Here is a list of good writeups, by a couple awesome security experts, Troy Hunt & Scott Helme, about https, SSL, HSTS, encryption, DV, EV, OV, and anything related to that matter.
Life is about to get a whole lot harder for websites without HTTPS – Troy Hunt
It’s taken us a while, but finally we’re getting to a “secure by default” web!
What Every Developer Must Know about HTTPS – Troy Hunt
So that’s what I’ve created and I’m enormously happy to now see it up live on Pluralsight. If you’ve not tried them before, you can get into it for less than $1 a day and gain immediate access to thousands of courses, including some very good content on HTTPS
I wanna go fast: HTTPS’ massive speed advantage – Troy Hunt
This is all simply a test of “what’s the fastest we can go over HTTP versus what’s the fastest we can go over HTTPS”. I don’t want fair, I want fast. If you wanna go fast, serve content over HTTPS using HTTP/2.
A Journey to Get an EV – Troy Hunt
It’s a 14-page long journey Troy took to get a green EV for Have I been Pwned. Does it worth the effort?
This whole EV cert thing is hard to measure in terms of value; I have no idea how many more people will put their email address into HIBP or how much more media or good will or donations it will get. No idea at all.
But what I do know is that it adds transparency and legitimacy to a realm that as I mentioned earlier, tends to be inhabited by a lot of shady characters and that’s gotta count for something.
On the Value of EV Certs, Commercial CAs, Phishing and Let’s Encrypt – Troy Hunt
The bottom line is that as of today, the effectiveness of EV certs is entirely dependent on people recognising what they mean and actually adapting their behaviour accordingly. It’s hard to argue with that.
Are EV certificates worth the paper they’re written on? – Scott Helme
I’m not opposed to the idea or the value of EV certificates but right now they just seem like a nice revenue stream for CAs. The technical and user issues outlined above need to be addressed before EV can have real value. The amount of information and mis-information surrounding them really doesn’t help and there’s also some pretty wild claims from CAs about what EV can do.
Debunking the fallacy that paid certificates are better than free ones – Scott Helme
When you look at a certificate the only thing we really care about is whether or not the browser is going to accept it, we care if the certificate is valid. To be valid there are various technical criteria outlined above regarding it’s format, the fields it contains and the data inside them that must be met. There’s also criteria around how it was issued that the CA must adhere to and all of this plays a part in the ultimate determination made by the browser about the certificate itself. Whether or not anyone handed over some hard-earned cash to purchase the certificate simply does not matter one bit. The browser doesn’t even have knowledge of whether that happened and there’d be no way and no need for it to do so. There’s absolutely no difference between a free certificate and one that you had to shell out some cash for.
Do SSL warranties protect you? – Scott Helme
All in all, the idea of a warranty on a certificate just seems like some marketing fluff for the CA to add to their sales page. The chances of this being useful are close to non-existent and there doesn’t appear to be a viable way for a consumer to prove the certificate was the cause anyway.
Certificate Transparency, an introduction – Scott Helme
Certificate Transparency is an open framework for monitoring and auditing the certificates issued by Certificate Authorities in near real-time. By requiring a CA to log all certificates they generate, site owners can quickly identify mis-issued certificates and it becomes much easier to detect a rogue CA.
HSTS – The missing link in Transport Layer Security – Scott Helme
HSTS allows for a more effective implementation of TLS by ensuring all communication takes place over a secure transport layer on the client side. Most notably HSTS mitigates variants of man in the middle (MiTM) attacks where TLS can be stripped out of communications with a server, leaving a user vulnerable to further risk.
Understanding HTTP Strict Transport Security and preloading it into the browser – Troy Hunt
As HTTPS becomes more ubiquitous across the web, this feature should really start to gain traction and hopefully initiatives like Let’s Encrypt will help expedite that (note also that this is now being reported as “Arriving September 2015”). It’s good times for those wanting to further protect their web assets and not so good for those wanting to intercept other people’s traffic.
The 6-Step “Happy Path” to HTTPS – Troy Hunt
- Get a free cert
- Add a 301 “Permanent Redirect”
- Add HSTS
- Change Insecure Scheme References
- Add the upgrade-insecure-recquests CSP
- Monitor CSP reports
5 ways to implement HTTPS in an insufficient manner – Troy Hunt
it doesn’t matter how many pages you’re loading securely or how many padlock icons or vendor certifications you drop on the site, once you start sending auth cookies around insecurely, you’re toast. It’s completely pointless to secure those personal details in transit but then let the auth cookie which can load them back up float around in the clear. That is a very insufficient use of HTTPS indeed.
5 ways to tackle an insufficient HTTPS implementation – Troy Hunt
The simpe way of doing this is for HTTPS everywhere
SSL is not about encryption – Troy Hunt
It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process.
Cheat Sheets – Scott Helme
Here is why your static website needs HTTPS – Troy Hunt
So that’s precisely what I’ve done – intercepted my own traffic passed over an insecure connection and put together a string of demos in a 24-minute video explaining why HTTPS is necessary on a static website. Here’s the video and there’s references and code samples for all the demos used immediately after that:
Some other useful resources
Have you been pwned – Troy Hunt
Report Uri – Scott Helme
Security Headers – Scott Helme – check your headers for things like HSTS and HPKP
The infamous SSL Labs – to check your config