

FULLY REVISED IN JUNE 2017. Bulletproof SSL and TLS is a complete guide to using SSL and TLS encryption to deploy secure servers and web applications. Written by Ivan Ristic, the author of the popular SSL Labs web site, this book will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. In this book, you'll find just the right mix of theory, protocol detail, vulnerability and weakness information, and deployment advice to get your job done:
- Comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI, with updates to the digital version
- For IT security professionals, help to understand the risks
- For system administrators, help to deploy systems securely
- For developers, help to design and implement secure web applications
- Practical and concise, with added depth when details are relevant
- Introduction to cryptography and the latest TLS protocol version
- Discussion of weaknesses at every level, covering implementation issues, HTTP and browser problems, and protocol vulnerabilities
- Coverage of the latest attacks, such as BEAST, CRIME, BREACH, Lucky 13, RC4 biases, Triple Handshake Attack, and Heartbleed
- Thorough deployment advice, including advanced technologies, such as Strict Transport Security, Content Security Policy, and pinning
- Guide to using OpenSSL to generate keys and certificates and to create and run a private certification authority
- Guide to using OpenSSL to test servers for vulnerabilities
- Practical advice for secure server configuration using Apache httpd, IIS, Java, Nginx, Microsoft Windows, and Tomcat
This book is available in paperback and a variety of digital formats without DRM. The digital version of Bulletproof SSL and TLS can be obtained directly from the author, at feistyduck.com.
| Best Sellers Rank | #1,341,193 in Books; #296 in Computer Cryptography; #938 in Computer Network Security; #1,866 in Internet & Telecommunications |
| Customer Reviews | 4.8 out of 5 stars (116 reviews) |
A**R
This book is outstanding for sysadmins
Background: Linux Admin. Disclaimer: I skipped the Microsoft IIS hardening chapter.

I read the Amazon reviews of this book before buying it, and I was a bit skeptical. However, my skepticism was wrong; this book should be reference material for any sysadmin or developer. It really is that good. I won't bother with the chapter-by-chapter synopsis. All you need to know is that if you are interested in SSL/TLS, encryption, relevant hardening techniques and testing/verification (mainly via OpenSSL), etc., then this book is for you. The author runs SSL Labs. If you have ever tested your public site for BEAST, POODLE, etc., chances are you have used his site.

Things this book does really well:
- Gives a comprehensive view of encryption, known weaknesses and attacks, and implementation suggestions and tips. I really can't think of a systems or programming book that nails a relatively niche subtopic in IT as well.
- The author does a very good job of giving concrete real-world examples wherever and whenever possible.
- While pretty technical, the language used in the book is pretty conversational. There is very little "hard math" if that's a concern.
- The author is clearly an expert in SSL/TLS encryption. It is rare to read an introduction to normally rehashed material and say to yourself, "Wait, it's THAT guy?"
- Brings up Linux, OSX and Windows-specific notes. Conceptually the book is platform agnostic though. It is a nice mix between theoretical and practical.

Things that this book falls short on (keep in mind, these are very minor... not enough even to dock it a star):
- The content is a bit stale. The original was published in 2014 and the first revision in 2015. Now that it is 2017, updated notes on the topics listed above would be nice, especially regarding suggested cipher suites, etc. However, I know this is very hard in technical print media.
- The amount of footnotes is staggering. The footnotes are practically all URL-shortened links to reference material. That's far from a bad thing normally; however, they probably average out to 1-2 a page. It is not feasible to read them all.

This is seriously a great book on SSL/TLS encryption. It should be required for any graduating CS/S college types, any professional sysadmin regardless of their OS, anyone in the IT/IS security world, and any developer that plans on releasing code that will ever touch a network. Encryption isn't going away. It is in everyone's interest listed above to get familiar with the details of TLS unless they want to end up with a compromised app or website.
0**0
A fascinating and very useful/practical book; Truly awesome!
This book is an awesome resource for understanding the theory and practical use of SSL/TLS! Topics include: the SSL/TLS protocol itself (concepts, messages over the wire, encryption methods), certificates (manual creation, acquiring from Certificate Authorities, extracting information), and configuring various web servers (Apache, Nginx, IIS), applications (OpenSSL command-line app), etc. Different web hosting scenarios, like shared hosting, virtual private server, and dedicated hosting, are discussed with respect to certificates and SSL/TLS connection establishment. Also, one extremely nice aspect of this book is the very deep and comprehensive descriptions of all the major exploited flaws in the history of the protocol -- including, importantly, exploits which are likely to plague implementations which are still in the wild. Given that the whole purpose of SSL/TLS is secure communication, it is crucial to understand all of its implementation flaws over its history (SSL 1/2/3, TLS 1.0, 1.1, 1.2, 1.3 (draft)). Reading the detailed accounts in the book of the exploits makes it clear how careful one must be with particular aspects of the protocol (e.g., initial handshake, encryption negotiation, ongoing sequence of packets). The fiascos resulting from poor initialization vector choices, negotiation to weak encryption algorithms, block-based encryption mistakes (chaining, padding issues), and hilariously cool information leaks (from compression, encryption output bit value biases, and timing attacks), provide dramatic and convincing proof that not using TLS 1.2 today (and soon TLS 1.3 (incomplete draft in January 2018)) would be foolish. Just look at the table of web-browser vulnerabilities in the Wikipedia article for SSL/TLS! The book's description of some vulnerabilities does not shy away from mentioning some scandalous dynamics (e.g., government payments, corrupt certificate authorities, etc.) which affected, and likely continue to affect, the evolution of SSL/TLS.

The details in the book can help gain a clear understanding of the past and potential weaknesses of TLS. The final page of the book rhetorically asks if TLS is actually secure, or if it is "irreparably broken and doomed", and argues persuasively that TLS is a success, but notes that careful attention is required in our "harsh reality of widespread mass surveillance". This excellent book covers seemingly everything about SSL/TLS for theory and actual practice (applications, configurations, command-line tools, certificate ecosystem). [Aside: If you are a software developer with proficiency in "C", and an interest in actual implementation of aspects of SSL/TLS with corresponding theory and discussion, then I recommend the excellent book "Implementing SSL/TLS" by Joshua Davies (which I also purchased from Amazon). That book, and the "Bulletproof SSL and TLS" book reviewed here, are perfect complements to each other.]
A**Y
Still need to read this
Nice book to have.
C**S
Great explanations, very thorough
This is one of the best and most comprehensive tomes on SSL/TLS out there. It explains things to people like me, who don't have a PhD in mathematics or encryption. I'm trying to better understand the why's and how's of the security devices that I configure and build and this book gave me a better foundation than any website or instruction manual I've found thus far.
D**N
Great way to learn security
I am a network engineer who recently started learning the security implementation side of the network. I had no previous knowledge regarding security, and this book is a great way to start learning it. I used this book in conjunction with Understanding Cryptography by Christof Paar. I read the first several chapters in this book (it gives you a great overview of most of the security primitives), then I read through the Understanding Cryptography book, then I jumped back to this book and read the rest of the chapters. I feel much more confident regarding my understanding of internet security/cryptography implementation now after reading these two books.
S**D
Good book on security
I was hoping that the book included tutorial about usage of the OpenSSL API itself (C-language), but it does not. (Such a thing does not appear to exist.) But it has excellent information in it and taught me a great deal. Plus, buying the book gets you on the author's newsletter (and its archives), which I find especially useful since I don't have time to monitor security blogs like a hawk.
K**S
Fantastic book with up-to-date information
This book is extremely good. One of the most relevant and up-to-date books on the subject. This book has something to offer for everyone. It goes into the matters of how SSL and TLS work, and how to properly configure it on modern web servers. The companion ebook is also very useful. The ebook was updated in a matter of days as new relevant information became available.
B**N
Helped me better understand the various implementations and how to score the ...
Very readable technical breakdown of the history and issues around SSL and TLS. Helped me better understand the various implementations and how to score the risks when assessing systems. The text and footnotes have led me to answers for all of the questions I've had so far. Highly recommended.
S**E
Excellent, complete, up-to-date
By far, the best book I've ever read about SSL and TLS. The book is well written, comprehensive and more importantly, it's up-to-date with the various recent protocols and vulnerabilities. It's also possible to get a companion PDF for free from the official website if you show a proof of order of the paperback copy.
A**E
Great book.
A book thoroughly recommended for those who want to understand in depth how the world of digital certificates works. Easy to read and extremely well founded, making use of an endless number of references. A great purchase.
M**R
From an author who probably knows SSL/TLS the best in this world
Puts you on the fast track to mastering SSL/TLS.
I**R
Excellent in-depth view of the topic
Excellent in-depth view of the topic, and it comes with access to a regularly updated copy in ebook format. The author clearly knows his subject and addresses all aspects of SSL/TLS, from its history and origins to the latest attacks and secure implementation recommendations. Very highly recommended for anyone working with SSL/TLS or with OpenSSL in general. I would have preferred a hardback copy, as the covers tend to warp a lot, but it's the content that makes this a great read.
U**A
Contains very practical examples
Note: this is not a comprehensive review; it is based essentially on the book's usefulness for one specific task. I was recently given the task of getting up to speed as quickly as possible on communication between applications and web servers secured with X509 certificates, and of developing concrete implementations for it. My prior knowledge of the topic was effectively zero. The server side was to be secured via a three-level hierarchy (server certificate -> subordinate CA -> root CA), the client side via server CA -> client certificate. I was able to get a handle on the use of client certificates relatively quickly with the help of the Apache tools and the older OpenSSL book from O'Reilly. On the subject of multi-level CAs, however, I felt I was treading water despite a corresponding section in the O'Reilly book. Nor could I quickly find anything on the Internet or in other books on running secure web servers that helped me directly. Only the information in Chapter 11, building on Chapter 8, gave me the feeling of having firm ground under my feet. I was able to put the example for creating a two-level CA hierarchy into operation for my purposes straight away. Indispensable here was the description of every detail, thorough enough even for a beginner in this area like me, so that every step can be followed. In my situation, with the (partial) knowledge I have gained in the meantime, this book has proven to be worth five stars. I will also use it as my primary source for further study of the fundamentals.