Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.

On April 23, well-known security researcher Dan Kaminsky passed away. Kaminsky was most famously known for finding security flaws in the Domain Name System (DNS), but he also discovered flaws in the TLS certificate infrastructure and X.509.

In a talk Kaminsky gave in 2009 at several conferences (a recording is available from CCC), he presented an issue with MD2 hashes. Back then, a certificate from Verisign was listed in certificate root stores that had a self-signature with an MD2 hash.

With a preimage attack on MD2, this could theoretically have allowed for creating an intermediate certificate that has the same hash and is signed by that root. A theoretical preimage attack against MD2 had been known since 2008, with a complexity of 2^73. This is an impractical attack, but it comes close to what is practically breakable.

In response to this research, MD2 support was removed from all major TLS libraries, making this an example of a crypto algorithm being deprecated before it could become a problem. No improved preimage attacks on MD2 have been published since then, yet it could be speculated that the removal of MD2 support made the research less interesting.

Kaminsky presented further attacks affecting X.509 certificate parsing. The most notable one, which was codiscovered by Moxie Marlinspike, enabled issuing a certificate with a null byte that would be interpreted differently by CAs and browsers.

An article in the New York Times provides a worthy read about Kaminsky’s work and life.

Short news

• Curl fixed a vulnerability with TLS session tickets and proxies in which there could be a mixup between the proxy and the remote host session ticket.
• Google delayed the previously announced distrust of Camerfirma certificates in Chrome due to several Spanish and Portuguese government web pages that haven’t migrated and that provide information related to COVID-19.
• An article by The Record reports that in Russia, a deep packet inspection system is throttling traffic to some web pages, including Twitter. The system uses SNI to identify the traffic. There is ongoing work on a standard called Encrypted Client Hello that would prevent identifying a host name in the TLS traffic.
• OpenSSL published alpha 14 of its upcoming version 3.0.0.
• NSS published version 3.63.1.
• A document by the Information & Communication Technologies Authority of Mauritius indicates that the country plans to use a TLS interception certificate that users would have to install. Previously, Kazakhstan tried something similar, but the certificate was subsequently blocked by browser vendors.
• AWS announced that it was made aware of and fixed an issue with TLS session tickets in its Application Load Balancer functionality, which would use uninitialized session keys in some edge cases. This issue was found by researchers at Paderborn University and Ruhr University Bochum.
• As of April 21, Apple’s Certificate Transparency policy requires three instead of two SCTs if the certificate lifetime is longer than 180 days. Not all CAs met the new requirements by the deadline. This blog post from Hardenize explains the details.