Home

Awesome

awesome-tls-security

A collection of (not-so, yet) awesome resources related to TLS, PKI and related stuff.

There is a bib version also (tlssec.bib)

Table of Contents

You should read this an skip the rest of the list

Trends

Looking Back, Moving Forward (2017)

Pervasive Monitoring

Pervasive Monitoring is an Attack. RFC 7258

Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement. RFC 7624 (2015)

Certificates / PKIX

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280

Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). RFC 6125

tls - How does OCSP stapling work? - Information Security Stack Exchange. (2013)

Attacks on TLS

Overview

SSL/TLS Vulnerabilities

ATTACKS ON SSL A COMPREHENSIVE STUDY OF BEAST, CRIME, TIME, BREACH, LUCK Y 13 & RC4 BIASES

Recent Attacks

TLS/SSL

On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN (SWEET32, 2016)

Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS). RFC 7457 (2015)

DROWN: Breaking TLS Using SSLv2 (DROWN, 2016)

Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing (2015)

All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS (RC4NOMORE, 2015)

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (LOGJAM, 2015)

A messy state of the union: Taming the composite state machines of TLS (2015)

Bar Mitzvah Attack: Breaking SSL with a 13-year old RC4 Weakness (2015)

This POODLE bites: exploiting the SSL 3.0 fallback (POODLE, 2014)

Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (Lucky13, 2013

SSL, gone in 30 seconds. Breach attack (BREACH,2013)

On the Security of RC4 in TLS (2013)

The CRIME Attack (CRIME, 2012)

Here come the ⊕ Ninjas (BEAST, 2011)

Software Vulnerabilities

Java’s SSLSocket: How Bad APIs compromise security (2015)

A Survey on {HTTPS} Implementation by Android Apps: Issues and Countermeasures

PKIX

Analysis of the HTTPS Certificate Ecosystem (2013)

Incidents

A complete study of P.K.I. (PKI’s Known Incidents) (2019)

Secure» in Chrome Browser Does Not Mean «Safe» (2017)

Overview of Symantec CA Issues (2014 (aprox) -2017)

Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates (Symantec, 2017)

Incidents involving the CA WoSign (WoSign, 2016)

Sustaining Digital Certificate Security (Symantec, 2015)

Improved Digital Certificate Security (Symantec, 2015)

TURKTRUST Unauthorized CA Certificates. (2013)

Flame malware collision attack explained (FLAME, 2012)

An update on attempted man-in-the-middle attacks (DIGINOTAR, 2011)

Detecting Certificate Authority compromises and web browser collusion (COMODO, 2011)

SSL Interception

Remarkable works

Certified lies: Detecting and defeating government interception attacks against ssl (2011)

How the NSA, and your boss, can intercept and break SSL (2013)

The Matter of Heartbleed (2014)

TLS in the wild—An Internet-wide analysis of TLS-based protocols for electronic communication (2015)

TLS interception considered harmful How Man-in-the-Middle filtering solutions harm the security of HTTPS (2015)

The Risks of SSL Inspection (2015)

Killed by Proxy: Analyzing Client-end TLS Interception Software (2016)

The Security Impact of HTTPS Interception (2017)

US-CERT TA17-075A Https interception weakens internet security (2017)

The Security Impact of HTTPS Interception (2017)

Trust me, I’m a Root CA! Analyzing SSL Root CAs in modern Browsers and Operating Systems (2019)

SSL Interception-related Incidents

Komodia superfish ssl validation is broken (2015)

More TLS Man-in-the-Middle failures - Adguard, Privdog again and ProtocolFilters.dll (2015)

Software Privdog worse than Superfish (2015)

Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections (2015)

How Kaspersky makes you vulnerable to the FREAK attack and other ways Antivirus software lowers your HTTPS security (2015)

Tools

TLS Audit

Online

Qualys SSL Server Test

Qualys SSL Client Test

Local

sslyze

Qualys SSL Labs (local version)

testssl.sh

Sysadmins

Qualys SSL/TLS Deployment Best Practices

Mozilla's Recommendations for TLS Servers

IISCrypto: Tune up your Windows Server TLS configuration

MITM

bettercap - A complete, modular, portable and easily extensible MITM framework’

dns2proxy

MITMf

Protocols

TLS 1.3

RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3 (2018)

UTA (Use TLS in Applications) IETF WG

Drafts and RFCs (HTTP and SMTP)

Strict Transport Security (STS)

HTTP Strict Transport Security (HSTS). RFC 6797 (2012)

STS Preload List - Google Chrome

HSTS Preload List Submission.

HTTP Strict Transport Security for Apache, NGINX and Lighttpd

HPKP

Public Key Pinning Extension for HTTP. RFC 7469 (2015)

Is HTTP Public Key Pinning Dead? (2016)

Certificate Transparency

Certificate Transparency

How Certificate Transparency Works - Certificate Transparency

Google Certificate Transparency (CT) to Expand to All Certificates Types (2016)

CAA

DNS Certification Authority Authorization (CAA) Resource Record. RFC 6844

CAA Record Generator

DANE and DNSSEC

DANE Resources

The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. RFC 6698

DANE: Taking TLS Authentication to the Next Level Using DNSSEC (2011)

Generate TLSA Record

DNS security introduction and requirements. RFC 4033