Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.
Server Name Indication - Wikiwand used to host multiple sites on the same IP
The authentication relied on Certificate Authorities (CA) and a public key infrastructure using X.509 certificates.
The server registers with a CA and, for a fee, has its public key signed with the CA's key. The client, after receiving the public key from the server, verifies it with the CA.
Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today | Heroku
Exploring HTTPS With Python – Real Python
What are SSL/TLS Certificates? Why do we Need them? and How do they Work? - YouTube
Transport Layer Security (TLS) - Computerphile - YouTube
TLS Handshake Explained - Computerphile - YouTube
Transport Layer Security, TLS 1.2 and 1.3 (Explained by Example) - YouTube
The SSL/TLS Handshake: an Overview – SSL Information and FAQ
File:Ssl handshake with two way authentication with certificates.png - Wikimedia Commons
TLS 1.3 » ADMIN Magazine
Wireshark - YouTube TLS/QUIC decryption with Wireshark and SSL key logs
Decrypt SSL with Wireshark - HTTPS Decryption: Step-by-Step Guide
HTTPS Decryption with Wireshark // Website TLS Decryption - YouTube
Decrypting TLS, HTTP/2 and QUIC with Wireshark - YouTube
pan-unit42/wireshark-tutorial-decrypting-HTTPS-traffic
HTTPS: an awesome, secure tale (pt 1) | by Omer Goldberg | Bits and Pieces
ESNI: A Privacy-Protecting Upgrade to HTTPS | Electronic Frontier Foundation
Server Name Indication - Wikiwand multi-tenant on the same IP
Toolkits:
HTTPS Is Easy!
Is TLS Fast Yet?
ImperialViolet - Overclocking SSL HTTPS is fast since 2010
ImperialViolet - Public key pinning
Survival Guide - TLS/SSL and SSL (X.509) Certificates (CA-signed and Self-Signed)
Rolling out Public Key Pinning with HPKP Reporting — Google Web Updates
SSL: it’s hard to do right | The Recompiler
Nick Craver - HTTPS on Stack Overflow: The End of a Long Road
How the NSA (may have) put a backdoor in RSA’s cryptography: A technical primer | Ars Technica
Critics slam SSL authority for minting certificate for impersonating sites | Ars Technica
Web served, part 2: Securing things with SSL/TLS | Ars Technica
BetterCrypto⋅org
Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd
Generate Mozilla Security Recommended Web Server Configuration Files
Deploying HTTPS: The Green Lock and Beyond (Chrome Dev Summit 2015) - YouTube
Mythbusting HTTPS: Squashing security’s urban legends - Google I/O 2016 - YouTube
HSTS
HTTP Strict Transport Security - Wikiwand: always use HTTPS
HSTS Preload List Submission
Mutual TLS/mTLS
A Kubernetes engineer's guide to mTLS
Mutual TLS | The Backend Engineering Show - YouTube
The Cloudflare mTLS vulnerability - A Deep Dive Analysis - YouTube
Revocation
Online Certificate Status Protocol vs Certificate Revocation Lists
Certificate revocation list - Wikiwand CRL
RFC 6960 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
Online Certificate Status Protocol - Wikiwand alternative to CRL, less data, response of status of a particular cert signed by CA
Chrome does certificate revocation better | ZDNET
Chrome doesn't use OCSP
SSL checkers
Best SSL Testing Tools for your Website - Grace Themes
Online Tool to Test SSL, TLS and Latest Vulnerability - Geekflare
/bin/bash based SSL/TLS tester: testssl.sh offline tool
crt.sh | Certificate Search
Qualys SSL Labs
Free SSL Checker Tool - Check SSL Certificate
SSL Certificate Checker - Diagnostic Tool | DigiCert.com
SSL Security Test | Scan Web and Email Server SSL TLS STARTTLS Encryption
SSL Checker
trimstray/htrace.sh: My simple Swiss Army knife for http/https troubleshooting and profiling.
Welcome to pyca/cryptography — Cryptography documentation
sslyze | Kali Linux Tools
nabla-c0d3/sslyze: Fast and powerful SSL/TLS scanning library.
Man-in-the-Middle (MITM)
Monsters in the Middleboxes: Introducing Two New Tools for Detecting HTTPS Interception
mitmproxy - an interactive HTTPS proxy
mitmproxy - Introduction
mitmproxy/mitmproxy: An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
How to Man in the Middle HTTPS Using mitmproxy - Earthly Blog
PolarProxy TLS proxy decrypt up to 10 GB of data or 10 000 TLS sessions per day
Intercept, debug & mock HTTP with HTTP Toolkit
HTTP Toolkit
Fiddler Everywhere | Debugging Proxy for Mac, Linux, Windows forward TLS proxy, paid
Charles Web Debugging Proxy • HTTP Monitor / HTTP Proxy / HTTPS & SSL Proxy / Reverse Proxy forward TLS proxy, paid
HTTPS/TLS Proxy | NetworkAcademy.io
What is a TLS Proxy? Definition & FAQs | Avi Networks
Rebex TLS Proxy (free) - Rebex.NET
Perfect Forward Secrecy (PFS)
SSL Enabling Forward Secrecy | DigiCert.com
Issues
How to Change Certificate Without Downtime - DZone DevOps
CA
As it turns out, CAs may not be trustworthy after all. There are many instances of CAs issuing fraudulent certificates (willingly or after being hacked).
HTTPS Technology Appreciation (https 技术鉴赏) - YouTube
How CT Works : Certificate Transparency the issuance of a cert is accompanied by an SCT record on blockchain
RFC 9162: Certificate Transparency Version 2.0
certificate-transparency/docs/SCTValidation.md at master · google/certificate-transparency · GitHub
Engineering deep dive: Encoding of SCTs in certificates - Let's Encrypt
What is Certificate Transparency? - SSL Certificates - Namecheap.com
How the Comodo certificate fraud calls CA trust into question | Ars Technica
Google warns of unauthorized TLS certificates trusted by almost all OSes [Updated] | Ars Technica
Google Chrome will banish Chinese certificate authority for breach of trust | Ars Technica
Trust issues: Know the limits of SSL certificates | InfoWorld
Free public certificate authorities: Nice idea, big flaw | InfoWorld
http://arstechnica.com/search/?ie=UTF-8&q=+Certificate+Authorities
Heartbleed (2014)
see web-security.md#heartbleed
Renegotiation Gap (2009)
Truth in SOA: Really Understanding the SSL/TLS Vulnerability (Part 1)
Localhost certs
FiloSottile/mkcert: A simple zero-config tool to make locally-trusted development certificates with any names you'd like. add local CA to system
Why and How to Use HTTPS in Your Local Development Environment
Free SSL/TLS Certs
Standards
RFC 2986 - PKCS #10: Certification Request Syntax Specification Version 1.7
RFC 3447 - Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
RFC 5958 - Asymmetric Key Packages
RFC 6101 - The Secure Sockets Layer (SSL) Protocol Version 3.0
RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
RFC 7292 - PKCS #12: Personal Information Exchange Syntax v1.1