29 Mar 2023
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.
Sabre, one of the oldest CT logs, suffered an outage during a recent upgrade that aimed to improve performance and scalability. Although the upgrade was initially declared successful, the private key ended up being misconfigured—unnoticed—for almost an entire day. During this time, this CT log issued a number of SCTs with invalid signatures.
This outage shouldn’t have led to any problems because the best practice is for CAs to request signatures from more CT logs than they need. But in this case it became evident that not all CAs verify the returned signatures. As a result, the invalid data made its way to production certificates.
The extent of the damage isn’t clear, given that many CAs don’t submit certificates to CT logs. Some CAs could have detected and ignored the invalid signatures. Sectigo published some statistics from a scan of all DNS names for which certificates were issued during the affected timeframe. Andrew Ayer has a blog post at SSLMate Blog with more extensive research.
Certificate Transparency information can be delivered embedded in a certificate, in the TLS handshake via a TLS extension, or embedded in an OCSP response. Just two months ago, Chrome developers questioned whether we still need the TLS and OCSP delivery methods. Nick Sullivan from Cloudflare made a case for keeping them so that it’s possible to recover from issues with CT logs without certificate reissuance. You can guess what happened next. Some of the certificates with Sabre’s botched signatures made their way to Cloudflare, but they handled the problem seamlessly by providing additional SCTs out of band.
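The check a CA can run on each returned SCT before embedding it, as an added example (not code from the newsletter or from any CA or log): it rebuilds the RFC 6962 signed structure for a precertificate entry and verifies the signature against the log's published key. It assumes an ECDSA P-256 log key and that the caller supplies the issuer key hash and TBSCertificate bytes as submitted to the log; `genKey`, `signSCT` and the sample values are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SCT holds the RFC 6962 v1 fields needed to check a log's signature.
type SCT struct {
	Timestamp             uint64 // milliseconds since the Unix epoch
	Extensions, Signature []byte // Signature: ASN.1 DER ECDSA over SHA-256
}

// signedData serializes the RFC 6962 section 3.2 signed struct for a precert_entry.
func signedData(ts uint64, ext []byte, ikh [32]byte, tbs []byte) []byte {
	b := make([]byte, 12) // b[0]: sct_version v1 = 0, b[1]: certificate_timestamp = 0
	binary.BigEndian.PutUint64(b[2:10], ts)
	binary.BigEndian.PutUint16(b[10:12], 1) // entry_type = precert_entry
	b = append(append(b, ikh[:]...), byte(len(tbs)>>16), byte(len(tbs)>>8), byte(len(tbs))) // key hash, uint24 len
	b = append(append(b, tbs...), byte(len(ext)>>8), byte(len(ext))) // TBSCertificate, uint16 len
	return append(b, ext...)
}

// VerifySCT reports whether s verifies under the public key the log has published.
func VerifySCT(logKey *ecdsa.PublicKey, s SCT, ikh [32]byte, tbs []byte) bool {
	digest := sha256.Sum256(signedData(s.Timestamp, s.Extensions, ikh, tbs))
	return ecdsa.VerifyASN1(logKey, digest[:], s.Signature)
}

// genKey and signSCT stand in for the log (hypothetical helpers for this example).
func genKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
func signSCT(key *ecdsa.PrivateKey, ts uint64, ikh [32]byte, tbs []byte) SCT {
	digest := sha256.Sum256(signedData(ts, nil, ikh, tbs))
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SCT{Timestamp: ts, Signature: sig}
}

func main() {
	published, wrong := genKey(), genKey() // advertised key vs. misconfigured signing key
	ikh, tbs := sha256.Sum256([]byte("constructed issuer key")), []byte("constructed TBSCertificate")
	fmt.Println("correct key:", VerifySCT(&published.PublicKey, signSCT(published, 1, ikh, tbs), ikh, tbs))
	fmt.Println("wrong key:  ", VerifySCT(&published.PublicKey, signSCT(wrong, 1, ikh, tbs), ikh, tbs))
}
```

An SCT that fails this check is discarded and one from another log is used in its place, which is why requesting more SCTs than the minimum matters.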
About two years ago, the EU announced plans to require Qualified Website Authentication Certificates (QWACs) to be accepted by all browsers. This caused alarm in the security community because the language in the legal document required unconditional support. We wrote more about this most recently in November 2022.
This month, the European Parliament accepted a number of amendments to Article 45 that make it more palatable. In the new text, browsers are allowed to take proportional measures to ensure and preserve security. It looks like a win, although the process is still ongoing.
During the recent CA/Browser Forum meeting, Chrome highlighted its vision (some might call it a plan) for a more agile PKI ecosystem. Moving Forward, Together outlines a number of changes, including agility for private key material, single-purpose CA hierarchies, and reduction of the maximum certificate lifetime to 90 days from the current 398. OCSP is also facing the chop.
The most controversial among these changes is the reduction of maximum certificate lifetime. Automation is the only feasible approach at this frequency of change. Even though we made great improvements in this area in the last couple of years, there are still very large numbers of certificates handled manually. The next likely step in Chrome’s plans is to require all CAs to support ACME, which would set us on a path to ubiquitous automation. According to Google’s survey, 58.3% of CAs currently do not support ACME.
Here are some things that caught our attention since the previous newsletter: