Bulletproof SSL and TLS cover

Understanding and deploying SSL/TLS and PKI to secure servers and web applications, by Ivan Ristić

For system administrators, developers, and IT security professionals, this book provides a comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI. Written by Ivan Ristić, a security researcher and author of SSL Labs, this book will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. The second edition is currently in preview, with most chapters updated. Your purchase now will include the final version when it becomes available.

Buy Ebook   £39 £24
Amazon rating

What's In The Book

Table of Contents

Part I: SSL/TLS and PKI
1. SSL, TLS, and Cryptography 2. TLS 1.3 3. TLS 1.2 4. Public Key Infrastructure
Part II: Problems and Attacks
5. Attacks against PKI 6. HTTP and Browser Issues 7. Implementation Issues 8. Protocol Attacks
Part III: Deployment and Development
9. Performance 10. HSTS, CSP, and Pinning 11. TLS Configuration Guide
Part IV: OpenSSL Command-Line
11. Working with OpenSSL 12. Testing TLS servers with OpenSSL
Last Update: May 2021
First Edition: August 2014
Digital formats: PDF, EPUB (no DRM) Print Length: 480 pages

Welcome to the preview of the second edition of Bulletproof SSL and TLS. As I write this, it’s November 2020 and roughly seven years since we released the preview of the first edition. In terms of longevity of the content, I am happy to say that things have worked out approximately how I hoped they would.

The first edition came out in 2014, but immediately in 2015 we released another version to keep up with the developments, and then a full revision followed in 2017. In 2018, the long-awaited TLS 1.3 protocol came out, making a big impact on the ecosystem. As a result, I started to plan the second edition, which needed to be a major rewrite. The trick was to begin writing when the support for this new protocol is stable across a range of technologies, so that the book is not obsolete the moment it comes out. And here we are.

What's Changed

For the second edition, the key parts of the book have been newly-written or rewritten. There is obviously one entirely new chapter to cover TLS 1.3. The two OpenSSL chapters have seen so many changes that little text remains unchanged. I have also replaced the deployment chapter from the first edition with a brand new configuration chapter that is better structured and touches on everything you need to know to setup everything just right.

The chapters dealing with the Apache web server, Java, Microsoft technologies, and Nginx have been removed. I took this decision in order to keep the book at a somewhat reasonable size and focus on the core of the book that can be efficiently maintained in perpetuity.

Part I: SSL/TLS and PKI

The first part, chapters 1 through 4, lays out the foundations with a discussion of cryptography, SSL, TLS, and PKI.

Chapter 1, SSL, TLS, and Cryptography, begins with an introduction to SSL and TLS and discusses where these secure protocols fit in the Internet infrastructure. The remainder of the chapter provides an introduction to cryptography and discusses the classic threat model of the active network attacker.

Chapter 2, TLS 1.3, focuses on the most recent TLS protocol revision. At the time of writing, TLS 1.3 is well supported by both clients and servers, and widely used. This is the chapter you should read to understand how things work today.

Chapter 3, TLS 1.2, discusses previous major revision, TLS 1.2, which is still very relevant and needed in practice. Understanding this protocol is also very useful to understand what improvements were made in TLS 1.3 and why. Information about earlier protocol revisions is provided where appropriate. An overview of the protocol evolution from SSL 3 onwards is included at the end for reference.

Chapter 4, Public Key Infrastructure, is an introduction to Internet PKI, which is the predominant trust model used on the Internet today. The focus is on the standards and organizations as well as governance, ecosystem weaknesses and possible future im provements.

Part II: Problems and Attacks

The second part, chapters 5 through 8, details the various problems with trust infrastructure, our security protocols, and their implementations in libraries and programs.

Chapter 5, Attacks against PKI, deals with attacks on the trust ecosystem. It covers all the major CA compromises, detailing the weaknesses, attacks, and consequences. This chapter gives a thorough historical perspective on the security of the PKI ecosystem, which is important for understanding its evolution.

Chapter 6, HTTP and Browser Issues, is all about the relationship between HTTP and TLS, the problems arising from the organic growth of the Web, and the messy interactions between different pieces of the web ecosystem.

Chapter 7, Implementation Issues, deals with issues arising from design and programming mistakes related to random number generation, certificate validation, and other key TLS and PKI functionality. In addition, it discusses voluntary protocol downgrade and truncation attacks, as well as high-profile issues, such as Heartbleed, FREAK, and Logjam.

Chapter 8, Protocol Attacks, is the longest chapter in the book. It covers all the major protocol flaws discovered in recent years: insecure renegotiation, BEAST, CRIME, Lucky 13, POODLE and POODLE TLS, RC4, TIME and BREACH, and Triple Handshake Attack. A brief discussion of Bullrun and its impact on the security of TLS is also included.

Part III: Deployment and Development

The third part, chapters 9 through 11, provides comprehensive advice about deploying TLS in a secure and efficient fashion.

Chapter 9, Performance, focuses on the speed of TLS, going into great detail about various performance improvement techniques for those who want to squeeze every bit of speed out of their servers.

Chapter 10, HSTS, CSP, and Pinning, covers some advanced topics that strengthen web applications, such as HTTP Strict Transport Security and Content Security Policy. It also covers pinning, which is an effective way of reducing the large attack surface imposed by our current PKI model.

Chapter 11, TLS Configuration Guide, is the map for the entire book and provides step-by-step instructions on how to deploy secure and well-performing TLS servers and web applications.

Part IV: OpenSSL Command-Line

The fourth and final part consists of chapters 12 and 13, which focus on OpenSSL, the de facto standard for everyday TLS and PKI work on the command line.

Chapter 12, OpenSSL, describes the most frequently used OpenSSL functionality, with a focus on installation, configuration, and key and certificate management. The last section in this chapter provides instructions on how to construct and manage a private certification authority.

Chapter 13, Testing with OpenSSL, continues with OpenSSL and explains how to use its command-line tools to test server configuration. Even though it’s often much easier to use an automated tool for testing, OpenSSL remains the tool you turn to when you want to be sure about what’s going on.

Testimonials

The most comprehensive book about deploying TLS in the real world!

Nasko Oskov, Chrome Security developer and former SChannel developer

Meticulously researched.

Eric Lawrence, Fiddler author and former Internet Explorer Program Manager

The most to the point and up to date book about SSL/TLS I've read.

Jakob Schlyter, IT security advisor and DANE co-author

Ivan wrote a real page turner that can be used as both a point of reference and read from cover to cover with ease. Every page reveals more about what I don't know and anyone experienced in the industry will appreciate the feeling as you can't fix what you don't know is broken.”

Anonymous, via Amazon.com

This book has something to offer for everyone. The ebook was updated in a matter of days as new relevant information became available.

Kevin Jones, via Amazon.com

What's not to love? It's a very comprehensive guide. I constantly forget the details of SSL/TLS and frequently must refer to this book.

Spencer Williams, via Amazon.com

Not only is the book technically on-spot, Ivan has made the book accessible and easy to follow.

Chris Kissel, via Amazon.com

Hands down the best book on TLS I've found. A must read for those wanting to understand how Internet security works.

Walrus, via Amazon.com

Page 40 of 500 odd, already more than paid for itself.

CryptoStev, via Twitter

Comprehensive, thorough, and an engaging book—a rare combination, especially for a field that is mired in jargon and subtle but critical technical insights. Imagine sitting down with an expert for a (long) cup of coffee, and getting an end-to-end story on SSL/TLS.

Ilya Grigorik, author of High Performance Browser Networking

Tremendous guide on how to correctly deploy TLS by one of the top experts in the field.

Ben Rothke, via Amazon.com

This book is outstanding. Without it, one would have to navigate through a large quantity of unrelated documentation from different companies and spend significant effort in piecing it together.

Wolt, via Amazon.com

Great read. Great reference. Should be in your library.

Dave, via Amazon.co.uk

A book totally suitable for those who want to understand in depth how the universe of digital certificates works. Easy and extremely well-grounded reading through the use of an infinite number of references. A great acquisition.

Antonio Cosme, via Amazon Brazil

Helped me better understand the various implementations and how to score the risks when assessing systems. The text and footnotes have led me to answers for all of the questions I've had so far. Highly recommended.

Bryan Egan, via Amazon.com

You have to simply LOVE the fact that @ivanristic keeps updating his book.

Martin Schmiedecker, via Twitter

The best TLS book out there, should carry a $200 price tag and that would still be a bargain.

Amin Khoshnoodr, via Twitter

By far, the best book I've ever read about SSL and TLS.

Simone Carletti, via Amazon Italy

About the Author

Ivan Ristic

Ivan Ristić writes computer security books and builds security products. His book Bulletproof SSL and TLS, the result of more than a decade of research and study, is widely recognised as the de-facto SSL/TLS and PKI reference manual. His work on SSL Labs made hundreds of thousands of web sites more secure. Before that, he created ModSecurity, a leading open source web application firewall.

More recently, Ivan founded Hardenize, a platform for continuous security monitoring that provides free assessments to everyone. He's a member of Let's Encrypt's technical advisory board.