There are a lot of lists about cryptography and security. This is my personal list, focused on documents that are relevant to my work on the Chrome security UX team.
It simultaneously lets me document the kinds of things one needs to know to work in my area, and gives me an easy way to find references I may need in the future (either for myself, or to give to others).
Expect it to be incomplete at all times.
- Securing the Web (editor: Mark Nottingham, 2015)
- HTML Design Principles (editors: van Kesteren, Stachowiak, 2007)
  - 3.2. Priority of Constituencies: "consider users over authors over implementors over specifiers over theoretical purity."
- Browser Security Handbook (Michal Zalewski, 2008)
- April King's Crypto Explainer (a fairly complete summary focused on browser crypto)
The "origin" is a (scheme, host, port) tuple, e.g. (https, www.google.com, 443). It is the most important isolation concept on the web: the same-origin policy keys on it. (Chromium's site isolation works on the coarser "site", scheme plus registrable domain, so https://mail.google.com and https://www.google.com share a site but not an origin.)
- RFC 6454: The Origin Concept (Adam Barth, 2011)
- Same-origin policy at Wikipedia
- Suborigin proposal: Chromium page and blog post (Joel Weinberger, 2014)
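An added example (my own illustration, not code from any of the references above) of the origin tuple computed from a URL, using the WHATWG URL class that Node.js and browsers provide. It shows the two details people get wrong most often: an omitted port means the scheme's default port, and schemes like data: and file: have an opaque origin that matches nothing, not even itself.

```javascript
// Added example (not from the original list): the (scheme, host, port) origin
// tuple of RFC 6454, computed from a URL with the WHATWG URL class that Node.js
// and browsers provide, plus the same-origin comparison built on it.

// Default ports per scheme; a URL whose port is omitted gets its scheme's default.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443, 'ftp:': 21 };

// Returns { scheme, host, port } or null for an opaque origin. Schemes outside
// the table (data:, file:, about:, ...) are treated as opaque here; the real
// spec also derives blob: origins from the inner URL, which is not modelled.
function originOf(urlString) {
  const u = new URL(urlString);             // throws on unparseable input
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  const port = u.port === '' ? DEFAULT_PORTS[u.protocol] : Number(u.port);
  // u.hostname is already lower-cased and IDNA-encoded by the URL parser, so
  // "WWW.Google.COM" and "www.google.com" compare equal.
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Same-origin per RFC 6454 s.5: all three components equal. Opaque origins never
// match, not even themselves.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Serialised form as seen in window.origin / the Origin request header:
// the default port is omitted, an opaque origin serialises as "null".
function serializeOrigin(urlString) {
  const o = originOf(urlString);
  if (o === null) return 'null';
  const isDefaultPort = DEFAULT_PORTS[o.scheme + ':'] === o.port;
  return `${o.scheme}://${o.host}${isDefaultPort ? '' : ':' + o.port}`;
}
```

`new URL(u).origin` already gives the serialised form; the point of spelling the tuple out is to see why https://google.com and https://www.google.com are different origins (host differs) while https://www.google.com:443/a and https://WWW.google.com/b are the same one.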
HTTP Strict Transport Security (HSTS) is a mechanism for a server to tell a browser "only connect to me over HTTPS in the future". The policy can be sent via the Strict-Transport-Security response header (browsers only honor it when it arrives over an error-free HTTPS connection) and/or be built into browsers for specific sites via the preload list.
- RFC 6797: HTTP Strict Transport Security (Hodges, Jackson, and Barth, 2012)
- HSTS at Wikipedia
- chromium.org/hsts: Chromium info, link to preload list and submission page.
- Upgrading HTTPS in Mid-Air: An Empirical Study of Strict Transport Security and Key Pinning (Michael Kranch and Joseph Bonneau, 2015)
- Bulletproof SSL and TLS book (Ivan Ristić, 2014)
- Why Eve and Mallory (Also) Love Webmasters: A Study on the Root Causes of SSL Misconfigurations (Fahl, Acar, Perl, Smith, 2014)
- Here’s My Cert, So Trust Me, Maybe?: Understanding TLS Errors on the Web (Akhawe, Amann, Vallentin, Sommer, 2013)
- Improving SSL Warnings: Comprehension and Adherence (Felt, Ainslie, Reeder, Consolvo, Thyagaraja, Bettes, Harris, Grimes, 2015)
- Killed by Proxy: Analyzing Client-end TLS Interception Software (de Carné de Carnavalet, Mannan, 2016)
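Returning to the HSTS mechanism described above: an added example (my own model of the RFC 6797 rules, not Chromium's implementation) of parsing the Strict-Transport-Security header and deciding whether a later http:// request should be upgraded. It covers the edge cases the RFC spends most of its words on: the header is ignored on an insecure or error-laden connection and for IP literals, max-age is required and must not repeat, includeSubDomains only extends the policy downward, max-age=0 forgets the host, and an expired entry no longer upgrades. The `now` clock and the `overSecureTransportWithoutErrors` flag are assumptions made to keep the model testable.

```javascript
// Added example (not Chromium's code): a minimal model of RFC 6797 HSTS
// processing. parseHsts() handles the header syntax of s.6.1; HstsStore
// applies the "only over a secure transport", expiry, and includeSubDomains
// rules of s.8. The preload directive is only a signal for the preload list
// submission process, so the store records it but never acts on it.

function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (value !== null && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);            // directive values may be quoted-strings
    }
    if (name === 'max-age') {
      // Required directive; a duplicate or a non-numeric value makes the whole
      // header invalid, and an invalid header MUST be ignored (s.8.1).
      if (policy.maxAge !== null || value === null || !/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;       // valueless directive
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // Unrecognised directives are ignored so the syntax can be extended.
  }
  return policy.maxAge === null ? null : policy;
}

// IPv4 dotted quads and bracketed IPv6 literals never become HSTS hosts (s.8.1.1).
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

class HstsStore {
  // `now` is injectable (assumption for this example) so expiry can be tested.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.hosts = new Map();                  // host -> { expires, includeSubDomains }
  }

  // Process one response. The caller passes whether the response came over TLS
  // with no certificate errors; a header on plain http (or on a page the user
  // clicked through a warning for) must not create or refresh a policy.
  observe(host, headerValue, overSecureTransportWithoutErrors) {
    host = host.toLowerCase();
    if (!overSecureTransportWithoutErrors || isIpLiteral(host)) return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) {               // max-age=0 tells the UA to forget the host
      this.hosts.delete(host);
      return true;
    }
    this.hosts.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Should an http:// request to this host be rewritten to https:// before it
  // is sent? True if the host itself, or an ancestor domain whose policy set
  // includeSubDomains, has an unexpired entry.
  shouldUpgrade(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (entry === undefined) continue;
      if (entry.expires <= this.now()) {     // expired: drop it and keep looking
        this.hosts.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}
```

Two things the model leaves out that matter in a real browser: for a known HSTS host, certificate errors become fatal rather than click-through warnings (which is what the Felt et al. warning work above has to live with), and the preload list is just a set of entries the store is seeded with, so preloaded hosts never need a first HTTPS visit to become protected.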
See the Usable security reading list by adrifelt@.