Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.

Peter Eckersley, a security researcher and longtime activist for the Electronic Frontier Foundation (EFF), passed away on September 2. Eckersley was most well-known for having cofounded the Let’s Encrypt certificate authority. Throughout his life, he worked on various projects to improve TLS security.

One of Eckersley’s earlier projects related to TLS security was the creation of the EFF SSL Observatory in 2010. With an internet-wide scan, the project collected all certificates reachable via public IPv4 addresses. Such internet-wide scans are a common tool of security research today. By analyzing this data, Eckersley was able to show that various certificate authorities violated existing rules for certificates. The dataset is still available and can be downloaded for analysis. A video of a presentation at the Chaos Communication Congress from Eckersley and Jesse Burns discussing the SSL Observatory is available online.

Eckersley later developed a proposal for an alternative to the TLS certificate authority system called Sovereign Keys, but it was never practically implemented.

Later, Eckersley was also involved in the development of the HTTPS Everywhere browser extension. This extension would automatically send users to the HTTPS version of a web page if it was available both as HTTP and HTTPS. Last year the EFF announced that the HTTPS Everywhere extension is now deprecated—due to its success. HTTPS is now by and large the default on the web, and such an extension is no longer needed.

That HTTPS was able to become so prevalent is in part also the work of Eckersley. Together with Alex Haldermann, he started developing a protocol for the automated issuance of TLS certificates in 2012. The pair then learned about a team at Mozilla that wanted to start a free certificate authority, and they joined forces. The results of these efforts were the ACME protocol and the Let’s Encrypt certificate authority.

As all readers of this newsletter probably will know, Let’s Encrypt allows free and automated issuance of TLS certificates. It is likely that HTTPS was only able to become so prevalent on the web because these efforts made it easy and free to get TLS certificates.

Later in life, Eckersley founded the AI Objectives Institute, an organization working on the ethical issues tied to AI and machine learning technologies.

Eckersley was 43 years old. He had a lasting impact on the security of the internet and TLS and he will be missed.

Short news

Here are some things that caught our attention since the previous newsletter:

• Let’s Encrypt will start supporting Certificate Revocation Lists (CRLs).
• Researchers have looked at DNSSEC/TLSA configuration issues in SMTP servers and found a large number of records that could not be validated, as published at USENIX. A blog post at APNIC explains the details.
• Filippo Valsorda explains planned changes in the cryptographic module of the upcoming Go 1.20 release, particularly regarding changes in the elliptic curve API.
• The Precursor open hardware project will get TLS support via rustls.
• Google announced the launch of its CA root program.
• Chrome will no longer perform OCSP requests for EV certificates. Tim Kadlec explains the details in a blog post.
• Curl developer Daniel Stenberg wrote about TLS fingerprinting and the TLS fingerprint of Curl.
• NIST published a call for proposals for new post-quantum signature schemes. Proposals can be submitted until June 1, 2023.
• On the Linux Kernel mailing list, a discussion started about announcements from Intel and ARM related to constant time code. Unless a specific flag is set, CPU instructions are not guaranteed to be constant time and may have data-dependent behavior. Constant time code is considered important for the security of cryptographic operations in order to prevent side-channel attacks.
• Due to the protests in Iran and internet blocking, Meredith Whittaker from Signal published a call to operate TLS proxies that can be used by people in countries that block Signal.
• NSS released version 3.83, including some cleanup work of no longer supported architectures.