
Bulletproof TLS Newsletter

93

In memory of Peter Eckersley

29 Sep 2022

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.


Peter Eckersley, a security researcher and longtime activist for the Electronic Frontier Foundation (EFF), passed away on September 2. Eckersley was best known for having cofounded the Let’s Encrypt certificate authority. Throughout his life, he worked on various projects to improve TLS security.

One of Eckersley’s earlier projects related to TLS security was the creation of the EFF SSL Observatory in 2010. With an internet-wide scan, the project collected all certificates reachable via public IPv4 addresses. Such internet-wide scans are a common tool of security research today. By analyzing this data, Eckersley was able to show that various certificate authorities violated existing rules for certificates. The dataset is still available and can be downloaded for analysis. A video of a presentation by Eckersley and Jesse Burns at the Chaos Communication Congress discussing the SSL Observatory is available online.

Eckersley later developed a proposal for an alternative to the TLS certificate authority system called Sovereign Keys, but it was never practically implemented.

Later, Eckersley was also involved in the development of the HTTPS Everywhere browser extension. This extension would automatically send users to the HTTPS version of a web page if it was available both as HTTP and HTTPS. Last year the EFF announced that the HTTPS Everywhere extension is now deprecated—due to its success. HTTPS is now by and large the default on the web, and such an extension is no longer needed.

That HTTPS was able to become so prevalent is in part also the work of Eckersley. Together with Alex Halderman, he started developing a protocol for the automated issuance of TLS certificates in 2012. The pair then learned about a team at Mozilla that wanted to start a free certificate authority, and they joined forces. The results of these efforts were the ACME protocol and the Let’s Encrypt certificate authority.

As all readers of this newsletter probably will know, Let’s Encrypt allows free and automated issuance of TLS certificates. It is likely that HTTPS was only able to become so prevalent on the web because these efforts made it easy and free to get TLS certificates.

Later in life, Eckersley founded the AI Objectives Institute, an organization working on the ethical issues tied to AI and machine learning technologies.

Eckersley was 43 years old. He had a lasting impact on the security of the internet and TLS and he will be missed.


Short news

Here are some things that caught our attention since the previous newsletter:

  • Let’s Encrypt will start supporting Certificate Revocation Lists (CRLs).
  • Researchers have looked at DNSSEC/TLSA configuration issues in SMTP servers and found a large number of records that could not be validated; the results were published at USENIX. A blog post at APNIC explains the details.
  • Filippo Valsorda explains planned changes in the cryptographic module of the upcoming Go 1.20 release, particularly regarding changes in the elliptic curve API.
  • The Precursor open hardware project will get TLS support via rustls.
  • Google announced the launch of its CA root program.
  • Chrome will no longer perform OCSP requests for EV certificates. Tim Kadlec explains the details in a blog post.
  • Curl developer Daniel Stenberg wrote about TLS fingerprinting and the TLS fingerprint of Curl.
  • NIST published a call for proposals for new post-quantum signature schemes. Proposals can be submitted until June 1, 2023.
  • On the Linux Kernel mailing list, a discussion started about announcements from Intel and ARM related to constant time code. Unless a specific flag is set, CPU instructions are not guaranteed to be constant time and may have data-dependent behavior. Constant time code is considered important for the security of cryptographic operations in order to prevent side-channel attacks.
  • Due to the protests in Iran and internet blocking, Meredith Whittaker from Signal published a call to operate TLS proxies that can be used by people in countries that block Signal.
  • NSS released version 3.83, including some cleanup work of no longer supported architectures.
