Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.
The authentication relied on Certificate Authorities (CA) and a public key infrastructure using X.509 certificates. The server register with a CA and sign its public key with the key of CA for a fee. The client, after receiving the public key from server, verifies it with the CA.
File:Ssl handshake with two way authentication with certificates.png - Wikimedia Commons
OpenSSL is a toolkit for the TLS and SSL.
see
Open SSL
- ImperialViolet - Overclocking SSL
- ImperialViolet - Public key pinning
- Survival Guide - TLS/SSL and SSL (X.509) Certificates (CA-signed and Self-Signed)
- Is TLS Fast Yet?
- BetterCrypto⋅org
- Rolling out Public Key Pinning with HPKP Reporting – Google Web Updates
- The SSL/TLS Handshake: an Overview – SSL Information and FAQ
- SSL: it’s hard to do right | The Recompiler
- How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer | Ars Technica
- Critics slam SSL authority for minting certificate for impersonating sites | Ars Technica
- How to obtain and install an SSL/TLS certificate, for free | Ars Technica
- Web served, part 2: Securing things with SSL/TLS | Ars Technica
HSTS
- HTTP Strict Transport Security - Wikiwand: always use HTTPS
- HSTS Preload List Submission
SSL checkers
Perfect Forward Secrecy (PFS)
Issues
CA
As it turns out, CA may not be trust-worthy after all. There are many instances of CA issuing fraudulent certificates (willingly or being hacked).
- How the Comodo certificate fraud calls CA trust into question | Ars Technica
- Google warns of unauthorized TLS certificates trusted by almost all OSes[Updated] | Ars Technica Google Chrome will banish Chinese certificate authority for breach of trust | Ars Technica
- Another fraudulent certificate raises the same old questions about certificate authorities | Ars Technica
Heartbleed (2014)
- Heartbleed Bug
- Heartbleed – Andrew Kennedy
- Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style | Ars Technica
- Coder in a World of Code: My Heart Bleeds for OpenSSL
Renegotiation Gap (2009)
Let’s Encrypt
- Let’s Encrypt
- How It Works
- Technology
- The CA’s Role in Fighting Phishing and Malware - Let’s Encrypt - Free SSL/TLS Certificates
- Rate Limits for Let’s Encrypt - Documentation - Let’s Encrypt Community Support
- Let’s Encrypt Demo - YouTube
- Generate free SSL certificates with Docker and LetsEncrypt | Tit Petrič
- How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04 | DigitalOcean
- Let’s Encrypt with HAProxy
- Let’s Encrypt on Raspberry Pi
- adventures in haproxy: tcp, tls, https, ssh, openvpn
- LetsEncrypt on Nginx
- How to configure Nginx with free Let’s Encrypt SSL certificate on Debian or Ubuntu Linux
Clients
- letsencrypt
- Certbot
- acmetool
- diafygi/acme-tiny: A tiny script to issue and renew TLS certs from Let’s Encrypt
- Neilpang/le: Simplest shell script for LetsEncrypt free Certificate client
- xenolf/lego: Let’s Encrypt client and ACME library written in Go Used in Caddy
- Daplie/node-letsencrypt: letsencrypt for node.js
- DylanPiercey/auto-sni: Free, automated HTTPS for NodeJS made easy.
Heroku
- Announcing Heroku Free SSL Beta and Flexible Dyno Hours | Heroku
- Let’s Encrypt and Heroku [Solved] - Server - Let’s Encrypt Community Support
- Let’s Encrypt with a Rails app on Heroku // Collective Idea | Crafting web and mobile software based in Holland, Michigan
- Use Let’s Encrypt TLS certificate on Heroku – Sikachu’s Blog – Medium
- SSL Endpoint | Heroku Dev Center
- Set up CloudFlare’s free SSL on Heroku
Standards
- RFC 2986 - PKCS #10: Certification Request Syntax Specification Version 1.7
- RFC 3447 - Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
- RFC 5958 - Asymmetric Key Packages
- RFC 6101 - The Secure Sockets Layer (SSL) Protocol Version 3.0
- RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
- RFC 7292 - PKCS #12: Personal Information Exchange Syntax v1.1