
Cryptography & Security Newsletter, Issue 107

European Union Presses Ahead with Article 45

30 Nov 2023

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.

The European Union continues on its path to eIDAS 2.0, which includes the controversial Article 45 that basically tells browsers which certification authorities (CAs) to trust. eIDAS, which stands for electronic identification and trust services, is a framework aimed at regulating electronic transactions. As part of this proposal, the EU wants to support embedding identities in website certificates. In essence, the goal is to bring back Extended Validation (EV) certificates.

Browsers—of course—don’t want that, but the real problem is the fact that, with the legal text as it is at the moment, in its near-final form, the EU gets the final say in which CAs are trusted. The global security community has been fighting against Article 45 for more than two years now; we wrote about it on a couple of occasions. As of November 2023, the European Council and Parliament have reached a provisional agreement. The next step is for the law to be put to the vote, which is usually a formality.

In November, ahead of the crucial vote, the campaigns intensified, with browser providers (Google, Mozilla), civil society groups (EFF), other companies, and more than 500 security experts voicing their concerns. In the end, it didn’t help: the bureaucrats drafted the text and voted behind closed doors with little acknowledgement of the protests.

And therein lies the main problem: the EU doesn’t understand the global technical community. Internet standards are developed collaboratively and organically, with careful deliberation of the details. The EU, on the other hand, prefers a top-down approach that ignores the details—and apparently involves no debate. They expect everyone to trust that the details will turn out all right. The text voted on was published only after the fact.

The EU might have the right to govern its territory, but when it comes to these global matters, it also has a duty to respect and compromise with the rest of the world. Above all, care must be taken to separate technology and politics as much as possible.

After all, it took the world a very long time to achieve reasonable security of global website authentication. A decade ago, we were witnessing hackers breaking into CAs and government agencies issuing certificates for Google’s properties. Today, we have much stricter issuance and security standards, and we also have Certificate Transparency, which provides visibility and auditing. No one knows what will happen to those safeguards under Article 45, and the EU isn’t engaging with the question. (If you’d like to read a longer argument, try this one from Ryan Hurst.)

Where are we now? The EU wants browsers to display legal identities embedded in the qualified certificates, but it also wants to control who issues them. It so happens that the same certificates are used to store the identities and authenticate websites. It’s not at all clear if the EU cares about the latter part. In fact, the following statement appears in the recitals in the provisional agreement:

“The obligation of recognition, interoperability and support of QWACs is not to affect the freedom of web-browser providers to ensure web security, domain authentication and the encryption of web traffic in the manner and with the technology they consider most appropriate.”

So can browsers recognise and show legal identities from the EU-approved CAs, but continue to require full compliance with current technical standards in order to fully trust qualified certificates? Or can browsers require two certificates, one for TLS and the other for identities, like Mozilla proposed last year?

We’ll need to wait and see.


Short News

Here are some things that caught our attention since the previous newsletter:

  • Cloudflare’s CT logs suffered an extended downtime of several weeks. Normally, CT logs are required to publish accepted certificates within twenty-four hours, which is important to support timely auditing. Cloudflare’s Nimbus log shards became unavailable on November 2, 2023. Nimbus 2024 came back on November 15, but Nimbus 2023 didn’t come back online fully until November 27.
  • There’s a new paper outlining Time Memory Tradeoff (TMTO) attacks against TLS 1.3, DTLS 1.3, QUIC, and Signal.
  • Firefox 120 will trust CA certificates manually added to the underlying operating system.
  • OpenSSL 3.2.0 has been released. This version incorporates two years of work and many new features, including client-side QUIC, Deterministic ECDSA, AES-GCM-SIV, Argon2, HPKE, and more.
  • Service Binding via DNS (SVCB and HTTPS Resource Records) is now RFC 9460.
  • A group of researchers published their work on private RSA key recovery from naturally occurring failures during signature generation (think cosmic rays and such). The paper focuses on passive SSH key recovery. Online DNSSEC signers may also be vulnerable.
  • Earlier this year, Chrome started rolling out its HTTPS-Upgrades feature across its user base. The rollout is now complete and applies to all users.
  • There was an announcement on LinkedIn that 2,048-bit RSA has been broken, but no evidence has been provided.
  • Shay Gueron came up with a way to make AES-GCM safer using an approach called Derive-Key-AES-GCM. Frank Denis provides Rust and Zig implementations.
  • Excellent news: out of seventeen Tier 1 autonomous systems, only one doesn’t use Route Origin Validation (ROV).
  • Filippo Valsorda talks about polynomials and linear algebra, just enough to help you implement the Kyber post-quantum crypto algorithm.
  • Martin Albrecht appeared on the Security Cryptography Whatever podcast to discuss security analysis of lattice-based cryptosystems.
  • The European Telecommunications Standards Institute (ETSI) decided to open up its TETRA algorithms to the public. This news follows earlier discovery of vulnerabilities in these important yet little-understood protocols.
  • The world has become better at deploying and updating server certificates, but embedded systems continue to be a challenge. Car manufacturer Rivian deployed a software update that included an incorrect certificate and bricked the infotainment systems for 3 percent of its customer base. Luckily, the company was able to fix the problem remotely.
  • The second Post-Quantum Cryptography Conference has been held in Amsterdam. There are slides and videos available from the conference.
  • Unusually, the .et TLD uses CAA to restrict certificate issuance. This means that by default, the same CAA policy applies to all registrable domains with this suffix. Although this was probably done by mistake, a good way to promote CAA might be to publish a policy that doesn’t allow issuance, thus forcing all users to learn about CAA and publish their own policies.
  • The Legion of the Bouncy Castle released version 1.77 to keep up with the latest post-quantum algorithms.
  • Microsoft announced a new Cloud PKI service for its Intune Suite for endpoint management. Cloud PKI will support multiple certification authorities and manage the lifecycle of certificates issued to Intune-managed devices.
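A small illustration of why a CAA policy published at a TLD such as .et reaches every registrable domain under it: a CAA lookup climbs from the queried name toward the root and stops at the first CAA record set it finds (RFC 8659), so a domain that publishes no CAA of its own inherits the parent's policy. This is an added example with constructed zone data, not code or DNS records from the newsletter; the "et" entry, the other names and the CA identifiers are placeholders.

```python
"""Added example (not from the newsletter): RFC 8659 CAA tree-climbing lookup
over constructed zone data, showing how a TLD-level policy is inherited."""

from typing import Dict, List, Optional, Tuple

# Constructed sample zone data: name -> list of (flags, tag, value).
# The "et" entry only mirrors the observation that the TLD carries a CAA
# policy; the real .et records are not reproduced here.
SAMPLE_ZONES: Dict[str, List[Tuple[int, str, str]]] = {
    "et": [(0, "issue", "ca-a.example")],            # TLD-level policy (constructed)
    "override.et": [(0, "issue", "ca-b.example")],   # domain that published its own
    "strict.example": [(0, "issue", ";")],           # explicit "no issuance" policy
}


def caa_lookup(name: str, zones=SAMPLE_ZONES) -> Tuple[Optional[str], List]:
    """Return (name at which a CAA set was found, its records).
    RFC 8659 section 3: if the queried name has no CAA records, try its
    parent, then the grandparent, and so on up to (but excluding) the root.
    CNAME handling and DNSSEC validation are omitted for brevity."""
    labels = name.strip(".").lower().split(".")
    while labels:
        candidate = ".".join(labels)
        if candidate in zones:
            return candidate, zones[candidate]
        labels = labels[1:]
    return None, []


def may_issue(ca: str, name: str, zones=SAMPLE_ZONES) -> bool:
    """Decide whether CA `ca` may issue a certificate for `name`.
    Only the 'issue' tag is modelled ('issuewild', 'iodef' and the critical
    flag are ignored).  No CAA set anywhere up the tree means unrestricted."""
    _, records = caa_lookup(name, zones)
    issue = [v for _, tag, v in records if tag == "issue"]
    if not issue:  # no CAA records found at any level: any CA may issue
        return True
    # A value may carry parameters after ';'; only the issuer domain matters.
    # An empty issuer domain ("issue ;") authorises nobody on its own.
    authorized = {v.split(";")[0].strip().lower() for v in issue} - {""}
    return ca.lower() in authorized


if __name__ == "__main__":
    for domain in ("shop.et", "override.et", "www.strict.example", "free.example"):
        found, _ = caa_lookup(domain)
        print(f"{domain:20} policy from {found!r:20} "
              f"ca-a.example may issue: {may_issue('ca-a.example', domain)}")
```

Run as a script to see that shop.et, which publishes nothing itself, is governed by the TLD's record, while override.et escapes it only by publishing its own CAA set.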
