TLS (née SSL) is a big part of the modern computer landscape, but there are no up-to-date reference materials. The few books written 10 years ago are woefully out of date.

Someone needs to write a new book or books. Some big areas to focus on are:

  • updated history
  • certificates
  • cryptographic algorithms
  • best practices for security
  • working at scale

I think that interviewing all of the actors in the TLS world would be an awesome step.

More importantly, should the overall name be SSL, or TLS? Probably SSL, since that’s very widespread at this point.

TLS

Wikipedia - Transport Layer Security

RFC5246 - The Transport Layer Security (TLS) Protocol Version 1.2

RFC6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0

OWASP - Transport Layer Protection Cheat Sheet

RFC5746 - Transport Layer Security (TLS) Renegotiation Indication Extension

SHA-256 Compatibility

SSL/TLS Deployment Best Practices

Certificates

Survival guides - TLS/SSL and SSL (X.509) Certificates

Microsoft - Benefits of Multiple-Level Certification Hierarchies

Stack Overflow - How does an SSL certificate chain bundle works?

stackoverflow - OpenSSL Ignore Self-signed certificate error. Notes on how to verify certificates in OpenSSL

Certificate authorities

Wikipedia - Intermediate certificate authorities

What is the SSL Certificate Chain?

Signing certificate with another certificate signed by CA

Using Certificate Chains

github/zakjan - Cert chain resolver

chain.com - How We Keep the Chain API Secure

Becoming an X.509 Certificate Authority

WikiHow - How to Be Your Own Certificate Authority

Be your own Certificate Authority

Superuser - How do SSL chains work?

Public Key Pinning

  • HPKP - Public Key Pinning Extension for HTTP
  • HSTS - Force use of HTTPS
  • TACK - Public Key Pinning Extension
  • CRL - Certificate Revocation List
  • OCSP - Online Certificate Status Protocol

Mozilla - Public Key Pinning

RFC7469 - Public Key Pinning Extension for HTTP

Mozilla - HTTP Strict Transport Security

RFC6797 - HTTP Strict Transport Security (HSTS)

Wikipedia - HTTP Strict Transport Security

ImperialViolet - Public key pinning (04 May 2011) - Chrome adding public key pinning. Use public key hashes, not certificate hashes.

Public Key Pinning Extension for HTTP

OWASP - Certificate and Public Key Pinning

Wikipedia - Online Certificate Status Protocol

TACK, for pinning - Moxie Marlinspike

Attack on Google detected via pinning

security.stackexchange - What is certificate pinning?

Websockets and SSL

Can Javascript/Flash verify the SSL connection to prevent “SSL Inspection”?

TLS-SRP

Wikipedia - TLS-SRP

Wikipedia - Secure Remote Password protocol

RFC5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication