TLS 1.3 has been approved by the IETF; the final RFC may be published soon.
TLS 1.3, which is about to be completed, has once again opened the discussion about interception proxies and data center visibility. The National Cyber Security Centre of the United Kingdom took part in this debate, but as Adam Langley pointed out, its contribution contains some false statements. In particular, misunderstandings about how traffic was intercepted in versions before TLS 1.2 are the reason the deployment of TLS 1.3 was delayed for several months. At the IETF meeting in London, the issue of visibility was raised again.
OpenSSL is working to relicense its code under the Apache license. The project is now looking for the last contributors whose permission for the change has not yet been obtained.
Facebook introduced a feature that proactively rewrites HTTP links to HTTPS for URLs that are on the HSTS preload list or set the HSTS header.
NSS released version 3.36, which replaced its ChaCha20 implementation with the formally verified version from the HACL* project.
Google explained its final plan to distrust some Symantec certificates next month and all the remaining ones later this year. As we reported last month, many websites still use these certificates, which will soon no longer be trusted and already cause warnings in Firefox Nightly and Chrome Beta. The Mozilla TLS Observatory provides some new data on this subject.
Apple has made some changes to HSTS to prevent its abuse for user tracking.
Android P will tighten its requirements for TLS in apps: it will block all non-TLS traffic unless the developer explicitly opts in to unencrypted traffic.
Mozilla's experiment to test DNS over HTTPS has caused some controversy. It means that DNS queries will reach Mozilla-controlled servers through encrypted channels. From a privacy perspective, this has advantages and disadvantages: the traffic itself is encrypted and unreadable, but a central server (in the case of Mozilla, operated by Cloudflare) can access a large amount of user DNS data.
The ACME automated certificate issuance specification is being finalized and may soon become an IETF RFC.
The encrypted.google.com subdomain provided an alternative way to access the Google search engine over HTTPS. It has now been retired, because the search engine has been accessed over HTTPS by default for some time.
Hanno Böck published the details of a stack buffer overflow in the WolfSSL library.
Let's Encrypt now supports wildcard certificates.
LibreSSL fixed a certificate verification vulnerability in version 2.7.1. It was discovered by Python developer Christian Heimes, who also implemented a workaround in Python itself.
OpenSSL fixed two vulnerabilities: stack exhaustion in the ASN.1 parser and a bug in the HP-UX PA-RISC assembly code of the CRYPTO_memcmp function.
Researchers published a paper analyzing how well certificates in Certificate Transparency logs comply with the Baseline Requirements.
Like other browsers, Safari warns users when they use forms on unprotected HTTP pages.
CurveSwap is a theoretical attack scenario that is possible because parts of the TLS handshake are not authenticated. Building on this, a research paper examines alternative uses of elliptic curve cryptography.
Cloudflare launched its Certificate Transparency log, named Nimbus.
Tinydoh is a Go implementation of DNS over HTTPS.
More and more companies and projects have announced that they will drop the old TLS versions 1.0 and 1.1, including DigiCert, KeyCDN and the Python package repository PyPI.
Since April, Chrome requires SCTs from Certificate Transparency logs for all new certificates. Let's Encrypt has started to embed them automatically in all new certificates.
Mike West wrote a proposal to limit the validity of cookies sent over insecure HTTP connections.
Vodafone Portugal rewrote the Content Security Policy header of HTTP requests. Commercial manipulation of HTTP by ISPs is one of the reasons why even static web pages should use HTTPS.
Kudelski Security explained Manger's attack on RSA OAEP.
Adam Langley wrote about a test by Cloudflare and Google to determine the feasibility of post-quantum key exchange in TLS 1.3. Post-quantum algorithms usually have larger key sizes; the experiment simulates this by adding a dummy extension to the TLS handshake. Independently of this test, Cisco researchers have set up an experimental post-quantum PKI, which uses X.509 extensions to add post-quantum capabilities to certificates.
Franziskus Kiefer of Mozilla wrote a blog post about Mozilla's use of formally verified cryptography from the HACL* project.
OpenSSL has issued an advisory about a timing issue in RSA key generation. The corresponding research paper has been published on the Cryptology ePrint Archive.
A paper discusses dynamically replacing cryptographic algorithms in OpenSSL with other implementations, which can significantly improve speed in some cases.
Discourse, the forum software provider, now supports HTTPS by default.
Ian Carroll once again obtained an Extended Validation certificate for one of his subdomains in the name of "Stripe, Inc.". He has registered a company with this name, which is not the well-known payment provider Stripe. This shows that Extended Validation certificates are of little value. GoDaddy, the certificate authority, has revoked the certificate, which led to a debate about whether the revocation was legitimate. Scott Helme discussed the debate on his blog.
A research paper investigates the security of Java keystores.
The certificate of the domain hosting the official jQuery library expired, causing a large number of websites to break, because the usual practice is to include jQuery from the upstream host instead of hosting it locally.
The testssl.sh tool has released a beta of version 3.0, which adds support for TLS 1.3, detection of the ROBOT vulnerability, and support for OpenSSL 1.1.
A flaw in Bouncy Castle's RSA key generation algorithm may result in fewer primality tests being performed. With low probability, this may lead to weak keys.
A BGP hijack was used to attack visitors of MyEtherWallet, an Ethereum website. This has led to some discussion about the risk that BGP vulnerabilities could be used to obtain forged certificates, although no such certificate forgery occurred in this case. Cloudflare's blog post explains the details. This attack scenario is not new; it was discussed at the Black Hat conference and in a research paper in 2015.