of how thoroughly it would actually test such key leaks.

The author of this newsletter was able to trick Symantec into revoking a certificate without a real private key. Symantec revoked the certificate based on a fake key that looked like the correct private key when the public key values were compared without properly checking the key (see Symantec’s answer).

Controversy over TLS interception

The TLS working group is currently debating a proposal by Matthew Green about how to use static Diffie-Hellman to allow passive TLS decryption. This is a follow-up to a discussion that was started by a request from a banking organization that complained about the removal of the old RSA key exchange in TLS 1.3.

Recently, a lengthy thread on the TLS mailing list and a discussion at the IETF meeting in Prague followed the debate. The usual “humming” vote in the TLS working group led to no clear consensus.

Stephen Chekoway has written a summary of the debate. Nick Sullivan from Cloudflare covered the controversy in a talk.

Short news

• On the Mozilla security policy list, a longer thread was started about certificates issued to invalid hostnames. Various certificate authorities have issued certificates for hostnames containing double dots.
• Per Torsheim mentions that two large Norwegian newspapers — Aftenposten and Bergens Tidende — now use HTTPS.
• Robert Parks explains that documentation from Microsoft for Visual C++ recommends outdated and insecure cryptography. The documentation from Microsoft has been taken down in response.
• RFC 8188 introduces an encrypted content method for HTTP. This is meant to allow for storage encryption of HTTP content, which isn’t provided by TLS.
• It’s a known property of client certificates that their transmission is not encrypted; thus, they present a privacy problem. Research from the Technical University of Munich shows how this fact could be used to track users of Apple Push Notifications (APN). In TLS 1.3, the situation will improve and client certificates will be encrypted.
• Let’s Encrypt has announced that starting next year, they’ll offer free wildcard certificates.
• Tim Taubert explains that the developers of Mozilla’s NSS library used formal verification to show the correctness of a binary multiplication function that is part of their new GCM implementation.
• Mike Cardwell points out that the IMAP and SMTP servers of the new Lavabit service seem to offer unencrypted logins to clients.
• sct.rs is a library written in Rust that can verify signed certificate timestamps (SCTs) from Certificate Transparency servers.
• Troy Hunt discusses the upcoming UI changes for HTTP certificates in browsers and predicts that pages without HTTPS support will be under increasing pressure to include such support.
• Nick Sullivan from Cloudflare discusses OCSP stapling and its implementation in a detailed blog post. Cloudflare now also makes use of OCSP Must-Staple.
• LibreSSL has released versions 2.5.5 and 2.6.0.
• During the IETF meeting in Prague, a proposal to deliver DNS queries over HTTPS was discussed. Google already provides a DNS over HTTPS service; however, it’s using a different, incompatible format.
• Researchers from Google, Cisco, and Mozilla have published a paper with statistics about the adoption of HTTPS. The research will be presented at the USENIX Security Symposium 2017.
• SBA Research has published a paper investigating the usability of deploying HTTPS on an Apache web server. They tested whether students with IT skills would be able to configure such a server in one hour. This research will also be presented at the USENIX Security Symposium.
• A test site with an IDN domain name containing a lock emoji tries to trick users into believing it’s HTTPS. However, none of the mainstream browsers shows the emoji in the URL bar.
• Stefan Eissing announced a first alpha version of mod_md, a Let’s Encrypt/ACME module for the Apache web server. This work is sponsored by the Mozilla Open Source Support (MOSS) program.
• The US NIST has announced the deprecation of the Triple DES (also called 3DES or TDEA) algorithm. Its small, 64-bit block size makes it vulnerable to attacks. Last year, the Sweet32 attack showed the weaknesses of 64-bit block ciphers.
• Google has announced the final removal of all trust in certificates from WoSign and StartCom in Chrome.
• Vincent Lynch gives an overview of features that are only available via secure origins in Chrome.
• A paper published at the Privacy Enhancing Technologies Symposium investigates new attacks against BGP and the domain validation process for certificate authorities. Similar attacks have been discussed previously—for example, during a talk at Black Hat 2015.
• StartCom has asked for the inclusion of its new root certificates into Mozilla’s certificate store. However, these certificates share private keys with existing intermediate certificates.
• Kelby Ludwig has written an explanation of the LLL algorithm, which is a lattice-based method that can be used to attack some cryptographic algorithms.
• Shay Gueron and Yehuda Lindell have published a method to use key derivation with block cipher modes in order to improve their security bounds.
• Jean-Philippe Aumasson and Yolan Romailler from Kudelski Security have published the tool CDF that uses differential fuzz testing to find bugs in cryptographic software. It was presented in a talk at Black Hat.