Limit search to available items
Book Cover
Book
Author Ristic, Ivan, author

Title Bulletproof SSL and TLS / Ivan Ristić
Published London : Feisty duck, 2014
London : Feisty Duck, 2014

Copies

Location Call no. Vol. Availability
 MELB  005.8 Ris/Bss  AVAILABLE
Description xxii, 506 pages : illustrations (black and white) ; 24 cm
Contents Contents note continued: Backend Certificate and Hostname Validation -- HTTP Strict Transport Security -- Content Security Policy -- Protocol Downgrade Protection -- Latency and Connection Management -- TCP Optimization -- Connection Persistence -- SPDY, HTTP/2, and Beyond -- Content Delivery Networks -- TLS Protocol Optimization -- Key Exchange -- Certificates -- Revocation Checking -- Session Resumption -- Transport Overhead -- Symmetric Encryption -- TLS Record Buffering Latency -- Interoperability -- Hardware Acceleration -- Denial of Service Attacks -- Key Exchange and Encryption CPU Costs -- Client-Initiated Renegotiation -- Optimized TLS Denial of Service Attacks -- HTTP Strict Transport Security -- Configuring HSTS -- Ensuring Hostname Coverage -- Cookie Security -- Attack Vectors -- Browser Support -- Robust Deployment Checklist -- Privacy Implications -- Content Security Policy -- Preventing Mixed Content Issues -- Policy Testing -- Reporting -- Browser Support --
Contents note continued: Blacklisting Trusted Certificates -- Disabling the Auto-Update of Root Certificates -- Configuration -- Schannel Configuration -- Cipher Suite Configuration -- Key and Signature Restrictions -- Configuring Renegotiation -- Configuring Session Caching -- Monitoring Session Caching -- FIPS 140-2 -- Third-Party Utilities -- Securing ASP.NET Web Applications -- Enforcing SSL Usage -- Securing Cookies -- Securing Session Cookies and Forms Authentication -- Deploying HTTP Strict Transport Security -- Internet Information Server -- Managing Keys and Certificates -- Installing Nginz with Static OpenSSL -- Enabling TLS -- Configuring TLS Protocol -- Configuring Keys and Certificates -- Configuring Multiple Keys -- Wildcard and Multisite Certificates -- Virtual Secure Hosting -- Reserving Default Sites for Error Messages -- Forward Secrecy -- OCSP Stapling -- Configuring OCSP Stapling -- Using a Custom OCSP Responder -- Manual Configuration of OCSP Responses --
Contents note continued: Certificate Revocation Lists -- Online Certificate Status Protocol -- Certificate Validation Flaws -- Library and Platform Validation Failures -- Application Validation Failures -- Hostname Validation Issues -- Random Number Generation -- Netscape Navigator (1994) -- Debian (2006) -- Insufficient Entropy on Embedded Devices -- Heartbleed -- Impact -- Mitigation -- FREAK -- Export Cryptography -- Attack -- Impact and Mitigation -- Logjam -- Active Attack against Insecure DHE Key Exchange -- Precomputation Attack against Insecure DHE Key Exchange -- State-Level Threats against Weak DH Key Exchange -- Impact -- Mitigation -- Protocol Downgrade Attacks -- Rollback Protection in SSL 3 -- Interoperability Problems -- Voluntary Protocol Downgrade -- Rollback Protection in TLS 1.0 and Better -- Attacking Voluntary Protocol Downgrade -- Modern Rollback Defenses -- Truncation Attacks -- Truncation Attack History -- Cookie Cutting -- Deployment Weaknesses --
Contents note continued: Configuring Ephemeral DH Key Exchange -- Configuring Ephemeral ECDH Key Exchange -- TLS Session Management -- Standalone Session Cache -- Standalone Session Tickets -- Distributed Session Cache -- Distributed Session Tickets -- Disabling Session Tickets -- Client Authentication -- Mitigating Protocol Issues -- Insecure Renegotiation -- BEAST -- CRIME -- Deploying HTTP Strict Transport Security -- Tuning TLS Buffers -- Logging
Contents note continued: Connecting to SSL Services -- Testing Protocols that Upgrade to SSL -- Using Different Handshake Formats -- Extracting Remote Certificates -- Testing Protocol Support -- Testing Cipher Suite Support -- Testing Servers that Require SNI -- Testing Session Reuse -- Checking OCSP Revocation -- Testing OCSP Stapling -- Checking CRL Revocation -- Testing Renegotiation -- Testing for the BEAST Vulnerability -- Testing for Heartbleed -- Determining the Strength of Diffie-Hellman Parameters -- Installing Apache with Static OpenSSL -- Enabling TLS -- Configuring TLS Protocol -- Configuring Keys and Certificates -- Configuring Multiple Keys -- Wildcard and Multisite Certificates -- Virtual Secure Hosting -- Reserving Default Sites for Error Messages -- Forward Secrecy -- OCSP Stapling -- Configuring OCSP Stapling -- Handling Errors -- Using a Custom OCSP Responder -- Configuring Ephemeral DH Key Exchange -- TLS Session Management -- Standalone Session Cache --
Contents note continued: Man-in-the-Middle Attacks -- ComodoHacker Claims Responsibility -- DigiCert Sdn. Bhd. -- Flame -- Flame against Windows Update -- Flame against Windows Terminal Services -- Flame against MD5 -- TURKTRUST -- ANSSI -- National Informatics Centre of India -- Widespread SSL Interception -- Gogo -- Superfish and Friends -- CNNIC -- Sidejacking -- Cookie Stealing -- Cookie Manipulation -- Understanding HTTP Cookies -- Cookie Manipulation Attacks -- Impact -- Mitigation -- SSL Stripping -- MITM Certificates -- Certificate Warnings -- Why So Many Invalid Certificates? -- Effectiveness of Certificate Warnings -- Click-Through Warnings versus Exceptions -- Mitigation -- Security Indicators -- Mixed Content -- Root Causes -- Impact -- Browser Treatment -- Prevalence of Mixed Content -- Mitigation -- Extended Validation Certificates -- Certificate Revocation -- Inadequate Client-Side Support -- Key Issues with Revocation-Checking Standards --
Contents note continued: Next Protocol Negotiation -- Secure Renegotiation -- Server Name Indication -- Session Tickets -- Signature Algorithms -- OCSP Stapling -- Protocol Limitations -- Differences between Protocol Versions -- SSL 3 -- TLS 1.0 -- TLS 1.1 -- TLS 1.2 -- Internet PKI -- Standards -- Certificates -- Certificate Fields -- Certificate Extensions -- Certificate Chains -- Relying Parties -- Certification Authorities -- Certificate Lifecycle -- Revocation -- Weaknesses -- Root Key Compromise -- Ecosystem Measurements -- Improvements -- VeriSign Microsoft Code-Signing Certificate -- Thawte login.live.com -- StartCom Breach (2008) -- CertStar (Comodo) Mozilla Certificate -- RapidSSL Rogue CA Certificate -- Chosen-Prefix Collision Attack -- Construction of Colliding Certificates -- Predicting the Prefix -- What Happened Next -- Comodo Resellers Breaches -- StartCom Breach (2011) -- DigiNotar -- Public Discovery -- Fall of a Certification Authority --
Contents note continued: Pinning -- What to Pin? -- Where to Pin? -- Should You Use Pinning? -- Pinning in Native Applications -- Chrome Public Key Pinning -- Microsoft Enhanced Mitigation Experience Toolkit -- Public Key Pinning Extension for HTTP -- DANE -- Trust Assertions for Certificate Keys (TACK) -- Certification Authority Authorization -- Getting Started -- Determine OpenSSL Version and Configuration -- Building OpenSSL -- Examine Available Commands -- Building a Trust Store -- Key and Certificate Management -- Key Generation -- Creating Certificate Signing Requests -- Creating CSRs from Existing Certificates -- Unattended CSR Generation -- Signing Your Own Certificates -- Creating Certificates Valid for Multiple Hostnames -- Examining Certificates -- Key and Certificate Conversion -- Configuration -- Cipher Suite Selection -- Performance -- Creating a Private Certification Authority -- Features and Limitations -- Creating a Root CA -- Creating a Subordinate CA --
Contents note continued: Standalone Session Tickets -- Distributed Session Caching -- Distributed Session Tickets -- Disabling Session Tickets -- Client Authentication -- Mitigating Protocol Issues -- Insecure Renegotiation -- BEAST -- CRIME -- Deploying HTTP Strict Transport Security -- Monitoring Session Cache Status -- Logging Negotiated TLS Parameters -- Advanced Logging with mod_sslhaf -- Java Cryptography Components -- Strong and Unlimited Encryption -- Provider Configuration -- Features Overview -- Protocol Vulnerabilities -- Interoperability Issues -- Tuning via Properties -- Common Error Messages -- Securing Java Web Applications -- Common Keystore Operations -- Tomcat -- Configuring TLS Handling -- JSSE Configuration -- APR and OpenSSL Configuration -- Schannel -- Features Overview -- Protocol Vulnerabilities -- Interoperability Issues -- Microsoft Root Certificate Program -- Managing System Trust Stores -- Importing a Trusted Certificate --
Contents note continued: The Attack -- Impact -- Prerequisites -- Mitigation -- POODLE -- Practical Attack -- Impact -- Mitigation -- Bullrun -- Dual Elliptic Curve Deterministic Random Bit Generator -- Key -- Key Algorithm -- Key Size -- Key Management -- Certificate -- Certificate Type -- Certificate Hostnames -- Certificate Sharing -- Signature Algorithm -- Certificate Chain -- Revocation -- Choosing the Right Certificate Authority -- Protocol Configuration -- Cipher Suite Configuration -- Server Cipher Suite Preference -- Cipher Strength -- Forward Secrecy -- Performance -- Interoperability -- Server Configuration and Architecture -- Shared Environments -- Virtual Secure Hosting -- Session Caching -- Complex Architectures -- Issue Mitigation -- Renegotiation -- BEAST (HTTP) -- CRIME (HTTP) -- Lucky 13 -- RC4 -- TIME and BREACH (HTTP) -- Triple Handshake Attack -- Heartbleed -- Pinning -- HTTP -- Making Full Use of Encryption -- Cookie Security --
Contents note continued: Virtual Host Confusion -- TLS Session Cache Sharing -- Insecure Renegotiation -- Why Was Renegotiation Insecure? -- Triggering the Weakness -- Attacks against HTTP -- Attacks against Other Protocols -- Insecure Renegotiation Issues Introduced by Architecture -- Impact -- Mitigation -- Discovery and Remediation Timeline -- BEAST -- How the Attack Works -- Client-Side Mitigation -- Server-Side Mitigation -- History -- Impact -- Compression Side Channel Attacks -- How the Compression Oracle Works -- History of Attacks -- CRIME -- Mitigation of Attacks against TLS and SPDY -- Mitigation of Attacks against HTTP Compression -- Lucky 13 -- What Is a Padding Oracle? -- Attacks against TLS -- Impact -- Mitigation -- RC4 Weaknesses -- Key Scheduling Weaknesses -- Early Single-Byte Biases -- Biases across the First 256 Bytes -- Double-Byte Biases -- Subsequent Improved Attacks -- Mitigation: RC4 versus BEAST, Lucky 13, and POODLE -- Triple Handshake Attack --
Machine generated contents note: Scope and Audience -- SSL versus TLS -- SSL Labs -- Online Resources -- Feedback -- About the Author -- Acknowledgments -- Transport Layer Security -- Networking Layers -- Protocol History -- Cryptography -- Building Blocks -- Protocols -- Attacking Cryptography -- Measuring Strength -- Man-in-the-Middle Attack -- Record Protocol -- Handshake Protocol -- Full Handshake -- Client Authentication -- Session Resumption -- Key Exchange -- RSA Key Exchange -- Diffie-Hellman Key Exchange -- Elliptic Curve Diffie-Hellman Key Exchange -- Authentication -- Encryption -- Stream Encryption -- Block Encryption -- Authenticated Encryption -- Renegotiation -- Application Data Protocol -- Alert Protocol -- Connection Closure -- Cryptographic Operations -- Pseudorandom Function -- Master Secret -- Key Generation -- Cipher Suites -- Extensions -- Application Layer Protocol Negotiation -- Certificate Transparency -- Elliptic Curve Capabilities -- Heartbeat --
Notes Includes index
Subject Public key infrastructure (Computer security)
Web servers -- Security measures.
ISBN 9781907117046 (paperback)