Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.

With the recent release of Mozilla Firefox version 90, all support for the FTP protocol was removed from the browser. Mozilla followed the lead of Chrome, which also removed all FTP support.

The removal of FTP goes along with the increasing efforts of browsers to default to encrypted connections with HTTPS. In theory, TLS support for FTP is possible, but browsers never supported that. Thus browser downloads via the FTP protocol were never protected against manipulation and eavesdropping.

Some may ask why browsers didn’t instead decide to support FTP with TLS. It turns out that this is quite problematic and prone to security bugs. This stems from the fact that FTP uses a control channel and a separate channel for file transfers, and their interaction is quite fragile.

In 2015, the cross-protocol attacks discovered by Jann Horn showed those weaknesses. Chris Evans, who maintained vsftpd, noted this at that time when he wrote about the “horrors of FTP over SSL.” The recently published ALPACA attack, which we covered last month, shows some variations of these vulnerabilities.

Given these weaknesses, and the fact that there are not many advantages to using FTP these days, it’s understandable that browsers decided to completely remove FTP support.

Short news

• Mozilla published NSS 3.68. Its notable changes include support for SHA2 hardware acceleration with the Intel SHA CPU extension.
• A detailed security analysis of Active Directory Certificate Services, the PKI implementation from Microsoft, was published by the company SpecterOps.
• Deutsche Telekom, the largest ISP in Germany, now offers DNS over HTTPS (DoH) on their DNS servers.
• The Rust Cryptography Interest Group published Awesome Rust Cryptography, a list of cryptography-related software packages for the Rust programming language.
• The Chrome developers published a blog post explaining their efforts to increase HTTPS adoption and announcing an HTTPS-First mode for future browser versions, a feature similar to the Firefox HTTPS-Only mode.
• Researchers have published an empirical study of vulnerabilities in cryptographic libraries, noting that many of the issues found (37%) are memory safety issues.
• OpenSSL has released beta 2 of its upcoming version 3.0.0.
• The lobbying organization of certificate authorities formerly known as the CA Security Council has announced that it has been renamed. It’s now the Public Key Infrastructure Consortium.