
Bulletproof TLS Newsletter

87

Russia creates certificate authority in response to sanctions

31 Mar 2022

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.


As a result of the Russian invasion of Ukraine, several certificate authorities, like DigiCert and Sectigo, have revoked certificates of Russian entities or are refusing to issue new certificates for them. In response, Russian government authorities have created their own certificate authority.

Users in Russia are advised to either install the new root certificate in their browser or use one of the Russian-based Yandex and Atom browsers.

Unsurprisingly, the operation of a state CA outside the normal web PKI system raises concerns. The root certificate could be used to perform man-in-the-middle attacks against users who have installed it. A previous case in which the country of Kazakhstan asked its users to install a root CA, which we have covered in this newsletter before, has been mentioned often in this context.

Yandex has put up a blog post with more details (the post is in the Russian language; here’s a version translated with Google Translate). Notably, Yandex claims that its browser will only accept certificates issued by the new CA if they are in a list of domains actually approved for the use of this CA. This may limit the potential security impact of man-in-the-middle attacks. Yandex also mentions that it plans to operate a Certificate Transparency log for this new CA.


Short news

  • A cryptographic module published by the company Rambus and used in printers from Canon and Fujifilm is generating RSA keys that can be broken with Fermat’s factorization algorithm, as discovered by the author of this newsletter. This algorithm was described in 1643 by the mathematician Pierre de Fermat and is widely known in the literature. It allows efficient factoring of composite numbers that are the product of two primes if the primes are close. Such close primes would not be generated by a correct RSA key generation function that chooses the primes independently and randomly, but a flawed key generation algorithm can produce them.
  • Stefan Eissing wrote a blog post about the current status of the Prossimo project’s efforts to bring rustls support to the Apache web server.
  • A security incident at the NetLock certificate authority was mentioned on Mozilla’s security policy mailing list.
  • Researchers have published a paper analyzing the security properties of the TLS 1.3 pre-shared key (PSK) modes.
  • A group of security researchers has addressed EU policy makers regarding a controversial planned regulation for web certificates. We covered the planned QWACS regulation in detail in the last newsletter.
  • The PKI Consortium and the standardization organization ETSI have announced that they signed a Memorandum of Understanding. This is noteworthy in the context of the planned QWACS regulation in the EU. The PKI Consortium, formerly known as the CA Security Council, is a lobbying organization of certificate authorities that would benefit from QWACS, while ETSI would oversee it. ETSI has not answered questions from us about the content of this agreement and possible conflicts of interest.
  • OpenSSL announced that its version 3.0 will be a long-term support (LTS) release.
  • A research paper gives an overview of the challenges of implementing SCT auditing for Certificate Transparency.
  • OpenSSL has fixed a possible endless loop in the BN_mod_sqrt function. This can lead to a denial-of-service attack using certificates with custom elliptic curves. Such custom elliptic curve parameters are barely ever used, but have been the source of vulnerabilities in the past. Adam Langley wrote a blog post discussing parameter choices in cryptographic algorithms in response.
  • The International Association for Cryptographic Research (IACR) held its Public Key Cryptography (PKC) conference in March. Videos of the talks are available. During the conference, the IACR also awarded two papers with the PKC Test-of-Time Award: a paper from 2005 about password-based authenticated key exchange and a paper from 2006 introducing Curve25519.
  • The Security. Cryptography. Whatever. podcast interviewed Chris Peikert about lattice-based cryptography.
  • A research paper looks at the code quality of the software implementations in the NIST post-quantum competition.
  • A blog post from Hardenize discusses the new Chrome Certificate Transparency policy that removes the requirement of having one Google log.
  • Jason Donenfeld has written a blog post about his recent work introducing some major changes in the Linux kernel’s random number generation code. LWN also has a detailed article on the topic.
  • The Trickster Dev blog describes how to decrypt HTTPS traffic with Wireshark.
  • The CA/Browser Forum has decided to deprecate the use of SHA-1 signatures in OCSP signing. SHA-1 signatures for certificates were deprecated in the web PKI a long time ago, but in OCSP they were still allowed. Some further discussion around this issue can be found in the bug tracker of the Go x509 module. The module’s developer, Filippo Valsorda, recently tried to disable SHA-1 signatures and had to re-enable them for OCSP.
  • PKI Solutions announced a new product called PKI Spotlight to help with monitoring of private CAs and HSM deployments.
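Fermat's method as described in the first short-news item, as an added worked example that is not from the newsletter or from any of the vendors mentioned: a constructed flawed generator that derives q from p, a correct one that draws the two primes independently, and the factorization check a key-auditing tool would run over a modulus. All function names are my own assumptions, and key sizes are reduced to 512 bits for speed.

```python
import math
import random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; fine for a demonstration, not a production primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    while not is_probable_prime(n):   # smallest probable prime >= n
        n += 1
    return n

def random_prime(bits):
    return next_prime(random.getrandbits(bits) | (1 << (bits - 1)) | 1)  # top bit set, odd start

def fermat_factor(n, max_steps=1000):
    """Fermat's method: find a, b with n = a^2 - b^2 = (a - b)(a + b). A semiprime p*q is hit
    after about (q - p)^2 / (8 sqrt(n)) increments of a. Returns (p, q) with p <= q, or None."""
    a = math.isqrt(n - 1) + 1          # ceil(sqrt(n))
    for _ in range(max_steps):
        b = math.isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b
        a += 1
    return None

def weak_modulus(bits=512):
    """Constructed flawed generator: q is derived from p instead of drawn independently."""
    p = random_prime(bits // 2)
    q = next_prime(p + 2)
    return p * q, p, q

def sound_modulus(bits=512):
    """Correct generator: two independent random primes, so q - p is enormous and Fermat stalls."""
    return math.prod(random_prime(bits // 2) for _ in range(2))
```

A weak modulus is recovered on the very first iteration, while the sound one survives the full step budget; a real audit would run fermat_factor with a small step budget over every public key in an inventory.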

Interesting jobs

Here are some interesting jobs we've come across in the last month:

  • Senior Java Security Libraries Engineer - Oracle, via @seanjmullan
  • Lead Product Manager, Chrome Security - Google, via @nasko
  • Information Security Manager - 360T (Germany)

If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.

