Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

Future quantum computers could break all public key cryptosystems that are in mainstream use today. This has led to the development of new cryptographic algorithms that are believed to be resistant against quantum attacks. The US National Institute of Standards and Technology (NIST) is currently running a competition to develop such quantum-resistant algorithms and it is expected that within the coming years standards for these post-quantum cryptosystems will become available.

Previous experiments with post-quantum cryptography, which we have covered often in this newsletter, usually focused on the key exchange. While post-quantum key exchanges are somewhat larger and slower than today’s elliptic curve key exchanges, the overhead is believed to be manageable. However, signatures are more challenging.

All post-quantum signatures currently discussed have much larger signatures, larger public keys, or both. Some of them are also significantly slower than today’s cryptography. Cloudflare recently published data from experiments that it ran on such larger TLS handshake messages.

Modern TLS uses a lot of signatures, which has often been ignored in previous papers that analyzed post-quantum signatures in TLS. A common handshake will usually have six signatures (two in the certificates, one for OCSP stapling, two for Certificate Transparency SCTs, and one to sign the handshake).

Using any of the existing post-quantum signature proposals as a drop-in replacement is challenging. The Cloudflare experiment comes to the conclusion that going beyond nine kilobytes in ServerHello would add significant performance issues. This would only be possible with the smallest of the proposed signature schemes, called Falcon. But Falcon comes with challenges in regard to constant time implementation and side-channel attacks.

It is possible to conceive of ways to change the TLS protocol so that it can require fewer signatures. For example, the KEMTLS proposal would eliminate the handshake signature. Intermediate certificates could be cached. Certificate revocation via OCSP and OCSP stapling has never worked very well, and browsers have moved to using centralized revocation lists like Mozilla’s CRLset. Some signatures could be replaced by stateful signature schemes.

But each of these ideas requires rethinking how TLS works on sometimes very fundamental levels. And major changes in the TLS ecosystem come with their own challenges.

Short news

• GoDaddy recently disclosed a security incident in its managed WordPress services. This incident included attackers having access to TLS private keys. According to an entry in Mozilla’s bug tracker, GoDaddy did not revoke all certificates in the usually required timeframe of 24 hours. Also, in some cases GoDaddy revoked certificates before installing new ones, which caused some outages. Among the affected sites was the web page of the CA/Browser Forum.
• The discussion about the QUIC API in OpenSSL continues. Rich Salz, a former member of the OpenSSL development team, summarized the concerns of many in the community in an email. The OpenSSL team clarified its plans in a blog post.
• Ariadne Conill from Alpine Linux started a discussion on whether the distribution should switch from OpenSSL to LibreSSL.
• Filippo Valsorda has provided a Go package that includes all intermediate certificates currently in Mozilla’s root program.
• Soatok explains HMAC-based Key Derivation Functions (HKDF) in a detailed blog post and shows their common incorrect use according to its security definition.
• NCC Group disclosed a vulnerability in an open source ECDSA implementation by Stark Bank that allows signature forgery.
• The European Commission is planning a regulation called the Digital Identity Framework. Both Mozilla and the Internet Society published statements primarily criticizing the fact that this regulation could force browsers to include certain root certificates, which might cause them to be unable to enforce their root program security requirements.

Interesting Jobs

Here are some interesting jobs we've come across in the last month:

• Developer and Manager, OpenSSL - via OpenSSL blog
• Cryptographic Engineer, Apple - via @FredericJacobs
• Security and Cryptography Engineer and Senior Mobile Security Engineer, Brave - via @bcrypt

If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.

Books and Resources

And here are some resources that you might find useful:

• The Joy of Cryptography - a free undergraduate textbook that introduces students to the fundamentals of provable security. Author: Mike Rosulek