Action No. 30, dated 4 September 1976. Hellman of Hammer Force cover. Treasury of British Comics.

Rebellion announces new Battle Action mini series - our guide to the returning strips

Battle Action, 2000AD publisher's relaunch of the title inspired by two classic British weekly comics, Battle Picture Weekly (aka Battle) and Action, is back as a five-issue miniseries

View On WordPress

50 or so hours into Cyberpunk 2077

This should be roughly the correct amount of time, ive been leaving the game running as I get up to get food or do stretches. Quests are roughly in order I did them

non spoilers above cut:

 i haven't found a single hat/helmet i like, and since you can't hide them I just am not wearing any. It matters that much.

I posted the other day about bugs, every few hours I play I find new bugs. some require me to go back and reload a save others I honestly can’t tell if it’s a bug or just really poor development

there are several perks that don’t quite do what the description says, like the Anamesis perk. Based on reddit and trying it out it seems to just not do anything.

sometimes in car chase segments the passenger will say “look out” as cars spawn in my path and hit me. Can’t tell if that was deliberate or a pop in issue

Yeah I’ve just totally given up on doing pacifist things unless required by a mission. Given up on doing stealth too unless a mission objective, except for sneaking around to set up a fight.

:readmore:

the delemain car quest is fun. From the shock of the one going "beep beep motherfucker" and doing a hit and run to start it off, to the GLADOS car i see a lot of people talking about. It was fun to explore the city when i might have missed places like the landfill apparently there is follow up on T-bug's death if you go back to the quick hack shop in Kabuki. It's not much but better than nothing I made the pass with Panam of "what if the room just had one bed". I know she won't do a wlw romance, which is fine since I wouldn’t have chosen her.  I enjoy her as a character, don’t get me wrong, my V considers her as a friend, but it seems like theres always drama going on which would be tiring. I would have gone for a fling, i like her leotard-pants combo with all the straps

but also her questline was buggy as hell. Multiple cases of having to reload due to clipping into objects, including her in a driving section, or just insta-dying when collision physics with some rocks broke "your neural network can no longer function independantly of the chip" me slapping my desk: s y m b i o te!!! come on lets have some s y m b i o s i s

in the scene with hellman i really liked how Johnny moved around the room. It made him feel like he was really there. it was hard to follow the convo as I left the room, i would not have understood it without subtitles. But i guess Takemura fucking waterboarded hellman. :|

lol I hope the dialogue is different b/c i refuse to smoke for Johnny

i am level 18 and still can't beat the first opponents in the fist fighting quest. ffs

I looked up the romances options so I went to do the I fought the law quest as soon as i got it. ACAB, but like I literally just met River Ward 2 minutes ago, and I really like him. His earring and cyborg eye, his big fluffy coat. I'm definitely gonna sleep with him Ok i like how when River Ward is dealing with the tiger claws if you interject it leads to a fight. It goes better if you follow his instructions and let him deal with it. Seriously I enjoy that sometimes its good to not pick a dialogue choice.

during the red queen club part, there was no dialogue over the phone. So i reloaded a save and got myself spotted and attacked. Then River showed up to help me <3 and it was more enjoyable having him there. I honestly am not sure if him not going to the club level is bug or not.

then uuuuuugh the worst of irl police "cops are my family" from Detective Han. Again ACAB "FRATERNITY OF CITY COPS RESEMBLES A [Nomad] CLAN NOT AT ALL" ok a few minutes ago i was complaining about bugs, but the character modeling in this game is good (when they're there). You can see body posture, characters jiggle their legs when they are nervous. Like I though character A was just throwing a cigarette on the ground, but then character B flinches back; I realize Char A threw it at B as a fuck you

I'm honestly curious if "I fought the Law" quest will have any impact later on. My choices were that I thought there was more going on than Holt being the only person behind this (based on how complicated the main questline heist is, and keeping an eye on some of the in game news), and told him not to take it to internal affairs, and I loved his response of how he doesn't give a shit what we think, he's doing it anyway.

In the elevator to report in, Johnny said "this muck is deeper than you think, tell them nothing", so i just said that the case was complicated. anyway i love how much of a sarcastic asshole V is

I thought i was being nonlethal with the monk quest, but it seems i accidently killed someone. RIP, but thats kind of the problem with this game. Like when i do the non lethal cyberpychosis quests I equip my non lethal modded gun and hope for the est. I like how a go here kill things quest led to Charles the ripperdoc. He's getting all his parts from scav gang members so I felt obligated to take him out. I got a police bounty for it but w/e.

I merged the Delemain fragments with the whole. Guess he's the meta now. (Side note: some of my favorite rvb fanfic plots are Ai consiousness/memory merging with the humans, so I’m having fun with this game and look foward to introspective fanfic)

Honestly Jonny made some good points, the fragments didn't deserve to die; but also destroying the core and freeing the fragments, they couldn't really function alone.

I was able to rescue Saul fine with stealth. Using cameras and the synapse overload really made it easy.  Can't use the sniper rifle reward b/c I don't have the stats for it, and while it has a silencer the fact that it's a ricochette weapon and not a shoot through walls weapons, makes it not as good imo; and theres a legendary one that is stats free for only 100k.

Lol made a pass again at Panam, and she immediately shut me down. I then did Mitch's quest and I love every time someone tells V they area  good person.

I hacked the operation carpe noctem shard, and wow the corporations are using ai to make people have cyberpsychosis, or something like that. What a shocker /s, I've played Deus Ex HR before

lol driving through the unifinished interstate, past the fight from Panam's first quest I found a "batcave" with a very nice car, and a manifesto written by "muckman'. But here's my complaint about the loot, there is a legendary top, but it had 16 armor. My current top has 84 armor, like why would i switch?? then later i found a bunker with soviet spies in it. Wild

Doing River's second quest, love the timing of as soon as you ask, why are we breaking in, someone shows up to tell you he got kicked off the force. It's funny how Johnny comments how maybe River's into you, and V just doubts Johnny's words. Love how the first kid asks River if I'm his girlfriend. also wow like oof both the second parts of Judy and River's quest are SUPER fucked UP!! oof like i stopped doing first person mode on the braindances for those quests as soon as i could, just made me too uncomfortable seeing that in first person.

DRIVING IN THE GAME IS BAD! nowhere is it more apparent than the sinnerman quest, which took me 3 times to get the driving section done, as cars spawned out of nowhere to hit me. Then when you restart, there is a bunch of dialogue it doesn't let you fast forward through. The rest of the Sinnerman questline is interesting. My V took every option to tell the dude that he was messed up, and what he was doing was wrong. idk, I was surprised how much dialogue there was that let you buy into his whole "forgiveness thing" and how there wasn't any real dialogue to call him the fuck out, that in seeking forgiveness he continues to do harm both emotional to the mother of the man he killed, but also that he got the husband killed via cop. The later follow up quest, I told him that what he is doing is crazy, studio is just going to profit off this vid. Then I refused to join him prayer, and told him fuck no i wasn't going to hammer him to the cross, or even watch. Yes, the man is scared of dying, and the corporation is exploiting him, but he keeps creating burdens for others.  I think the discussion on this quest will be interesting to read, it's definitely my own personal experience with religion coloring my view. Anyway back to a main quest, yeah i don't trust Placide, especially in that scene where he grabs my hand, then jacks in. I ran off to do most of the sidequests here and got some criticism from him. I do love how in the cinema the western movie switches to a mission brief as the netwatch agent talks. its a fun enviromental detail.  I took the netwatch offer, i don't think he's being fully honest with me, but he didn't put a virus in my head. As I told Placide later, I didn't pick a side. I like how you can then talk with the agent, who is a fan of Western movies, b/c they show "a simpler time where all good guys carry badges" :eyeroll:, and then V recommends Unforgiven, which from the wiki summary goes against that theme.

Looks like the Voodoo boys all got killed by Netwatch, but I as revenge for them trying to set me up I'm fine with it. Honestly after speaking with ai!Alt I don’t believe their plan of trying to be on good relations with AI would work. 

doing the johnny flashback 2, and wow Johnny really is an asshole. Like I had gotten so used to him in side missions I forgot how self centered and unlikable he was.You constantly get prompts to drink or do drugs, which I ignored. But i do love the goth/punk love Rogue and others have.

lol i called it, when Hellman said that the engram would seek to override the host, put V on the engram. I really like how as the relic malfunctions, you wind up in the chair with a cigarette, which you can either smoke and say you are turning into Johnny or throw away. My dialogue "your problem is the ends justify the means", which is true!!! He and Rogue detonated a nuke downtown, does anyone know that, and like ask Rogue about it????

(Funny you can ask Rouge about Johnny silverhand, over the phone, then the game bugs out and spawns her npc where you are. She doens't say much about the nuke, but she does say no one trusts you for jobs). The line of no one trusting you for jobs is pretty funny at level 46 street cred where im at “respected” status. really loving the family atmosphere at River's 3rd quest. Also his big strong arms, and the fact he is no longer a cop. I totally let the kids win, and wow the family dinner where they GRILL YOU over the relationship and try to set the two of you up, then the water tower scene!!!!! I don't love the first person sex cutscenes but they do have personality. I'm glad afterwards you got to tell River about the biochip and that you might die. Because he's so far removed from your personal plot. So I took that option to back out of a relationship.

I do love that you wake up with "river's tanktop" that says "fuck the police" It actually has extremely good armor stats, so thats what I'll wear now.

panam 3rd quest, when shes like why did you help me, I'm like "because it's important to you". Basically the closest you can get to "when a friend asks for help you help them", which as an ex-nomad backstory I really choose the nomad options when ever i can Paralezes quest part 2! I love the piano song but I always think of it as ocean's 11 music. It's also fun to see the computer and see Judy recommended you for the first quest. The emails talk about "forgetting" to hire a staffer, on the balocony a strange antennia was scannable, the color of the roses was remembered wrong...  lol guess i was right with those giant wall screens. Its fun environmental details that spell things out before you can notice, and it ties into some other quests where people's behavior is being altered. Actually, this quest "Dream On" I love it! For a while I've been like "wheres the illuminati conspiracy! Here it IS! I chose to follow Elisabeth's wishes and not tell her husband he was being brainwashed. In best case they program him to forget again, in worst case he ends up dead. The gaslighting Elisabeth described is CHILLING, her husband describes a vacation she can't remember and she doesn't know whose memories have been messed with. On your way to the plaza you get a call from someone/something that says the know exactly WHAT you are, any you black out!!! It's such a great feeling of helplessness that you're just one person in a world so big that you can't fight every power. As Johnny said, could be a corporation, could be a rogue ai, either way Jefferson is fucked (and so are you).

Forty-five years ago the war comic Battle Picture Weekly crashed down into the British comics scene with such an impact that the aftershocks are still being felt today.

Now, in a special double-sized issue, the award-winning fanzine Journey Planet takes a look back at this fan-favourite — and sometimes controversial — comic, and presents all-new in-depth interviews and features with some of its top artists, writers and editors, as well as never-before-published artwork!

Join Pat Mills, Carlos Ezquerra, Cam Kennedy, John Wagner, Ian Kennedy, Alan Hebden, Mike Dorey and more — as well as a host of today’s comics creators including Maura McHugh and Garth Ennis — as they discuss the impact and legacy of Battle and its stories, from the sublime Charley’s War to the subversive Hellman of Hammer Force.

With special features on the hugely influential creators Joe Colquhoun and Mike Western, this issue of Journey Planet is a must for every Battle fan!

At the low, low price of absolutely free, the fanzine is available now for download from the Journey Planet website!

Edited by Christopher J Garcia, James Bacon, Michael Carroll and special guest editor Paul Trimble, with the assistance of special correspondents John Vaughan and Pádraig Ó Méalóid!

Mike Western, one if my absolutely favourite artists when I was growing up. Years later I worked with his son, who kindly put me in touch with the great man himself. Like so many artists of his generation he was utterly self effacing and incredibly kind. This is the original art to the Action Holiday Special 1978 starring Hookjaw, Hellman of Hammer Force, Dredger, and Spinball. The lettering is original and on an aacetate sheet over the top. #action #2000ad #hookjaw #dredger #ww2 #jaws #comics #comicbook #comicart #originalart #illustration #art #mikewestern

(Via: Hacker News)

For the last five years, the Internet Engineering Task Force (IETF), the standards body that defines internet protocols, has been working on standardizing the latest version of one of its most important security protocols: Transport Layer Security (TLS). TLS is used to secure the web (and much more!), providing encryption and ensuring the authenticity of every HTTPS website and API. The latest version of TLS, TLS 1.3 (RFC 8446) was published today. It is the first major overhaul of the protocol, bringing significant security and performance improvements. This article provides a deep dive into the changes introduced in TLS 1.3 and its impact on the future of internet security.

An evolution

One major way Cloudflare provides security is by supporting HTTPS for websites and web services such as APIs. With HTTPS (the “S” stands for secure) the communication between your browser and the server travels over an encrypted and authenticated channel. Serving your content over HTTPS instead of HTTP provides confidence to the visitor that the content they see is presented by the legitimate content owner and that the communication is safe from eavesdropping. This is a big deal in a world where online privacy is more important than ever.

The machinery under the hood that makes HTTPS secure is a protocol called TLS. It has its roots in a protocol called Secure Sockets Layer (SSL) developed in the mid-nineties at Netscape. By the end of the 1990s, Netscape handed SSL over to the IETF, who renamed it TLS and have been the stewards of the protocol ever since. Many people still refer to web encryption as SSL, even though the vast majority of services have switched over to supporting TLS only. The term SSL continues to have popular appeal and Cloudflare has kept the term alive through product names like Keyless SSL and Universal SSL.

In the IETF, protocols are called RFCs. TLS 1.0 was RFC 2246, TLS 1.1 was RFC 4346, and TLS 1.2 was RFC 5246. Today, TLS 1.3 was published as RFC 8446. RFCs are generally published in order, keeping 46 as part of the RFC number is a nice touch.

TLS 1.2 wears parachute pants and shoulder pads

MC Hammer, like SSL, was popular in the 90s

Over the last few years, TLS has seen its fair share of problems. First of all, there have been problems with the code that implements TLS, including Heartbleed, BERserk, goto fail;, and more. These issues are not fundamental to the protocol and mostly resulted from a lack of testing. Tools like TLS Attacker and Project Wycheproof have helped improve the robustness of TLS implementation, but the more challenging problems faced by TLS have had to do with the protocol itself.

TLS was designed by engineers using tools from mathematicians. Many of the early design decisions from the days of SSL were made using heuristics and an incomplete understanding of how to design robust security protocols. That said, this isn’t the fault of the protocol designers (Paul Kocher, Phil Karlton, Alan Freier, Tim Dierks, Christopher Allen and others), as the entire industry was still learning how to do this properly. When TLS was designed, formal papers on the design of secure authentication protocols like Hugo Krawczyk’s landmark SIGMA paper were still years away. TLS was 90s crypto: It meant well and seemed cool at the time, but the modern cryptographer’s design palette has moved on.

Many of the design flaws were discovered using formal verification. Academics attempted to prove certain security properties of TLS, but instead found counter-examples that were turned into real vulnerabilities. These weaknesses range from the purely theoretical (SLOTH and CurveSwap), to feasible for highly resourced attackers (WeakDH, LogJam, FREAK, SWEET32), to practical and dangerous (POODLE, ROBOT).

TLS 1.2 is slow

Encryption has always been important online, but historically it was only used for things like logging in or sending credit card information, leaving most other data exposed. There has been a major trend in the last few years towards using HTTPS for all traffic on the Internet. This has the positive effect of protecting more of what we do online from eavesdroppers and injection attacks, but has the downside that new connections get a bit slower.

For a browser and web server to agree on a key, they need to exchange cryptographic data. The exchange, called the “handshake” in TLS, has remained largely unchanged since TLS was standardized in 1999. The handshake requires two additional round-trips between the browser and the server before encrypted data can be sent (or one when resuming a previous connection). The additional cost of the TLS handshake for HTTPS results in a noticeable hit to latency compared to an HTTP alone. This additional delay can negatively impact performance-focused applications.

Defining TLS 1.3

Unsatisfied with the outdated design of TLS 1.2 and two-round-trip overhead, the IETF set about defining a new version of TLS. In August 2013, Eric Rescorla laid out a wishlist of features for the new protocol: https://www.ietf.org/proceedings/87/slides/slides-87-tls-5.pdf

After some debate, it was decided that this new version of TLS was to be called TLS 1.3. The main issues that drove the design of TLS 1.3 were mostly the same as those presented five years ago:

reducing handshake latency

encrypting more of the handshake

improving resiliency to cross-protocol attacks

removing legacy features

The specification was shaped by volunteers through an open design process, and after four years of diligent work and vigorous debate, TLS 1.3 is now in its final form: RFC 8446. As adoption increases, the new protocol will make the internet both faster and more secure.

In this blog post I will focus on the two main advantages TLS 1.3 has over previous versions: security and performance.

Trimming the hedges

Creative Commons Attribution-Share Alike 3.0

In the last two decades, we as a society have learned a lot about how to write secure cryptographic protocols. The parade of cleverly-named attacks from POODLE to Lucky13 to SLOTH to LogJam showed that even TLS 1.2 contains antiquated ideas from the early days of cryptographic design. One of the design goals of TLS 1.3 was to correct previous mistakes by removing potentially dangerous design elements.

Fixing key exchange

TLS is a so-called “hybrid” cryptosystem. This means it uses both symmetric key cryptography (encryption and decryption keys are the same) and public key cryptography (encryption and decryption keys are different). Hybrid schemes are the predominant form of encryption used on the Internet and are used in SSH, IPsec, Signal, WireGuard and other protocols. In hybrid cryptosystems, public key cryptography is used to establish a shared secret between both parties, and the shared secret is used to create symmetric keys that can be used to encrypt the data exchanged.

As a rule of thumb, public key crypto is slow and expensive (microseconds to milliseconds per operation) and symmetric key crypto is fast and cheap (nanoseconds per operation). Hybrid encryption schemes let you send a lot of encrypted data with very little overhead by only doing the expensive part once. Much of the work in TLS 1.3 has been about improving the part of the handshake, where public keys are used to establish symmetric keys.

RSA key exchange

The public key portion of TLS is about establishing a shared secret. There are two main ways of doing this with public key cryptography. The simpler way is with public-key encryption: one party encrypts the shared secret with the other party’s public key and sends it along. The other party then uses its private key to decrypt the shared secret and ... voila! They both share the same secret. This technique was discovered in 1977 by Rivest, Shamir and Adelman and is called RSA key exchange. In TLS’s RSA key exchange, the shared secret is decided by the client, who then encrypts it to the server’s public key (extracted from the certificate) and sends it to the server.

The other form of key exchange available in TLS is based on another form of public-key cryptography, invented by Diffie and Hellman in 1976, so-called Diffie-Hellman key agreement. In Diffie-Hellman, the client and server both start by creating a public-private key pair. They then send the public portion of their key share to the other party. When each party receives the public key share of the other, they combine it with their own private key and end up with the same value: the pre-master secret. The server then uses a digital signature to ensure the exchange hasn’t been tampered with. This key exchange is called “ephemeral” if the client and server both choose a new key pair for every exchange.

Both modes result in the client and server having a shared secret, but RSA mode has a serious downside: it’s not forward secret. That means that if someone records the encrypted conversation and then gets ahold of the RSA private key of the server, they can decrypt the conversation. This even applies if the conversation was recorded and the key is obtained some time well into the future. In a world where national governments are recording encrypted conversations and using exploits like Heartbleed to steal private keys, this is a realistic threat.

RSA key exchange has been problematic for some time, and not just because it’s not forward-secret. It’s also notoriously difficult to do correctly. In 1998, Daniel Bleichenbacher discovered a vulnerability in the way RSA encryption was done in SSL and created what’s called the “million-message attack,” which allows an attacker to perform an RSA private key operation with a server’s private key by sending a million or so well-crafted messages and looking for differences in the error codes returned. The attack has been refined over the years and in some cases only requires thousands of messages, making it feasible to do from a laptop. It was recently discovered that major websites (including facebook.com) were also vulnerable to a variant of Bleichenbacher’s attack called the ROBOT attack as recently as 2017.

To reduce the risks caused by non-forward secret connections and million-message attacks, RSA encryption was removed from TLS 1.3, leaving ephemeral Diffie-Hellman as the only key exchange mechanism. Removing RSA key exchange brings other advantages, as we will discuss in the performance section below.

Diffie-Hellman named groups

When it comes to cryptography, giving too many options leads to the wrong option being chosen. This principle is most evident when it comes to choosing Diffie-Hellman parameters. In previous versions of TLS, the choice of the Diffie-Hellman parameters was up to the participants. This resulted in some implementations choosing incorrectly, resulting in vulnerable implementations being deployed. TLS 1.3 takes this choice away.

Diffie-Hellman is a powerful tool, but not all Diffie-Hellman parameters are “safe” to use. The security of Diffie-Hellman depends on the difficulty of a specific mathematical problem called the discrete logarithm problem. If you can solve the discrete logarithm problem for a set of parameters, you can extract the private key and break the security of the protocol. Generally speaking, the bigger the numbers used, the harder it is to solve the discrete logarithm problem. So if you choose small DH parameters, you’re in trouble.

The LogJam and WeakDH attacks of 2015 showed that many TLS servers could be tricked into using small numbers for Diffie-Hellman, allowing an attacker to break the security of the protocol and decrypt conversations.

Diffie-Hellman also requires the parameters to have certain other mathematical properties. In 2016, Antonio Sanso found an issue in OpenSSL where parameters were chosen that lacked the right mathematical properties, resulting in another vulnerability.

TLS 1.3 takes the opinionated route, restricting the Diffie-Hellman parameters to ones that are known to be secure. However, it still leaves several options; permitting only one option makes it difficult to update TLS in case these parameters are found to be insecure some time in the future.

Fixing ciphers

The other half of a hybrid crypto scheme is the actual encryption of data. This is done by combining an authentication code and a symmetric cipher for which each party knows the key. As I’ll describe, there are many ways to encrypt data, most of which are wrong.

CBC mode ciphers

In the last section we described TLS as a hybrid encryption scheme, with a public key part and a symmetric key part. The public key part is not the only one that has caused trouble over the years. The symmetric key portion has also had its fair share of issues. In any secure communication scheme, you need both encryption (to keep things private) and integrity (to make sure people don’t modify, add, or delete pieces of the conversation). Symmetric key encryption is used to provide both encryption and integrity, but in TLS 1.2 and earlier, these two pieces were combined in the wrong way, leading to security vulnerabilities.

An algorithm that performs symmetric encryption and decryption is called a symmetric cipher. Symmetric ciphers usually come in two main forms: block ciphers and stream ciphers.

A stream cipher takes a fixed-size key and uses it to create a stream of pseudo-random data of arbitrary length, called a key stream. To encrypt with a stream cipher, you take your message and combine it with the key stream by XORing each bit of the key stream with the corresponding bit of your message.. To decrypt, you take the encrypted message and XOR it with the key stream. Examples of pure stream ciphers are RC4 and ChaCha20. Stream ciphers are popular because they’re simple to implement and fast in software.

A block cipher is different than a stream cipher because it only encrypts fixed-sized messages. If you want to encrypt a message that is shorter or longer than the block size, you have to do a bit of work. For shorter messages, you have to add some extra data to the end of the message. For longer messages, you can either split your message up into blocks the cipher can encrypt and then use a block cipher mode to combine the pieces together somehow. Alternatively, you can turn your block cipher into a stream cipher by encrypting a sequence of counters with a block cipher and using that as the stream. This is called “counter mode”. One popular way of encrypting arbitrary length data with a block cipher is a mode called cipher block chaining (CBC).

In order to prevent people from tampering with data, encryption is not enough. Data also needs to be integrity-protected. For CBC-mode ciphers, this is done using something called a message-authentication code (MAC), which is like a fancy checksum with a key. Cryptographically strong MACs have the property that finding a MAC value that matches an input is practically impossible unless you know the secret key. There are two ways to combine MACs and CBC-mode ciphers. Either you encrypt first and then MAC the ciphertext, or you MAC the plaintext first and then encrypt the whole thing. In TLS, they chose the latter, MAC-then-Encrypt, which turned out to be the wrong choice.

You can blame this choice for BEAST, as well as a slew of padding oracle vulnerabilities such as Lucky 13 and Lucky Microseconds. Read my previous post on the subject for a comprehensive explanation of these flaws. The interaction between CBC mode and padding was also the cause of the widely publicized POODLE vulnerability in SSLv3 and some implementations of TLS.

RC4 is a classic stream cipher designed by Ron Rivest (the “R” of RSA) that was broadly supported since the early days of TLS. In 2013, it was found to have measurable biases that could be leveraged to allow attackers to decrypt messages.

AEAD Mode

In TLS 1.3, all the troublesome ciphers and cipher modes have been removed. You can no longer use CBC-mode ciphers or insecure stream ciphers such as RC4. The only type of symmetric crypto allowed in TLS 1.3 is a new construction called AEAD (authenticated encryption with additional data), which combines encryption and integrity into one seamless operation.

Fixing digital signatures

Another important part of TLS is authentication. In every connection, the server authenticates itself to the client using a digital certificate, which has a public key. In RSA-encryption mode, the server proves its ownership of the private key by decrypting the pre-master secret and computing a MAC over the transcript of the conversation. In Diffie-Hellman mode, the server proves ownership of the private key using a digital signature. If you’ve been following this blog post so far, it should be easy to guess that this was done incorrectly too.

PKCS#1v1.5

Daniel Bleichenbacher has made a living identifying problems with RSA in TLS. In 2006, he devised a pen-and-paper attack against RSA signatures as used in TLS. It was later discovered that major TLS implemenations including those of NSS and OpenSSL were vulnerable to this attack. This issue again had to do with how difficult it is to implement padding correctly, in this case, the PKCS#1 v1.5 padding used in RSA signatures. In TLS 1.3, PKCS#1 v1.5 is removed in favor of the newer design RSA-PSS.

Signing the entire transcript

We described earlier how the server uses a digital signature to prove that the key exchange hasn’t been tampered with. In TLS 1.2 and earlier, the server’s signature only covers part of the handshake. The other parts of the handshake, specifically the parts that are used to negotiate which symmetric cipher to use, are not signed by the private key. Instead, a symmetric MAC is used to ensure that the handshake was not tampered with. This oversight resulted in a number of high-profile vulnerabilities (FREAK, LogJam, etc.). In TLS 1.3 these are prevented because the server signs the entire handshake transcript.

The FREAK, LogJam and CurveSwap attacks took advantage of two things:

the fact that intentionally weak ciphers from the 1990s (called export ciphers) were still supported in many browsers and servers, and

the fact that the part of the handshake used to negotiate which cipher was used was not digitally signed.

The “man-in-the-middle” attacker can swap out the supported ciphers (or supported groups, or supported curves) from the client with an easily crackable choice that the server supports. They then break the key and forge two finished messages to make both parties think they’ve agreed on a transcript.

These attacks are called downgrade attacks, and they allow attackers to force two participants to use the weakest cipher supported by both parties, even if more secure ciphers are supported. In this style of attack, the perpetrator sits in the middle of the handshake and changes the list of supported ciphers advertised from the client to the server to only include weak export ciphers. The server then chooses one of the weak ciphers, and the attacker figures out the key with a brute-force attack, allowing the attacker to forge the MACs on the handshake. In TLS 1.3, this type of downgrade attack is impossible because the server now signs the entire handshake, including the cipher negotiation.

Better living through simplification

TLS 1.3 is a much more elegant and secure protocol with the removal of the insecure features listed above. This hedge-trimming allowed the protocol to be simplified in ways that make it easier to understand, and faster.

No more take-out menu

In previous versions of TLS, the main negotiation mechanism was the ciphersuite. A ciphersuite encompassed almost everything that could be negotiated about a connection:

type of certificates supported

hash function used for deriving keys (e.g., SHA1, SHA256, ...)

MAC function (e.g., HMAC with SHA1, SHA256, …)

key exchange algorithm (e.g., RSA, ECDHE, …)

cipher (e.g., AES, RC4, ...)

cipher mode, if applicable (e.g., CBC)

Ciphersuites in previous versions of TLS had grown into monstrously large alphabet soups. Examples of commonly used cipher suites are: DHE-RC4-MD5 or ECDHE-ECDSA-AES-GCM-SHA256. Each ciphersuite was represented by a code point in a table maintained by an organization called the Internet Assigned Numbers Authority (IANA). Every time a new cipher was introduced, a new set of combinations needed to be added to the list. This resulted in a combinatorial explosion of code points representing every valid choice of these parameters. It had become a bit of a mess.

TLS 1.2

TLS 1.3

TLS 1.3 removes many of these legacy features, allowing for a clean split between three orthogonal negotiations:

Cipher + HKDF Hash

Key Exchange

Signature Algorithm

This simplified cipher suite negotiation and radically reduced set of negotiation parameters opens up a new possibility. This possibility enables the TLS 1.3 handshake latency to drop from two round-trips to only one round-trip, providing the performance boost that will ensure that TLS 1.3 will be popular and widely adopted.

Performance

When establishing a new connection to a server that you haven’t seen before, it takes two round-trips before data can be sent on the connection. This is not particularly noticeable in locations where the server and client are geographically close to each other, but it can make a big difference on mobile networks where latency can be as high as 200ms, an amount that is noticeable for humans.

1-RTT mode

TLS 1.3 now has a radically simpler cipher negotiation model and a reduced set of key agreement options (no RSA, no user-defined DH parameters). This means that every connection will use a DH-based key agreement and the parameters supported by the server are likely easy to guess (ECDHE with X25519 or P-256). Because of this limited set of choices, the client can simply choose to send DH key shares in the first message instead of waiting until the server has confirmed which key shares it is willing to support. That way, the server can learn the shared secret and send encrypted data one round trip earlier. Chrome’s implementation of TLS 1.3, for example, sends an X25519 keyshare in the first message to the server.

In the rare situation that the server does not support one of the key shares sent by the client, the server can send a new message, the HelloRetryRequest, to let the client know which groups it supports. Because the list has been trimmed down so much, this is not expected to be a common occurrence.

0-RTT resumption

A further optimization was inspired by the QUIC protocol. It lets clients send encrypted data in their first message to the server, resulting in no additional latency cost compared to unencrypted HTTP. This is a big deal, and once TLS 1.3 is widely deployed, the encrypted web is sure to feel much snappier than before.

In TLS 1.2, there are two ways to resume a connection, session ids and session tickets. In TLS 1.3 these are combined to form a new mode called PSK (pre-shared key) resumption. The idea is that after a session is established, the client and server can derive a shared secret called the “resumption master secret”. This can either be stored on the server with an id (session id style) or encrypted by a key known only to the server (session ticket style). This session ticket is sent to the client and redeemed when resuming a connection.

For resumed connections, both parties share a resumption master secret so key exchange is not necessary except for providing forward secrecy. The next time the client connects to the server, it can take the secret from the previous session and use it to encrypt application data to send to the server, along with the session ticket. Something as amazing as sending encrypted data on the first flight does come with its downfalls.

Replayability

There is no interactivity in 0-RTT data. It’s sent by the client, and consumed by the server without any interactions. This is great for performance, but comes at a cost: replayability. If an attacker captures a 0-RTT packet that was sent to server, they can replay it and there’s a chance that the server will accept it as valid. This can have interesting negative consequences.

An example of dangerous replayed data is anything that changes state on the server. If you increment a counter, perform a database transaction, or do anything that has a permanent effect, it’s risky to put it in 0-RTT data.

As a client, you can try to protect against this by only putting “safe” requests into the 0-RTT data. In this context, “safe” means that the request won’t change server state. In HTTP, different methods are supposed to have different semantics. HTTP GET requests are supposed to be safe, so a browser can usually protect HTTPS servers against replay attacks by only sending GET requests in 0-RTT. Since most page loads start with a GET of “/” this results in faster page load time.

Problems start to happen when data sent in 0-RTT are used for state-changing requests. To help prevent against this failure case, TLS 1.3 also includes the time elapsed value in the session ticket. If this diverges too much, the client is either approaching the speed of light, or the value has been replayed. In either case, it’s prudent for the server to reject the 0-RTT data.

For more details about 0-RTT, and the improvements to session resumption in TLS 1.3, check out this previous blog post.

Deployability

TLS 1.3 was a radical departure from TLS 1.2 and earlier, but in order to be deployed widely, it has to be backwards compatible with existing software. One of the reasons TLS 1.3 has taken so long to go from draft to final publication was the fact that some existing software (namely middleboxes) wasn’t playing nicely with the new changes. Even minor changes to the TLS 1.3 protocol that were visible on the wire (such as eliminating the redundant ChangeCipherSpec message, bumping the version from 0x0303 to 0x0304) ended up causing connection issues for some people.

Despite the fact that future flexibility was built into the TLS spec, some implementations made incorrect assumptions about how to handle future TLS versions. The phenomenon responsible for this change is called ossification and I explore it more fully in the context of TLS in my previous post about why TLS 1.3 isn’t deployed yet. To accommodate these changes, TLS 1.3 was modified to look a lot like TLS 1.2 session resumption (at least on the wire). This resulted in a much more functional, but less aesthetically pleasing protocol. This is the price you pay for upgrading one of the most widely deployed protocols online.

Conclusions

TLS 1.3 is a modern security protocol built with modern tools like formal analysis that retains its backwards compatibility. It has been tested widely and iterated upon using real world deployment data. It’s a cleaner, faster, and more secure protocol ready to become the de facto two-party encryption protocol online. TLS 1.3 is enabled by default for all Cloudflare customers.

Publishing TLS 1.3 is a huge accomplishment. It is one the best recent examples of how it is possible to take 20 years of deployed legacy code and change it on the fly, resulting in a better internet for everyone. TLS 1.3 has been debated and analyzed for the last three years and it’s now ready for prime time. Welcome, RFC 8446.

Action dated 24 September 1977. Hellman of Hammer Force cover, artist unknown. The pose is reminiscent of a splash page featuring Karl Schafft, everyone's favourite member of the Abwehr, by Francisco Fuentes Manuel that had appeared in Warlord in February that year.

Both are similar to an Airfix WWll German Paratroops figure that had first been released in 1976. The figure is in a running pose with his left leg raised off the base and holding a MP40. He's the main figure on the box art, which I think is by William Stallion, below (but facing the opposite direction) and fifth from the right on the row of figures at the bottom. It's possible both drawings were based on the Airfix figure as I'm sure artists then did base a lot of drawings on model kits and the like.

Treasury of British Comics.

What If… 2000AD had merged with Battle Action?

2000AD merges with Battle Action? Wait, what!? Check out this amazing upcoming imaginary merger of two of Britain's biggest comics!

It’s a clash of the ages – what if two of Britain’s most famous comics – 2000AD and Battle Action – had merged at the height of their popularity in the 1980s? 2000AD wraparound cover by Henry Flint In a brand new “what if?” crossover featuring some of Britain’s biggest comic book talents this September, 2000AD and the Judge Dredd Megazine find the answer to the question: what would 2000AD have…

View On WordPress

Battle Action cover dated 31 December 1977 with a cover by Carlos Ezquerra.

Good cover at first glance but the main character is holding the Sten gun magazine in a very odd manner. Not sure if this figure is meant to be The Sarge or not. He has been drawn with a pipe but that character rarely, if ever, used a Sten. I wonder if this may have been an unused D-Day Dawson cover that has had a pipe drawn in later?

Inside - The Early Adventures of Hellman of Hammer Force with art by Jim Watson.

Treasury of British Comics.

Power of the Panzers!

Battle Action dated 7 January 1978. A powerful Hellman of Hammer Force cover by Ian Kennedy.

Treasury of British Comics.

Action cover dated 13 August 1977. Hellman of Hammer Force cover, artist unknown (Mike Dorey maybe?). Treasury of British Comics.

A 1976 ad for Action No. 2 which came with a free Hook Jaw iron on transfer! Bet there's not too many of those left.

Treasury of British Comics.

Battle Action No. 175, cover dated 8 July 1978 saw the end of the road for Major Kurt Hellman and his Hammer Force with art by Mike Dorey.

In 1979 the character effectively continued in the pages of the new Tornado comic. In the story 'Wagner's Walk' the Hellman character was renamed Major Kurt Wagner and his trusty sidekicks Max and Dekker reappear as Karl and Gruber.

In the first issue of Tornado the pair are still disguised as Generals (as above) and in a later issue Gruber is even referred to as Dekker in a panel.

I don't know why they chose to rename the characters other than to perhaps give the strip a new start with Tornado. It would have been nice just to have seen the strip continue as Hellman.

Another strip in Tornado underwent a name change before its first issue was published. The Victor Drago strip (also with art by Mike Dorey) was originally to be published under the Sexton Blake name. I understand the decision to change the name in that case was down to a rights issue over who actually owned the character (which wouldn't have been the case with Hellman).

Treasury of British Comics.

Battle Action cover dated 25 March 1978. Major Eazy cover art by Carlos Ezquerra.

Inside Hellman, Big Max and Dekker check out their new ride before taking it for a spin. The Tiger II, Tiger B, Konigstiger and Royal Tiger were some of the names it was known by with King Tiger being the name the Allies mainly referred to it as. Art by Mike Dorey.

Treasury of British Comics.

A full page ad from 1979 for Tornado No. 1. There seem to have been a few last-minute name changes for this title. Fitting in a way as Heroes was to be the original title for the comic before they changed it to Tornado.

'Wagner's Walk' was originally to be a continuation of the 'Hellman of Hammer Force' story from Battle Action. It picks up right where Hellman had left off with the lead character now a prisoner of war. In one issue Wagner's sidekick Gruber is also mistakenly named as Dekker (who had been one of Hellman's men).

Victor Drago was originally meant to be a Sexton Blake strip but the publisher didn't have the rights to use the name at the time.

The ad shows the strip 'E.S.P. Smith'. This was later changed to The Mind of Wolfie Smith for the first issue. I thought this was strange at the time as 'Wolfie Smith' was still quite closely associated with the John Sullivan sitcom Citizen Smith that was still showing at the time.

Good comic with lots of great stories and art. It didn't last long though and merged with 2000 AD. It's undated but the first issue should have been cover dated 24 March 1979.

Treasury of British Comics.

Hellman logos from Action and Battle Action.

Kurt Hellman, German Panzer Commander.

Treasury of British Comics.