Bulletproof TLS Newsletter

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.

Sabre, one of the oldest CT logs, suffered an outage during a recent upgrade that aimed to improve performance and scalability. Although the upgrade was initially declared successful, the private key ended up being misconfigured—unnoticed—for almost an entire day. During this time, this CT log issued a number of SCTs with invalid signatures.

This outage shouldn’t have led to any problems because the best practice is for CAs to request signatures from more CT logs than they need. But in this case it became evident that not all CAs verify the returned signatures. As a result, the invalid data made its way to production certificates.

The extent of the damage isn’t clear, given that many CAs don’t submit certificates to CT logs. Some CAs could have detected and ignored the invalid signatures. Sectigo published some statistics from a scan of all DNS names for which certificates were issued during the affected timeframe. Andrew Ayer has a blog post at SSLMate Blog with more extensive research.

Certificate Transparency information can be delivered embedded in a certificate, in the TLS handshake via a TLS extension, or embedded in an OCSP response. Just two months ago, Chrome developers questioned whether we still need the TLS and OCSP delivery methods. Nick Sullivan from Cloudflare made a case for keeping them so that it’s possible to recover from issues with CT logs without certificate reissuance. You can guess what happened next. Some of the certificates with Sabre’s botched signatures made their way to Cloudflare, but they handled the problem seamlessly by providing additional SCTs out of band.

QWACs: Article 45 Amended for Better Security

About two years ago, the EU announced plans to require Qualified Website Authentication Certificates (QWACs) to be accepted by all browsers. This caused alarm in the security community because the language in the legal document required unconditional support. We wrote more about this most recently in November 2022.

This month, the European Parliament accepted a number of amendments to Article 45 that make it more palatable. In the new text, browsers are allowed to take proportional measures to ensure and preserve security. It looks like a win, although the process is still ongoing.

Chrome Pushes for Shorter-Life Certificates

During the recent CA/Browser Forum meeting, Chrome highlighted its vision (some might call it a plan) for a more agile PKI ecosystem. Moving Forward, Together outlines a number of changes, including agility for private key material, single-purpose CA hierarchies, and reduction of the maximum certificate lifetime to 90 days from the current 398. OCSP is also facing the chop.

The most controversial among these changes is the reduction of maximum certificate lifetime. Automation is the only feasible approach at this frequency of change. Even though we made great improvements in this area in the last couple of years, there are still very large numbers of certificates handled manually. The next likely step in Chrome’s plans is to require all CAs to support ACME, which would set us on a path to ubiquitous automation. According to Google’s survey, 58.3% of CAs currently do not support ACME.

Short news

Here are some things that caught our attention since the previous newsletter:

• GitHub published its SSH host key to a public repository. Yikes.
• Let’s Encrypt deployed ACME Renewal Information support to production. This feature will make it easier to handle mass-revocation events.
• Soatok wrote Database Cryptography Fur the Rest of Us, sharing some very useful and practical advice.
• Benjamin, O’Brien, and Westerbaan released an experimental IETF draft describing Merkle Tree Certificates, which combine X.509 and Certificate Transparency, achieving comparable security properties with a smaller message size. The main idea is to support post-quantum signatures at under a thousand bytes in total.
• The Security Cryptography Whatever podcast now has a website.
• Google Workspace announced support for client-side encryption.
• Carl Tashian at Smallstep writes about building a private CA secured with a YubiKey.
• Details from the LastPass security incident continue to trickle down: it’s now known that one of four DevOps engineers with access to the vaults was targeted at home and compromised via a Plex exploit.
• Bitwarden is vulnerable to password theft because of its autofill mechanism.
• Ambisto wrote about brute-force attacks on Bitwarden pins, highlighting the never-ending battle between usability and security.
• Amazon Trust Services made it clear it doesn’t support or recommend pinning against its key material or certificates.
• Researchers have published a paper on a novel ECDSA attack they're calling Polynonce. Nils Amiet writes about the attack in a blog post at Kudelski Security Research.
• Both slides and videos from the thirteenth BIU Winter School on cryptography have been made available online.
• AEGIS-128X is an experimental authenticated cipher designed to take advantage of parallelism and vectorized AES instructions; it’s fast.
• PKI Consortium hosted its first Post-Quantum PKI conference in Ottawa, Canada. Slides and videos are now available.
• Lightweight OCSP (RFC 5019) is being updated to add support for SHA-256 and deprecate SHA-1.
• OpenSSL 3.1 has been released with a FIPS 140-3-compliant provider and performance improvements. Phoronix released benchmarks showing significant improvements with certain processor architectures.
• Backendal, Haller, and Paterson broke MEGA’s security, and then they broke it again.
• Runa Sandvik started Untidy, a newsletter that investigates cybersecurity. In the first issue, she wrote about the use of spyware in Morocco. In the second issue, she analyzed the UK’s proposed Online Safety Bill and its effects on end-to-end encryption.
• A group of researchers released a paper on Jolt, discussing recovery of TLS signing keys via rowhammer faults, which create invalid signatures and reveal parts of the keys.
• Google now provides free certificates via ACME for all customers of Google Domains.
• Ciphey is a handy tool that brute-forces more than fifty encodings and classic encryption algorithms.
• A side-channel attack against CRYSTALS-Kyber was published. Bruce Schneier highlights the fact that machine learning was used to exploit the weakness.
• Cloudflare announced free post-quantum cryptography for all its customers. Separately, a Cloudflare post also talked about how Kyber is not broken.
• Speaking of post-quantum crypto, Zig added it to its standard library.
• OPAQUE is an Asymmetric Password-Authenticated Key Exchange (aPAKE) protocol being standardized by the IETF as a more secure alternative to the traditional password-over-TLS mechanism prevalent in current practice.
• It was discovered that CloudPanel installations all use the same private key.
• Hammurabi is a framework for pluggable, logic-based X.509 certificate validation.
• The Security Cryptography Whatever podcast has a new episode about the Real World Crypto conference, which is taking place this week.