Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

by adminSecurity

Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

Ivan Ristic

Language: English

Pages: 530

ISBN: 1907117040

Format: PDF / Kindle (mobi) / ePub


FULLY REVISED IN AUGUST 2015.

Bulletproof SSL and TLS is a complete guide to using SSL and TLS encryption to deploy secure servers and web applications. Written by Ivan Ristic, the author of the popular SSL Labs web site, this book will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks.

In this book, you'll find just the right mix of theory, protocol detail, vulnerability and weakness information, and deployment advice to get your job done:

  • Comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI, with updates to the digital version
  • For IT security professionals, help to understand the risks
  • For system administrators, help to deploy systems securely
  • For developers, help to design and implement secure web applications
  • Practical and concise, with added depth when details are relevant
  • Introduction to cryptography and the latest TLS protocol version
  • Discussion of weaknesses at every level, covering implementation issues, HTTP and browser problems, and protocol vulnerabilities
  • Coverage of the latest attacks, such as BEAST, CRIME, BREACH, Lucky 13, RC4 biases, Triple Handshake Attack, and Heartbleed
  • Thorough deployment advice, including advanced technologies, such as Strict Transport Security, Content Security Policy, and pinning
  • Guide to using OpenSSL to generate keys and certificates and to create and run a private certification authority
  • Guide to using OpenSSL to test servers for vulnerabilities
  • Practical advice for secure server configuration using Apache httpd, IIS, Java, Nginx, Microsoft Windows, and Tomcat

This book is available in paperback and a variety of digital formats without DRM. Digital version of Bulletproof SSL and TLS can be obtained directly from the author, at feistyduck.com.

La sécurité dans la maison (L'artisan de sa maison)

Strategic Failure: How President Obama’s Drone Warfare, Defense Cuts, and Military Amateurism Have Imperiled America

Red Team: How to Succeed By Thinking Like the Enemy

BackTrack - Testing Wireless Network Security

Cryptography and Secure Communication

 

 

 

 

 

 

 

 

 

 

 

 

 

Which require TLS 1.2. In the future, TLS might be extended to authenticate encryption instead of plaintext, in which case CBC suites might become safe again.[387] RC4 Weaknesses RC4, designed by Ron Rivest in 1987, is one of the oldest ciphers still in use and, despite all its many flaws, still one of the most popular. Its popularity comes from the fact that it’s been around for a very long time but also because it’s simple to implement and runs very fast in software and hardware.

Secrecy configuration. In JSSE, all DHE suites are limited to 768 bits, which is insecure; for this reason you can’t have any DHE suites in the configuration, which means no forward secrecy with older clients. Configuration with Java 8 If you are deploying with Java 8, some of the new features will be available to you automatically: Stronger (1,024-bit) DH parameters will be used by default, and you can configure the JVM to increase the strength to 2,048 bits to make it more secure.

Responses every day.[260] A more recent article mentions as many as 14 billion transactions per day in 2014.[261] Correctness If an OCSP responder is available and fast, that does not mean that it is actually responding correctly. Some CAs do not synchronize their OCSP responders with changes in their main database. For example, some time ago I obtained a certificate from a public CA, installed it on my web site, and promptly discovered that all OCSP requests were failing. After contacting.

Tools publicly available, anyone can exploit a vulnerable server in minutes. Some tools are quite advanced and provide full automation of private key discovery. Note If you’d like to learn more about the bug itself and how to test for vulnerable servers, head to the section called “Testing for Heartbleed” in Chapter 12, Testing with OpenSSL. Mitigation Patching is the best way to start to address Heartbleed. If you’re relying on a system-provided version of OpenSSL, your vendor.

Application session. He will be able to perform arbitrary actions on the web site, using the identity of the victim. Under the right conditions, BEAST is easy to execute; however, getting everything aligned (especially today) is difficult. Because the vulnerability exploited by the BEAST attack is in the protocols, at the time of the announcement virtually all SSL and TLS clients were vulnerable. BEAST is a client-only vulnerability. TLS operates two data streams, one sent from the client to the.

Download sample

Download