This issue was distributed to 55,708 email subscribers.
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.
In this issue:
- Raccoon attack shows design flaw in old TLS
- Short news
Raccoon attack shows design flaw in old TLS
Raccoon is a timing attack that exploits a design flaw in how TLS 1.2 and earlier specify the finite-field Diffie-Hellman key exchange.
In TLS 1.2 and older, the Diffie-Hellman shared secret becomes the premaster secret with its leading zero bytes stripped (RFC 5246, section 8.1.2), and the master secret is then derived from it with the hash-based PRF. Because the length of the value being hashed depends on whether the shared secret started with a zero byte, the derivation can take a measurably different amount of time, and an attacker who can observe that difference learns whether the most significant byte of the secret was zero. TLS 1.3 avoids this by left-padding the shared secret to the length of the modulus (RFC 8446, section 7.4.1).
Against a server that reuses its Diffie-Hellman key share, an attacker who has recorded a victim's handshake can open many new connections with key shares derived from the victim's share, so that each secret the server computes is a known multiple of the victim's secret, and query the timing oracle for each of them. Structurally this resembles Bleichenbacher-style oracle attacks. The collected oracle answers form an instance of the so-called hidden number problem; solving it (with lattice techniques) recovers the victim's premaster secret and thus allows decrypting the recorded session.
The practical impact is relatively low: finite-field Diffie-Hellman is rarely negotiated these days (most connections use ECDHE), and the additional requirement that the server reuse its key share makes vulnerable deployments even less likely. Earlier attacks on key share reuse had already caused many implementations to disable it by default.
However, the attack gives some clues for how to avoid similar attacks in the future. Although the attack does not affect ECDHE, it is still advisable to avoid key share reuse there as well. The attack also led to a discussion about variable-length secrets in upcoming post-quantum key exchanges in TLS that could be vulnerable to similar attacks. Nimrod Aviram, one of the Raccoon finders, proposed a change to a draft for upcoming hybrid key exchanges.
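The following is an added example, not code from the newsletter or from the Raccoon authors. It contrasts the variable-length TLS 1.2 premaster-secret encoding with the fixed-length TLS 1.3 encoding, and simulates the attacker's side of the Raccoon setting: a server that reuses its Diffie-Hellman share answers crafted handshakes whose secrets are known multiples of the victim's secret. The group parameters are a toy (p = 2^127 - 1 is prime but far too small and not a safe prime), the oracle is computed directly instead of being measured via timing, and the lattice step that solves the hidden number problem is deliberately left out; all names are the example's own.

```python
"""
Added example: TLS 1.2 vs TLS 1.3 encoding of a finite-field DH secret,
and the query structure a Raccoon attacker uses against a server that
reuses its DH key share. Not the newsletter's or the paper's code.
"""
import secrets

# Toy group (assumption for readability): p = 2^127 - 1 is prime, but it is
# NOT a safe prime and far too small for real use. Real deployments use the
# RFC 7919 groups (ffdhe2048 and larger).
P = (1 << 127) - 1
G = 3
P_LEN = (P.bit_length() + 7) // 8  # 16 bytes


def dh_share(x: int) -> int:
    return pow(G, x, P)


def shared_secret(peer_share: int, x: int) -> int:
    return pow(peer_share, x, P)


def pms_tls12(z: int) -> bytes:
    """RFC 5246, 8.1.2: Z in big-endian with leading zero bytes removed,
    so the length of the premaster secret depends on its value."""
    return z.to_bytes(P_LEN, "big").lstrip(b"\x00")


def pms_tls13(z: int) -> bytes:
    """RFC 8446, 7.4.1: Z left-padded with zeros to the length of p,
    so the value fed to the key schedule always has the same length."""
    return z.to_bytes(P_LEN, "big")


def has_leading_zero_byte(z: int) -> bool:
    """The Raccoon oracle: true exactly when TLS 1.2 stripping shortens Z.
    In the real attack this bit is inferred from the PRF's timing."""
    return len(pms_tls12(z)) < P_LEN


def stripped_fraction(trials: int = 20000) -> float:
    """Fraction of random secrets whose TLS 1.2 encoding is shorter than the
    modulus. With this toy p the top byte holds only 7 bits, so about 1/128;
    with a full-length modulus it is about 1/256 per handshake."""
    short = 0
    for _ in range(trials):
        z = secrets.randbelow(P - 2) + 2
        short += has_leading_zero_byte(z)
    return short / trials


def secret_relation_holds(client_priv: int, server_priv: int, r: int) -> bool:
    """The identity the attack relies on: if the attacker multiplies the
    victim's share g^a by its own g^r, the server (reusing b) computes
    (g^a * g^r)^b = Z * B^r, where Z is the victim's secret and B = g^b
    is the server's public share, so the multiplier B^r is known."""
    server_share = dh_share(server_priv)
    z = shared_secret(server_share, client_priv)
    crafted = dh_share(client_priv) * dh_share(r) % P
    return shared_secret(crafted, server_priv) == z * pow(server_share, r, P) % P


def raccoon_queries(client_share: int, server_priv: int, n: int):
    """Attacker side: open n handshakes with shares g^a * g^r_i and record
    the oracle bit for each. The returned (r_i, bit) pairs, together with
    the known B^r_i multipliers, are the hidden-number-problem instance
    that a lattice solver would turn into Z. The oracle is simulated here
    using server_priv, which the attacker of course does not know."""
    results = []
    for _ in range(n):
        r = secrets.randbelow(P - 2) + 1
        crafted_share = client_share * dh_share(r) % P
        z_i = shared_secret(crafted_share, server_priv)  # server's view
        results.append((r, has_leading_zero_byte(z_i)))
    return results


if __name__ == "__main__":
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    z = shared_secret(dh_share(b), a)
    print("TLS 1.2 pms length:", len(pms_tls12(z)), "TLS 1.3:", len(pms_tls13(z)))
    print("fraction of secrets shortened by TLS 1.2 stripping:", stripped_fraction())
    print("relation holds:", secret_relation_holds(a, b, 12345))
    bits = raccoon_queries(dh_share(a), b, 2000)
    print("oracle hits among 2000 crafted handshakes:", sum(bit for _, bit in bits))
```

The point to take from the output is that the TLS 1.3 length never changes while the TLS 1.2 length does for a predictable fraction of handshakes, and that every crafted connection gives the attacker an oracle answer about a value that is a known multiple of the victim's secret. Disabling key share reuse removes the second property: with a fresh b per handshake the server's secrets are unrelated to the victim's and the oracle answers carry no information about Z.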
Short news
- A research paper investigates how RSA key-generation algorithms can produce incorrectly generated keys.
- DigiCert announced that it will deprecate the Organizational Unit (OU) field in certificates, which has often been a source of confusion in the past.
- NCC Group discovered a flaw in the TLS 1.3 client implementation of WolfSSL that allows a man-in-the-middle attack to intercept the connection.
- A blog post by Dylan Pindur describes the basics of padding oracle attacks.
- Certificate authority Sectigo was acquired by GI Partners.
- Let’s Encrypt created various new root and intermediate certificates and delayed the plan to switch to its own ISRG root certificate until January 2021.
- OpenSSL released version 1.1.1h, which contains only minor changes.
- CT Days, an event to discuss Certificate Transparency, took place in September. A blog post by Rasmus Dahlberg and another one by Mark Goodwin (Hardenize) give an overview of the topics discussed there. A new community web page for Certificate Transparency was recently created.
- The certificate authority SwissSign was attacked with a distributed denial of service (DDoS). This led to disruption of certificate issuance, and some of SwissSign’s customers temporarily had to switch their certificate provider.
- Amazon announced TLS 1.3 support on CloudFront.
- A proposed law in Russia might ban technologies like ESNI and DoH (DNS over HTTPS) that prevent traffic observers from seeing the hostname of a connection. In the past, China had attempted to block ESNI connections, as we discussed in the previous newsletter.
- Google Cloud announced a service for managing private certificate authorities.