Cryptography & Security Newsletter

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.

HTTP cookies were never intended for session management, but that’s what we ended up with. Modern-day applications may have shifted to other methods, such as JSON Web Tokens (JWTs), but the traditional session management approach is based around the concept of a session identifier, which is a temporary authentication (bearer) token that gives access to the application session state. This is not insecure in itself, but it’s problematic when session identifiers are transported using cookies, which were never designed for security. These weaknesses gave rise to session hijacking attacks.

Over the years, many attempts have been made to make HTTP cookies secure, with features such as the Secure flag, then the HttpOnly flag, another feature called Name Prefixes, and then the Same-Site concept. And those are in addition to a series of changes to how browsers handle cookies. All of this helped, but it didn’t solve the problem.

My own research into this situation—too many years ago—led me to look into the possibility of binding HTTP sessions to TLS sessions. The idea was simple: You attach the observed TLS session identifier to the HTTP session on the first request, then you check that it remains the same on subsequent requests. The thinking was that the TLS session was going to stay the same for the original user, but be something else for the attackers. I was very pleased to discover that it worked in all browsers—except in Internet Explorer, which limited the duration of TLS sessions to only five minutes. And that was that.

The Rise of Cookie-Theft Malware

In the early days of session hijacking, the main attack vector was lack of encryption. Anyone with access to the local network traffic could observe session identifiers in plaintext—for example, by using Wireshark. In fact, there was once (in 2010) a famous Firefox extension called Firesheep that automated the entire attack and made it trivial for anyone to execute.

Eventually, HTTPS became ubiquitous, and cookies became sufficiently secure to make session hijacking a thing of the past. However, as our security started to improve, the criminal networks looked for other options. For many years, password compromise was the preferred exploitation option, but the rise of two-factor authentication made that venue less and less feasible. The attackers then pivoted to cookie-theft malware.

An infostealer, as this type of malware is also called, is conceptually simple: It tricks the victim into running a piece of software that looks around their hard disks for anything of value; in the past, this included passwords, and now it also includes session tokens. Passwords may be worthless to access accounts protected with two-factor authentication, but session tokens can be used immediately.

Enter Device-Bound Session Credentials

For more than a decade, plenty of people at Google tried to design a channel binding mechanism to improve HTTP session security in such a way that session hijacking would become impossible. You may have heard the same concept called channel ID or token binding. For one reason or another, they couldn’t get it to work—until, perhaps, now.

The first we heard about Device-Bound Session Credentials (DBSC) was in a blog post from April 2024, when Google announced that it was experimenting with something new. Fast-forward to last month, when Google announced a beta of the new protections in Google Workspace for users running Chrome on Windows. In the UI, there’s just a checkbox that you need to tick.

Underneath, DBSC is based on public-key cryptography. For every session, a pair of keys is created and stored securely on the device, in a way that makes them difficult to recover. On Windows, Chrome will use Trusted Platform Module (TPM), which is available in about 60 percent of installations. The session-specific private key can be used periodically to prove that the access is attempted from the same device. With this, session identifiers become useless on any other device.

Sounds great! Now we just have to wait to see if the other browser vendors like the idea. If they do and they adopt DBSC, then session hijacking will finally become a thing of the past. It’d be nice to know that some problems are never coming back. The DBSC standard lives as a W3C standard.

Selected Usenix Security ‘25 Papers

The 34th Usenix Security Symposium has been held in Seattle, and the materials are now available. There is a ton of information to process; the full proceedings are in a 1.2 GB PDF file. Here’s my list of interesting papers related to cryptography, without commentary and in the order I discovered them:

• X.509DoS: Exploiting and Detecting Denial-of-Service Vulnerabilities in Cryptographic Libraries using Crafted X.509 Certificates
• IRBlock: A Large-Scale Measurement Study of the Great Firewall of Iran
• Email Spoofing with SMTP Smuggling: How the Shared Email Infrastructures Magnify this Vulnerability
• Catch-22: Uncovering Compromised Hosts using SSH Public Keys
• SoK: An Introspective Analysis of RPKI Security
• A Tale of Two Worlds, a Formal Story of WireGuard Hybridization
• An Interview Study on Practices, Experiences, and Challenges of Updating Cryptographic Code
• A Formal Analysis of Apple's iMessage PQ3 Protocol
• Towards Practical, End-to-End Formally Verified X.509 Certificate Validators with Verdict
• Exploring How to Authenticate Application Messages in MLS: More Efficient, Post-Quantum, and Anonymous Blocklistable
• How to Compare Bandwidth Constrained Two-Party Secure Messaging Protocols: A Quest for A More Efficient and Secure Post-Quantum Protocol
• S/MINE: Collecting and Analyzing S/MIME Certificates at Scale
• Bundled Authenticated Key Exchange: A Concrete Treatment of Signal's Handshake Protocol and Post-Quantum Security
• Comprehensive Deniability Analysis of Signal Handshake Protocols: X3DH, PQXDH to Fully Post-Quantum with Deniable Ring Signatures
• Towards Internet-Based State Learning of TLS State Machines
• STEK Sharing is Not Caring: Bypassing TLS Authentication in Web Servers using Session Tickets

Short News

We have a great many news stories this month. Short news, long list. Happy reading!

• It is rumored that the UK has agreed to drop its demands for access to Apple’s user data.
• Nadim Kobeissi has published the complete materials for the Applied Cryptography course at the American University of Beirut.
• Buypass, a Norwegian CA, is getting out of the public TLS certificate business. Is this the first of many to follow? How will CAs make money after everybody switches to free certificates?
• Evgeny Poberezkin has published a critique of Messaging Layer Security (MLS). Soatok responded.
• Mozilla shared an update about its CRLite deployment; in brief, it’s working very well and Mozilla is now dropping OCSP for domain-validated certificates in Firefox 142. Future improvements to CRLite are planned.
• There’s a good section on Encrypted Client Hello (ECH) in Caddy’s documentation. It’s neat that Caddy can be configured to public ECH keys to DNS.
• Microsoft published an update on its post-quantum migration.
• The 2025 Workshop on Elliptic Curve Cryptography celebrated the founding of ECC 40 years ago and offered personal reflections from Victor Miller and Neal Koblitz.
• On the topic of cryptographic agility, NIST has released the second draft of Considerations for Achieving Cryptographic Agility: Strategies and Practices.
• NIST has also released the fourth revision of its Digital Identity Guidelines.
• A group of researchers has added new linters to jzlint to support ML-KEM and ML-DSA.
• From last year, but still interesting: A large-scale survey of public keys on the internet didn’t find any RSA keys that could be factorized.
• Seven new security vulnerabilities in the TETRA protocols have been published; three are critical.
• Let’s Encrypt is retiring its first-generation (RFC 6962) CT logs.
• TesseraCT is a new tile-based CT log implementation.
• Filippo Valsorda is experimenting with an extension of the Static CT API to make it easier to get only domains and IP addresses embedded in certificates. This move is intended to reduce the pressure on the CT logs, because the dominant use case for CT log monitoring is now subdomain enumeration.
• In late July, the UK introduced mandatory age checks for adult services; it’s not going well. The Wikimedia Foundation recently asked for and was refused protection from the Online Safety Act.
• In Europe, the fight over the chat control proposal continues. VPNs could be next.
• OpenSSH 10.1 will start to warn if it encounters a server that doesn’t use a post-quantum key exchange.
• Bouncy Castle’s Jentropy Engine for cryptographic random number generation has been certified to be compliant with the NIST Entropy Source Validation (ESV) program.
• In a LinkedIn post, Cryptomathic outlines the many eIDAS 2.0 implementing acts that define how the new regulation should be used in practice.
• Britain’s NCSC updated its guidance on quantum networking technologies.
• hashcat v7.0.0, a major new release, is now out.
• Let’s Encrypt is planning the next generation of its roots and intermediates, due later in 2025.
• The Fourth ITU-T X.509 Day will take place on September 5, 2025.
• A new paper by Zohaib et al. examines China’s internet censorship: Exposing and Circumventing SNI-Based QUIC Censorship of the Great Firewall of China.
• Bruce Schneier and Davi Ottenheimer discuss the Solid protocol, invented by Sir Tim Berners-Lee, which aims to restore digital agency by giving individuals ownership and control over their personal data stored in user-controlled "data wallets."
• Kintsugi is a protocol for key recovery that allows a user to regain access to end-to-end encrypted data after they have lost their device, if they still have their (potentially low-entropy) password. Also take a look at Juicebox.
• Akamai has added support for post-quantum cryptography to its origin connections. Now in early access and enabled on request, it will enter general availability in October 2025.
• Kyber provides robust security guarantees against quantum attacks while maintaining acceptable performance profiles for most contemporary applications, according to new research.
• Filippo Valsorda is working on a new mutation testing framework for the assembly used in the Go cryptographic library.
• A company called Germ is adding end-to-end encryption to Bluesky’s AT protocol.
• Let’s Encrypt has turned off its OCSP service for good.
• A presentation from a recent Black Hat conference shows how fault injection continues to be effective against modern cryptography, the post-quantum primitives included.
• Native NGINX support for ACME is currently available in preview.
• If you’re not happy with taking post-quantum advice from others, Marin Ivezic has built a do-it-yourself CRQC calculator that can help you determine when quantum computers will be able to break today’s encryption.
• Valentin Chatelard has published seven examples of TLS certificate automation, each with a different environment.
• NIST completed its work on the Ascon-based lightweight cryptography standards.