Bulletproof SSL and TLS
Author: Ivan Ristic
Pages: 530
Publisher: Feisty Duck
ISBN: 1907117040
Introduction
Deploying SSL or TLS in a secure way is a great challenge for system administrators. This book aims to simplify that challenge by offering extensive knowledge and good advice – all in one place.
About the author
Ivan Ristic is a security researcher, engineer, and author, working as the Director of Engineering at Qualys. He is known for his contributions to the web application firewall field and the development of ModSecurity, and for his SSL/TLS and PKI research, tools and guides published on SSL Labs.
Inside the book
The main difficulty with writing a book that encompasses everything you need to know about implementing and correctly configuring the SSL or TLS cryptographic protocols for secure communication over the Internet is that things change so quickly. The author himself acknowledged that in the two years he spent writing this book, he constantly had to go back and rewrite chapters he already considered finished.
Nevertheless, this book aims to be the definitive guide to correctly deploying TLS on your servers, so that interested parties are not forced to sift through the (often outdated) information that can be found on the Internet. I believe it’s best to buy it in Kindle format, as the author means to keep updating it as long as there is interest, and these updates will be made available often.
The book is roughly divided into four parts. The first three chapters provide information about the two secure protocols, a short introduction to cryptography and a longer one to the Internet Public Key Infrastructure (PKI). The next four chapters address historical attacks against PKI and the protocols, protocol implementation issues, and problems that arise from the interaction of the various parts of the ever-growing web ecosystem.
The third part encompasses three chapters that address the secure deployment of TLS, including performance optimization and various techniques for strengthening the security of web applications. The final part addresses OpenSSL installation and configuration, and the configuration of TLS on the Apache web server, Java and Tomcat, the Nginx web server, the Microsoft Windows platform, and Internet Information Server.
The author intentionally didn’t provide configuration examples for products other than web servers, as those markets are much more diverse and it would be extremely difficult (read: time consuming) to keep up with all the changes.
Final thoughts
I very much enjoyed the author’s clear and concise writing, and especially the fact that he doesn’t get mired in unnecessary explanations – he knows the audience he’s writing for. He has also researched the subject more extensively than probably anyone – you can read up on his work over the years on his blog – and has become a de facto expert whose knowledge and insights are greatly valued.
This book will primarily be of great help to system administrators and managers, but the author also addresses issues that can compromise the security of web applications, and this information will come in handy for developers.