ITSEC Newsletter 2025-09-04

IPv6 is still far from being implemented everywhere, but most modern operating systems have IPv6 enabled by default. In corporate networks, this often leads to hidden vulnerabilities: even if only IPv4 is used, Windows systems prefer IPv6 by default and periodically request IPv6 settings.
Attackers can exploit the trust-based nature of IPv6 protocols to launch attacks within a local network. Spoofing attacks are particularly dangerous, where an attacker impersonates a legitimate network node or inserts fake packets for the purpose of MITM or DNS spoofing within a local network.

The idea was: Wrap an existing implementation of FROST (RFC 9591) with a command line tool (and provide a corresponding HTTP Server to fulfill the coordinator role). Then you can give it to DevSecOps folks and say, “Now you need 3 out of 5 keys to be turned in order for a valid Ed25519 signature to be emitted.” Unfortunately, while writing integration tests for the tool, I ran into concurrency issues: The keygen ceremony worked fine, but signing would either never start or would get into an invalid state for arcane reasons. After wrestling with this for 40 or so hours (with very little sleep), and being ignored by the maintainers of the FROST library I was building upon, I decided that this was a stupid problem to have. So I decided to roll my own FROST implementation.