The Definitive Guide to HTTPS: Deploying SSL/TLS and PKI on Servers and Web Applications (English edition)
Bulletproof SSL and TLS
by Ivan Ristic
Copyright © 2014 Feisty Duck Limited. All rights reserved.
Published in August 2014.
ISBN: 978-1-907117-04-6
Feisty Duck Limited
www.feistyduck.com
contact@feistyduck.com
Address:
6 Acantha Court
Montpelier Road
London W5 2QP
United Kingdom
Production editor: Jelena Giric-Ristic
Copyeditor: Melinda Rankin
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of the publisher.
The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
Feisty Duck Digital
Book Distribution
www.feistyduck.com
Licensed for the exclusive use of:
Richard Fussenegger
Table of Contents
Preface
Scope and Audience
Contents
SSL versus TLS
Online Resources
Feedback
About the Author
Acknowledgments
1. SSL, TLS, and Cryptography
Transport Layer Security
Networking Layers
Protocol History
Cryptography
Building Blocks
Protocols
Attacking Cryptography
Measuring Strength
Man-in-the-Middle Attack
2. Protocol
Record Protocol
Handshake Protocol
Full Handshake
Client Authentication
Session Resumption
Key Exchange
RSA Key Exchange
Diffie-Hellman Key Exchange
Elliptic Curve Diffie-Hellman Key Exchange
Authentication
Encryption
Stream Encryption
Block Encryption
Authenticated Encryption
Renegotiate
Application Data Protocol
Alert Protocol
Connection Closure
Cryptographic Operations
Pseudorandom Function
Master Secret
Cipher Suite
Extensions
Application Layer Protocol Negotiation
Certificate Transparency
Elliptic Curve Capabilities
Heartbeat
Next Protocol Negotiation
Secure Renegotiation
Server Name Indication
Tickets
Signature Algorithms
OCSP Stapling
Protocol Limitations
Differences between Protocol Versions
TLS 1.0
TLS 1.1
TLS 1.2
3. Public-Key Infrastructure
Internet PKI
Standards
Certificate
Certificate Fields
Certificate Extensions
Certificate Chains
Relying Parties
Certification Authorities
Certificate Lifecycle
Revocation
Weaknesses
Root Key Compromise
Ecosystem Measurements
Improvements
4. Attacks against PKI
VeriSign Microsoft Code-Signing Certificate
Thawte login.live.com
StartCom Breach (2008)
CertStar (Comodo) Mozilla Certificate
RapidSSL Rogue CA Certificate
Chosen-Prefix Collision Attack
Construction of Colliding Certificates
Predicting the Prefix
What Happened Next
Comodo Resellers Breaches
StartCom Breach (2011)
DigiNotar
Public Discovery
Fall of a Certification Authority
Man-in-the-Middle Attacks
ComodoHacker Claims Responsibility
DigiCert Sdn. Bhd.
Flame
Flame against Windows Update
Flame against Windows Terminal Services
Flame against MD5
TURKTRUST
5. HTTP and Browser Issues
Sidejacking
Cookie Stealing
Cookie Manipulation
Understanding HTTP Cookies
Cookie Manipulation Attacks
Impact
Mitigation
SSL Stripping
MITM Certificates
Certificate Warnings
Why So Many Invalid Certificates?
Effectiveness of Certificate Warnings
Click-Through Warnings versus Exceptions
Mitigation
Security Indicators
Mixed Content
Root Causes
Impact
Browser Treatment
Prevalence of Mixed Content
Mitigation
Extended Validation Certificates
Certificate Revocation
Inadequate Client-Side Support
Key Issues with Revocation-Checking Standards
Certificate Revocation Lists
Online Certificate Status Protocol
6. Implementation Issues
Certificate Validation Flaws
Library and Platform Validation Failures
Application Validation Failures
Hostname Validation Issues
Random Number Generation
Netscape Navigator (1994)
Debian (2006)
Insufficient Entropy on Embedded Devices
Heartbleed
Impact
Mitigation
Protocol Downgrade Attacks
Rollback Protection in SSL 3
Interoperability Problems
Voluntary Protocol Downgrade
Rollback Protection in TLS 1.0 and Better
Attacking Voluntary Protocol Downgrade
Modern Rollback Defenses
Truncation Attacks
Truncation Attack History
Cookie Cutting
Deployment Weaknesses
Virtual Host Confusion
TLS Session Cache Sharing
7. Protocol Attacks
Insecure Renegotiation
Why Was Renegotiation Insecure?
Triggering the Weakness
Attacks against HTTP
Attacks against Other Protocols
Insecure Renegotiation Issues Introduced by Architecture
Impact
Mitigation
Discovery and Remediation Timeline
BEAST
How the Attack Works
Client-Side Mitigation
Server-Side Mitigation
History
Impact
Compression Side Channel Attacks
How the Compression Oracle Works
History of Attacks
CRIME
Mitigation of Attacks against TLS and SPDY
Mitigation of Attacks against HTTP Compression
Padding Oracle Attacks
What Is a Padding Oracle?
Attacks against TLS
Impact
Mitigation
RC4 Weaknesses
Key Scheduling Weaknesses
Early Single-Byte Biases
Biases across the First 256 Bytes
Double-Byte Biases
Mitigation: RC4 versus BEAST and Lucky 13
Triple Handshake Attack
The Attack
Impact
Prerequisites
Dual Elliptic Curve Deterministic Random Bit Generator
8. Deployment
Key
Key Algorithm
Key Size
Key Management
Certificate
Certificate Type
Certificate Hostnames
Certificate Sharing
Signature Algorithm
Certificate Chain
Revocation
Choosing the Right Certificate Authority
Protocol Configuration
Cipher Suite Configuration
Server Cipher Suite Preference
Cipher Strength
Forward Secrecy
Performance
Interoperability
Server Configuration and Architecture
Shared Environments
Virtual Secure Hosting
Session Caching
Complex Architectures
Issue Mitigation
Renegotiation
BEAST (HTTP)
CRIME (HTTP)
Lucky 13
RC4
TIME and BREACH (HTTP)
Triple Handshake Attack
Heartbleed
Pinning
HTTP
Making Full Use of Encryption
Cookie Security
Backend Certificate and Hostname Validation
HTTP Strict Transport Security
Content Security Policy
Protocol Downgrade Protection
9. Performance Optimization
Latency and Connection Management
TCP Optimization
Connection Persistence
SPDY, HTTP 2.0, and Beyond
Content Delivery Networks
TLS Protocol Optimization
Key Exchange
Certificates
Revocation Checking
Session Resumption
Transport Overhead
Symmetric Encryption
TLS Record Buffering Latency
Interoperability
Hardware Acceleration
Denial of Service Attacks
Key Exchange and Encryption CPU Costs
Client-Initiated Renegotiation
Optimized TLS Denial of Service Attacks
10. HSTS, CSP, and Pinning
HTTP Strict Transport Security
Configuring HSTS
Ensuring Hostname Coverage
Cookie Security
Attack Vectors
Robust Deployment Checklist
Browser Support
Privacy Implications