Originally published in Bulletproof TLS Newsletter, a free periodic newsletter designed to keep you informed about the latest developments in SSL/TLS and Internet PKI. Written by Ivan Ristić.
This newsletter launched in October 2014 as a way of helping the readers of Bulletproof SSL and TLS (as it was called then) stay informed of the developments in the transport security space. I am very pleased that we’ve kept up with our newsletter for one hundred issues. I can’t say that it’s always been easy, but it’s definitely rewarding, especially at a milestone like this one.
Coincidentally, we have another milestone to celebrate. In May 2013, exactly ten years ago, we released the first edition of OpenSSL Cookbook as a free book.
To celebrate these two milestones, we decided to relicense OpenSSL Cookbook under a more permissive content license—more specifically, under the Creative Commons Attribution-NonCommercial license. We hope that this change in licensing will encourage derivative works and possibly lead to the creation of new translations.
Here are some things that caught our attention since the previous newsletter:
- Seven messenger applications (Element, Session, Signal, Threema, Viber, WhatsApp, and Wire) published an open letter in opposition to the UK’s Online Safety Bill that’s currently in the House of Lords.
- A group of researchers published their research into ticket-based TLS session resumption in a blog post titled “We Really Need to Talk About Session Tickets.” This is the same group that discovered a critical problem with the implementation used by AWS in 2021.
- Fastly announced Certainly, a new CA that it will use to issue certificates for its customers. By default, Certainly uses certificates that are valid for only 30 days.
- The Real World Crypto 2023 conference took place in Tokyo in late March. Slides and video recordings are available for those who could not attend.
- OpenSSL 3.2 will support RFC 7250, which defines a new certificate type and TLS extensions to support the use of raw keys in TLS handshakes, as announced by Viktor Dukhovni.
- E-Tugra, a Turkish CA, still has an open ticket related to an incident that took place more than five months ago. The reactions haven’t been favorable.
- Thai Duong published a slideshow titled “Fantastic Crypto Bugs and Where to Find Them,” a brief overview of the most common cryptography implementation mistakes.
- Chromium will deprecate SHA-1 signatures in the TLS handshake. (Not to be confused with SHA-1 signatures in certificates, which were deprecated a while ago.)
- ACME Renewal Information (ARI) is starting to get attention from developers.
- OpenSSL is seeking feedback on the draft of its mission and values statement. Unusually, there’s no mention of code quality and security at the moment.
- Chrome’s “Always Use Secure Connections” option can be force-enabled via enterprise policy as of version 112.
- The inimitable Peter Gutmann explains post-quantum cryptography.
- Kathleen Moriarty discusses how companies can prepare for the inevitable post-quantum crypto apocalypse in a blog post for APNIC.
- The Dutch National Communications Security Agency released the PQC Migration Handbook, its post-quantum cryptography migration guide.
- The Dutch government will adopt RPKI by the end of 2024.
- Biscuit 3.0 has been released, with a reference implementation in Rust.
- Researchers have found a way to defeat Wi-Fi encryption by exploiting transmit queues.
- ACME is being extended to support issuance for subdomains based on proof of control of the parent.
- Pankaj Pipada and Arati Joshi wrote about Understanding the Overhead of Using BoringSSL FIPS Mode in Go.
- A paper titled Energy Consumption Evaluation of Post-Quantum TLS 1.3 for Resource-Constrained Embedded Devices shows that post-quantum cryptography doesn’t always mean worse performance.
- WhatsApp improves security with automatic connection verification based on public key transparency.
- The Security Cryptography Whatever podcast has a new episode talking about Messaging Layer Security (MLS) with one of the specification’s coauthors, Raphael Robert.
- Corey Bonnell has created a project for generation of example S/MIME certificates.
- Sectigo’s crt.sh has a certificate linter (via Ryan Hurst).
- Neil Madden has two blog posts out, one about handling JWK Sets and the other about entity authentication with a KEM.