I often say that Bulletproof SSL and TLS is a living book, but what does that mean exactly? It's now been one full year since the initial release, so what better time to look back and understand the process? It turns out there is a lot of work in producing a living book that covers a turbulent field such as SSL/TLS and PKI. I've broken down the process into five steps:
Ongoing maintenance; I make small updates all the time as I learn new facts that are of potential interest to my readers. For example: new RFCs being released or updated, or new software releases that add features or change behaviour. As an illustration, a recent JDK update disabled RC4 by default; when it came out, I updated my Java chapter to add a reference to the update.
There are other small changes that fall into this category, for example fixing typos and errors, and rewriting small parts of the text in response to reader questions. The book should be clear enough so that questions are not necessary.
New content; I add larger chunks of text as necessary. This usually happens when there is a significant new discovery, such as a new protocol vulnerability. For example, POODLE and POODLE TLS, FREAK, and Logjam all happened in the year after the first edition, and they’re now all covered in the book.
I don’t write about events immediately after they happen, for two reasons. First, because discoveries usually lead to other discoveries. That’s how collaborative security research works; an army of researchers starts to look at a problem and contributes to the body of knowledge. The second reason is that I prefer to analyse a situation with a clear head and after the dust settles. Immediately after a discovery, things sometimes seem more exciting than they really are.
My process usually begins with a blog post. To write about something clearly requires that you understand it very well; writing a blog post therefore forces me to research the problem in depth. I will then mention the news in the Bulletproof TLS newsletter, my periodic notification service. For urgent matters, an email goes out straight away. Finally, within a month or two, I will have added complete coverage of the discovery to the book.
Quarterly updates; my quarterly updates add structure to the maintenance process. This is where I review the events of the last quarter to make sure that everything that should be covered is covered. Sometimes, new discoveries require not only new content, but book-wide changes. The quarterly update is an opportunity to make the advice in the book consistent.
At the end of each quarter, my copyeditor, Melinda Rankin, goes through the new content and improves the language. Because all changes are made with change-tracking enabled, she knows exactly where the changes are, making it possible to do copyediting incrementally.
Revisions; After a certain time, I will revise the entire book. What this means is that I read every single page and ensure that the text is fresh enough for a fresh printing. This process catches a lot of small things that slipped through, and generally rejuvenates the book. Then we follow with another copyediting phase, and then an additional proofreading cycle.
At the end of a revision, the book is brand new. Because we use print on demand, we release new files to our printer, after which they start to print what is essentially a new edition. We don’t make much noise about this because, even with print on demand, book sellers have a stock that they need to go through. In other words, we don’t know when exactly they will start selling the new version of the book.
We released our first full revision of Bulletproof SSL and TLS this month, which is exactly one year after the first edition came out in August 2014. The updated version has about 30 more pages, and countless small improvements throughout.
Editions; Depending on the amount of new content, at some point we will publish a formal new edition, with a new cover, ISBN number and everything else. With a living book, determining when a proper new edition should be made is tricky. You’re adding content all the time; at what point do you call it a new edition? Having a fresh release date would surely help with sales. On the other hand, we don’t want those who already have the book to buy the new edition if there isn’t enough new content in it.
Given that TLS 1.3 is currently being worked on, the likely outcome for Bulletproof SSL and TLS is that we will publish the second edition after TLS 1.3 is ready and can be used in practice. In the meantime, we’ll just keep updating the first edition.