Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/edelahozuah/awesome-tls-security

A collection of (not-so, yet) awesome resources related to TLS, PKI and related stuff
https://github.com/edelahozuah/awesome-tls-security

List: awesome-tls-security

https pki security ssl tls

Last synced: about 1 month ago
JSON representation

A collection of (not-so, yet) awesome resources related to TLS, PKI and related stuff

Awesome Lists containing this project

README 

        
# awesome-tls-security

A collection of (not-so, yet) awesome resources related to TLS, PKI and related stuff. 



There is a bib version also (tlssec.bib)



# Table of Contents



[You should read this an skip the rest of the list](https://www.feistyduck.com/books/bulletproof-ssl-and-tls/reviewerKit.html)



## Trends



[Looking Back, Moving Forward (2017)](https://casecurity.org/2017/01/13/2017-looking-back-moving-forward/)



## Pervasive Monitoring

[Pervasive Monitoring is an Attack. RFC 7258](https://tools.ietf.org/html/rfc7258)



[Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement. RFC 7624 (2015)](https://tools.ietf.org/html/rfc7624)



## Certificates / PKIX



[Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280](https://doi.org/10.17487/rfc5280)



[Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). RFC 6125](https://doi.org/10.17487/rfc6125)



[tls - How does OCSP stapling work? - Information Security Stack Exchange. (2013)](https://security.stackexchange.com/questions/29686/how-does-ocsp-stapling-work)



## Attacks on TLS



### Overview



[SSL/TLS Vulnerabilities](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/)  



[ATTACKS ON SSL A COMPREHENSIVE STUDY OF BEAST, CRIME, TIME, BREACH, LUCK Y 13 & RC4 BIASES](https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf)



### Recent Attacks



#### TLS/SSL



[On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN (SWEET32, 2016)](https://sweet32.info/SWEET32_CCS16.pdf)



[Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS). RFC 7457 (2015)](https://doi.org/10.17487/rfc7457 )



[DROWN: Breaking TLS Using SSLv2 (DROWN, 2016)](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/aviram)



[Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing (2015)](http://www.irongeek.com/i.php?page=security/out-of-character-use-of-punycode-and-homoglyph-attacks-to-obfuscate-urls-for-phishing)



[All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS (RC4NOMORE, 2015)](https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/vanhoef)



[Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (LOGJAM, 2015)](https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf)



[A messy state of the union: Taming the composite state machines of TLS (2015)](http://www.ieee-security.org/TC/SP2015/papers-archived/6949a535.pdf)



[Bar Mitzvah Attack: Breaking SSL with a 13-year old RC4 Weakness (2015)](https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf)



[This POODLE bites: exploiting the SSL 3.0 fallback (POODLE, 2014)](https://www.openssl.org/~bodo/ssl-poodle.pdf)



[Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (Lucky13, 2013](http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) 



[SSL, gone in 30 seconds. Breach attack (BREACH,2013)](http://news.asis.io/sites/default/files/US-13-Prado-SSL-Gone-in-30-seconds-A-BREACH-beyond-CRIME-Slides_0.pdf)



[On the Security of RC4 in TLS (2013)](https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan)



[The CRIME Attack (CRIME, 2012)](https://www.ekoparty.org/archive/2012/CRIME_ekoparty2012.pdf)



[Here come the ⊕ Ninjas (BEAST, 2011)](http://nerdoholic.org/uploads/dergln/beast_part2/ssl_jun21.pdf)



### Software Vulnerabilities



[Java’s SSLSocket: How Bad APIs compromise security (2015)](https://deepsec.net/docs/Slides/2014/Java's_SSLSocket_-_How_Bad_APIs_Compromise_Security_-_Georg_Lukas.pdf)



[A Survey on {HTTPS} Implementation by Android Apps: Issues and Countermeasures](https://www.researchgate.net/publication/309895574_A_Survey_on_HTTPS_Implementation_by_Android_Apps_Issues_and_Countermeasures) 



## PKIX



[Analysis of the HTTPS Certificate Ecosystem (2013)](http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf)



### Incidents



[A complete study of P.K.I. (PKI’s Known Incidents) (2019)](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3425554)



[Secure» in Chrome Browser Does Not Mean «Safe» (2017)](https://www.wordfence.com/blog/2017/03/chrome-secure/ )



[Overview of Symantec CA Issues (2014 (aprox) -2017)](https://wiki.mozilla.org/CA:Symantec_Issues)



[Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates (Symantec, 2017)](https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs)



[Incidents involving the CA WoSign (WoSign, 2016)](https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I%5B1-25%5D)



[Sustaining Digital Certificate Security (Symantec, 2015)](https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html)



[Improved Digital Certificate Security (Symantec, 2015)](https://security.googleblog.com/2015/09/improved-digital-certificate-security.html)



[TURKTRUST Unauthorized CA Certificates. (2013)](https://www.entrust.com/turktrust-unauthorized-ca-certificates/)



[Flame malware collision attack explained (FLAME, 2012)](https://blogs.technet.microsoft.com/srd/2012/06/06/flame-malware-collision-attack-explained/

)



[An update on attempted man-in-the-middle attacks (DIGINOTAR, 2011)](https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html)



[Detecting Certificate Authority compromises and web browser collusion (COMODO, 2011)](https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion)



## SSL Interception



### Remarkable works



[Certified lies: Detecting and defeating government interception attacks against ssl (2011)](http://files.cloudprivacy.net/ssl-mitm.pdf)



[How the NSA, and your boss, can intercept and break SSL (2013)](http://www.zdnet.com/article/how-the-nsa-and-your-boss-can-intercept-and-break-ssl/)



[The Matter of Heartbleed (2014)](https://jhalderm.com/pub/papers/heartbleed-imc14.pdf)



[TLS in the wild—An Internet-wide analysis of TLS-based protocols for electronic communication (2015)]()



[TLS interception considered harmful How Man-in-the-Middle filtering solutions harm the security of HTTPS (2015)](https://events.ccc.de/camp/2015/Fahrplan/events/6833.html) 



[The Risks of SSL Inspection (2015)](https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html) 



[ Killed by Proxy: Analyzing Client-end TLS Interception Software (2016)](https://madiba.encs.concordia.ca/~x_decarn/papers/tls-proxy-ndss2016.pdf)



[The Security Impact of HTTPS Interception (2017)](https://zakird.com/papers/https_interception.pdf)



[US-CERT TA17-075A Https interception weakens internet security (2017)](https://www.us-cert.gov/ncas/alerts/TA17-075A) 



[The Security Impact of HTTPS Interception (2017)](https://jhalderm.com/pub/papers/interception-ndss17.pdf)

 - [Understanding the prevalence of web traffic interception (2017)](https://blog.cloudflare.com/understanding-the-prevalence-of-web-traffic-interception/)

 

 [Trust me, I’m a Root CA!

Analyzing SSL Root CAs in modern Browsers and Operating Systems (2019)](https://publications.sba-research.org/publications/SSL.pdf)



### SSL Interception-related Incidents



[Komodia superfish ssl validation is broken (2015)](https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/)



[More TLS Man-in-the-Middle failures - Adguard, Privdog again and ProtocolFilters.dll (2015)](https://blog.hboeck.de/archives/874-More-TLS-Man-in-the-Middle-failures-Adguard,-Privdog-again-and-ProtocolFilters.dll.html)



[Software Privdog worse than Superfish (2015)](https://blog.hboeck.de/archives/865-Software-Privdog-worse-than-Superfish.html)



[Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections (2015)](https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html)



[How Kaspersky makes you vulnerable to the FREAK attack and other ways Antivirus software lowers your HTTPS security (2015)](https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.htm)



## Tools

### TLS Audit



#### Online



[Qualys SSL Server Test](https://www.ssllabs.com/ssltest/)



[Qualys SSL Client Test](https://www.ssllabs.com/ssltest/viewMyClient.html)



#### Local



[sslyze](https://github.com/iSECPartners/sslyze)



[Qualys SSL Labs (local version)](https://github.com/ssllabs/ssllabs-scan)



[testssl.sh](https://testssl.sh/)



### Sysadmins



[Qualys SSL/TLS Deployment Best Practices](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices)



[Mozilla's Recommendations for TLS Servers](https://wiki.mozilla.org/Security/Server_Side_TLS)



[IISCrypto: Tune up your Windows Server TLS configuration](https://www.nartac.com/Products/IISCrypto)



### MITM

[bettercap - A complete, modular, portable and easily extensible MITM framework’](https://www.bettercap.org/)



[dns2proxy](https://github.com/LeonardoNve/dns2proxy)



[MITMf](https://github.com/byt3bl33d3r/MITMf)



## Protocols

### TLS 1.3



[RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3 (2018)](https://www.rfc-editor.org/rfc/rfc8446)



### UTA (Use TLS in Applications) IETF WG



[Drafts and RFCs (HTTP and SMTP)](https://datatracker.ietf.org/wg/uta/documents/)



### Strict Transport Security (STS)



[HTTP Strict Transport Security (HSTS). RFC 6797 (2012)](https://doi.org/10.17487/rfc6797)



[STS Preload List - Google Chrome](https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json)



[HSTS Preload List Submission.](https://hstspreload.org/)



[HTTP Strict Transport Security for Apache, NGINX and Lighttpd](https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html) 



### HPKP



[Public Key Pinning Extension for HTTP. RFC 7469 (2015)](https://doi.org/10.17487/rfc7469)



[Is HTTP Public Key Pinning Dead? (2016)](https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead)



### Certificate Transparency



[Certificate Transparency](https://www.certificate-transparency.org/) 



[How Certificate Transparency Works - Certificate Transparency](https://www.certificate-transparency.org/how-ct-works)



[Google Certificate Transparency (CT) to Expand to All Certificates Types (2016)](https://casecurity.org/2016/11/08/google-certificate-transparency-ct-to-expand-to-all-certificates-types/)



### CAA



[DNS Certification Authority Authorization (CAA) Resource Record. RFC 6844](https://doi.org/10.17487/rfc6844)



[CAA Record Generator](https://sslmate.com/labs/caa/)



### DANE and DNSSEC



[DANE Resources](https://www.huque.com/dane/)



[The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. RFC 6698](https://doi.org/10.17487/rfc6698)



[DANE: Taking TLS Authentication to the Next Level Using DNSSEC (2011)](https://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec)



[Generate TLSA Record](https://www.huque.com/bin/gen_tlsa)



[DNS security introduction and requirements. RFC 4033](https://tools.ietf.org/html/rfc4033)