awesome-tls-security
A collection of (not-so, yet) awesome resources related to TLS, PKI and related stuff.
There is a bib version also (tlssec.bib)
Table of Contents
You should read this an skip the rest of the list
Trends
Looking Back, Moving Forward (2017)
Pervasive Monitoring
Pervasive Monitoring is an Attack. RFC 7258
Certificates / PKIX
tls - How does OCSP stapling work? - Information Security Stack Exchange. (2013)
Attacks on TLS
Overview
ATTACKS ON SSL A COMPREHENSIVE STUDY OF BEAST, CRIME, TIME, BREACH, LUCK Y 13 & RC4 BIASES
Recent Attacks
TLS/SSL
Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS). RFC 7457 (2015)
DROWN: Breaking TLS Using SSLv2 (DROWN, 2016)
Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing (2015)
All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS (RC4NOMORE, 2015)
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (LOGJAM, 2015)
A messy state of the union: Taming the composite state machines of TLS (2015)
Bar Mitzvah Attack: Breaking SSL with a 13-year old RC4 Weakness (2015)
This POODLE bites: exploiting the SSL 3.0 fallback (POODLE, 2014)
Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (Lucky13, 2013
SSL, gone in 30 seconds. Breach attack (BREACH,2013)
On the Security of RC4 in TLS (2013)
The CRIME Attack (CRIME, 2012)
Here come the ⊕ Ninjas (BEAST, 2011)
Software Vulnerabilities
Java’s SSLSocket: How Bad APIs compromise security (2015)
A Survey on {HTTPS} Implementation by Android Apps: Issues and Countermeasures
PKIX
Analysis of the HTTPS Certificate Ecosystem (2013)
Incidents
Secure» in Chrome Browser Does Not Mean «Safe» (2017)
Overview of Symantec CA Issues (2014 (aprox) -2017)
Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates (Symantec, 2017)
Incidents involving the CA WoSign (WoSign, 2016)
Sustaining Digital Certificate Security (Symantec, 2015)
Improved Digital Certificate Security (Symantec, 2015)
TURKTRUST Unauthorized CA Certificates. (2013)
Flame malware collision attack explained (FLAME, 2012)
An update on attempted man-in-the-middle attacks (DIGINOTAR, 2011)
Detecting Certificate Authority compromises and web browser collusion (COMODO, 2011)
SSL Interception
Remarkable works
Certified lies: Detecting and defeating government interception attacks against ssl (2011)
The Security Impact of HTTPS Interception (2017)
US-CERT TA17-075A Https interception weakens internet security (2017)
Killed by Proxy: Analyzing Client-end TLS Interception Software (2016)
The Risks of SSL Inspection (2015)
TLS in the wild—An Internet-wide analysis of TLS-based protocols for electronic communication (2015)
The Matter of Heartbleed (2014)
How the NSA, and your boss, can intercept and break SSL (2013)
SSL Interception-related Incidents
Komodia superfish ssl validation is broken (2015)
More TLS Man-in-the-Middle failures - Adguard, Privdog again and ProtocolFilters.dll (2015)
Software Privdog worse than Superfish (2015)
Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections (2015)
Tools
TLS Audit
Online
Local
Qualys SSL Labs (local version)
Sysadmins
Qualys SSL/TLS Deployment Best Practices
Mozilla's Recommendations for TLS Servers
IISCrypto: Tune up your Windows Server TLS configuration
MITM
bettercap - A complete, modular, portable and easily extensible MITM framework’
Protocols
UTA (Use TLS in Applications) IETF WG
Drafts and RFCs (HTTP and SMTP)
Strict Transport Security (STS)
HTTP Strict Transport Security (HSTS). RFC 6797 (2012)
STS Preload List - Google Chrome
HTTP Strict Transport Security for Apache, NGINX and Lighttpd
HPKP
Public Key Pinning Extension for HTTP. RFC 7469 (2015)
Is HTTP Public Key Pinning Dead? (2016)
Certificate Transparency
How Certificate Transparency Works - Certificate Transparency
Google Certificate Transparency (CT) to Expand to All Certificates Types (2016)
CAA
DNS Certification Authority Authorization (CAA) Resource Record. RFC 6844
DANE and DNSSEC
DANE: Taking TLS Authentication to the Next Level Using DNSSEC (2011)
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent