Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

As part of its crypto week, the company Cloudflare recently announced that it will operate a time server supporting the Network Time Security (NTS) extension for the Network Time Protocol (NTP). This solves a long-standing problem with time in the context of secure protocols.

Most computers and other network-connected devices these days synchronize their clocks with time sources from the internet. However, the traditional way of doing so—the Network Time Protocol—supports no way of authenticating that data by default. This essentially means that for a man-in-the-middle attacker, it’s trivial to deliver a wrong time.

This can have security consequences because a working clock is assumed by many other security protocols, including X.509 certificates, which have an expiration date, and features like HSTS that have a lifetime. Practical attacks on HSTS have been shown in the past.

In the past, the TLS timestamp has been used as an alternative in the tlsdate tool, but it’s no longer maintained and TLS 1.3 removed the timestamp. OpenNTPD has a feature by which it can use TLS to provide authenticated time constraints, but it relies on LibreSSL and thus is not usable on many systems. Google’s Adam Langley has developed the Roughtime protocol as an alternative to NTP, but it’s not widely used.

NTP itself attempted to provide authentication in the past by a procedure called Autokey, but it’s been shown to be insecure. It also supports authentication with symmetric keys, but that’s not practical for widespread use.

NTS is a new attempt to fix this issue. It exchanges a key over an authenticated TLS channel and uses that to secure NTP itself. It’s been in development for a while, but now it seems it’ll be finished soon and implementations are starting to pick it up. There is a reference implementation of NTS, NTPsec just released a new version with support for NTS, Chrony has an experimental fork with NTS support, and more implementations are expected to come soon.

Chances are this will finally provide a widely supported option to synchronize time over the internet in a secure and authenticated way.

Short news

• Cloudflare started a service that certificate authorities can use to support multipath domain validation. The idea here is that domain validation for certificates is happening over insecure networks and is thus vulnerable to a variety of attacks. Checking domains from multiple points in the internet makes such attacks much less likely to succeed.
• A research paper investigates padding oracle vulnerabilities in current TLS implementations. We mentioned this research in a previous newsletter. The paper will be published officially at the upcoming USENIX conference.
• Jonathan Leitschuh reports that many Java projects reference dependencies with HTTP URLs, which makes them vulnerable to man-in-the-middle attacks.
• Two papers analyze the postquantum security of the CSIDH key exchange algorithm. These papers also led to a longer discussion on the NIST postquantum mailing list.
• A research paper demonstrates the use of thermal laser stimulation for a fault-based attack on the memory of field-programmable gate arrays (FPGAs), allowing the extraction of an Advanced Encryption Standard (AES) key.
• Devices from the YubiKey FIPS series have a vulnerability in which the ECDSA algorithm may use a random number with reduced entropy after boot. In ECDSA, using bad randomness can lead easily to a full attack on the private key if the same random value is used twice for two different signatures.
• Apple announced certificate requirements for iOS 13 and macOS 10.15, notably deprecating SHA-1 signatures. Most other browsers already have removed support for SHA-1.
• The Windows version of Curl had a bug in which an unprivileged user could inject code via the engine functionality of OpenSSL. The same bug also was found and fixed in Stunnel. According to Curl developer Daniel Stenberg, this problem is widespread among Windows applications using OpenSSL.
• The Summer School on Real-World Cryptography and Privacy in Croatia held various talks on TLS and cryptography in June. Slides are available on its web page.
• Filippo Valsorda and Ben Cartwright-Cox are working on age, a simple file encryption tool and format. It’s only a design document for now, with no code yet.
• OpenSSH implemented changes that try to shield memory with cryptographic keys from potential hardware side-channel attacks.
• Cloudflare announced that it will cooperate with Google to test postquantum key exchange algorithms. HRSS-SXY and SIKE will be part of the test that involves Cloudflare’s servers and Google’s Chrome browser. Both algorithms will be implemented in combination with an X25519 key exchange in TLS 1.3.
• Cloudflare announced the publication of CIRCL, a cryptographic library written in Go that also supports some postquantum algorithms.
• PolarProxy is a new tool that allows intercepting TLS connections for debugging purposes and creates PCAP files of the decrypted traffic.
• RAMBleed is a Rowhammer-like side-channel attack. As a demonstration, its authors exfiltrated an RSA key from another process.
• Hardenize extended the functionality of their public dashboards to show PKI and certificate statistics across the monitored sites.