Items tagged with: tls
New blog post: Post-OCSP certificate revocation in the Web PKI.
With OCSP in all forms going away, I decided to look at the history and possible futures of certificate revocation in the Web PKI. I also threw in some of my own proposals to work alongside existing ones.
I think this is the most comprehensive current look at certificate revocation right now.
#security #WebPKI #LetsEncrypt #TLS #OCSP
For a blog post I’m writing about dealing with certificate revocation, here are the topics I’m covering:
- OCSP (inc. stapling, must-staple, the never-adopted expect-staple, discontinuation from BoringSSL and Let’s Encrypt)
- CRLs, inc. CRLite, CRLSets, and Let’s Revoke.
- Short-lived certs (inc. ACME-STAR, Delegated Credentials, and notAfter)
Anything else I should cover?
#TLS #EncryptedClientHello #ECH support has been merged in #curl!
github.com/curl/curl/pull/1192…
ECH experimental by sftcd · Pull Request #11922 · curl/curl
This is an (as-promised, on the mailing list) early pull request for adding HTTPS RR and ECH support to cURL, that has had so far minimal testing when using OpenSSL or wolfSSL as the TLS provider, b... (GitHub)
Open Letter regarding the #eIDAS Regulation:
We strongly warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communication; without establishing proper safeguards as outlined above, it instead substantially increases the potential for harm.
See the full Joint statement of scientists and NGOs on the EU’s proposed eIDAS reform here: blog.fiff.de/eidas-open-letter… #TLS
Open Letter regarding the eIDAS Regulation
We strongly warn against the currently proposed trilogue agreement. (Rainer Rehak, FIfF e.V.)
Quick set up guide for Encrypted Client Hello (ECH)
The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web. (jochensp, https://guardianproject.info)
Mitigating the Hetzner/Linode XMPP.ru MitM interception incident, part 2: XMPP-specific mitigations
Hey there -- we're Let's Encrypt, the free and open certificate authority serving over 300 million websites worldwide. We're new to Mastodon and are excited to get to know the infosec community in this new space!
#opensource #TLS #PKI #infosec
Let's Encrypt
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). (letsencrypt.org)
I asked this in a poll in 8/2021 at Mastodon.technology, now it's time for a refresher: To improve #security I'm finally considering really dropping support for #TLS 1.0/1.1 (see blog.qualys.com/product-tech/2… and e.g. ssllabs.com/ssltest/analyze.ht…). This would basically affect devices running Android < 4.4. As I do not want to lock anybody out, I'd like to see how many of you this would affect.
🇩🇪 Anyone else still on Android < 4.4 and therefore dependent on TLS 1.0/1.1 (1. yes, 2. doesn't matter, 3. no)?
So:
SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols | Qualys Security Blog
Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade. Update 1/16/2020: The grade change is now live on the development… (Qualys Security Blog)
- I still use such a device and need compatibility (1%, 4 votes)
- I still use such a device but wouldn't mind (6%, 21 votes)
- I don't care (92%, 320 votes)
I’m not going to use bloody bugzilla, so if anyone from Mozilla sees this, your enterprise flow for adding certificate authorities (CAs) to Firefox on Linux fails on Fedora Silverblue.
Since Fedora Silverblue is seen as the possible future of Fedora/Red Hat, you folks might want to talk to the Fedora folks about it and come up with a solution.
github.com/fedora-silverblue/i…
#mozilla #firefox #fedora #fedoraSilverblue #bug #tls #ssl #redHat #linux #enterprise #certificates
Cannot add certificate authorities to Firefox using enterprise policy · Issue #397 · fedora-silverblue/issue-tracker
In Firefox version 64+, you can add your custom certificate authorities to Firefox using an enterprise policy file and by copying your certificates to /usr/lib/mozilla/certificates or /usr64/lib/mo... (GitHub)
Now that we made it all through the holidays, we're happy to do some releases again!
First up is our #RPKI relying party software Routinator. 🚀 Version 0.12.1 fixes a small number of bugs. Most importantly, the #TLS-enabled servers for both HTTP and RTR now also accept private keys formatted as PKCS#1 RSA keys rather than only accepting PKCS#8 keys. #RoutingSecurity #rustlang
github.com/NLnetLabs/routinato…
Release 0.12.1 ‘Plan uw reis in de app’ · NLnetLabs/routinator
Bug Fixes: Actually use the extra-tals-dir config file option. (#821) Allow private keys prefixed both with BEGIN PRIVATE KEY and BEGIN RSA PRIVATE KEY in the files referred to by http-tls-key and ... (GitHub)
Folks, if you’re using @small-tech/auto-encrypt in your projects, please make sure you’re running the latest version of the package (3.1.0) or certificate provisioning/renewal will fail due to the latest Let’s Encrypt protocol update.
codeberg.org/small-tech/auto-e…
#tls #https #letsEncrypt #autoEncrypt #js #javaScript #nodeJS #web #dev #smallWeb #smallTech
auto-encrypt
Automatically-provisioned TLS certificates for Node.js servers using Let’s Encrypt. (Codeberg.org)