4 January 2017
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
We’re looking back at an eventful year in the TLS space. The most notable development in 2016 was that we are finally seeing the web adopting HTTPS as the new default.
Countless web pages and organizations have switched their default to the secure transport protocol in the past year: Wordpress.org, The Guardian, Wired, SourceForge, Blogspot and many more. According to Mozilla’s telemetry data, TLS-encrypted traffic surpassed 50 percent in October. There’s still a huge chunk of the web that is not encrypted, and it’ll probably take many more years until we can disable HTTP.
We’ve also seen some notable new attacks: SLOTH, Sweet32 and DROWN reminded us that old, insecure algorithms still pose a threat. The Nonce Reuse attack points out how fatal implementation flaws can be. And the rediscovered HEIST/TIME attack highlights an unsolved problem with encryption and compression.
Certificate authorities continue to be a concern when it comes to the security of TLS. The case of WoSign and StartCom is a reminder of that. However, thanks to Certificate Transparency - which will be required for all new certificates starting October 2017 - misissued and abused certificates can be detected much more reliably these days.
We already have a very good idea what the dominant topic in 2017 will be: TLS 1.3 is around the corner and will provide better security and better performance for encrypted connections.