Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

It’s taken much longer than anticipated, but the IETF finally published new version 1.3 of the TLS protocol as RFC 8446.

We have covered the development of TLS 1.3 many times in previous newsletters. The new protocol version deprecates a lot of problematic and insecure practices, including static RSA ciphers without forward secrecy, CBC modes with MAC-then-Encrypt, insecure hashes, and many other old algorithms. New features include, among others, a reworked handshake that removes one round trip, an optional—and controversial—zero round trip mode, encrypted certificates, a safer nonce construction for AEAD modes, and RSA-PSS signatures.

The development of TLS 1.3 took longer than anticipated because many deployed devices didn’t implement the TLS handshake correctly or broke in other ways when they saw an as-yet-unknown TLS version.

Deployment of TLS 1.3 had already started before it was finalized; various browsers and servers supported draft versions. It’s expected that they’ll all soon move to the final version.

The IETF posted a blog entry introducing the new TLS version, and a very detailed description was written by Cloudflare’s Nick Sullivan.

Short news

• On August 1, rules went into effect to ensure that two problematic validation methods were no longer allowed to be used by certificate authorities. The methods allowed for checking the ownership of a domain without any technical validation. Digicert explains the details.
• The Mega.nz sync client contained a certificate with a private key for localhost connections. We covered similar cases and backgrounds in a previous newsletter.
• Many people use the Alexa Top 1 Million list in TLS research, so it’s important to learn how reliable it is. Researchers from several institutions have looked at the list and found several noteworthy properties; in particular, the day-to-day changes are very high.
• As of August 1, Apple distrusted some Symantec certificates and published a plan stating that it will distrust the remaining ones later in 2018.
• Facebook published Fizz, an open-source library to support TLS 1.3.
• Microsoft accepted the Let’s Encrypt root certificate. This means all major browsers now accept the Let’s Encrypt root directly. In practice, most browsers already accepted Let’s Encrypt certificates because a cross-signed intermediate, signed by the IdenTrust certificate authority, is used.
• RFC 8410 specifies algorithm identifiers for modern elliptic curve cryptography like Ed25519 in X.509 certificates.
• RFC 8422 defines modern elliptic curves (curve25519, curve448) for TLS 1.2 and earlier.
• OpenSSL released versions 1.1.0i and 1.0.2p, fixing two low-severity security issues that had been disclosed previously.
• Google published an interview with Emily Schechter from the Chrome security team about HTTPS.
• MesaLink is a TLS library written in Rust that aims to be compatible with OpenSSL.
• Trail of Bits explored using Rowhammer-style attacks to inject faults and cause RSA-CRT bugs. A property of the RSA-CRT algorithm means that a faulty calculation in a signature allows an attacker to trivially calculate the private key.
• A research paper investigated the robustness of primality tests in cryptographic libraries and found several problems.
• Researchers published new variations of the Lucky Thirteen attack against CBC mode in TLS, affecting Amazon’s s2n, GnuTLS, mbed TLS, and wolfSSL.
• Thyla van der Merwe published her PhD thesis, which analyzes TLS 1.3.
• Google recently announced that it intends to remove support for Token Binding in Chrome, which was never enabled by default. On the other hand, Microsoft announced how it plans to use Token Binding in the future. Token Binding can tie application-level tokens (like cookies) directly to the TLS connection, but whether this is of any practical use remains controversial.
• Researchers at the University of Hamburg investigated how TLS Session Resumption can be used as a tracking mechanism.
• Ian Foster and Dylan Ayrey published research about certificates for domains that change ownership. This work was also presented at DEFCON. This causes two problematic scenarios: First, old domain owners may still own a private key that allows for man-in-the-middle attacks on a certificate. Second, for cloud providers for which many domains share a single certificate, this may allow a domain owner to revoke that certificate and thus cause a denial of service.
• A talk at the Black Hat conference looked at replay attacks with TLS 1.3 and 0-RTT.
• This year’s Pwnie award for the best cryptographic attack went to the ROBOT attack. (The author of this newsletter was one of the authors of ROBOT.)
• Researchers from Princeton University looked at BGP attacks on the certificate-issuance process and published their research at the USENIX conference.
• A research team from Brigham Young University proposed a socket API with direct TLS support. It was published at the USENIX conference and won second place in Facebook’s Internet Defense Prize.