Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

Another certificate authority is being removed from browsers due to repeated violations of certificate validation rules. In April, Andrew Ayer noticed that Certinomis had issued fourteen precertificates for an unregistered domain name and reported it to Mozilla. In the discussion that followed in the bug tracker, Google developer Ryan Sleevi raised several concerns about the reaction of Certinomis.

Mozilla members collected information about this and previous issues with Certinomis in a Wiki page, and Mozilla’s Wayne Thayer asked the community for input. The previous issues included a subcertificate that was given to StartCom back in 2017 when the existing StartCom certificates were distrusted. Also, there was a variety of cases in which Mozilla was unhappy with the lack of response from Certinomis to problems.

It seems the number of incidents and the insufficient response from Certinomis led to a decision at Mozilla to distrust the certificate authority completely and remove its root certificate from the Mozilla root store.

Meanwhile, security issues with Certinomis seem to continue. New certificates with invalid object identifiers (OIDs) and new certificates for unregistered domains were issued by the end of May.

Short news

• Microsoft published the source code of SymCrypt, which is the primary library for cryptographic primitives in current versions of Windows.
• Several extended validation certificates with a city name of Default City have been discovered. This is noteworthy because extended validation certificates come with the promise that the data entered beyond the host name is actually verified by the issuing certificate authority.
• Apache developer Stefan Eissing shared plans for the next version of the ACME module for the Apache web server. It will support version 2 of the ACME protocol and will also include a more robust implementation of OCSP stapling. (The existing stapling implementation of Apache is known to have reliability issues.)
• Researchers at the University of Hamburg have looked at deployment and privacy problems in TLS with TCP Fast Open.
• An article in VICE’s Motherboard section covers the recent discoveries of suspicious properties of the Russian Streebog and Kuznyechik algorithms. The concerns are due to research by Inria researcher Leo Perrin, which we mentioned in our March newsletter.
• Chrome has plans to block downloads of executables over insecure connections.
• A research paper estimates relatively low costs for a chosen prefix SHA1 collision attack. However, Marc Stevens, who’s been involved in recent breakthroughs in attacking SHA1, is skeptical and mentions that the estimates are based on “as-of-yet undisclosed improvements.”
• The NSS library developers have published version 3.44, which mostly contains bug fixes.
• Robert McEliece passed away on May 8 at the age of seventy-six, reports his alma mater and employer, Caltech University. McEliece developed an early public key encryption algorithm. His algorithm wasn’t used widely, but in recent years it received new interest because it’s believed to be resistant to quantum computing attacks.
• Let’s Encrypt started the Certificate Transparency log Oak. It is sponsored by competing company Sectigo.
• Researchers from KU Leuven presented CSI-FiSh, a signature algorithm based on supersingular isogenies. It is based on concepts from the key exchange algorithm CSIDH.
• By the end of May, the Qualys SSL Labs test will rate hosts vulnerable to one of several new variations of recently discovered CBC padding oracle vulnerabilities with an F.
• OpenSSL released new versions that fix a low-severity security issue in ChaCha20-Poly1305.