Bulletproof TLS Newsletter, Issue 97

Password Managers and PBKDF2 in the Spotlight

31 Jan 2023

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.

During January, there was a flurry of activity surrounding password managers and their security. It all started in December, when LastPass warned about an unauthorized third party gaining access to archived backups of its production data. Oops. The data included customer information and their encrypted vaults. This announcement reignited interest in password storage and, especially, PBKDF2.

PBKDF2 is a key derivation function that’s used to slow down attackers who gain possession of some encrypted material. In this situation, vault passwords are the weakest link because weak passwords can be brute-forced with a dictionary of commonly used passwords.

Soatok wrote about a variety of algorithms for password storage. Neil Madden wrote a blog post discussing PBKDF2 iterations. Then he wrote another. Then it became difficult to keep up with the number of blog posts.

In its initial disclosure, LastPass claimed 100,100 PBKDF2 iterations, but users with older accounts are reporting significantly lower numbers. A former engineer provided additional details about what led to the current situation. A similar problem was discovered with Bitwarden, another popular password manager that’s also available as a free, open-source product.

In both cases, the root problem was that the protection parameters are set when a password vault is created and then frozen in time, never updated afterward, even though our understanding of the weaknesses and attackers' ability to exploit them improve continuously.

Current recommendations are to use 600,000 PBKDF2 iterations to protect password vaults. That said, it’s worth understanding that although increasing the number of iterations helps, it only increases the attackers’ costs—and by a relatively modest amount. A much better defense is to use a strong password, which can make your vault unbreakable.

Of particular interest here is the attack model when using a hosted password manager. In this scenario, your vault can be stolen from your devices, but also from the vendor’s systems. Your vendor’s systems are very attractive to attackers because they hold many, many vaults, which is why we should expect to see further security measures. Neither LastPass nor Bitwarden has additional measures, but another hosted password manager company, 1Password, does, via its per-device secret key.
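To make the points above concrete, here is an added example (written for this edit, not code from the newsletter or from any of the password managers it mentions). It builds a toy vault header with PBKDF2-HMAC-SHA256 that records its own iteration count, so a stale count is raised on the next successful unlock instead of staying frozen at creation time; it expresses an iteration bump in equivalent bits of password entropy, which shows why a strong password buys far more than a higher count; and it sketches how a high-entropy device secret can be mixed into the derived key so that a vault copied from a server is not brute-forceable from the password alone. The record layout, the verifier construction and the device-secret mixing are assumptions made for illustration, not any vendor's actual format or 1Password's construction.

```python
"""Toy PBKDF2 vault header with parameter upgrade on unlock (added example)."""
import hashlib
import hmac
import math
import os
from typing import Optional

# Iteration count the newsletter cites as the current recommendation.
DEFAULT_ITERATIONS = 600_000


def derive_vault_key(password: str, salt: bytes, iterations: int,
                     device_secret: Optional[bytes] = None) -> bytes:
    """Stretch the vault password with PBKDF2-HMAC-SHA256.

    If a high-entropy device_secret is supplied, it is mixed into the result so
    that a vault copied from the vendor's servers (without the device) cannot be
    brute-forced from the password alone. The mixing step is a generic
    illustration (assumption), not 1Password's actual construction.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    if device_secret is None:
        return stretched
    return hmac.new(device_secret, stretched, "sha256").digest()


def _verifier(key: bytes) -> str:
    # A keyed tag over a fixed label lets us check a password without storing the key.
    return hmac.new(key, b"vault-verifier", "sha256").hexdigest()


def create_vault_record(password: str, iterations: int = DEFAULT_ITERATIONS,
                        device_secret: Optional[bytes] = None):
    """Return (record, key). The record stores everything needed to re-derive the key."""
    salt = os.urandom(16)
    key = derive_vault_key(password, salt, iterations, device_secret)
    record = {"kdf": "pbkdf2-hmac-sha256", "salt": salt.hex(),
              "iterations": iterations, "verifier": _verifier(key)}
    return record, key


def unlock_and_upgrade(record: dict, password: str,
                       target_iterations: int = DEFAULT_ITERATIONS,
                       device_secret: Optional[bytes] = None):
    """Verify the password; on success, re-stretch if the stored count is stale.

    Returns (key, record) where key matches the returned record. On a wrong
    password returns (None, record) unchanged. A real vault would also have to
    re-encrypt its contents under the new key before persisting the new record.
    """
    key = derive_vault_key(password, bytes.fromhex(record["salt"]),
                           record["iterations"], device_secret)
    if not hmac.compare_digest(_verifier(key), record["verifier"]):
        return None, record
    if record["iterations"] < target_iterations:
        record, key = create_vault_record(password, target_iterations, device_secret)
    return key, record


def iteration_bump_in_bits(old_iterations: int, new_iterations: int) -> float:
    """Express an iteration increase as equivalent bits of password entropy.

    Each doubling of the iteration count doubles the attacker's per-guess cost,
    which is worth exactly one bit of password entropy. 100,100 -> 600,000 is
    about 2.6 bits: helpful, but a few extra random characters buy far more.
    """
    return math.log2(new_iterations / old_iterations)


if __name__ == "__main__":
    # Constructed demo: an old vault created with a low count, upgraded on unlock.
    old_record, _ = create_vault_record("correct horse battery", iterations=5_000)
    key, new_record = unlock_and_upgrade(old_record, "correct horse battery")
    print("upgraded iterations:", old_record["iterations"], "->", new_record["iterations"])
    print("100,100 -> 600,000 iterations is worth %.2f bits"
          % iteration_bump_in_bits(100_100, 600_000))
```

The design choice worth noting is that the iteration count lives in the record next to the salt, so the client has no way to "forget" which parameters a vault was created with; an upgrade becomes a routine step of every unlock rather than a migration project. The device-secret branch shows the shape of the extra measure the newsletter attributes to 1Password: a secret that never reaches the server changes the attack model for server-side vault theft from "guess the password" to "guess the password and obtain the device."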

Short news

Here are some things that caught our attention since the previous newsletter:

  • Bitwarden users were also targeted in a phishing campaign via Google ads.
  • GoTo, the remote collaboration and IT software company that owns LastPass, disclosed a further loss of customer data in a security breach in November.
  • It was discovered that Bitwarden and Dashlane can be tricked into auto-filling credentials into untrusted pages. Safari can be as well, although user interaction is required for exploitation.
  • Emily M. Stark wrote a blog post discussing the right UX for expired certificates.
  • Kiel Christofferson wrote for Let’s Encrypt about the improvements to its OCSP infrastructure.
  • Aleksei Tiurin discussed misconfigured SNI proxies that can be abused to carry out server-side request forgery (SSRF) attacks.
  • Amazon S3 encrypts new objects by default, using AES256.
  • AWS published the Matter PKI Compliance Customer Guide for AWS Private Certificate Authority, but also made it very complicated to access it. If you’d like to read about Matter and its use of PKI, try the Espressif Matter Series.
  • Summer School on real-world crypto and privacy 2023 will take place in June in Vodice, Croatia.
  • There was a lot of chatter after a group of Chinese researchers made a claim that they can break 2048-bit RSA encryption.
  • Our former editor, Hanno Böck, formally published his work on Fermat factorisation, originally published last year.
  • Marcin Nawrocki wrote about the recently published research on QUIC performance. The report (available at this direct link) highlights some practical problems that prevent QUIC from reaching its maximum performance.
  • A security audit at the US Department of the Interior reported that it was possible to crack one-fifth of all passwords in use.
  • A group of academic researchers from the Applied Cryptography group at ETH Zurich, led by Kenny Paterson, published research detailing many attacks on the Threema encrypted messaging application. The team appeared on the Security. Cryptography. Whatever. podcast.
  • Aditya Dixit wrote a post titled “Manipulating AES Traffic Using a Chain of Proxies and Hardcoded Keys.”
  • Michal Spacek reported an XSS vulnerability in ZeroSSL. The problem could lead to the compromise of the private certificate keys generated by their users. This older Bugzilla ticket explains how ZeroSSL generates private keys in the browser and helps its users retrieve them later, while not technically having access to the key material.
  • In response to the ZeroSSL discussion (ZeroSSL has the appearance of a CA, but it’s actually a reseller), Andrew Ayer wrote a post titled “The SSL Certificate Issuer Field Is a Lie.”
  • Keyfactor’s Tech Days 2023 PKI conference will be held February 13 to 15 in Barcelona and online. PKI aficionados will find many interesting topics in the program.
  • The PKI Consortium’s Post-Quantum Conference will be held on March 3 in Ottawa, Canada.
  • Job Snijders provided an overview of RPKI in 2022.
  • ZoTrus, a new company founded by the former WoSign leadership, has been denied membership on a CA/Browser Forum working group. All four browser vendors voted against, while most issuers abstained. WoSign is notable for being the first CA to be distrusted by the browser ecosystem. In 2016, it came to light that WoSign had purchased StartCom but hadn’t disclosed the transaction.
  • Last year, the NCSC UK and the NSA discovered a spoofing vulnerability involving MD5 collisions in Microsoft’s products (CVE-2022-34689). Akamai followed up with an analysis and released a proof of concept.
  • The Autonomous System Provider Authorization (ASPA) deployed in OpenBGPD detected its first route leak. ASPA is a part of RPKI and is used to verify that a provider has permission from a customer to send routes in all directions. RPKI is an effort to secure the global routing infrastructure.
  • Mozilla is updating its root store policy in version 2.9 to distrust legacy root key material.
