I’ve just released the May update of Bulletproof SSL and TLS. This
batch brings 78 pages and three chapters to the book:
- Chapter 8, Deployment, is the map for the entire book and
provides step by step instructions on how to deploy secure and
well-performing TLS servers and web applications.
- Chapter 9, Performance, focuses on the speed of TLS, providing more
detail as well as additional performance improvement techniques for
those who want to squeeze every bit of speed out of their servers.
- Chapter 10, HSTS, CSP, and Pinning, covers some advanced topics
that strengthen web applications, as well as pinning, which is a
way of reducing the large attack surface imposed by our current PKI
In addition, improvements were made to existing chapters:
- Chapter 7, Protocol Attacks, has been completely revised in
response to the excellent technical reviews I received.
- Heartbleed is now fully documented, with the main coverage in
Chapter 6 and detailed testing instructions in Chapter 11.
Overall, book is currently at 420 pages. Previous chapters include:
- Chapter 4, Attacks against PKI, deals with attacks on
trust. It covers all the major CA compromises as well as some other ways to
subvert TLS authentication on the Internet.
- Chapter 5, HTTP and Browser Issues, is all about the
relationship between HTTP and SSL, the problems arising from the organic
growth of the Web, and the messy interactions between different pieces of
the web ecosystem.
- Chapter 6, Implementation Flaws, deals with issues arising
from design and programming mistakes related to random number generation,
certificate validation, and other key TLS and PKI functionality.
Additionally, it discusses voluntary protocol downgrade and truncation
- Chapter 7, Protocol Attacks, is the longest chapter in the
book at 60 pages. It covers all major protocol flaws discovered in recent years: Insecure Renegotiation,
BEAST, CRIME, Lucky 13, RC4, TIME and BREACH, Triple Handshake, and the Bullrun program.
- Chapter 10, OpenSSL Cookbook, describes the most frequently used OpenSSL functionality, largely
focusing on installation, configuration, and key and certificate management. This is the most polished chapter,
given that it had been released as a standalone short book in May
2013, and then updated in
- Chapter 11, Testing with OpenSSL, continues with OpenSSL and explains how to use its command-line tools to test server configuration. Even though it is often much easier to use an automated tool for testing (e.g., the SSL Labs Server Test), OpenSSL remains the de facto standard for troubleshooting.
- Chapter 12, Configuring Apache, discusses the SSL configuration of Apache httpd.
- Chapter 13, Configuring Java and Tomcat, covers the current versions of Java and Tomcat, and gives a glimpse of what’s coming in Java 8. (Java 8 coverage will improve soon after Oracle makes the final release candidate available.)
- Chapter 14, Configuring Microsoft Windows and IIS, discusses the Microsoft Windows platform and the Internet Information Server.
- Chapter 15, Configuring Nginx, discusses the Nginx web server, covering the features in the stable and development version equally.
The book is now almost complete. The remaining chapters, which will be
released in the next batch in June, will provide the necessary
background in cryptography, SSL and TLS protocols, and PKI.
If you already have access to the book, here’s the direct link to access
the new content:
If you don’t have access yet, Bulletproof SSL and TLS is available now
for early access and preorder, at a 20% discount: