Difference between revisions of "TLS / SSL"

General

See also HTTP#SSL

• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. They use asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

In the TCP/IP model view, TLS and SSL encrypt the data of network connections at a lower sublayer of its application layer. In OSI model equivalences, TLS/SSL is initialized at layer 5 (the session layer) then works at layer 6 (the presentation layer): first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

• AboutSSL.org - Explore SSL Types, Brands, Reviews, Comparison and More.

• https://istlsfastyet.com/

• YouTube: DEFCON 19: SSL And The Future Of Authenticity - Moxie Marlinspike, 2011

Specs

some rfcs..

• http://tools.ietf.org/html/rfc2712 - Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
• http://tools.ietf.org/html/rfc4279 - Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
• http://tools.ietf.org/html/rfc5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
• http://tools.ietf.org/html/rfc6091 - Using OpenPGP Keys for Transport Layer Security (TLS) Authentication
• http://tools.ietf.org/html/rfc6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)

• The Illustrated TLS Connection: Every Byte Explained - In this demonstration a client has connected to a server, negotiated a TLS 1.2 session, sent "ping", received "pong", and then terminated the session. [1]

• http://www.ecnmag.com/articles/2015/01/ssl-tls-handshake [2]

• https://briansmith.org/browser-ciphersuites-01.html [3]

• http://op-co.de/blog/posts/android_ssl_downgrade/

• https://news.ycombinator.com/item?id=6733806

ESNI

• Encrypted SNI Comes to Firefox Nightly | Mozilla Security Blog - [4]

Encrypted Client Hello (ECH)

• Say (an encrypted) hello to a more private internet

• Understand Encrypted Client Hello (ECH) | Firefox Help

• Good-bye ESNI, hello ECH!

• YouTube: Encrypted Client Hello A New Attempt At Web Privacy

Guides

• http://erik.io/blog/2013/06/08/a-basic-guide-to-when-and-how-to-deploy-https/

• https://wiki.mozilla.org/Security/Server_Side_TLS
• https://www.ssllabs.com/projects/best-practices/
• SSL/TLS Deployment Best Practices - tutorial whitepaper
• https://sites.google.com/site/x509certificateusage/

• OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection - Touching on HTTPS, SSL and TLS

• https://daniel.molkentin.net/2014/04/21/fighting-cargo-cult-the-incomplete-ssltls-bookmark-collection/ [5]

• DEFCON 19: SSL And The Future Of Authenticity - Moxie Marlinspike
• https://rx4g.com/2013/09/09/web-server-authentication-is-still-broken/
• https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html [6]
• http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services

• http://www.mysqlperformanceblog.com/2013/10/10/mysql-ssl-performance-overhead/

HTTPS

• http://tools.ietf.org/html/rfc2818 - HTTP Over TLS
• WP: HTTPS

• https://www.tbray.org/ongoing/When/201x/2012/12/02/HTTPS - basic intro
• Living with HTTPS (19 Jul 2012)

• http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
• Improved HTTPS Performance with Early SSL Termination

• WP: HTTP_Strict_Transport_Security - force HTTPS
• https://www.scantosecure.com/blog/fencing-your-ssl-errors-with-hsts
• http://blog.nvisium.com/2014/04/is-your-site-hsts-enabled.html [7]

• http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/ [8]

• http://notary.icsi.berkeley.edu/
  • http://notary.icsi.berkeley.edu/trust-tree/

• https://www.eff.org/https-everywhere
  • https://www.eff.org/deeplinks/2012/12/end-year-blog-post-2012-https-rise

See HTTP#SSL

• https://news.ycombinator.com/item?id=10988948

PFS

• WP: Perfect_forward_secrecy

• http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

• http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-forward-secrecy-for-nginx-or-stud/

• https://news.ycombinator.com/item?id=5955866

CRL

• https://isc.sans.edu/crls.html

DANE

• https://datatracker.ietf.org/wg/dane/charter/

HPKP

• WP: HTTP_Public_Key_Pinning

• http://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html [9]

Software

• WP: Comparison_of_TLS_implementations

Gnutils

• http://www.gnutls.org/
  • WP: Gnutls

OpenSSL

• http://www.openssl.org/
  • WP: OpenSSL

openssl ciphers -v

openssl verify -CAfile /etc/nginx/ca.pem certs/client.crt

NSS

• WP: Network_Security_Services

tlspool

• http://www.tlspool.org/ - TLS daemon with PKCS #11 backend
  • https://github.com/arpa2/tlspool

mbedtls

• https://github.com/ARMmbed/mbedtls
  • WP: Mbed_TLS

BoringSSL

• boringssl - a fork of OpenSSL that is designed to meet Google's needs.Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability. Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

• https://www.imperialviolet.org/2015/10/17/boringssl.html [10]

Tools

• SSL Server Test - This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.

• Why No Padlock? - This web based tool will check a secure (https://) URL for the following items: Valid SSL Certificate (checks expiration date, properly installed intermediate certificate, URL matches the certificate domain, and displays the SSL Issuing company. All image, css, and javascript calls on the page are done so securely. Checks each linked css file to make sure any image calls are also secure. Outputs any insecure calls, along with the file (referrer) that made the insecure call. Verifies all third party SSL calls also have a valid and properly installed SSL certificate.

• sslScanner - Scan SSL based TCP services, ips, ports and network ranges to obtain certificate expiry data. Get automated alerts about certificates expiring

• SSL Converter - convert SSL certificates to and from different formats such as pem, der, p7b, and pfx
• Certificate Depot - Create your self-signed SSL certificate instantly and for free.

• https://gist.github.com/bretwalker/5420652

Analysis

• https://ssldecoder.org/

• https://certificatemonitor.org/

• https://ma.ttias.be/certdiff/

Certificates

• WP: X.509

• SSL Certificate Types and Purposes

• https://www.globalsign.com/ssl-information-center/types-of-ssl-certificate.html

• http://blogs.msdn.com/b/kaushal/archive/2010/11/05/ssl-certificates.aspx

• http://wiki.cacert.org/Glossary/Validation

• WP: Server_Name_Indication - SNI allows more than one domain per ip address, not supported by older IE and Android 2

• WP: Online_Certificate_Status_Protocol

• https://crt.sh/

Certificate signing request

• WP: Certificate_signing_request - .csr - Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

• https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO6506&searchid=1270237704682

Key formats

• .pem Defined in RFC's 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name is from Privacy Enhanced Email, a failed method for secure email but the container format it used lives on.
• .key This is a PEM formatted file containing just the private-key of a specific certificate. In Apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.
• .pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

• SF: What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
• DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them

SAN

• WP: Subject_Alternative_Name - allows multiple domains, but not like a wildcard

Wildcard

• WP: Wildcard_certificate

Domain Validation

• WP: Domain-validated_certificate - DV, is an X.509 digital certificate typically used for Transport Layer Security (TLS) where the domain name of the applicant has been validated by proving some control over a DNS domain.

Organisational Validation

involving better/slower background checks for the Organisation Name field

Extended Validation

• WP: Extended_Validation_Certificate - provides a green address bar, bit of a rip-off though

Self-signed

Vulnerable to MITM as cracker can generate their own, OK if you control both ends.

• How to Create A Self Signed Certificate - sslshopper.com
• How to create a self-signed SSL Certificate which can be used for testing purposes or internal usage

Local certificates

• https://github.com/FiloSottile/mkcert - A simple zero-config tool to make locally trusted development certificates with any names you'd like.

• https://github.com/devilbox/cert-gen - Generate CA and self-signed SSL certificates usable in your browser for local development.

CAs

• WP: Certificate_authority

• https://www.eff.org/observatory
• http://www.certificate-transparency.org/

• WP: Comparison_of_SSL_certificates_for_web_servers

• https://www.eff.org/sovereign-keys
  • https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=master

Software

• https://github.com/OpenVPN/easy-rsa - a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including sub-CAs and certificate revocation lists (CRL).

Services

Lets Encrypt / ACME

• https://letsencrypt.org/ [11]

• https://gethttpsforfree.com/

• https://github.com/letsencrypt/acme-spec
  • https://www.ietf.org/mailman/listinfo/acme

• https://letsencrypt.readthedocs.org/en/latest/using.html

• https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394

• https://github.com/letsencrypt/letsencrypt

• https://github.com/Neilpang/acme.sh

• https://github.com/lukas2511/dehydrated - a client for signing certificates with an ACME-server (e.g. Let's Encrypt) implemented as a relatively simple (zsh-compatible) bash-script. This client supports both ACME v1 and the new ACME v2 including support for wildcard certificates!

• https://gist.github.com/renchap/c093702f06df69ba5cac#file-readme-md - nginx [12]

./letsencrypt-auto certonly -d example.com -d www.example.com --agree-tos --renew-by-default -a webroot --webroot-path=/tmp/letsencrypt-auto

• https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622

• https://community.letsencrypt.org/t/how-to-get-an-a-rating-on-qualys-ssl-labs-with-nginx-without-breaking-loads-of-browsers/4582

• https://news.ycombinator.com/item?id=11399476

Comodo

• http://www.comodo.com/ - security history a bit of a joke
• https://cheapsslsecurity.com/ - SSL Certificate at a low price*
  • http://ssl.comodo.com/wildcard-ssl-certificates.php - from £224.95

• HN discussion: $50 comodo wildcard SSLs (while they last)

• http://www.cheapssls.com/
• https://www.gogetssl.com/
• https://www.positivessl.com/
• https://www.cheapsslshop.com/wildcard-ssl-certificates

• https://letsencrypt.org//2016/06/23/defending-our-brand.html - bullies [13] [14]

VeriSign

• http://www.verisign.com/ - owned by Symantec

• http://www.geotrust.com/

• http://www.rapidssl.com/buy-ssl/ssl-certificate/index.html
• http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/index.html
• https://www.rapidsslonline.com/

GlobalSign

• WP: GlobalSign - owned by GMO CLOUD K.K. in Japan

• https://www.ssl2buy.com/alphassl-wildcard.php
• http://www.vpsnodebox.com/ssl-certificates - AlphaSSL - GlobalSign certificate.
  • http://lowendtalk.com/discussion/4495/regular-and-wildcard-alphassl-certificates-for-everyone-for-cheap

• http://www.garrisonhost.com/ssl.htm

StartCom

• https://startssl.com
  • WP: StartCom - based in Israel, provides StartSSL certs. hostile customer service.

• https://konklone.com/post/switch-to-https-now-for-free [15]

Free certs, one cert per domain, 1 year. One only pays for acions that require human intervention, i.e., validation.

• How to renew an expired personal certificate

• https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html [16]

• https://www.computest.nl/blog/startencrypt-considered-harmful-today/ [17]

Cacert.org

• http://www.cacert.org/
  • WP: CAcert.org
  • http://wiki.cacert.org/

Community group providing certs. Web of trust based assurance point system. Not carried by major browsers, just Linux distros.

Other

• http://lolroot.ca/ - lol

• SSLMate - Buy SSL certs from the command line.

• CertSimple - The fastest way to prove your company's identity online. EV Certificates are £149 a year. Multiple servers from £249 a year for 3 server names.

• https://getssl.me/

Future

• http://www.certificate-transparency.org/comparison

• TACK, a proposal for a dynamically activated public key pinning framework that provides a layer of indirection away from Certificate Authorities, but is fully backwards compatible with existing CA certificates, and doesn't require sites to modify their existing certificate chains.

• http://blather.michaelwlucas.com/archives/1591

• http://perspectives-project.org/
• http://convergence.io/
  • WP: Convergence_(SSL)

• https://news.ycombinator.com/item?id=6869705

• https://news.ycombinator.com/item?id=10795404

• Introducing Zero Round Trip Time Resumption (0-RTT)

• What Application Developers Need To Know About TLS Early Data (0RTT) | Trail of Bits Blog

• https://ldapwiki.com/wiki/0-RTT%20Handshakes

Signed HTTP Exchanges / SGX

• Signed HTTP Exchanges - Chrome Developers - a subset of the emerging technology called Web Packages, which enables publishers to safely make their content portable, i.e. available for redistribution by other parties, while still keeping the content’s integrity and attribution. Portable content has many benefits, from enabling faster content delivery to facilitating content sharing between users, and simpler offline experiences. So, how do Signed HTTP Exchanges work? This technology allows a publisher to sign a single HTTP exchange (i.e., a request/response pair), in the way that the signed exchange can be served from any caching server. When the browser loads this Signed Exchange, it can safely show the publisher’s URL in the address bar because the signature in the exchange is sufficient proof that the content originally came from the publisher’s origin.

• Signed Exchanges (SXGs)

Other

• WP: Datagram_Transport_Layer_Security

• https://news.ycombinator.com/item?id=13589664

• Insecure Design - BygoneSSL - what can happen when a SSL certificate can outlive one of its domains' ownerships into the next.

• Signing HTTP Messages - a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over content within an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer, and where the message may be transformed (e.g., by intermediaries) before reaching the verifier.