SSL Security
Updated on 2018-09-12
Creating SSL Certificates
https://letsencrypt.org/
https://www.instantssl.com/ssl-certificate-products/free-email-certificate.html
SSL Security Scanner
DigiCert® SSL Installation Diagnostics Tool (https://www.digicert.com/help/)
Qualys - SSL Server Test (https://www.ssllabs.com/ssltest/)
SSLScan
IISCrypto (https://www.nartac.com/Products/IISCrypto)
Common SSL Vulnerabilities
Heartbleed (CVE-2014-0160): an out-of-bounds read in OpenSSL's TLS heartbeat extension that returns up to 64 KB of process memory per request, enough to leak private keys, session cookies and credentials. Fix: patch OpenSSL (1.0.1g or later), then reissue certificates and rotate credentials, since the key may already have been read.
HTTPS Level Up!
⚠️ HTTPS alone does not survive SSLStrip: an attacker on the path answers the victim's first plain-HTTP request and rewrites every https:// link and redirect to http://, so the SSL connection is never made on the victim's side.
✔️ HTTP Strict Transport Security (HSTS): the Strict-Transport-Security response header tells the browser to reach this host only over HTTPS for max-age seconds (optionally including subdomains), to upgrade http:// URLs itself and to refuse click-through on certificate errors. It is trust-on-first-use: the policy only exists after one clean HTTPS visit, unless the domain is on the browser preload list.
https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
Abuse HSTS protection: tracking browser history (HSTS super cookie / history sniffing)
- HTML5 canvas fingerprinting (listed here as a complementary tracking technique; it does not depend on HSTS)
- Embed non-existent images from many HSTS-protected domains over HTTP: the browser upgrades only the requests for domains whose HSTS entry it has cached, i.e. sites the user has visited, and the timing of the resulting error reveals whether the upgrade happened internally or the request went out to the network. The same mechanism, run against subdomains the tracker controls, stores a per-user bit pattern in the HSTS cache (super cookie).
Test your browser with browserleaks.com and Sniffly.
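The header check a practitioner wants before relying on HSTS, as an added example (not code from this page or from the linked guides): it parses a Strict-Transport-Security header, flags the settings that leave an SSLStrip window open, and answers whether the policy can protect the first visit. The thresholds follow RFC 6797 and the hstspreload.org submission requirements; the sample headers are constructed.

```python
"""Parse and assess a Strict-Transport-Security header (added example).

Thresholds follow RFC 6797 and the hstspreload.org requirements; the
sample headers at the bottom are constructed, not taken from a real site.
"""
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age for the preload list


def parse_hsts(header: str) -> dict:
    """Return the directives of an HSTS header as a dict.

    max-age is an int (None if absent), the flag directives are booleans,
    unknown directives are collected so the caller can decide about them.
    """
    policy = {"max_age": None, "include_subdomains": False,
              "preload": False, "unknown": []}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        else:
            policy["unknown"].append(name)
    return policy


def assess_hsts(header: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the policy is sound."""
    if header is None:
        return ["no HSTS header: an SSLStrip-style downgrade to HTTP is not blocked"]
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"unparseable header ({exc}): browsers ignore it"]
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing: header is invalid and ignored")
        return findings
    if policy["max_age"] == 0:
        findings.append("max-age=0: this clears the cached policy, no protection")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age={policy['max_age']} is short; use at least {ONE_YEAR}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be served over HTTP")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR
                              or not policy["include_subdomains"]):
        findings.append("preload set but the domain would be rejected by the preload list")
    return findings


def protects_first_visit(header: Optional[str]) -> bool:
    """HSTS is trust-on-first-use: only a preload-eligible policy closes that gap.

    Eligible means the header meets the preload-list requirements; the domain
    still has to be submitted and shipped inside the browser to be protected.
    """
    return (header is not None and assess_hsts(header) == []
            and parse_hsts(header)["preload"])


# Constructed sample headers.
WEAK_HEADER = "max-age=300"
STRONG_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for name, header in [("none", None), ("weak", WEAK_HEADER), ("strong", STRONG_HEADER)]:
        print(name, assess_hsts(header) or ["OK"],
              "first visit protected:", protects_first_visit(header))
```

Run it against a header captured with `curl -sI https://host` to see which of the findings apply; a site that passes `assess_hsts` but not `protects_first_visit` is still exposed on a user's very first HTTP request.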
✔️ HTTP Public Key Pinning (HPKP), aka cert pinning: the Public-Key-Pins header carries base64 SHA-256 hashes of the SubjectPublicKeyInfo of keys the site will present, plus a mandatory backup pin; the browser then rejects any chain for that host containing none of the pinned keys, so a mis-issued but otherwise valid certificate is refused. Caveat: a lost key or a wrong pin set locks users out for max-age, and major browsers have since removed HPKP support; pinning survives mainly in mobile and native clients.
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
Abuse cert pinning: super cookie (serve each visitor a unique pin set and read it back later, e.g. through the pin-validation failure report sent to report-uri)
Abuse cert pinning: certificate cloning (copy a real certificate's subject, issuer, validity and extensions onto an attacker-controlled key, e.g. with Apostille, for MITM or phishing; a client that pins the SPKI still rejects it, because the key hash differs)
Reference:
https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
Stealing Certificates with Apostille
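How a pin is computed and checked, as an added example (not code from this page, from OWASP or from Apostille): the pin-sha256 format is base64(SHA-256(DER SubjectPublicKeyInfo)) as defined in RFC 7469, which is also what mobile pinning uses. Only Ed25519 SPKI framing is handled so that no ASN.1 library is needed, and the keys are constructed byte strings standing in for real public keys. The last check shows why a cloned certificate fails: the subject is the same, the SPKI is not.

```python
"""Compute and validate HPKP-style SPKI pins (added example).

Pin format per RFC 7469: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
Only Ed25519 SPKI framing is built here; the keys are constructed patterns.
"""
import base64
import hashlib
from typing import List, Optional

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 } BIT STRING (0 unused bits) ... }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_from_ed25519_raw(raw_key: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(spkis: List[bytes], max_age: int,
                      include_subdomains: bool = False,
                      report_uri: Optional[str] = None) -> str:
    """Build a Public-Key-Pins header.

    RFC 7469 requires a backup pin: at least two pins, one of them for a key
    that is not in the served chain, so a lost key does not brick the site.
    """
    if len(spkis) < 2:
        raise ValueError("need a backup pin: a single pin locks users out on key loss")
    parts = [f'pin-sha256="{pin_sha256(s)}"' for s in spkis]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def parse_pins(header: str) -> List[str]:
    """Extract the pin-sha256 values from a Public-Key-Pins header."""
    pins = []
    for directive in header.split(";"):
        # partition on the first '=' only: base64 padding keeps its '=' signs
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "pin-sha256":
            pins.append(value.strip().strip('"'))
    return pins


def chain_matches_pins(chain_spkis: List[bytes], header: str) -> bool:
    """Pin validation as a browser or app does it: at least one key in the
    served chain must hash to a pinned value. A cloned certificate with the
    same subject but a new key fails here because its SPKI differs."""
    pins = set(parse_pins(header))
    return any(pin_sha256(spki) in pins for spki in chain_spkis)


# Constructed keys: deterministic byte patterns, not real public keys.
LEAF_SPKI = spki_from_ed25519_raw(bytes(range(32)))
BACKUP_SPKI = spki_from_ed25519_raw(bytes(range(32, 64)))
ROGUE_SPKI = spki_from_ed25519_raw(bytes([0xAA]) * 32)  # key behind a cloned cert
PIN_HEADER = build_hpkp_header([LEAF_SPKI, BACKUP_SPKI], max_age=5184000,
                               include_subdomains=True)

if __name__ == "__main__":
    print(PIN_HEADER)
    print("served leaf key:", chain_matches_pins([LEAF_SPKI], PIN_HEADER))
    print("cloned cert, attacker key:", chain_matches_pins([ROGUE_SPKI], PIN_HEADER))
```

For a real certificate the SPKI bytes come from `openssl x509 -pubkey -noout -in cert.pem | openssl pkey -pubin -outform der`, and `pin_sha256` over that output gives the value to put in the header or in a mobile app's pin set.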
SSL Hardening Guides
Acunetix, Recommendations for TLS/SSL Cipher Hardening
https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
How to disable SSLv3
http://disablessl3.com/
SSL Labs - SSL and TLS Deployment Best Practices
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices