Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

A large number of recent incidents tied to the Camerfirma certificate authority led to a lengthy discussion on Mozilla’s security policy mailing list. Camerfirma is a certificate authority from Spain. The mailing list discussion was initiated by Mozilla’s Ben Wilson, who started collecting information about rule violations and incidents by Camerfirma on a wiki page.

Examples include issuing certificates for invalid domains, missing audits, and undisclosed sub-CAs. Several of the incidents involved various sub-CAs that use intermediates signed by Camerfirma’s root certificates. What particularly worried many in the community was that Camerfirma repeated mistakes in several cases that should have been prevented after previous similar incidents. Particularly noteworthy issues include issuing a certificate for a subdomain of com.com without validating that domain in 2020, and a mistakenly revoked and subsequently unrevoked intermediate certificate.

In reply to the incident collection, Google’s Ryan Sleevi wrote: “This is clearly a portrait of a CA that, like those that came before, paint a pattern of a CA that consistently and regularly fails to meet program requirements, in a way that clearly demonstrates these are systemic and architectural issues.”

Camerfirma has responded to these issues with a remediation plan, but in the discussion it became clear that many community members thought the plan was not sufficient to remedy the situation.

Mozilla has not yet decided whether these incidents will lead to a distrust of Camerfirma. However, it seems Google has. In a later message in the thread, Ryan Sleevi announced that starting with version 90, the Google Chrome browser will no longer trust certificates issued by Camerfirma.

Short news

• LWN discusses the use of LibreSSL on Linux due to a recent discussion in which Gentoo Linux decided to drop optional support of LibreSSL.
• OpenSSL released alpha 10 of the upcoming version 3.0.0.
• Libgcrypt released its new major version 1.9.0, the most notable changes being several CPU-optimized variants of algorithms and some new API interfaces.
• Let’s Encrypt explains its use of MySQL databases in a blog post.
• Due to the coronavirus pandemic, the Real World Crypto 2021 conference was held online from January 11 to January 14. Videos of the presentations are available on YouTube and are linked from the conference program. Noteworthy talks include those about recent attacks like Racoon and Partitioning Oracles, plus plenty of talks on post-quantum cryptography.
• Partitioning Oracles are new forms of attack against certain uses of AEAD schemes, as a prepublication by USENIX describes. They rely on the noncommitting property of AEAD schemes—that is, the fact that it is possible to create a ciphertext that can be validly decrypted with multiple keys.
• NSS released version 3.61, fixing several minor bugs.
• The Cryptosense company published a detailed blog post about the security of the Triple DES algorithm.
• The author of this newsletter discovered some inconsistent behavior in the certificate validation of Ruby’s Net::SMTP module. By default, it would check the hostname in a certificate, but not whether the certificate had a valid signature.
• The NSA published documentation discouraging the use of old TLS versions 1.0 and 1.1 and published accompanying tools and configuration examples.
• The dutch National Cyber Security Centre (NCSC) published a document with security guidelines for TLS, notably recommending the use of TLS 1.3. The security of TLS 1.2 was downgraded from “Good” to “Sufficient” by the NCSC.
• Cloudflare announced live experiments with KEMTLS. This is a mechanism that allows using an authenticated post-quantum key exchange, which reduces the number of signatures needed in a TLS handshake. Post-quantum signatures are usually significantly larger than those of algorithms used today.
• The QuoVadis CA, which is a part of DigiCert, has revoked some intermediate certificates and replaced them with new ones. However, it seems that several sites did not replace the intermediates in time, leading to connection failures, as reported by the German IT news site Heise.