
Bulletproof TLS Guide  

Comprehensive and yet concise guide to practical SSL/TLS and PKI configuration. Includes coverage of TLS server configuration and web application security. Written by Ivan Ristić.


1.5 Validate and Monitor

Configuring TLS, especially for use on web sites, has become increasingly complex in recent years. There are so many options to choose from that you're virtually guaranteed to get something wrong when you first try. Moreover, things change—sometimes accidentally, sometimes silently through software upgrades. For that reason, we recommend that you find a reliable configuration assessment tool that you trust, and use it periodically, not just once, to confirm that the deployment is still secure.

Several modern browser technologies come with reporting facilities, which can give you real-time insight into problems that your users are experiencing. CSP supports reporting and even a report-only mode without policy enforcement. A more recent technology, called Network Error Logging (NEL), provides reporting for a wide variety of network problems, including TLS and PKI.[1]
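The following is an added example, not code from the book: it shows the response headers a server would send to enable NEL and CSP report-only mode, and a small triage routine for the JSON batches that browsers POST to the configured endpoint. It also accounts for a problem that bites the first collector you build: the endpoint receives unauthenticated POSTs from anywhere, so reports naming hosts you don't own should be dropped before they pollute dashboards. The collector URL, the domains you serve and the sample batch are all assumptions constructed for the example; report field names follow the NEL and Reporting API specifications.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Assumptions for this example (not from the book): where reports are collected
# and which domains we serve, so reports about anyone else's hosts are discarded.
COLLECTOR_URL = "https://reports.example.com/collect"
OUR_DOMAINS = ("example.com",)


def reporting_headers(max_age=2592000):
    """Response headers that turn on NEL and CSP report-only mode."""
    group = {"group": "default", "max_age": max_age,
             "endpoints": [{"url": COLLECTOR_URL}]}
    nel = {"report_to": "default", "max_age": max_age,
           "include_subdomains": True, "failure_fraction": 1.0}
    return {
        # Reporting API v1 endpoint, referenced by CSP's report-to directive.
        "Reporting-Endpoints": f'default="{COLLECTOR_URL}"',
        # Older group syntax; NEL predates v1 and resolves report_to through it.
        "Report-To": json.dumps(group, separators=(",", ":")),
        "NEL": json.dumps(nel, separators=(",", ":")),
        # Report-only: violations are reported, nothing is blocked.
        "Content-Security-Policy-Report-Only":
            "default-src 'self'; report-to default",
    }


def is_ours(url):
    """True if the URL is on a domain we serve (include_subdomains is on)."""
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in OUR_DOMAINS)


def triage(batch_json):
    """Classify one POSTed batch (application/reports+json) by failure class."""
    summary = {"pki": Counter(), "tls": Counter(), "network": Counter(),
               "csp": Counter(), "foreign": 0, "unknown": 0}
    for report in json.loads(batch_json):
        if not is_ours(report.get("url", "")):
            summary["foreign"] += 1      # the endpoint is public; drop other origins
            continue
        body = report.get("body", {})
        kind = report.get("type")
        if kind == "network-error":
            err = body.get("type", "")
            if err.startswith("tls.cert."):
                summary["pki"][err] += 1     # chain, name, date, revocation trouble
            elif err.startswith("tls."):
                summary["tls"][err] += 1     # handshake or protocol failures
            elif err != "ok":
                summary["network"][err] += 1  # dns.*, tcp.*, http.* and so on
        elif kind == "csp-violation":
            summary["csp"][body.get("effectiveDirective", "?")] += 1
        else:
            summary["unknown"] += 1
    return summary


# Constructed sample batch, shaped like what a browser would POST.
SAMPLE_BATCH = json.dumps([
    {"type": "network-error", "age": 1200, "url": "https://www.example.com/",
     "body": {"phase": "connection", "type": "tls.cert.authority_invalid",
              "server_ip": "203.0.113.10", "status_code": 0}},
    {"type": "network-error", "age": 900, "url": "https://api.example.com/v1",
     "body": {"phase": "connection", "type": "tls.protocol.error",
              "server_ip": "203.0.113.11", "status_code": 0}},
    {"type": "network-error", "age": 300, "url": "https://www.example.com/",
     "body": {"phase": "application", "type": "http.error",
              "server_ip": "203.0.113.10", "status_code": 503}},
    {"type": "csp-violation", "age": 10, "url": "https://www.example.com/login",
     "body": {"documentURL": "https://www.example.com/login",
              "blockedURL": "https://cdn.third-party.example/x.js",
              "effectiveDirective": "script-src-elem", "disposition": "report"}},
    {"type": "network-error", "age": 5, "url": "https://unrelated.example.org/",
     "body": {"phase": "dns", "type": "dns.unreachable", "status_code": 0}},
])

if __name__ == "__main__":
    for name, value in reporting_headers().items():
        print(f"{name}: {value}")
    print(json.dumps(triage(SAMPLE_BATCH), indent=2))
```

A spike in the pki bucket after a certificate renewal (for example tls.cert.authority_invalid from clients that lack the new intermediate) is exactly the kind of silent breakage the paragraph above warns about, and it shows up here before users start filing tickets.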


[1] There is also the Expect-CT HTTP response header, which was designed to support early opt-in into CT before this technology became de facto required. With Expect-CT reporting, the report includes the full certificate chain that failed CT compliance. Although this feature is very useful, it is most likely that Expect-CT will be deprecated, now that pre-CT public certificates have all expired.
