
Cryptography & Security Newsletter

27

Certificate Transparency requirement delayed

28 April 2017

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Hanno Böck.

Let's Encrypt downtime

It’s been a relatively quiet month for TLS news without any major stories, but of course there are many shorter news items to share. This issue of the Cryptography & Security Newsletter will be a bit different from usual, with only short news items rather than any larger stories.


Short News

  • Originally, Google planned to require Certificate Transparency starting in October 2017. Now the company has revised this timeline and will allow another six months, moving the deadline to April 2018.
  • Researchers from UC Berkeley and Intel are investigating new methods for traffic analysis of TLS. In many cases, they have been able to guess information about content based on an analysis of encrypted traffic patterns. Another recent research paper looked specifically at identifying Netflix videos based on traffic analysis.
  • Many sites have moved to HTTPS recently—including porn sites. The latest sites to protect their users’ connections are Youporn and Pornhub.
  • A recent research paper investigates a new algorithm to solve the elliptic curve Diffie-Hellman problem, on which the security of many public key algorithms is based. However, the algorithm only works on specific curves and isn’t relevant for the curves usually used for cryptography.
  • Hammer CLI, a tool that’s part of the Foreman system administration software, had a vulnerability in its TLS certificate validation.
  • An analysis of keys used for Tor relays identified some broken keys. Some of them had shared moduli and shared prime factors, but the number of keys with defects overall was small.
  • GnuTLS fixed a minor security issue in the parsing of OpenPGP certificates.
  • In two blog posts, Red Hat provided an overview of the changes coming to TLS with version 1.3.
  • Most web browsers cache intermediate certificates and will use them if they access sites that don’t send a proper certificate chain, which can allow tracking and fingerprinting users based on the installed intermediates.
  • In a recent post, Adam Caudill explains extended validation certificates and sees little value in them.
  • Certificate Authority Authorization (CAA) records have recently seen some increased interest. Mattias Geniar explains them in a blog post, and Royce Williams has created an overview of software and providers that support CAA.
  • Kudelski Security explained how to properly validate DSA and ECDSA keys.
  • Michael Dexter is skeptical about the planned license change at OpenSSL.
  • BetterTLS is a browser test suite developed by Netflix to test name constraints in certificates.
  • Microsoft explained how to use Enterprise Certificate Pinning for certain domains in a Windows environment.
  • Several cameras from the vendor Foscam had a shared TLS certificate and private key—an obvious security vulnerability.
  • Matthew Garrett explained how to patch a binary using curl so that it no longer performs certificate validation, an action that allows him to debug IoT devices.
  • The DNS Privacy Project maintains a list of public DNS servers that support DNS over TLS.
  • Moving to HTTPS gives web page operators guidelines for how to plan and implement a switch from HTTP to HTTPS.
  • The security company Cure53 has audited Let’s Encrypt.
  • Daniel Bernstein and Tanja Lange have published a paper explaining the need for postquantum cryptography.
  • The authors of the so-called Ring-Road Bug point out that Google’s QUIC protocol leaks the length of the plaintext in an encrypted connection. However, it seems they were quite sloppy in their research; this property is also present in TLS and has been called the HTTPS Bicycle vulnerability before (see our January 2016 newsletter). The authors of the Ring-Road Bug recommend disabling QUIC, which makes no sense and provides no protection against this bug.
  • Several banking apps in the United Kingdom “can’t get TLS certificate validation right.”
  • Douglas Stebila proposed an extension to TLS to allow for additional keyshare algorithms. This extension could be used for early postquantum algorithms, in which someone would want to combine an existing, safe key exchange with an experimental postquantum one.
  • Alex Gaynor posted an introduction to Certificate Transparency.
  • A research team led by Karthikeyan Bhargavan analyzed Cloudflare’s keyless SSL feature. The team presented attacks and came to the conclusion that keyless SSL doesn’t meet its intended security goals.
  • testssl.sh now contains a check for the Ticketbleed vulnerability.
  • A new attack demonstrates how to use unicode characters to create domain names that look identical to common brand names. This isn’t a new attack vector, but it indicates that current countermeasures aren’t sufficient.
  • Apple announced that in iOS 10.3, manually added certificates are handled differently and aren’t automatically trusted for TLS connections.
  • Riddle is a vulnerability in the certificate handling of MySQL 5.5 and 5.6. It’s similar to the BACKRONYM vulnerability, which was discovered in 2015. Both BACKRONYM’s and Riddle’s webpages poke fun at the trend of having names, logos, and webpages for vulnerabilities.
  • Cloudflare now provides TLS support for SaaS.
  • Ryan Sleevi wrote some advice for server software in which people want to implement support for Certificate Transparency. There’s a discussion in the bug tracker of the Caddy HTTPS server about this as well.
  • As announced in January (and mentioned in our newsletter) the latest Chrome versions ignore the CommonName field in certificates. This field has been declared deprecated since 2000 in RFC 2818. Eric Lawrence explains the details in a blog post. It seems not everyone received this information in time; the man-in-the-middle feature of Sophos UTM firewalls creates certificates that exclusively use CommonName, thus leaving many users unable to surf to HTTPS pages. This is yet another example of man-in-the-middle or TLS interception devices causing breakage.
  • Mozilla NSS fixed some security vulnerabilities: an out-of-bounds read in the Base64 decoder and a bug in the random number generator.
  • It’s theoretically possible to use a variant of RSA that provides postquantum security, but it’s not very practical: the key size is one terabyte.
  • Nikos Mavrogiannopoulos explained recent changes and simplifications to the random number generator used by GnuTLS.
  • TaLoS is an implementation of TLS within the Intel SGX enclave.
  • A forged Google root certificate seems to be in use as a code signing certificate for some shady software, but it’s unclear how it was installed on systems in the first place.
  • RFC 8143 provides recommendations about the use of TLS for NNTP and newsgroups.
  • As noted earlier, many sites are switching to HTTPS these days—but the US Patent Office has done the opposite and switched back to insecure HTTP from HTTPS.
  • Mozilla has published the code of TLS Canary, a regression test suite for the TLS functionality in Firefox.
  • Kudelski Security provided some guidance for how to start auditing crypto code.
  • Cloudflare provided some statistics about the decline of AES-CBC in TLS. AES-CBC has been the subject of many padding oracle attacks in the past, but modern TLS connections usually use the AES-GCM or Chacha20/Poly1305 authenticated encryption modes.
  • Thomas Pornin gave a talk about BearSSL at the BSides Edinburgh conference.
  • A recent paper discusses postquantum signature schemes and zero-knowledge protocols based on symmetric encryption primitives.
  • Carl Mehner has provided some visual guides explaining elliptic curve cryptography.
  • NGINX 1.13.0 provides experimental support for TLS 1.3.
  • Kudelski Security discussed whether keys in Curve25519-based algorithms need to be validated. In standard settings, doing so isn’t necessary. However, there can be protocols for which the lack of key validation causes security issues, as an older blog post by Thai Duong shows.
  • Several Extended Validation (EV) and Organization Validation (OV) certificates issued by DigiCert contain bogus location information. They include cities in the wrong province and sometimes US states for certificates not located in the US. Here’s DigiCert’s response.
  • Symantec has written a proposal on how they plan to avoid further problems in their certificate issuance process in the hope of avoiding the harsh actions planned by Google (see last month’s newsletter).
  • Vulnerabilities in JSON Web Encryption have recently led to debates about the quality of JSON’s cryptography features.
