
Cryptography & Security Newsletter

114

Entrust in Trouble

27 June 2024

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.

Update (28 June 2024): Just a few hours after we published our newsletter, Google announced that they will distrust Entrust from November 2024.

Entrust, one of the oldest Certification Authorities (CAs), is in trouble with Mozilla and other root stores. In the last several years, going back to 2020, there have been multiple persistent technical problems with Entrust’s certificates. That’s not a big deal when it happens once, or even a couple of times, and when it’s handled well. But according to Mozilla and others, it hasn’t been. Over time, frustration grew. Promises were made, then broken. Finally, in May, Mozilla compiled a list of recent issues and asked Entrust to formally respond.

Entrust’s first response did not go down well, lacking sufficient detail. Sensing trouble, it later provided another response, with more information. We haven’t seen a response back from Mozilla yet, just ones from various other unhappy members of the community. It’s clear that Entrust’s case has reached a critical mass of unhappiness.

We haven’t heard from other root stores directly … yet. However, at the recent CA/Browser Forum meeting, also in May, Google used the opportunity to discuss standards for CA incident response. (The Root Causes podcast has an episode dedicated to it, if you’d like to learn more.) It’s not clear whether this is just a coincidence, but Google’s presentation uses pretty strong words that sound like a serious warning to Entrust and all other CAs to improve—or else.

Looking at the incidents themselves, they’re mostly small technical problems of the kind that could have been avoided with standardized validation of certificates just prior to issuance.

As it happens, Ballot SC-75 focuses on preissuance certificate linting. If this ballot passes, linting will become mandatory as of March 2025. It’s a good first step. Perhaps the CA/Browser Forum will in the future consider encoding the Baseline Requirements into a series of linting rules that can be applied programmatically to always ensure full compliance.
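To make the idea of preissuance linting concrete, here is an added example (not code from the newsletter, the CA/Browser Forum, or any CA) of a small linter that runs over the to-be-signed fields a CA holds before it signs. The dict layout, the sample profiles and the rule set are simplifying assumptions drawn from common Baseline Requirements rules; a real CA would run a complete linter such as pkilint or zlint.

```python
# Added example, not from the newsletter or any CA: a minimal pre-issuance linter
# over the to-be-signed fields a CA holds before signing. The dict layout and rule
# set are simplifying assumptions drawn from common Baseline Requirements rules.
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398   # subscriber certificates: at most 398 days
MIN_SERIAL_BITS = 64      # at least 64 bits of CSPRNG output in the serial
MAX_SERIAL_OCTETS = 20    # RFC 5280 limit on the encoded serial number
MIN_RSA_BITS = 2048

def lint_tbs(tbs):
    """Return (rule, message) findings for a TLS server leaf; [] means clean."""
    f = []
    days = (tbs["not_after"] - tbs["not_before"]).days
    if days > MAX_VALIDITY_DAYS:
        f.append(("validity", f"{days} days exceeds {MAX_VALIDITY_DAYS}"))
    serial = tbs["serial"]
    if serial <= 0:
        f.append(("serial", "serial number must be positive"))
    elif serial.bit_length() < MIN_SERIAL_BITS:
        f.append(("serial", f"only {serial.bit_length()} bits in serial"))
    elif (serial.bit_length() + 8) // 8 > MAX_SERIAL_OCTETS:  # DER adds a sign bit
        f.append(("serial", "encoded serial exceeds 20 octets"))
    sans = tbs.get("san", [])
    if not sans:
        f.append(("san", "subjectAltName extension is required"))
    cn = tbs["subject"].get("CN")
    if cn is not None and cn not in sans:
        f.append(("subject", f"CN {cn!r} is not one of the SAN entries"))
    if "OU" in tbs["subject"]:
        f.append(("subject", "organizationalUnitName is not permitted"))
    if tbs["key_type"] == "RSA" and tbs["key_bits"] < MIN_RSA_BITS:
        f.append(("key", f"RSA key of {tbs['key_bits']} bits is too small"))
    if tbs["sig_alg"].lower().startswith("sha1"):
        f.append(("signature", "SHA-1 signatures are prohibited"))
    eku = set(tbs.get("eku", []))
    if "serverAuth" not in eku or "anyExtendedKeyUsage" in eku:
        f.append(("eku", "EKU must contain serverAuth and not anyExtendedKeyUsage"))
    return f

def should_issue(tbs):
    return not lint_tbs(tbs)  # the pre-issuance gate: no findings, or no certificate

# Constructed sample: 457-day validity, 14-bit serial, CN missing from SAN, OU present.
BAD_TBS = {"serial": 12345, "not_before": datetime(2024, 6, 1, tzinfo=timezone.utc),
           "not_after": datetime(2025, 9, 1, tzinfo=timezone.utc), "eku": ["serverAuth"],
           "subject": {"CN": "www.example.com", "OU": "IT"}, "san": ["example.com"],
           "key_type": "RSA", "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"}
GOOD_TBS = dict(BAD_TBS, serial=1 << 70, subject={"CN": "example.com"},
                not_after=datetime(2025, 6, 1, tzinfo=timezone.utc))
```

Every finding here corresponds to a class of misissuance that has produced real incident reports; a gate like `should_issue` turns them into rejected requests instead of revocation work.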


EU: The Belgian Presidency Backs Down

In last month’s newsletter, we wrote about how the politicians in the EU are continuing on the path to requiring constant surveillance of all their citizens. We spent the last month reading leaked documentation and contradicting statements from various EU officials. For example, Věra Jourová has said that the EU’s proposal is not breaking encryption or affecting privacy, but she also has been quoted as saying specifically that encryption will be broken.

Ultimately, it seems that the opponents of the proposal produced enough noise, causing the Belgian Presidency to give up on the vote that was supposed to happen on June 20. This is it for now. The presidency will be moving to Hungary, which is expected to continue trying to push the proposal through.

Short News

Here are some things that caught our attention since the previous newsletter:

  • The University of Tartu, from Estonia, published a series of video lectures on applied cryptography.
  • Frederik Reiter spent months of work writing about the security of AES-GCM and its various failure modes related to nonce reuse.
  • Neil Madden writes about nonces as well, exploring whether you can go beyond 2^32 messages with AES-GCM.
  • Chrome is removing trust from GLOBALTRUST 2020, a small European CA. To ensure that current certificates are not affected, for the first time, the distrust will be carried out based on the Certificate Transparency timestamps (SCTs).
  • In the Root Causes podcast, episode 393, Tim Callan talks about the breakage observed during the deployment of the new post-quantum algorithms.
  • If you’re into post-quantum crypto, you’ll want to know about PQCrypto 2024 (see the proceedings, part one and two) and the affiliated workshop, New Trends in Post-Quantum Cryptography—or newtpqc (via @mjos_crypto).
  • Chrome, in version 124, enabled hybrid post-quantum key exchange, Kyber (ML-KEM), for everyone. The same blog post goes on to introduce the concept of trust anchor agility, which enables supporting old and modern clients at the same time while using the best available authentication.
  • Panos Kampanakis and Will Childs-Klein have looked at the impact of post-quantum cryptography on the time to last byte.
  • Bouncy Castle Java added support for Messaging Layer Security (RFC 9420).
  • The Security Cryptography Whatever podcast has a new episode out, with Eric Rescorla.
  • If you’re not into post-quantum cryptography but you’d still like to understand what’s going on, then this is the book for you: What You Shouldn't Know about Quantum Computers.
  • Pkilint, the open-source linter for digital certificates, has added support to check the compliance of eIDAS certificates.
  • Whitfield Diffie turned 80 on June 5, 2024.
  • Rustls has added support for Encrypted Client Hello (ECH).
  • Firefox will—finally—start upgrading the remaining passive mixed content to HTTPS.
  • AWS has added an SCEP connector to its AWS Private CA product.
  • On the Key Material blog, you can read about reconstructing public keys from signatures.
  • OpenSSH plans to remove support for DSA keys in the near future.
  • Latacora wrote a blog post about several interesting talks that were presented at Real World Crypto 2024.
  • Apple will add a password manager to macOS Sequoia. Finally.
  • Let’s Encrypt switched to its new intermediate certificates.
  • Entropy is a new tool for finding secrets in files by looking for high-entropy data.
  • Geoff Huston wrote a lengthy article to analyze the state of DNSSEC. The verdict? DNSSEC is going nowhere. Now what?
  • We know from Eric Rescorla’s previous posts that post-quantum cryptography will not be coming to TLS 1.2. If you want it, you’ll have to use TLS 1.3. (Good.) Still, Eric explores how post-quantum cipher suites might work in combination with TLS 1.2.

