Profile picture
Nick Sullivan @grittygrease
, 14 tweets, 4 min read Read on Twitter
I want to highlight a behind-the-scenes change that improves the security guarantees provided by Cloudflare’s global HTTPS service. Since last year, Cloudflare has been using a different set of session ticket encryption keys (STEKs) in each datacenter for TLS resumption.
Previously, the same key was used across multiple datacenters, rotated every hour (blog.cloudflare.com/tls-session-re…). This was modeled after work by @j4cob and @jmhodges at Twitter (blog.twitter.com/engineering/en…) with more aggressive key rotation.
This aggressive rotation of ticket keys was not something server operators had attempted at scale and it uncovered some interesting client bugs, most notably in Microsoft Schannel (blog.cloudflare.com/microsoft-tls-…).
However, the same STEKs were used in all of Cloudflare’s 100+ locations. This sharing enabled the latency improvements of TLS resumption (one round-trip faster) to still apply when a location is taken out for maintenance and users are routed to a different one.
Global key sharing does not provide the strongest possible compromise resilience properties. If a STEK is compromised in one location, then any connection made anywhere in the world during that hour can be passively decrypted with that STEK.
This is due to the design of TLS versions prior to 1.3 in which handshake messages (including session tickets and the certificate) are always transmitted unencrypted.
Interestingly enough, this “attack” is also the inspiration for a hotly debated datacenter visibility proposal for TLS 1.3 (datatracker.ietf.org/doc/draft-rhrd…). Hint: give the STEK to whomever needs to decrypt the data.
In 2016, Drew Springall (@_aaspring_) and others did a study to measure the use of STEKs on the internet. Their findings were dire: most servers didn’t even rotate keys (aaspring.com/imc2016/crypto…)!
Due to an oversight in the research methodology (with BGP anycast, servers in different physical geographies can share the same IP) the paper does not measure resumption from multiple vantage points and therefore missed the fact that Cloudflare shared STEKs across geographies.
Each Cloudflare location now has a unique key that is mixed with an hourly key to create the STEK. The distribution mechanism was built during the development of Geo Key Manager (blog.cloudflare.com/geo-key-manage…), which limits Cloudflare’s access to private keys in different geographies.
This change tightens the risk window from STEK compromise considerably. TLS 1.3 improves things further because handshake messages sent from the server are encrypted. This reduces the risk of passive decryption with a compromised STEK to data sent over 0-RTT only.
These short-lived STEKs are still important to protect. TLS 1.3 only reduces the risk from a global passive adversary, not an active one. An active MITM can still hijack connections from clients who are resuming connections originally instantiated with a compromised STEK.
That said, Cloudflare is in a much better position to protect the confidentiality of people’s data in the event of a compromise now than previously. This is even more important now as people start to DNS-over-HTTPS with the 1.1.1.1 resolver.
As TLS 1.3 is deployed (3-4% connection to Cloudflare are TLS 1.3 already), it would be interesting to know how many big industry players followed @_aaspring_’s advice. I, for one, am happy Cloudflare made this change and encourage other service providers to do the same.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Nick Sullivan
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @grittygrease see all

Profile picture
Richard Barnes (@rlbarnes) just kicked off #RealWorldCrypto with a great overview of MLS, a new proposed standard for group message encryption. There’s still time to contribute: mlswg.github.io
Joanne Woodage (@joannewoodage) outlines a really cool attack on Facebook’s abuse reporting mechanism for encrypted messages. A great example of how popular schemes like AES-GCM can be easily misused. #RealWorldCrypto
The team also came up with a new one-pass authenticated encryption scheme based only on collision-resistant hash functions. It’s somewhat reminiscent of the Keccac team’s Keyac encryption based the a sponge construction: keccak.team/keyak.html
Read 59 tweets
Profile picture
Welcome to #CryptoWeek at @Cloudflare!

Kicking it off with an introduction by me: blog.cloudflare.com/crypto-week-20…

The Distributed Web Gateway (starring IPFS): blog.cloudflare.com/distributed-we…

IPFS Gateway Validator extension: blog.cloudflare.com/e2e-integrity/

Stay tuned every day for new announcements!
You can now access anything on IPFS at cloudflare-ipfs.com/ipfs/<hash>, or you can point any hostname to an IPFS hash and serve that content through HTTPS.

For example, here's a full, searchable mirror of Stack Exchange:
…sec.stackexchange.cloudflare-ipfs.com
If you set up DNSSEC, then users can run our new IPFS Gateway Validator browser extension to make sure they're getting your content with end-to-end integrity validation. Valid sites are highlighted by this beautiful blue fingerprint icon by @kkblinder. addons.mozilla.org/en-US/firefox/…
Read 3 tweets
Profile picture
Crypto 2018 has affiliated events this year, which is fun. I’m currently attending the Quantum-safe Cryptography for Industry event, a big focus of mine lately. crypto.iacr.org/2018/affevents…

@Cloudflare is a sponsor of Crypto this year, so come see me if you want a webcam cover!
We just heard from Adrian Stanger from the NSA. There is high confidence in the NIST process and no plans to invest in QKD. Algorithm recommendations (key agreement and signatures) to be made around 2023-24. There are no plans to replace AES-256 or SHA2-384.
Brian LaMacchia of @MSFTResearch gives an overview of the cryptographic algorithm transitions we’ve gone through so far in the 21st century.
Read 8 tweets

Related threads

Profile picture
1) This is my Q thread for December 1, 2018

Q posts can be found here: qmap.pub

Android apps:
bit.ly/Q_Drops
bit.ly/Q-alerts

My theme: The First Leak From the Huber Investigation
2) On December 5th, House Republicans will hold a hearing to receive testimony from witnesses regarding the DOJ's investigation into the Clinton Foundation.

House Judicial Chair Bob Goodlatte discussed the hearing.
3) According to this report by The Hill, the Clinton's involvement in the sale of Uranium One to the Russian Company Rosatom may also be discussed during the hearing.
thehill.com/hilltv/rising/…
Read 153 tweets
Profile picture
{#taekook/#vkook au} Phoenix hybrid!Taehyung always creates fires by accident. Fireman!Jungkook often comes to stop these fires but is always surprised to see a shy young boy turn to ashes whenever their eyes meet. Before returning from the ashes as soon as the wolf hybrid leaves
- NSFW warning (dunno if there'll be smut 😕 but you can expect violence/death scenes and implied hybrid abuse)
- Angst but fluff and good ending too
- Ageswap (Jk's 24 y/o and Tae's 22 y/o)
- If you want to comment do not reply to this thread, quote instead
Taehyung had always lived away from society because his parents were afraid he’d become a slave like most hybrids. So, they lived isolated in a cottage in the middle of a huge forest since Taehyng was born.
Read 142 tweets
Profile picture
(1) #TeamTrump #PhotoThread from April 18, 2018.

🇺🇸Previous thread includes first half of Japan PM visit to Mar-a-lago:

🇺🇸30+ previous threads like this one: godlessnz.wordpress.com/2017/10/27/lin…

🇺🇸Unrolled versions: threadreaderapp.com/user/GodlessNZ

#MAGA
(2) Special thread: Japan PM visit:

(3) When the French President and First Lady visit next week, they will be treated to a private dinner at historic Mount Vernon. This is going to be epic! Followed the next night by a State Dinner at the WH.🤵👸 

America's oldest friend. #ViveLaLiberte🇫🇷 #MAGA🇺🇸
Read 39 tweets
Profile picture
Communication without privacy is slavery to the controllers of the communication channel. Manipulations can occur as your data isn't in your control.

Welcome to a new era of secured communications as we introduce @Mainframe_HQ platform.

#crypto, #tech

👇👇
@Mainframe_HQ 1/ Mainframe is an incentivized and fully decentralized communications platform that enables reliable packet routing, packet holding, packet delivery, file storage and data services.

It's security model provides encryption, resistance to censorship and surveillance.

#crypto
@Mainframe_HQ 2/ A simple illustration of how information is transferred over the internet. Mr. A. switches on his data, his ID assigns him an IP address using DHCP (Dynamic Host Configuration Protocol).

The IP address contains personal info. about Mr. A such as his geographical location.
Read 24 tweets
Profile picture
Last year I posted a preprint.

Doing this set off a chain of events that convinced me I should post a preprint for ALL my manuscripts.

Here’s my story (1/17)
First, some background.

Over the past few years, I’ve become interested in using Bayesian inference to complement my frequentist inferences. So, I put together a short presentation on Bayesian alternatives for NHST for my research group. (2/17)
Rather than limiting my presentation to the people that attended, I posted the slide deck on @OSFramework (OSF), so that anyone could access it. I’m ALWAYS looking for ways to repurpose my work for different mediums, so posting these slides online fit the bill nicely. (3/17)
Read 17 tweets
Profile picture
Thoughts on the “required” #Resistance reading, from someone fully immersed in how republicans think, a thread:
The article in question. It gets some things right, and some things very wrong. I detail them for you.
washingtonpost.com/amphtml/news/p…
This bit is an aside to the author’s main point, but it’s important:
“his base — the only people Trump appears to think he needs to answer to —“
Republicans of this kind are notorious for isolating themselves to like-minded people.
Read 31 tweets

Trending hashtags

#TrumpEpstein #EnoughIsEnough #PhotoThreads #UraniumOne #disinformation #JobsReport #LRA #democracy #civil #ExecutiveOrder #ConsumerProtection #ViveLaLiberte #Kristallnacht #LiberalHypocrisy #police #Values #KGB #tech #Turkey #campaign #mapoli #teachers #JulianAssanage #Dems #BTC

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!