Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.

After a lengthy discussion at the end of July, Google announced its final plan and timeline for distrusting Symantec certificates. Due to various incidents, Google wants to remove trust for all existing Symantec roots from its Chrome browser. The final plan is significantly milder than Google’s original announcement and allows for a longer transition period. Mozilla will follow Google’s plan; other browser vendors haven’t announced any actions yet.

People who use certificates from Symantec or one of their brands (GeoTrust, Verisign, RapidSSL, Thawte) can use the Hardenize service to check when their certificate will be distrusted by browsers. (Hardenize is operated by Ivan Ristić, who is also one of the owners of Feisty Duck.)

Shortly thereafter, Symantec announced that it will sell its certificate business to DigiCert.

Short news

• StartCom has submitted a new root certificate to Mozilla. However, there were some concerns about the fact that this root already has signed various certificates not compliant with the Baseline Requirements.
• Oracle and SafeLogic announced that they will support the creation of a FIPS-compatible variant of OpenSSL 1.1.
• Kurt Roeckx has uploaded an OpenSSL package to Debian with the old TLS versions, 1.0 and 1.1, disabled. It will be a while until this reaches DebianStable and the decision can be reverted, as it will very likely cause a lot of compatibility problems with old devices that still do not support TLS 1.2. On other fronts, the deprecation of old TLS versions is also pushed forward: The credit card standard PCI DSS will require disabling TLS 1.0 by June of next year. Fastly also published an updated timeline for its TLS 1.0 and 1.1 deprecation plans.
• David Hulton gave a talk at SHA 2017 to present his DES cracking service.
• Praveen Vadnala and Lukasz Chmielewski presented a side-channel attack against OpenSSL’s RSA implementation at SHA 2017. A short paper describing the attack also was published.
• BoarSSL is a new TLS library in C# that’s intended for testing. It’s not supposed to be used in production. It was developed by the author of BearSSL and is used for its testing.
• Fabrice Boudot published algorithmic improvements to the number field sieve, which can be used to speed up attacks against RSA and Diffie-Hellman.
• A well-known problem of TLS interception tools is that they almost always degrade the security of the TLS connection. Will Dormann has tested two products—Untangle NG Firewall and Entensys Usergate UTM—and found a variety of security problems in them.
• Microsoft announced that it will distrust certificates from WoSign and StartCom, following Google and Mozilla, which took the same action months ago.
• Antonio Sanso has discovered a bug in the elliptic curve implementation of both NSS (Mozilla) and Java (Oracle). For some inputs, the function returns a point at infinity when it shouldn’t. However, according to Sanso, it’s unlikely to be exploitable.
• J. C. Jones provides an overview of Certificate Revocation Lists and performs several tests with them in a blog post.
• Nikos Mavrogiannopoulos, the main developer of GnuTLS, gives an overview of the changes in the new version 3.6.0 on his blog.
• Scott Helme has written a blog post discussing the pitfalls and disadvantages of HPKP.
• An implementation of the Ntru Prime algorithm has been published by Daniel J. Bernstein and others. NTRU Prime is a variant of NTRU and a potential candidate for post-quantum cryptography.
• A timing side channel vulnerability has been discovered in the Curve25519 implementation of Libgcrypt. Version 1.8.1 of Libgcrypt contains a mitigation for this vulnerability. Dan Bernstein, the inventor of Curve25519, criticized the mitigation as insufficient.
• A buffer overread in the X.509 certificate parser of OpenSSL has been discovered by Google’s OSS-Fuzz project.
• Developers from Google and Mozilla have published statistics about the adoption of HTTPS at the USENIX Security conference.
• Many violations of the Baseline Requirements by certificate authorities have been discovered lately. An overview can be found in the Mozilla Wiki. Notably, Jonathan Rudenberg has reported most of these incidents to Mozilla’s dev-security-policy mailing list, which is a recommended resource for people interested in the CA ecosystem.
• Scott Helme posted an analysis of security features in the Alexa Top 1 Million list, including HTTPS deployments, distribution of EV certificates, and several HTTPS-related headers.