Anatomy of a Deprecation
Disabling TLS-SNI validation at Let's Encrypt
Jacob is a lead developer on Let's Encrypt, the free and automated Certificate Authority. He also works on EFF's Encrypt the Web initiative and helps maintain the HTTPS Everywhere browser extension. Prior to working at EFF, Jacob was on Twitter's anti-spam and security teams. On the security team, he implemented HTTPS-by-default with forward secrecy, key pinning, HSTS, and CSP. On anti-spam, he deployed new machine-learned models to detect and block spam in real time. Before Twitter, he worked at Google, variously on the maps, transit, and shopping teams.
In January 2018, Frans Rosén found a vulnerability in TLS-SNI-01, a validation method used by Let’s Encrypt and other CAs. Over the past year, Let’s Encrypt and Certbot have been working to deprecate the method and migrate clients. We’ll talk about what went well, what could have gone better, and the challenges of distributing up-to-date software to a wide variety of operating systems.