
Bulletproof TLS Newsletter, Issue 84

RFC 9155 deprecates MD5 and SHA-1 signatures in TLS handshake messages

30 Dec 2021

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

A new RFC officially deprecates the use of the MD5 and SHA-1 weak hash algorithms in TLS handshake messages. The deprecation of these old hash algorithms has a long history, dating back to research results from sixteen years ago.

In 2004 and 2005, Chinese cryptographer Xiaoyun Wang published practical collision attacks on MD5 and theoretical attacks on SHA-1. Yet today these algorithms are still in widespread use.

In 2008, researchers were able to use the weakness in MD5 to create a rogue CA certificate. But that attack relied on a number of conditions; notably, the CA used nonrandom serial numbers, which are no longer used by CAs today. Nevertheless, the attack showed the dangers of weak hash functions, and in the web PKI system, both MD5 and SHA-1 certificates have been deprecated.

However, signatures within the TLS handshake also use these hash functions. In 2015, researchers analyzed how weak hash functions in TLS can be attacked, in what became known as the SLOTH attack.

In the latest TLS version, 1.3, MD5 and SHA-1 are forbidden, but TLS 1.2 and earlier still allowed these weak hash functions. The new RFC now states that MD5 and SHA-1 must not be used any longer for signatures in the TLS handshake.

The old hash functions can still be used in HMAC, because HMAC is not affected by collision attacks. But HMAC-based TLS ciphers are also being phased out for other reasons—notably, padding oracle attacks.
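To make the deprecation concrete, here is an added example (it is not from the newsletter or from RFC 9155) that parses the signature_algorithms extension of a TLS 1.2 ClientHello and reports any MD5- or SHA-1-based entries, which is the check a server or a passive monitor would apply to enforce the new rule. The ClientHello bytes are constructed inline by the `build_client_hello` helper rather than captured from a real client, the field layout follows RFC 5246, and the hash and signature identifiers are the standard TLS 1.2 registry values; `audit` and `parse_signature_algorithms` are names chosen for this example.

```python
"""Audit a TLS 1.2 ClientHello for MD5/SHA-1 entries in signature_algorithms (added example)."""
import struct

# TLS 1.2 HashAlgorithm and SignatureAlgorithm registry values (RFC 5246 section 7.4.1.4.1)
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256",
              5: "sha384", 6: "sha512", 8: "intrinsic"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa", 7: "ed25519", 8: "ed448"}
DEPRECATED_HASHES = {1, 2}          # md5 and sha1, the two RFC 9155 forbids for signatures
EXT_SIGNATURE_ALGORITHMS = 13       # extension type for signature_algorithms


def build_client_hello(sigalgs):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input, not captured).

    sigalgs is a list of (hash, signature) pairs in the order the client would offer them.
    """
    body = b"\x03\x03" + bytes(32)           # client_version 1.2 + 32-byte random (zeros here)
    body += b"\x00"                           # empty session_id
    body += b"\x00\x02\xc0\x2f"               # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                       # compression_methods: null only
    sa = b"".join(bytes(pair) for pair in sigalgs)
    ext = struct.pack("!HHH", EXT_SIGNATURE_ALGORITHMS, len(sa) + 2, len(sa)) + sa
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record layer: handshake(22)


def parse_signature_algorithms(record):
    """Return the (hash, signature) pairs offered in the ClientHello's signature_algorithms extension."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                              # skip compression_methods
    if pos >= len(body):
        return []                                  # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SIGNATURE_ALGORITHMS:
            n = struct.unpack("!H", edata[:2])[0]  # byte length of the pair list
            return [(edata[2 + i], edata[3 + i]) for i in range(0, n, 2)]
    return []


def audit(record):
    """Return human-readable names of the MD5/SHA-1 signature algorithms the client offers."""
    return [f"{SIG_NAMES.get(s, s)}-{HASH_NAMES.get(h, h)}"
            for h, s in parse_signature_algorithms(record) if h in DEPRECATED_HASHES]


if __name__ == "__main__":
    legacy = build_client_hello([(4, 1), (5, 1), (2, 1), (1, 1), (4, 3), (2, 3)])
    print("legacy client offers deprecated:", audit(legacy))
    modern = build_client_hello([(4, 1), (5, 1), (6, 1), (4, 3), (5, 3)])
    print("modern client offers deprecated:", audit(modern))
```

Run stand-alone, the script audits the two constructed ClientHellos; the same `audit` function can be pointed at the raw record bytes of a ClientHello pulled from a packet capture. An empty result means the client is already compliant with the new RFC for its offered signature algorithms; a non-empty one lists exactly which legacy combinations would have to be dropped.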


Short news

  • OpenSSL published a security advisory with moderate severity. The vulnerability is tied to error handling that could lead to incorrect application behavior. It only affects OpenSSL 3.0.0 and not the old 1.0.2 and 1.1.1 versions.
  • Slack experienced some outages while deploying DNSSEC.
  • Cloudflare experienced an outage of its Certificate Transparency Log, Nimbus. Nick Sullivan from Cloudflare provided a detailed postmortem in a mailing list posting.
  • Mozilla published a blog post explaining some policy changes and automated processes regarding the compliance of intermediate certificates.
  • WolfSSL announced support for more experimental post-quantum algorithms in its upcoming version 5.1.0, including support for the Falcon signature algorithm.
  • Version 2.0 of the Certificate Transparency standard and protocol has been published as RFC 9162.
  • The Linux kernel switched from using SHA-1 to BLAKE2 internally in the random number generator.
  • Crosspoint Digital Partners announced its investment in the DigiCert CA. Former Symantec CEO Greg Clark, who now works for Crosspoint, will join the DigiCert board. DigiCert bought Symantec back in 2017.
  • Tavis Ormandy from Google’s Project Zero has found a memory corruption bug in Mozilla’s NSS library. Ormandy discusses in a detailed blog post why this bug wasn’t found by Mozilla’s existing fuzzing infrastructure.
  • Ryan Sleevi explains the past and present use of TLS accelerator hardware in a Twitter thread.
  • Firefox recently added support for SHA-2 signatures in OCSP and OCSP staples. Microsoft had previously enabled SHA-2 OCSP staples on some domains, which triggered a fast implementation and rollout of that change.
  • Eric Rescorla wrote a series of blog posts discussing DNS security, the latest one covering DANE and its potential use in the WebPKI.

Interesting Jobs

Here is an interesting job we've come across in the last month:

  • Senior Fellow - Decentralization, EFF - via BambooHR

If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.

Books and Resources

And here are some resources that you might find useful:

  • DNSSEC DANE implementation manager, via @VDukhovni
  • NCC Group’s Cryptopals Guided Tour, via @NCCGroupInfosec
