Cryptography & Security Newsletter

111

European Union Starts to Confront Digital Platforms’ Dominance

28 Mar 2024

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić and Robert Thornton.

Originally conceived in 2022, the European Union’s Digital Markets Act (DMA) entered into force on March 7, 2024. The first six designated gatekeepers—dominant companies in key digital markets—must now comply with their obligations. From now on, Apple, Alphabet, Meta, Amazon, Microsoft, and ByteDance will be under close scrutiny designed to prevent them from abusing their platforms.

The scrutiny is certain; it took only eighteen days for the European Commission to start noncompliance investigations against Alphabet, Apple, and Meta. Amazon is also being scrutinized.

Several of these gatekeepers recently made announcements designed to increase compliance with the DMA and make them smaller targets. Amazon, for example, announced that it will waive the bandwidth charges incurred by customers leaving AWS. Meta specifically cited the DMA when it announced its WhatsApp and Messenger interoperability programs. Google announced its compliance efforts via a blog post, and so did ByteDance.

Apple’s changes, announced in January, were met with criticism that they make things worse rather than better, and that these measures are designed to make the company technically compliant while making it difficult to impossible for developers to use their DMA rights. There was also a lot of drama surrounding Apple’s decision to kill off web apps in the EU, a decision the company later reversed. Apple is now in the hot seat in two locations: on March 21, the US Department of Justice filed an antitrust lawsuit against the company.

Short News

Here are some things that caught our attention since the previous newsletter:

  • The Real World Crypto (RWC) conference took place in Toronto, Canada. Check out the slides.
  • We’re great fans of Certificate Transparency. At RWC 2024, the team behind it won the Levchin Prize. Congratulations!
  • Apple’s new chips have a security weakness that could be exploited to steal encryption keys; the new vulnerability is called GoFetch. The vulnerability is said to be unpatchable on M1 and M2 chips, whereas M3 has a flag that mitigates the vulnerability (at unknown performance cost).
  • Let’s Encrypt announced Sunlight, a new style of Certificate Transparency log developed in partnership with Filippo Valsorda. The idea is to make it easier and cheaper to deploy a great many CT logs at scale.
  • Professor Fred Piper, the founder and former director of the Royal Holloway Information Security Group, has died.
  • HID Global acquired ZeroSSL, a certificate provider from Austria with a business model centered on subscriptions.
  • NIST released version 2 of its Cybersecurity Framework (CSF). Whereas the previous version was focused on critical infrastructure, version 2 is intended for all organizations.
  • Microsoft has begun to publish its Certificate Transparency Log Monitor policy on a monthly cadence. Jeremy Rowley notes that this may mean expanding CT coverage into code-signing certificates.
  • Google released its threat model for post-quantum cryptography. Here’s what Matthew Green thinks about it.
  • NIST released a draft practice guide to help organizations that need visibility of encrypted traffic: Addressing Visibility Challenges with TLS 1.3.
  • Ryan Hurst has been looking into CA market share using Certificate Transparency data.
  • Marc Stevens has a neat new trick: pure alphanumeric MD5 collisions.
  • Mike Agrenius Kushner writes about certificate enrollment protocols.
  • Bertie is a TLS 1.3 implementation written in a subset of Rust designed to support formal verification.
  • The Security Cryptography Whatever podcast has published a parody episode with deep-faked Obama, Trump, and Biden discussing cryptography.
  • But they’re still into serious stuff; they also talked to Douglas Stebila, an associate professor of cryptography at the University of Waterloo, about Apple’s new post-quantum cryptography for iMessage.
  • D(HE)ater is a proof-of-concept DoS attack against TLS servers, exploiting the asymmetry of cryptographic operations across clients and servers.
  • Let’s Encrypt generated fifteen new intermediate certificates backed by ten new private keys. Going forward, these intermediates will be randomly rotated to prevent ossification.
  • David Adrian writes about post-quantum cryptography being too damn big.
  • There’s a new RFC draft to standardize remote attestation with certificate signing requests (CSRs). The idea here is to provide proof that private keys are strongly protected. (Via @Cryptoki.)
  • Brad Warren of the Electronic Frontier Foundation explains why the EFF’s Certbot tool, which maintains HTTPS for over thirty million domain names, could be replaced by new and innovative free and open-source tools, such as Caddy and Traefik.
  • 419 Consulting’s March 4 edition of Encrypted DNS in the News includes links to coverage of recent DNS-oriented attacks, IETF updates, and other DNS-related news.
  • Bruce Schneier’s blog discusses ComPromptMized, which is said to be the first worm designed to target GenAI ecosystems through the use of adversarial self-replicating prompts.
  • New Scientist examines Google and XPRIZE’s $5 million contest designed to widen the capabilities of quantum computers and find new tasks that they can accomplish.
  • Cloudflare’s blog discusses the current state of post-quantum internet cryptography. It predicts double-digit adoption by the end of 2024.
  • Hacker News readers discuss the Texts.blog article that analyzes how certificate pinning is practiced by Meta’s Messenger on macOS. Participants include Texts.com developers who were involved in the analysis.
  • A Quanta Magazine article examines the promising results of a transatlantic collaboration that used statistical techniques and artificial intelligence to discover completely unexpected patterns in elliptic curves.
  • Hacker News readers provide insight into a report about a European Court of Justice decision blaming tracking industry association IAB Europe for the “consent spam popups that have plagued people for years all over the Internet in Europe,” which violate the GDPR.
  • Bleeping Computer examines how Tor’s new WebTunnel bridges mimic HTTPS traffic to evade censorship.
  • David Adrian reports via X that experimental post-quantum key exchange (ML-KEM/Kyber) will be enabled by default on desktop platforms in Chrome 124, which releases on April 16.
