Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.

We previously wrote that concerns were raised on Mozilla’s dev-security-policy mailing list about the trustworthiness of TrustCor CA. Joel Reardon, a professor at the University of Calgary with interest in privacy in the mobile space, reported on the possible connections and shared ownership between TrustCor CA and a company called Measurement Systems. This is relevant because the latter had been linked to a US defense contractor and implicated in collecting private information from mobile application users.

People familiar with the PKI space and operation of trust stores could tell how this conversation was going to end as soon as TrustCor’s first email arrived in their mailboxes. That first response and the follow-up emails all followed the same pattern: too much text, a lot of rambling, and not enough factual information. Contrast that style of communication with Mozilla’s concise request for information.

In the span of less than a month, TrustCor ended up being distrusted by Microsoft, Mozilla, and then Google. What’s interesting in this case is that the removal happened not because of the information that was initially uncovered. There was no smoking gun, and TrustCor CA was not found to have breached its technical obligations. However, the unsatisfactory responses eroded the user agents’ trust. The initial doubt and circumstantial evidence, combined with TrustCor’s small actual footprint in the public certificate space, led to its demise.

The world is most definitely better off with TrustCor removed from the root stores. After all, any trusted CA can issue certificates for any domain name, so we ought to be super extra cautious about who is being allowed in.

That said, this incident is a reminder that CAs are allowed in root stores at the user agents’ absolute discretion. A CA is not able to continue to do business if any one of the major vendors (Apple, Google, Microsoft, or Mozilla) decides not to trust it. Some vendors are better than others at establishing the rules. Microsoft apparently distrusted TrustCor without notifying the company. But even if we take Mozilla as the leader in transparency and process, its response essentially boils down to “we don’t trust you.”

Trust is no doubt difficult to quantify, but not being able to answer the question “What rule has been broken?” is most definitely going to annoy EU officials, who are famously laser-focused on establishing rules for everything. As you may remember from last month’s newsletter, the EU plans to establish stronger controls over digital trust in its territories, and browser vendors are not happy about that.

Short news

Here are some things that caught our attention since the previous newsletter:

• Let’s Encrypt enabled ACME CAA Account and Method Binding in its production environment. Hugo Landau wrote about closing the DV loophole.
• After two years of work, the CA/Browser Forum approved new S/MIME Baseline Requirements. They will take effect as of September 2023. Bruce Morton has more in his blog post.
• Apple announced further improvements to the security of its platform, introducing iMessage contact key verification, support for hardware two-factor authentication, and encrypted backups. Matthew Green wrote a blog post to discuss why encrypted backups are important.
• On the same day, Apple also announced that it was abandoning its plans to scan Apple users’ private photos.
• Willy Tarreau, the founder of HAProxy, wrote about the poor performance of OpenSSL 3.0 under load due to lock contention.
• Andrew Ayer wrote about his efforts to process the world’s CRLs, in order to monitor global certificate revocation.
• Jetstack released Paranoia, a tool that can be used to inspect the trust stores of container images.
• Microsoft digital certificates have once again been abused to sign malware.
• Chrome Security published its Q3 2022 summary. Highlights include the official launch of Chrome’s root store and transition toward a complete rollout. The certificate verified component is being extracted and contributed to BoringSSL. Encrypted Client Hello is being tested on the Canary and Dev channels.
• Two AEGIS algorithms have been added to the IANA registry and will be supported in TLS 1.3. AEGIS is a new authenticated encryption algorithm that provides better performance and better practical security.
• RFC 9336 has been published to define new EKUs for document signing.
• APNIC published a case study covering its use of RPKI.
• The research paper highlighting issues in the Matrix protocol was published on Hacker News and sparked an interesting conversation.
• Android 14 is adding support for updatable root certificates.