This issue was distributed to 49,011 email subscribers.
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.
In this issue:
- Disabling insecure Let’s Encrypt validation will cause broken HTTPS setups for Debian and Ubuntu users
- Short news
Disabling insecure Let’s Encrypt validation will cause broken HTTPS setups for Debian and Ubuntu users
Let’s Encrypt soon will disable support for the TLS-SNI-01 domain validation method in the ACME protocol. In January of last year, a vulnerability in TLS-SNI-01 was discovered by Frans Rosén from Detectify. The deprecation will likely cause problems for users of some stable Linux distributions.
TLS-SNI-01 requires a user to temporarily serve a certificate with a special, invalid domain name via the TLS SNI extension. However, under many cloud providers’ settings, it’s possible for users to exploit this scenario and get positive validation for domains hosted by other users at the same cloud provider. This affected Heroku and Amazon CloudFront, for example.
Let’s Encrypt decided that this inherent vulnerability of the TLS-SNI-01 method is too much of a risk and therefore to deprecate it fully. But until now, there was still an exception in place for some providers and for certificate renewals.
The final deadline for TLS-SNI-01 is February 13, 2019, after which all current setups using this method will stop working. Let’s Encrypt certificates have a relatively short lifetime of ninety days, and the system relies heavily on automated renewal. Let’s Encrypt sent out warning emails in recent weeks to those who still use TLS-SNI-01, but not all users will get them because providing an email address isn’t mandatory to use Let’s Encrypt.
Some Debian and Ubuntu users may not get the update in time. The last stable version of Debian (Stretch) provides Certbot certificate automation software in version 0.10.2. This version of Certbot offers plugins for Apache and NGINX that use TLS-SNI-01. This was changed in version 0.21.0, which was released shortly after the discovery of the vulnerability in TLS-SNI-01 and uses the alternative HTTP-01 method.
Debian was alerted about this problem in January of 2018. The Certbot package has been updated in the stretch-updates repository—which is not Debian’s main stable repository but an additional repository used for updates between releases. Whether users of Debian’s stable branch will get the update depends on their configuration. Newer Debian installations use the stretch-updates repository by default, but older versions that have been updated over time may not do so.
Ubuntu’s older stable release, Xenial (16.04), which is a long-term support release and thus still gets updates, ships with an even older version of the Let’s Encrypt software. There is an open bug report in Ubuntu’s bug tracker, but no reaction from the Ubuntu developers. Another bug report discusses backporting a newer version, but it’s unclear whether it will be handled in time or whether users of Ubuntu Xenial will end up with a broken HTTPS setup soon.
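The practical question for an administrator on Stretch or Xenial is whether a given renewal will still rely on TLS-SNI-01 after the cut-off. The following script is an added example written for this newsletter, not code from Certbot or Let’s Encrypt: it combines the installed Certbot version (the 0.21.0 threshold and the Apache/NGINX plugin behaviour come from the text above) with the per-certificate renewal configuration. The renewal-file layout it parses (a `[renewalparams]` section with `authenticator` and an optional `pref_challs` key) and the `certbot 0.10.2` version-string format are assumptions about Certbot’s file formats, and the sample configuration is constructed for the example.

```python
import re

# Certbot 0.21.0 switched the Apache and NGINX plugins from TLS-SNI-01 to
# HTTP-01 (per the newsletter); older versions still default to TLS-SNI-01.
FIRST_SAFE_VERSION = (0, 21, 0)
SNI_PLUGINS = {"apache", "nginx"}


def parse_version(version_output):
    """Extract (major, minor, patch) from `certbot --version` output such as
    'certbot 0.10.2' (format assumed). Raises ValueError if no version is found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version number in %r" % (version_output,))
    return tuple(int(x) for x in m.groups())


def parse_renewal_conf(text):
    """Minimal parser for a Certbot renewal file (assumed INI-like layout:
    top-level keys, then a [renewalparams] section). Returns only the
    renewalparams keys as a dict; other sections are ignored."""
    params = {}
    in_params = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_params = (line == "[renewalparams]")
            continue
        if in_params and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def uses_tls_sni_01(version_output, renewal_conf_text):
    """True when this renewal would rely on TLS-SNI-01 and therefore stop
    working after the February 13, 2019 deadline."""
    params = parse_renewal_conf(renewal_conf_text)
    # An explicit challenge preference (assumed key: pref_challs) overrides
    # the plugin default, whatever the Certbot version.
    prefs = [p.strip() for p in params.get("pref_challs", "").split(",") if p.strip()]
    if "tls-sni-01" in prefs:
        return True
    if prefs:  # e.g. http-01 or dns-01 configured explicitly
        return False
    # Otherwise the authenticator plugin's default decides, which depends on version.
    authenticator = params.get("authenticator", "")
    return authenticator in SNI_PLUGINS and parse_version(version_output) < FIRST_SAFE_VERSION


# Constructed sample input: Debian Stretch's Certbot 0.10.2 with an Apache renewal.
STRETCH_VERSION = "certbot 0.10.2"
FIXED_VERSION = "certbot 0.21.0"
SAMPLE_CONF = """\
# constructed sample renewal file, modelled on /etc/letsencrypt/renewal/<name>.conf
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem

[renewalparams]
authenticator = apache
installer = apache
account = 0123456789abcdef
"""

if __name__ == "__main__":
    for ver in (STRETCH_VERSION, FIXED_VERSION):
        status = "WILL BREAK" if uses_tls_sni_01(ver, SAMPLE_CONF) else "ok"
        print("%-16s example.test: %s" % (ver, status))
```

On a real host the two inputs would come from `certbot --version` and the files under `/etc/letsencrypt/renewal/`; the check deliberately treats an explicit `pref_challs` as authoritative, because a pinned `http-01` preference survives even when the package is old, while a pinned `tls-sni-01` breaks even after the package is upgraded.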
Short news
- Filippo Valsorda published a tool to create certificates for localhost for development purposes.
- During the US government shutdown, various government sites had expired HTTPS certificates, as reported by Netcraft.
- Digicert completed the purchase of the QuoVadis certificate authority.
- Wireshark 3.0 will introduce capabilities to decrypt TLS traffic.
- Koen Rouwhorst discovered that several certificates were issued with a private key that was part of a publicly available virtual machine with WordPress preinstalled.
- A paper investigates the possibility to create bad Diffie-Hellman parameters that pass common parameter-validation methods.
- Daniel Stenberg, the author of curl, discusses QUIC implementation and how a lack of appropriate API calls in OpenSSL may make adoption harder.
- A Hardenize blog post explains how Certificate Transparency can be used to discover phishing pages.
- A paper compares the usability of traditional certificate authorities and Let’s Encrypt, though with a very small number of participants.
- Citrix published a security update for padding oracle vulnerabilities. Craig Young, one of the discoverers of these vulnerabilities, will talk about padding oracles at the Black Hat Asia conference in March.
- A denial-of-service bug in OpenSSL 1.1.1 was found and fixed in the mod_ssl module of the Apache web server. The bug was triggered by the renegotiation check of the Qualys SSL Labs test; therefore, Qualys temporarily disabled that check.
- A crash due to a NULL pointer in the certificate parsing has been found and fixed in Python’s SSL module.
- A blog post from Cloudflare explains the different layers of the future HTTP/3 protocol.
- NSS has released version 3.41.1, which contains a fix for a crash in the Cryptographic Message Syntax parser. The bug was discovered by the author of this newsletter.
- Switches from Dell had a vulnerability in which the certificate of a TLS connection in the Phone Home feature wasn’t validated.
- DNS operators and software vendors will disable some workarounds for broken and EDNS-intolerant DNS servers on February 1, dubbing it DNS Flag Day. While not directly related, these issues are very similar to the TLS intolerance issues that have slowed the development of TLS 1.3.
- Adam Langley gave an overview of the TLS 1.3 deployment issues the Chrome team experienced. He mentioned bugs in Java and problems with the KeyUpdate message.
- NIST has announced the round two candidates for the postquantum cryptography competition. Seventeen public key encryption schemes and nine signature schemes made it to round two.