Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

DarkMatter, a controversial company from the United Arab Emirates, now raises questions about trust in certificate authorities.

According to a report by Reuters, DarkMatter is behind an operation called Project Raven, in which former NSA employees performed offensive hacking operations for the UAE. This project also involved spying on human rights activists—specifically including, according to Reuters, spying operations against Ahmed Mansoor, who was sentenced to 10 years in prison.

Claudio Guarnieri, who works as a technologist for Amnesty International, pointed out that DarkMatter has applied for Mozilla’s certificate root store. Shortly afterward, the Electronic Frontier Foundation (EFF) asked Mozilla to reject that request and also mentioned that DarkMatter already had a working intermediate certificate capable of issuing browser-trusted TLS certificates.

The DarkMatter intermediate certificate is signed by QuoVadis, a certificate authority that was recently purchased by DigiCert.

Mozilla’s Wayne Thayer started a discussion on the Mozilla security policy list asking for opinions on how to handle this issue. “The purpose of this discussion is to determine if Mozilla should distrust DarkMatter by adding their intermediate CA certificates that were signed by QuoVadis to OneCRL, and in turn deny the pending root inclusion request,” Thayer writes.

Short news

• NIST has published a status report about the first round of the postquantum cryptography standardization process.
• The Firefox 65 update caused problems for some antivirus applications that use TLS interception.
• A denial-of-service vulnerability in the elliptic curve implementation of the Go programming language was discovered and fixed.
• The Courier Mail Transfer Agent now has preliminary support for MTA-STS on outgoing mails in a development version.
• Researchers at the University of Hamburg have analyzed the performance impact of session sharing across hostnames.
• David Wong from NCC explains in a blog post how to use Bleichenbacher vulnerabilities for downgrade attacks against TLS 1.3. This is based on research that was published last year and mentioned in our December newsletter.
• A master’s thesis from Jennifer Chamberlain at Stockholm University gives an overview of postquantum lattice-based key encapsulation mechanisms (KEMs).
• According to reports in Mozilla’s Bugzilla, South Korea has started blocking sites based on SNI names.
• Tavis Ormandy disclosed a stack buffer overflow in MatrixSSL that is triggered by test certificates for the BERserk signature forgery vulnerability. Test certificates have been created by Filippo Valsorda for an online test.
• Mozilla’s Wayne Thayer explains issues around Mozilla’s root certificate store in a blog post.
• Microsoft will soon deprecate SHA1 in signatures for Windows updates.
• James Bromberger gave a talk at linux.conf.au that covered the current state of TLS on the web; a video is available.
• Craig Young from Tripwire explains two new TLS vulnerabilities—Zombie POODLE and GOLDENDOODLE—in a blog post. The vulnerabilities are variations of padding oracle attacks and target the CBC mode in TLS 1.2 and earlier.
• Researchers from Ruhr-University Bochum have also looked into padding oracles and published preliminary findings. They will publish a research paper at the USENIX 2019 conference.
• One of the previously mentioned padding oracle vulnerabilities affected OpenSSL and has been fixed in version 1.0.2r. OpenSSL 1.1 is not affected. The vulnerability only occurs in unusual situations and depends on wrong usage of the OpenSSL API. OpenSSL also released version 1.1.1b with bug fixes.
• The OpenSSL developers have explained their plans for the future version 3.0.0 in strategic architecture and design documents.
• Researchers at the University of Hamburg have analyzed how QUIC can be used for web user tracking.
• The CAESAR competition to define new authenticated encryption modes has announced its final portfolio of selected cipher modes.