What happened in the SSL industry in the past February?

Important developments in the SSL industry in February:

TLS 1.3 has been approved by the IETF; the final RFC may be published soon.

With TLS 1.3 nearly complete, the discussion about interception proxies and visibility inside data centres has started again. The UK's National Cyber Security Centre has weighed in on the debate, but, as Adam Langley points out, its contribution contains some factually incorrect claims. In particular, there are misunderstandings about how traffic interception worked in TLS versions up to 1.2; problems in this area were responsible for delaying the deployment of TLS 1.3 by several months. The visibility question was also raised again at the IETF meeting in London.

OpenSSL is trying to change its license to the Apache License. It is now looking for the remaining contributors whose approval for the license change has not yet been received.

Facebook has launched a feature that proactively rewrites HTTP links to HTTPS for URLs whose hosts are in the HSTS preload list or have sent HSTS headers.
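The rewriting described above relies on two things: a set of known HSTS hosts (from the preload list or from previously seen Strict-Transport-Security headers) and correct host matching, where a parent domain only covers subdomains if its entry carries includeSubDomains, and where matching is done on whole labels so that notexample.com is not mistaken for a subdomain of example.com. The following is an added example of that logic, not Facebook's code; the HSTS_ENTRIES set and the hostnames in it are constructed for the example and are not the real preload list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries: host -> includeSubDomains flag.
# An assumption for this example, not the real HSTS preload list.
HSTS_ENTRIES = {
    "example.com": True,        # covers example.com and every subdomain
    "www.example.org": False,   # covers only the exact host
}


def hsts_covers(host, entries=HSTS_ENTRIES):
    """Return True if host is covered by an HSTS entry.

    An exact host match always counts; a parent domain counts only when
    its entry has includeSubDomains. Matching walks whole DNS labels, so
    'notexample.com' is never treated as a subdomain of 'example.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            if i == 0 or entries[candidate]:
                return True
    return False


def upgrade_link(url, entries=HSTS_ENTRIES):
    """Rewrite an http:// URL to https:// when its host is HSTS-protected."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    if not hsts_covers(parts.hostname or "", entries):
        return url
    netloc = parts.netloc
    # RFC 6797: the default port 80 becomes 443 (i.e. is dropped);
    # any other explicit port is kept unchanged.
    if netloc.endswith(":80"):
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def parse_hsts_header(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    max_age is None when the directive is missing or malformed, in which
    case the header must be ignored.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None, False
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def learn_from_header(host, header, entries):
    """Update the known-hosts table from a header a host has sent.

    max-age=0 is the host's way of withdrawing its HSTS policy.
    """
    max_age, include_sub = parse_hsts_header(header)
    if max_age is None:
        return
    host = host.lower()
    if max_age == 0:
        entries.pop(host, None)
    else:
        entries[host] = include_sub


if __name__ == "__main__":
    for link in ("http://example.com/a?b=1", "http://sub.example.com/",
                 "http://notexample.com/", "http://a.www.example.org/"):
        print(link, "->", upgrade_link(link))
```

The example also shows the second source of entries the item mentions: a host that has sent a Strict-Transport-Security header is added to the table, and a later max-age=0 removes it again.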

NSS 3.36 has been released; it replaces its ChaCha20 implementation with a formally verified one from the HACL* project.

Google has explained its final plan to distrust some Symantec certificates next month and all remaining ones later this year. As we reported last month, many websites still use these certificates, which will soon be distrusted and are already causing warnings in Firefox Nightly and Chrome beta. The Mozilla TLS Observatory has provided some new data on the topic.

Apple has made some changes to HSTS to prevent abuse of user tracking features.

Android P will enforce TLS for app network traffic and block all non-TLS traffic unless developers explicitly allow cleartext traffic.

Mozilla's experiment with DNS over HTTPS has caused some controversy. In this setup, DNS queries travel over an encrypted channel to a server chosen by Mozilla. From a privacy perspective this has both advantages and disadvantages: the queries themselves are encrypted and cannot be read in transit, but a central server (in Mozilla's case operated by Cloudflare) gains access to large amounts of user DNS data.

The ACME specification for automated certificate issuance is in final review and may soon become an IETF RFC.

The encrypted.google.com subdomain provided an alternative way to reach the Google search engine over HTTPS. It is now deprecated, since the search engine has been served over HTTPS by default for some time.

Hanno Böck posted details of a stack buffer overflow in the WolfSSL library.

Let's Encrypt now supports wildcard certificates.

LibreSSL 2.7.1 fixes a certificate validation vulnerability discovered by Python developer Christian Heimes, who also implemented a workaround in Python itself.

OpenSSL fixes two vulnerabilities: a stack exhaustion in the ASN.1 parser and a bug in the HP-UX/PA-RISC assembly code of the CRYPTO_memcmp function.

Researchers published a paper analyzing how well the certificates in Certificate Transparency logs comply with the Baseline Requirements.

Like other browsers, Safari also warns users when they use forms on unprotected HTTP pages.

CurveSwap is a theoretical attack that is possible because part of the TLS handshake is not authenticated. A research paper uses it as a starting point to investigate elliptic curve implementations in the wild.

Cloudflare announced its Certificate Transparency log, called Nimbus.

Tinydoh is a Go implementation of DNS over HTTPS.
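Both the Mozilla experiment above and Tinydoh speak the same protocol: a standard DNS message in wire format is carried inside an HTTPS request, either as a POST body or base64url-encoded in a `dns=` query parameter, and the resolver returns a wire-format DNS message with content type `application/dns-message`. The following is an added example of that exchange, not code from Tinydoh or Mozilla: it builds the GET URL for a query, and parses a response message that is constructed inline (including a name-compression pointer, which real responses use) rather than captured from a live resolver. The resolver URL `https://doh.example/dns-query` and the answer address are placeholders.

```python
import base64
import struct
import urllib.request

# Constants from RFC 1035.
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A):
    """Encode a DNS query in wire format. The message ID is fixed to 0, as
    DNS over HTTPS recommends, so identical questions produce identical
    URLs that HTTP caches can serve."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url, name, qtype=QTYPE_A):
    """GET form: the wire-format query, base64url-encoded without padding."""
    wire = build_query(name, qtype)
    dns = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"


def doh_fetch(resolver_url, name, qtype=QTYPE_A, timeout=5):
    """Send the query over HTTPS and return the raw DNS response (network)."""
    req = urllib.request.Request(doh_get_url(resolver_url, name, qtype),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset_after)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2            # the pointer ends the name here
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_answers(msg):
    """Return (rcode, [(name, type, ttl, value)]) from a DNS response."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    offset = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


def build_sample_response():
    """A constructed response to build_query('example.com'), not captured
    traffic: QR/RD/RA set, the question echoed, one A record whose owner
    name is a pointer (0xC00C) back to the question name."""
    question = build_query("example.com")[12:]
    header = struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("https://doh.example/dns-query", "example.com"))
    print(parse_answers(build_sample_response()))
```

`doh_fetch` is the only function that touches the network; everything else runs offline, which is what makes the message format testable. Note that the parser trusts the length fields only as far as Python slicing allows; a production parser should also bound pointer loops, since a malicious response can make a compression pointer point at itself.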

A growing number of companies and projects are announcing the deprecation of the older TLS versions 1.0 and 1.1, among them the certificate authority DigiCert, KeyCDN Inc., and the Python package repository PyPI.

Starting in April, Chrome will require Signed Certificate Timestamps (SCTs) from Certificate Transparency logs for all new certificates. Let's Encrypt has started embedding them into all new certificates automatically.

Mike West wrote a proposal to limit the validity period of cookies sent over insecure HTTP connections.

Vodafone Portugal has been rewriting the Content-Security-Policy header in unencrypted HTTP traffic. Commercial manipulation of HTTP by ISPs is one of the reasons why even purely static web pages should use HTTPS.

Kudelski Security explains Manger's attack on RSA-OAEP.

Adam Langley wrote about an experiment by Cloudflare and Google to determine the feasibility of post-quantum key exchange in TLS 1.3. Post-quantum algorithms typically come with larger key sizes; the experiment simulates this by adding dummy extensions to the TLS handshake. Independently of that experiment, researchers at Cisco have built an experimental post-quantum PKI that uses X.509 extensions to add post-quantum capabilities to certificates.

Mozilla's Franziskus Kiefer wrote a blog post about Mozilla's use of formally verified cryptography from the HACL* project.

OpenSSL has published recommendations on timing issues in RSA key generation. The corresponding research paper has been published on the Cryptology ePrint Archive.

A paper explores dynamically replacing encryption algorithms in OpenSSL with other implementations, resulting in significant speed improvements in some cases.

The forum software Discourse now supports HTTPS by default.

Ian Carroll once again obtained an Extended Validation certificate for one of his subdomains in the name of "Stripe, Inc.". He had registered a company under that name, which is not the well-known payments provider Stripe. This shows that Extended Validation certificates are of little value. The certificate has been revoked by the certificate authority GoDaddy, which in turn has sparked debate over whether the revocation was legitimate. Scott Helme discusses this debate in a blog post.

A research paper investigates security issues with Java keystores.

The certificate for the domain hosting the official jQuery library expired and broke a large number of websites, because it is common practice to include jQuery from the upstream host rather than hosting it locally.

The testssl.sh tool has released version 3.0 beta, including support for TLS 1.3, detection of the ROBOT vulnerability and support for OpenSSL 1.1.

A flaw in Bouncy Castle's RSA key generation caused it to run too few primality test rounds, which with low probability can result in weak keys.
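The failure mode behind this item is easy to see with the Miller-Rabin test itself: a composite number can pass the test for some bases (its "strong liars"), and each independent random round reduces the chance of being fooled by at most a factor of four, so the number of rounds directly sets the error bound. The following is an added example, not Bouncy Castle's code and not its actual parameters: it implements the test with an explicit round count and shows that 2047 (= 23 · 89) passes a single round with base 2 but is caught by a second base, while a genuine prime never produces a witness no matter how many rounds run.

```python
import random


def miller_rabin_witness(n, a):
    """Return True if base a proves the odd integer n > 2 composite.

    Writes n - 1 = 2^r * d with d odd, then checks the sequence
    a^d, a^(2d), ..., a^(2^(r-1) d) mod n. A prime must yield 1 or n-1
    somewhere in that sequence; if it never does, a is a witness."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(r - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def passes_with_bases(n, bases):
    """True if n survives Miller-Rabin for every given base (no witness found)."""
    return all(not miller_rabin_witness(n, a) for a in bases)


def is_probable_prime(n, rounds, rng=random):
    """Probabilistic primality test with a caller-chosen number of rounds.

    Trial division by small primes first; then `rounds` random bases.
    For an adversarially chosen n the error probability is at most
    4**-rounds, which is why skimping on rounds (the Bouncy Castle issue
    above) matters for key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if miller_rabin_witness(n, a):
            return False
    return True


def error_bound(rounds):
    """Worst-case probability that a composite survives `rounds` rounds."""
    return 4.0 ** -rounds


if __name__ == "__main__":
    # 2047 = 23 * 89 is the smallest strong pseudoprime to base 2.
    print("2047 with base 2 only:", passes_with_bases(2047, [2]))
    print("2047 with bases 2, 3: ", passes_with_bases(2047, [2, 3]))
    print("2**127 - 1, 40 rounds:", is_probable_prime(2**127 - 1, 40))
    print("error bound, 1 round: ", error_bound(1))
    print("error bound, 40 rounds:", error_bound(40))
```

The `rng` parameter exists so the random bases can be made reproducible; in real key generation they must come from a cryptographically secure source, and the round count should follow the key size as the relevant standards prescribe rather than a fixed small number.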

BGP hijacking was used to attack visitors of the Ethereum wallet website MyEtherWallet. This prompted some discussion about the risk of BGP vulnerabilities being used to obtain fraudulently issued certificates, although no such certificate misissuance occurred in this case. Cloudflare's blog post explains the details. This attack scenario is not new; it was discussed at Black Hat in 2015 and in research papers.