Spend two days to understand both the theory and practice of SSL/TLS and Internet PKI
Designed by the author of the much acclaimed Bulletproof SSL and TLS, this practical training course will teach you how to deploy secure servers and encrypted web applications and understand both the theory and practice of Internet PKI.
The course is taught in small classes. Also available on-site and as a remote option for in-house teams.
Deploy servers with strong private keys and valid certificates
Deploy TLS configurations with strong encryption and forward secrecy
Understand higher-level attacks against web applications
Use the latest defence technologies, such as HSTS, CSP, and HPKP
Learn about key PKI standards and formats
Understand where practice differs from theory
Analyze the certificate lifecycle in detail
Evaluate PKI weaknesses and how they affect you
Deploy robust protection using public key pinning
Learn about what's coming in the future
Course Outline
On day 1, we'll focus on what you need in your daily work to deliver the best security, availability, and performance, and you will learn how to get an A+ on SSL Labs. On day 2, we will start with the basics and the theory, then discuss how the PKI is implemented in the real world, and finish with a practical example of a realistic private certification authority.
Day 1: The Best TLS Training in the World
Introduction
The need for network encryption
Understanding encrypted communication
The role of public key infrastructure (PKI)
SSL/TLS and Internet PKI threat model
Keys and certificates
RSA and ECDSA: selecting key algorithm and size
Certificate hostnames and lifetime
Practical work:
Private key generation
Certificate Signing Request (CSR) generation
Self-signed certificates
Obtaining valid certificates from Let’s Encrypt
Sidebar: Revocation
Protocols and cipher suites
Protocol security
Key exchange strength
Forward secrecy
Cipher suite configuration
Practical work:
Secure web server configuration
Server testing using SSL Labs
Sidebar: Server Name Indication (SNI)
Sidebar: Performance considerations
HTTPS topics
Man-in-the-middle attacks
Mixed content
Cookie security
CRIME: Information leakage via compression
HTTP Strict Transport Security
Content Security Policy
HTTP Public Key Pinning
Practical work:
Deploying HSTS to enforce robust encryption
Deploying CSP to deal with mixed content
Putting it all together: Getting A+ in SSL Labs
Day 2: Internet PKI in Depth
Introduction
Standards
X.509 certificates
Certificate chains
Name constraints
Trust path building
Validation process
Internet PKI
Certification Authorities
Relying parties
Certificate types (DV, EV, OV)
Certificate lifecycle (validation, issuance, and revocation)
CA/B Forum and its standards
Weaknesses
History of attacks
Revocation
CRL
OCSP
OCSP stapling
CRLsets and OneCRL
Short-lived certificates
Defenses
Certification Authority Authorization (CAA)
Public Key Pinning
Static pinning
HPKP
DNSSEC/DANE
Certificate Transparency
PKI ecosystem monitoring
SSL Pulse
Censys
crt.sh
Project: Building and deploying a realistic private CA
We will also provide you with many additional exercises that you can work on in your own time. You'll be able to ask us for help via email. And if you're already familiar with the basics, we'll challenge you with some of the advanced exercises on the day.
Meet the Trainer
Scott Helme is a security researcher, consultant and international speaker. He can often be found talking about web security and performance online and helping organisations better deploy both. Founder of report-uri.io, a free CSP report collection service, and securityheaders.io, a free security analyser, Scott has a tendency to always be involved in building something new and exciting.
Meet the Author
Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools, and guides published on the SSL Labs web site. He is the author of three books, Apache Security, ModSecurity Handbook, and Bulletproof SSL and TLS, which he publishes via Feisty Duck, his own platform for continuous writing and publishing. Ivan is an active participant in the security community and you'll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. His latest project, Hardenize, is a security posture analysis service that makes security fun again.
London
Venue (November 2019):
Impact Hub King's Cross, 34b York Way, Kings Cross, London, N1 9AB
Manchester
Venue:
The Landing, Blue Tower, 6th Floor, SpaceSpace room, MediaCityUK, Salford Quays, M50 2ST
Level:
Intermediate
Duration:
2 days
Extras:
Lunch and refreshments included
Free Book: Bulletproof SSL and TLS
About a month prior to the course we'll send you a digital copy of Bulletproof SSL and TLS, our comprehensive guide to SSL/TLS and Internet PKI. You'll get the paper copy on the day. We'll also give you a bunch of exercises and a hardcopy of the slides.
What You Need to Know
Target audience
This course is for system administrators, developers, and IT security professionals who want to learn how to protect their systems from eavesdropping and impersonation attacks.
Prerequisites
Basic Linux command line skills: moving about, invoking commands, editing configuration files.
A laptop with an SSH client, which you will only need to connect to your assigned virtual server.
You should be comfortable using a Unix editor.
We'll provide you with your own virtual server and a sample web application to work on throughout the course.
In-house Training
This course is also available as an on-site option. Please contact us for more information.
Remote Training
Remote training takes place over four half-days (3.5 hours a day). The training materials and the program are identical to the classroom training. We will provide you with the digital training materials, a digital copy of Bulletproof SSL and TLS, and your own virtual server on which you will do the exercises. The training will be delivered via the Go To Webinar video conference platform.
In addition to public remote training courses, this option is available for in-house teams. Contact us if you require more information!