Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

With the January security update from Microsoft, a severe security flaw in the certificate handling of Windows was fixed. The flaw was reported to Microsoft by the NSA. Microsoft’s own advisory contained few details, and the NSA advisory contained only brief hints, but cryptographers were soon able to understand the vulnerability and created proof of concept exploits.

The vulnerability relies on custom parameters for elliptic curves. Usually when using elliptic curves, you use a predefined curve (like NIST P-256), and the parameters are hardcoded in the implementation. However, it’s also possible to define custom curves and parameters.

In the case of this vulnerability, the confusion happened with cached certificates, which allowed an attacker to specify his own generator. With this, it’s possible to create a private key for an existing public key. Initial details were posted by Thomas Ptacek on Hacker News. For further details, there’s also a blog post and proof of concept available from Kudelski Security.

The vulnerability can be used to perform man-in-the-middle attacks against TLS connections and forge code signatures for executables. It’s not possible to target Windows Update directly with this vulnerability because Windows Update uses a pinned RSA key and the vulnerability only affects elliptic curve certificates.

Short news

• Researchers from the University of Bochum found a vulnerability in the client certificate support for Java/JSSE that allows bypassing client authentication.
• PrimeKey, the company that develops the EJBCA CA software, has announced that it acquired Crypto Workshop, the company behind the Bouncy Castle Java TLS implementation.
• Scott Helme comments on the demise of HTTP Public Key Pinning (HPKP) in a blog post. Firefox, the last browser that supported HPKP, recently removed the feature.
• Netgear has used publicly trusted certificates with a static private key in some of its routers. The private keys became public, and subsequently the certificates were revoked.
• Antonio Sanso discovered a vulnerability in the nonstandard Diffie-Hellman implementation for WebCrypto in Firefox. Mozilla subsequently removed the feature.
• Version 3.0 of testssl.sh, a bash-based TLS testing tool, has been released.
• The Chrome security team announced several plans for their handling of certificate transparency in 2020. A notable change is that Chrome will no longer require that one of the signed certificate timestamps (SCTs) for a certificate is provided by a Google log.
• A paper by Jake Massimo and Kenneth Patterson analyzes primality testing of APIs in cryptographic libraries and proposes an improved simple API for future OpenSSL versions.
• In a blog post, Eric Lawrence discusses why some people still use Internet Explorer—one reason being that some certificate authorities, including DigiCert, use the deprecated Keygen API, which is not supported in modern browsers.
• Ian Carroll noted certificates that were issued by Sectigo to domains belonging to Harman (part of Samsung), with the certificates’ Organization Name fields listing Twitter.
• Researchers published a chosen prefix collision attack against the SHA-1 hash function. They discuss possible attacks against the OpenPGP web of trust. In TLS, SHA-1 for certificates has largely been deprecated, but SHA-1 signatures are still used within the TLS handshake. Practical attacks against this function are difficult to perform, however.
• A blog post by Matt Hobbs gives an overview about certificate revocation and its impact on web performance.
• Go published a security update fixing two vulnerabilities related to X.509 certificates. One is a mitigation for the Windows vulnerability (see this issue’s main story); the other can lead to a panic in the certificate parser.
• A blog post from the Amossys company gives a detailed overview of the architecture of the Linux random number generator.