[LACNIC/Seguridad] Fwd: Bulletproof TLS Newsletter - Google plans to distrust all current Symantec certificates
Fernando Gont
fgont at si6networks.com
Mon Apr 3 19:36:06 BRT 2017
FYI
(I'm forwarding this because it has several interesting links)
-------- Forwarded Message --------
Subject: Bulletproof TLS Newsletter - Google plans to distrust all
current Symantec certificates
Date: Thu, 30 Mar 2017 11:35:08 +0000
From: Feisty Duck TLS News <newsletter at feistyduck.com>
Reply-To: newsletter at feistyduck.com
To: fgont at si6networks.com
Feisty Duck - Newsletter #26 - 30 March 2017
Dear Fernando
Bulletproof TLS Newsletter is a free periodic newsletter bringing you
commentary and news surrounding SSL/TLS and Internet PKI, designed to
keep you informed about the latest developments in this space.
*Author: Hanno Böck*
In this issue:
1. Google plans to distrust all current Symantec certificates
2. Short news
RuhrSec 2017
Feisty Duck is happy to support RuhrSec 2017,
a non-profit security conference at the Ruhr University Bochum, 2-5 May
2017. International speakers, interesting crypto and TLS talks and
social events!
Google plans to distrust all current Symantec certificates
Google has proposed taking very severe steps against Symantec due to
violations of its responsibilities
as a certificate authority. In January, it became known
that Symantec had issued several certificates for domains that weren't
requested by their owners. These certificates were created by the South
Korean company Crosscert, to which Symantec had given access to its
certificate issuance infrastructure.
Over the course of the investigation, it became clear that multiple
companies had been given similar access to Symantec's infrastructure
without sufficient oversight. Symantec knew about some of the problems
and didn't come forward with that knowledge. Altogether, around 30,000
certificates have been issued by these companies.
Google now plans to phase out all currently valid Symantec certificates.
Via several steps, the Chrome browser would distrust certificates with
certain validity times. In the end, Symantec would only be allowed to
issue certificates with a validity of nine months in the future. Also,
Symantec would lose its ability to issue Extended Validation (EV)
certificates. Although many people question the utility of
EV-certificates, they’re a major source of income for certificate
authorities due to their higher prices.
Symantec noted that it finds Google’s actions irresponsible.
In an emailed statement, as reported by Ars Technica,
Symantec wrote: “Our SSL/TLS certificate customers and partners need to
know that this does not require any action at this time.”
------------------------------------------------------------------------
Short news
* OpenSSL has planned a license change to the Apache License Version
2.0
and asked all former contributors whether they agree to the proposed
change.
The OpenSSL license has long been unpopular due to its unusual
advertising clause. However, the license change to the Apache
license is controversial, because it will still mean that OpenSSL is
incompatible with GPL version 2.
Code under GPL 3 will be compatible, however.
* CA/Browser Forum voted in favor of a rule
that will make checking of CAA records mandatory. With CAA,
domain owners can set a DNS record that defines which certificate
authorities are allowed to issue certificates for it.
* Cloudflare enabled support for TLS 1.3 with zero round-trip
handshakes (0-RTT).
Although 0-RTT is a win for performance, it’s also a security risk
because it can enable replay attacks. Cloudflare tries to solve this
problem by restricting 0-RTT to requests for which such problems are
unlikely.
* The debate about TLS interception devices continues. US-CERT has
issued a warning about the security risks of such devices and
software.
Martijn Grooten from Virus Bulletin still sees value in TLS
interception,
despite the security risks that come with it.
* The downtime of Amazon's S3 services caused some problems for the
Certificate Transparency logs of the company Venafi. The logs gave
inconsistent replies,
which is a severe violation of the responsibilities of a Certificate
Transparency log. Future Chrome versions will no longer accept these
Venafi logs.
* Akamai published statistics about the prevalence of support for SNI.
SNI is a TLS feature that allows using multiple different
certificates for different hostnames on the same IP address.
According to these statistics, fewer than 1 percent of users are
unable to use SNI.
* Mozilla released NSS version 3.30,
which contains mostly bugfixes.
* Supersingular isogenies are a promising method for post-quantum
cryptography. They’re mostly considered for key exchanges, but a
research paper has presented a signature scheme based on this method.
* David Urbanik wrote a friendly introduction to supersingular isogeny
Diffie-Hellman.
* A new compression method for supersingular isogeny Diffie-Hellman
keys allows smaller key sizes,
but comes with significant performance costs.
* Firefox 55 will restrict the Geolocation API to secure contexts.
In Chrome, this is already the case. This is in line with the
browser’s plans to restrict powerful features to HTTPS sites.
* Guido Vranken found several minor vulnerabilities in the mbedTLS
library.
* A posting on the CFRG mailing list by one of the designers of NTRU
indicates that the company owning the patent may put it into the
public domain.
NTRU is a post-quantum encryption algorithm that has been around for
a while but, because it’s patented, has seen little adoption.
* Comodo started operating two Certificate Transparency logs;
also, a log operated by the company PuChuangSida passed the 90-day
compliance period.
* Frustrated over the lack of a secure option to access man pages of
OpenBSD, Filippo Valsorda started mirroring them on an HTTPS site.
* Brian Campbell provides a demo for Token Binding technology.
Token Binding allows applications to cryptographically connect
security tokens to a TLS session; it’s currently in a draft state.
* The German government agency Bundesamt für Sicherheit in der
Informationstechnik (BSI) has supported the development
of version 2.0 of the cryptographic library Botan.
* According to a report on Twitter,
an IoT humidifier flooded a room due to an expired TLS certificate.
However, no details were provided about the vendor.
* A paper from SBA Research investigates faster methods for
Internet-wide TLS scanning.
* TLS 1.3 draft 19
has been published.
* Heroku has added support for automatic TLS certificates for all paid
dynos
(Linux Containers).
* Chrome on Android now supports AIA,
a feature that fetches missing intermediate certificates.
* Andrew Ayer has set up a tool to detect inconsistencies in
Certificate Transparency logs via the gossiping feature.
* A new research paper investigates privacy problems in Certificate
Transparency and potential solutions.
* The use of modern elliptic curve signatures (Ed25519, Ed448) will
soon be possible within X.509 certificates according to Rob
Stradling from Comodo.
An RFC will be published soon.
* A research paper proposes a new mechanism for certificate revocation
in browsers: CRLite.
* Guido Vranken writes about a subtle and hard to spot memory
corruption bug in OpenSSL.
* The web page fraudmarc provides a check tool for MTA STS policies
and records.
MTA STS is a draft for a standard enabling authenticated TLS
connections between mail servers.
* snuck.me
provides a check for TLS interception and locally installed root
certificates.
*© 2016-2017 Feisty Duck Ltd*
Registered address: 2nd Floor, 109 Uxbridge Road, London W5 5TL, United
Kingdom
www.feistyduck.com / hello at feistyduck.com