Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.

The OpenSSL team has published version 3.0.7 with a fix for two buffer overflow vulnerabilities rated as high. These vulnerabilities affect the parsing of punycode names in certificates.

Both client and server use of OpenSSL can be affected. Clients may parse such certificates if they connect to a malicious server, but the vulnerability is mitigated by the fact that this happens after certificate chain validation. In most settings, this means an attacker would need a malicious CA that signs a malicious certificate. Servers can be affected if they parse client certificates. According to the OpenSSL advisory, this vulnerability may lead to remote code execution, but stack protection mitigations that are available on most modern systems could mitigate attacks. The vulnerabilities have the following IDs: CVE-2022-3602 and CVE-2022-3786.

Originally OpenSSL had rated one of these vulnerabilities as critical. However, as the team explains in a blog post, the rating was later changed, as code execution exploits for these vulnerabilities seem very unlikely.

OpenSSL’s policy is to rate security vulnerabilities in four severity levels (low, medium, high and critical), so this is the highest category possible. Since the introduction of the critical level in 2015, OpenSSL has only rated one vulnerability as critical: a use after free memory corruption issue found in 2016. (The infamous Heartbleed bug was discovered in 2014, before OpenSSL introduced severity levels for its security advisories.)

The vulnerability only affects the 3.0 branch of OpenSSL, which is still rather new. Distributions and operating systems still using the old OpenSSL 1.1.1 version branch are thus unaffected.

OpenSSL had recently published version 3.0.6 with a low severity security fix and 1.1.1r as a bug fix release, and quickly withdrew these releases due to a regression. Apart from the 3.0.7 release, OpenSSL also published version 1.1.1s as a bugfix release.

A few words of goodbye from Hanno

Back in 2015, I met Ivan Ristic at the Black Hat Europe conference. He asked if I would like to help write the newsletter for Feisty Duck, and I quickly agreed. We decided that I would write monthly, covering all the things happening in the TLS realm. This was a time when there was a lot of research poking holes into TLS and often showing flaws in the protocol itself, which in turn helped lead to improvements. I enjoyed summarizing these developments.

Eventually, all of the TLS research being performed led to a big jump in TLS security with the release of TLS 1.3. The latest version of the protocol avoids many of the pitfalls of weak algorithms and problematic design choices found in previous protocol versions. It’s a great leap forward.

I’ve enjoyed being a part of this journey. But I know now that I’m ready to spend more of my time exploring other areas. Ivan Ristic will take over writing the newsletter going forward so that it can continue to be a valuable source of information about the TLS world.

I want to thank Ivan and Jelena Ristic and Melinda Rankin for our shared work on the newsletter over the years and look forward to it continuing to be a guidepost to developments in the TLS protocol.

Short news

Here are some things that caught our attention since the previous newsletter:

• Frank Denis created a port of BoringSSL to WASM.
• GnuTLS released version 3.7.8 with some minor bug fixes.
• The WithSecure company released information about a security flaw in Microsoft Office 365 message encryption, in which an ECB encryption mode was used in some situations.
• Mozilla released NSS version 3.84 with some minor bug fixes.
• Szilárd Pfeiffer From Balasys has released information about denial of service attacks based on Diffie-Hellman key exchanges, which he calls the DHEat attack. Balasys also released proof-of-concept code for the attack. These attacks have been known for a long time but have not received widespread attention.
• Cloudflare announced that it will enable support for draft versions of a post-quantum key exchange for all customers. These use a hybrid version of Kyber, a winner of NIST’s post-quantum competition, and the X25519 elliptic curve key exchange.
• A buffer overflow was found in the SHA-3/Keccak implementation. This code was the basis for various SHA-3 implementations: it has, for example, been used in Python and PHP’s SHA-3 functions.
• On the APNIC blog, Markus Sosnowski writes about research using TLS fingerprinting to identify web server software.
• Frank Denis published code to benchmark ciphers in OpenSSL, LibreSSL, and BoringSSL.
• Eric Lawrence writes about issues with HTTPS support using bare domains in browsers.
• An incident in the operation of the Yeti Certificate Transparency log led to a partly deleted database. The 2022 shards of the log were unrecoverable.
• Curl fixed an HSTS bypass using IDN names.