Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

By Ivan Ristic

FULLY REVISED IN AUGUST 2015.

Bulletproof SSL and TLS is a complete guide to using SSL and TLS encryption to deploy secure servers and web applications. Written by Ivan Ristic, the author of the popular SSL Labs web site, this book will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks.

In this book, you'll find just the right mix of theory, protocol detail, vulnerability and weakness information, and deployment advice to get your job done:

  • Comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI, with updates to the digital version
  • For IT security professionals, help to understand the risks
  • For system administrators, help to deploy systems securely
  • For developers, help to design and implement secure web applications
  • Practical and concise, with added depth when details are relevant
  • Introduction to cryptography and the latest TLS protocol version
  • Discussion of weaknesses at every level, covering implementation issues, HTTP and browser problems, and protocol vulnerabilities
  • Coverage of the latest attacks, such as BEAST, CRIME, BREACH, Lucky 13, RC4 biases, Triple Handshake Attack, and Heartbleed
  • Thorough deployment advice, including advanced technologies, such as Strict Transport Security, Content Security Policy, and pinning
  • Guide to using OpenSSL to generate keys and certificates and to create and run a private certification authority
  • Guide to using OpenSSL to test servers for vulnerabilities
  • Practical advice for secure server configuration using Apache httpd, IIS, Java, Nginx, Microsoft Windows, and Tomcat

This book is available in paperback and a variety of digital formats without DRM. The digital version of Bulletproof SSL and TLS can be obtained directly from the author, at feistyduck.com.

Similar Security books

Cyber War: The Next Threat to National Security and What to Do About It

Author of the #1 New York Times bestseller Against All Enemies, former presidential advisor and counter-terrorism expert Richard A. Clarke sounds a timely and chilling warning about America's vulnerability in a terrifying new international conflict: Cyber War! Every concerned American should read this startling and explosive book that offers an insider's view of White House 'Situation Room' operations and carries the reader to the frontlines of our cyber defense.

Hacking Exposed: Network Security Secrets and Solutions, Sixth Edition

The world's bestselling computer security book--fully expanded and updated. "Right now you hold in your hand one of the most successful security books ever written. Rather than being a sideline player, leverage the valuable insights Hacking Exposed 6 provides to help yourself, your company, and your country fight cyber-crime."

Information Security: The Complete Reference, Second Edition

Develop and implement an effective end-to-end security program. Today's complex world of mobile platforms, cloud computing, and ubiquitous data access puts new security demands on every IT professional. Information Security: The Complete Reference, Second Edition (previously titled Network Security: The Complete Reference) is the only comprehensive book that offers vendor-neutral details on all aspects of information protection, with an eye toward the evolving threat landscape.

Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition

Cutting-edge techniques for finding and fixing critical security flaws. Fortify your network and avert digital catastrophe with proven strategies from a team of security experts. Completely updated and featuring 12 new chapters, Gray Hat Hacking: The Ethical Hacker's Handbook, Fourth Edition explains the enemy's current weapons, skills, and tactics and offers field-tested remedies, case studies, and ready-to-deploy testing labs.

Extra info for Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

Because there is no documentation, you have to rely on mining mailing lists, bug reports, and source code to understand what is going on. For example, there is anecdotal evidence that intermediate certificates are not checked. For a long time, it wasn't clear that CRLs are not used by many browsers. Support for new features, such as OCSP stapling, is slow to arrive. The topic is essentially a black box. Testing provides some answers, but only at a point in time; there are no guarantees that the next version will continue to behave in the same manner. Outside the browser world, command-line tools still struggle with certificate validation, let alone revocation. And because most libraries don't use revocation checks by default, developers generally don't bother either. The general conclusion is that revocation doesn't work as designed, for one reason or another. This became painfully clear during 2011, after several CAs were compromised. In each case, the only way to reliably revoke fraudulent certificates was to use blacklisting, but not via CRL or OCSP. Instead, all vendors resorted to issuing patch releases, which contained hardcoded information about the fraudulent certificates. Chrome and Microsoft built special mechanisms that allow them to push new blacklisted certificates to their users without forcing software upgrades. Other browsers have or are planning to follow.

Key Issues with Revocation-Checking Standards

At a high level, there are some design flaws in both CRL and OCSP that limit their usefulness. There are three main problems:

Disconnect between certificates and queries

CRL and OCSP refer to certificates using their serial numbers, which are just arbitrary numbers assigned by CAs. This is unfortunate, because it's impossible to be completely sure that the certificate you have is the same one the CA is referring to. This fact could be exploited during a CA compromise by creating a forged certificate that reuses the serial number of an existing and valid certificate.

Blacklisting instead of whitelisting

CRL is, by definition, a blacklist, and can't be anything else. OCSP suffered from coming after CRLs and was probably designed in a way that's easy to use on top of the existing CRL infrastructure. In the early days, OCSP responders operated largely by feeding from the information available in CRLs. That was a missed opportunity to change from blacklisting to whitelisting, which would make it possible to check that a certificate is valid, not only that it has not been revoked. The focus on blacklisting was amplified by the practice of treating the "good" OCSP response status as "not revoked," even when the server actually had no knowledge of the serial number in question. As of August 2013, the CA/Browser Forum forbids this practice. It seems like a small difference, but this design flaw came up as a real problem during the DigiNotar incident. Because this CA had been completely compromised, there was no record of what fraudulent certificates had been issued.
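To make the two design flaws above concrete, here is a toy model, added here and not code from the book or from any real OCSP responder, of a responder fed only by a CRL beside one backed by the CA's issuance records; the serials, fingerprints and revoked set are constructed for the example.

```python
"""Toy model of the serial-number disconnect and blacklist-vs-whitelist flaws.
Constructed example; no real CA, CRL or OCSP responder is involved."""
from dataclasses import dataclass

REVOKED, GOOD, UNKNOWN = "revoked", "good", "unknown"

@dataclass(frozen=True)
class Cert:
    serial: int          # the only thing a CRL/OCSP query is keyed on
    fingerprint: str     # constructed stand-in for a hash of the whole cert

# Constructed CA state: what the CA actually issued and what it revoked.
ISSUED = {0x1001: Cert(0x1001, "fp-legit-1001"),
          0x1002: Cert(0x1002, "fp-legit-1002")}
CRL = {0x1002}

def crl_fed_responder(serial: int) -> str:
    """Pre-2013 practice: 'good' for any serial not on the CRL, even one
    the CA never issued (the "good" == "not revoked" shortcut)."""
    return REVOKED if serial in CRL else GOOD

def whitelist_responder(serial: int) -> str:
    """Responder backed by issuance records: 'good' only for serials the
    CA knows it issued; anything else is 'unknown', not 'good'."""
    if serial in CRL:
        return REVOKED
    return GOOD if serial in ISSUED else UNKNOWN

def check(cert: Cert, responder) -> str:
    # The query carries only the serial; cert.fingerprint never reaches the CA,
    # so a forged cert that reuses a real serial is indistinguishable here.
    return responder(cert.serial)

def demo() -> dict:
    legit = ISSUED[0x1001]
    forged_new = Cert(0x7777, "fp-forged-7777")    # serial the CA has no record of
    forged_reuse = Cert(0x1001, "fp-forged-1001")  # reuses a legitimate serial
    return {name: (check(c, crl_fed_responder), check(c, whitelist_responder))
            for name, c in (("legit", legit), ("forged_new", forged_new),
                            ("forged_reuse", forged_reuse))}

if __name__ == "__main__":
    for name, (crl_fed, wl) in demo().items():
        print(f"{name:12} CRL-fed: {crl_fed:8} whitelist: {wl}")
```

Only the whitelist responder flags the never-issued serial, and neither responder can catch the reused serial, which is why both flaws had to be handled out of band after the 2011 CA compromises.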
