├── README.md └── tlssec.bib /README.md: -------------------------------------------------------------------------------- 1 | # awesome-tls-security 2 | A collection of (not-so, yet) awesome resources related to TLS, PKI and related stuff. 3 | 4 | There is a bib version also (tlssec.bib) 5 | 6 | # Table of Contents 7 | 8 | [You should read this an skip the rest of the list](https://www.feistyduck.com/books/bulletproof-ssl-and-tls/reviewerKit.html) 9 | 10 | ## Trends 11 | 12 | [Looking Back, Moving Forward (2017)](https://casecurity.org/2017/01/13/2017-looking-back-moving-forward/) 13 | 14 | ## Pervasive Monitoring 15 | [Pervasive Monitoring is an Attack. RFC 7258](https://tools.ietf.org/html/rfc7258) 16 | 17 | [Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement. RFC 7624 (2015)](https://tools.ietf.org/html/rfc7624) 18 | 19 | 20 | ## Certificates / PKIX 21 | 22 | [Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280](https://doi.org/10.17487/rfc5280) 23 | 24 | [Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). RFC 6125](https://doi.org/10.17487/rfc6125) 25 | 26 | [tls - How does OCSP stapling work? - Information Security Stack Exchange. (2013)](https://security.stackexchange.com/questions/29686/how-does-ocsp-stapling-work) 27 | 28 | ## Attacks on TLS 29 | 30 | ### Overview 31 | 32 | [SSL/TLS Vulnerabilities](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/) 33 | 34 | [ATTACKS ON SSL A COMPREHENSIVE STUDY OF BEAST, CRIME, TIME, BREACH, LUCK Y 13 & RC4 BIASES](https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf) 35 | 36 | 37 | ### Recent Attacks 38 | 39 | #### TLS/SSL 40 | 41 | [On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN (SWEET32, 2016)](https://sweet32.info/SWEET32_CCS16.pdf) 42 | 43 | [Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS). RFC 7457 (2015)](https://doi.org/10.17487/rfc7457 ) 44 | 45 | [DROWN: Breaking TLS Using SSLv2 (DROWN, 2016)](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/aviram) 46 | 47 | [Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing (2015)](http://www.irongeek.com/i.php?page=security/out-of-character-use-of-punycode-and-homoglyph-attacks-to-obfuscate-urls-for-phishing) 48 | 49 | [All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS (RC4NOMORE, 2015)](https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/vanhoef) 50 | 51 | [Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (LOGJAM, 2015)](https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf) 52 | 53 | [A messy state of the union: Taming the composite state machines of TLS (2015)](http://www.ieee-security.org/TC/SP2015/papers-archived/6949a535.pdf) 54 | 55 | [Bar Mitzvah Attack: Breaking SSL with a 13-year old RC4 Weakness (2015)](https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf) 56 | 57 | [This POODLE bites: exploiting the SSL 3.0 fallback (POODLE, 2014)](https://www.openssl.org/~bodo/ssl-poodle.pdf) 58 | 59 | [Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (Lucky13, 2013](http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) 60 | 61 | [SSL, gone in 30 seconds. Breach attack (BREACH,2013)](http://news.asis.io/sites/default/files/US-13-Prado-SSL-Gone-in-30-seconds-A-BREACH-beyond-CRIME-Slides_0.pdf) 62 | 63 | [On the Security of RC4 in TLS (2013)](https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan) 64 | 65 | [The CRIME Attack (CRIME, 2012)](https://www.ekoparty.org/archive/2012/CRIME_ekoparty2012.pdf) 66 | 67 | [Here come the ⊕ Ninjas (BEAST, 2011)](http://nerdoholic.org/uploads/dergln/beast_part2/ssl_jun21.pdf) 68 | 69 | ### Software Vulnerabilities 70 | 71 | 72 | [Java’s SSLSocket: How Bad APIs compromise security (2015)](https://deepsec.net/docs/Slides/2014/Java's_SSLSocket_-_How_Bad_APIs_Compromise_Security_-_Georg_Lukas.pdf) 73 | 74 | [A Survey on {HTTPS} Implementation by Android Apps: Issues and Countermeasures](https://www.researchgate.net/publication/309895574_A_Survey_on_HTTPS_Implementation_by_Android_Apps_Issues_and_Countermeasures) 75 | 76 | 77 | ## PKIX 78 | 79 | [Analysis of the HTTPS Certificate Ecosystem (2013)](http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf) 80 | 81 | ### Incidents 82 | 83 | [A complete study of P.K.I. (PKI’s Known Incidents) (2019)](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3425554) 84 | 85 | [Secure» in Chrome Browser Does Not Mean «Safe» (2017)](https://www.wordfence.com/blog/2017/03/chrome-secure/ ) 86 | 87 | [Overview of Symantec CA Issues (2014 (aprox) -2017)](https://wiki.mozilla.org/CA:Symantec_Issues) 88 | 89 | [Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates (Symantec, 2017)](https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs) 90 | 91 | [Incidents involving the CA WoSign (WoSign, 2016)](https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I%5B1-25%5D) 92 | 93 | [Sustaining Digital Certificate Security (Symantec, 2015)](https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html) 94 | 95 | [Improved Digital Certificate Security (Symantec, 2015)](https://security.googleblog.com/2015/09/improved-digital-certificate-security.html) 96 | 97 | [TURKTRUST Unauthorized CA Certificates. (2013)](https://www.entrust.com/turktrust-unauthorized-ca-certificates/) 98 | 99 | [Flame malware collision attack explained (FLAME, 2012)](https://blogs.technet.microsoft.com/srd/2012/06/06/flame-malware-collision-attack-explained/ 100 | ) 101 | 102 | [An update on attempted man-in-the-middle attacks (DIGINOTAR, 2011)](https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html) 103 | 104 | [Detecting Certificate Authority compromises and web browser collusion (COMODO, 2011)](https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion) 105 | 106 | ## SSL Interception 107 | 108 | ### Remarkable works 109 | 110 | [Certified lies: Detecting and defeating government interception attacks against ssl (2011)](http://files.cloudprivacy.net/ssl-mitm.pdf) 111 | 112 | 113 | [How the NSA, and your boss, can intercept and break SSL (2013)](http://www.zdnet.com/article/how-the-nsa-and-your-boss-can-intercept-and-break-ssl/) 114 | 115 | 116 | [The Matter of Heartbleed (2014)](https://jhalderm.com/pub/papers/heartbleed-imc14.pdf) 117 | 118 | [TLS in the wild—An Internet-wide analysis of TLS-based protocols for electronic communication (2015)]() 119 | 120 | [TLS interception considered harmful How Man-in-the-Middle filtering solutions harm the security of HTTPS (2015)](https://events.ccc.de/camp/2015/Fahrplan/events/6833.html) 121 | 122 | [The Risks of SSL Inspection (2015)](https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html) 123 | 124 | [ Killed by Proxy: Analyzing Client-end TLS Interception Software (2016)](https://madiba.encs.concordia.ca/~x_decarn/papers/tls-proxy-ndss2016.pdf) 125 | 126 | [The Security Impact of HTTPS Interception (2017)](https://zakird.com/papers/https_interception.pdf) 127 | 128 | [US-CERT TA17-075A Https interception weakens internet security (2017)](https://www.us-cert.gov/ncas/alerts/TA17-075A) 129 | 130 | [The Security Impact of HTTPS Interception (2017)](https://jhalderm.com/pub/papers/interception-ndss17.pdf) 131 | - [Understanding the prevalence of web traffic interception (2017)](https://blog.cloudflare.com/understanding-the-prevalence-of-web-traffic-interception/) 132 | 133 | [Trust me, I’m a Root CA! 134 | Analyzing SSL Root CAs in modern Browsers and Operating Systems (2019)](https://publications.sba-research.org/publications/SSL.pdf) 135 | 136 | 137 | ### SSL Interception-related Incidents 138 | 139 | [Komodia superfish ssl validation is broken (2015)](https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/) 140 | 141 | [More TLS Man-in-the-Middle failures - Adguard, Privdog again and ProtocolFilters.dll (2015)](https://blog.hboeck.de/archives/874-More-TLS-Man-in-the-Middle-failures-Adguard,-Privdog-again-and-ProtocolFilters.dll.html) 142 | 143 | [Software Privdog worse than Superfish (2015)](https://blog.hboeck.de/archives/865-Software-Privdog-worse-than-Superfish.html) 144 | 145 | [Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections (2015)](https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html) 146 | 147 | [How Kaspersky makes you vulnerable to the FREAK attack and other ways Antivirus software lowers your HTTPS security (2015)](https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.htm) 148 | 149 | ## Tools 150 | ### TLS Audit 151 | 152 | #### Online 153 | 154 | [Qualys SSL Server Test](https://www.ssllabs.com/ssltest/) 155 | 156 | [Qualys SSL Client Test](https://www.ssllabs.com/ssltest/viewMyClient.html) 157 | 158 | #### Local 159 | 160 | [sslyze](https://github.com/iSECPartners/sslyze) 161 | 162 | [Qualys SSL Labs (local version)](https://github.com/ssllabs/ssllabs-scan) 163 | 164 | [testssl.sh](https://testssl.sh/) 165 | 166 | ### Sysadmins 167 | 168 | [Qualys SSL/TLS Deployment Best Practices](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices) 169 | 170 | [Mozilla's Recommendations for TLS Servers](https://wiki.mozilla.org/Security/Server_Side_TLS) 171 | 172 | [IISCrypto: Tune up your Windows Server TLS configuration](https://www.nartac.com/Products/IISCrypto) 173 | 174 | ### MITM 175 | [bettercap - A complete, modular, portable and easily extensible MITM framework’](https://www.bettercap.org/) 176 | 177 | [dns2proxy](https://github.com/LeonardoNve/dns2proxy) 178 | 179 | [MITMf](https://github.com/byt3bl33d3r/MITMf) 180 | 181 | 182 | ## Protocols 183 | ### TLS 1.3 184 | 185 | [RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3 (2018)](https://www.rfc-editor.org/rfc/rfc8446) 186 | 187 | ### UTA (Use TLS in Applications) IETF WG 188 | 189 | [Drafts and RFCs (HTTP and SMTP)](https://datatracker.ietf.org/wg/uta/documents/) 190 | 191 | ### Strict Transport Security (STS) 192 | 193 | [HTTP Strict Transport Security (HSTS). RFC 6797 (2012)](https://doi.org/10.17487/rfc6797) 194 | 195 | [STS Preload List - Google Chrome](https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json) 196 | 197 | [HSTS Preload List Submission.](https://hstspreload.org/) 198 | 199 | [HTTP Strict Transport Security for Apache, NGINX and Lighttpd](https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html) 200 | 201 | 202 | 203 | ### HPKP 204 | 205 | [Public Key Pinning Extension for HTTP. RFC 7469 (2015)](https://doi.org/10.17487/rfc7469) 206 | 207 | [Is HTTP Public Key Pinning Dead? (2016)](https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead) 208 | 209 | ### Certificate Transparency 210 | 211 | [Certificate Transparency](https://www.certificate-transparency.org/) 212 | 213 | [How Certificate Transparency Works - Certificate Transparency](https://www.certificate-transparency.org/how-ct-works) 214 | 215 | [Google Certificate Transparency (CT) to Expand to All Certificates Types (2016)](https://casecurity.org/2016/11/08/google-certificate-transparency-ct-to-expand-to-all-certificates-types/) 216 | 217 | ### CAA 218 | 219 | [DNS Certification Authority Authorization (CAA) Resource Record. RFC 6844](https://doi.org/10.17487/rfc6844) 220 | 221 | [CAA Record Generator](https://sslmate.com/labs/caa/) 222 | 223 | ### DANE and DNSSEC 224 | 225 | [DANE Resources](https://www.huque.com/dane/) 226 | 227 | [The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. RFC 6698](https://doi.org/10.17487/rfc6698) 228 | 229 | [DANE: Taking TLS Authentication to the Next Level Using DNSSEC (2011)](https://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec) 230 | 231 | [Generate TLSA Record](https://www.huque.com/bin/gen_tlsa) 232 | 233 | [DNS security introduction and requirements. RFC 4033](https://tools.ietf.org/html/rfc4033) 234 | -------------------------------------------------------------------------------- /tlssec.bib: -------------------------------------------------------------------------------- 1 | 2 | @inproceedings{aviram_drown:_2016, 3 | address = {Austin, TX}, 4 | title = {{DROWN}: {Breaking} {TLS} {Using} {SSLv}2}, 5 | isbn = {978-1-931971-32-4}, 6 | url = {https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/aviram}, 7 | booktitle = {25th {USENIX} {Security} {Symposium} ({USENIX} {Security} 16)}, 8 | publisher = {USENIX Association}, 9 | author = {Aviram, Nimrod and Schinzel, Sebastian and Somorovsky, Juraj and Heninger, Nadia and Dankel, Maik and Steube, Jens and Valenta, Luke and Adrian, David and Halderman, J. Alex and Dukhovni, Viktor and Käsper, Emilia and Cohney, Shaanan and Engels, Susanne and Paar, Christof and Shavitt, Yuval}, 10 | year = {2016}, 11 | pages = {689--706} 12 | } 13 | 14 | @inproceedings{adrian_imperfect_2015, 15 | title = {Imperfect {Forward} {Secrecy}: {How} {Diffie}-{Hellman} {Fails} in {Practice}}, 16 | booktitle = {22nd {ACM} {Conference} on {Computer} and {Communications} {Security}}, 17 | author = {Adrian, David and Bhargavan, Karthikeyan and Durumeric, Zakir and Gaudry, Pierrick and Green, Matthew and Halderman, J. Alex and Heninger, Nadia and Springall, Drew and Thomé, Emmanuel and Valenta, Luke and VanderSloot, Benjamin and Wustrow, Eric and Zanella-Béguelin, Santiago and Zimmermann, Paul}, 18 | month = oct, 19 | year = {2015} 20 | } 21 | 22 | @inproceedings{vanhoef_all_2015, 23 | address = {Washington, D.C.}, 24 | title = {All {Your} {Biases} {Belong} to {Us}: {Breaking} {RC}4 in {WPA}-{TKIP} and {TLS}}, 25 | isbn = {978-1-931971-23-2}, 26 | url = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/vanhoef}, 27 | booktitle = {24th {USENIX} {Security} {Symposium} ({USENIX} {Security} 15)}, 28 | publisher = {USENIX Association}, 29 | author = {Vanhoef, Mathy and Piessens, Frank}, 30 | year = {2015}, 31 | pages = {97--112} 32 | } 33 | 34 | @inproceedings{bhargavan_practical_2016, 35 | address = {New York, NY, USA}, 36 | series = {{CCS} '16}, 37 | title = {On the {Practical} ({In}-){Security} of 64-bit {Block} {Ciphers}: {Collision} {Attacks} on {HTTP} over {TLS} and {OpenVPN}}, 38 | isbn = {978-1-4503-4139-4}, 39 | url = {http://doi.acm.org/10.1145/2976749.2978423}, 40 | doi = {10.1145/2976749.2978423}, 41 | booktitle = {Proceedings of the 2016 {ACM} {SIGSAC} {Conference} on {Computer} and {Communications} {Security}}, 42 | publisher = {ACM}, 43 | author = {Bhargavan, Karthikeyan and Leurent, Gaëtan}, 44 | year = {2016}, 45 | keywords = {CBC, collision attack, HTTPs, OpenVPN, TLS}, 46 | pages = {456--467} 47 | } 48 | 49 | @article{moller_this_2014, 50 | title = {This {POODLE} bites: exploiting the {SSL} 3.0 fallback}, 51 | journal = {Security Advisory}, 52 | author = {Möller, Bodo and Duong, Thai and Kotowicz, Krzysztof}, 53 | year = {2014} 54 | } 55 | 56 | @inproceedings{durumeric_matter_2014, 57 | address = {New York, NY, USA}, 58 | series = {{IMC} '14}, 59 | title = {The {Matter} of {Heartbleed}}, 60 | isbn = {978-1-4503-3213-2}, 61 | url = {http://doi.acm.org/10.1145/2663716.2663755}, 62 | doi = {10.1145/2663716.2663755}, 63 | booktitle = {Proceedings of the 2014 {Conference} on {Internet} {Measurement} {Conference}}, 64 | publisher = {ACM}, 65 | author = {Durumeric, Zakir and Kasten, James and Adrian, David and Halderman, J. Alex and Bailey, Michael and Li, Frank and Weaver, Nicolas and Amann, Johanna and Beekman, Jethro and Payer, Mathias and Paxson, Vern}, 66 | year = {2014}, 67 | keywords = {heartbleed, internet-wide scanning, openssl, Security}, 68 | pages = {475--488} 69 | } 70 | 71 | @inproceedings{fardan_lucky_2013, 72 | title = {Lucky {Thirteen}: {Breaking} the {TLS} and {DTLS} {Record} {Protocols}}, 73 | doi = {10.1109/SP.2013.42}, 74 | abstract = {The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto secure protocol of choice for Internet and mobile applications. DTLS is a variant of TLS that is growing in importance. In this paper, we present distinguishing and plaintext recovery attacks against TLS and DTLS. The attacks are based on a delicate timing analysis of decryption processing in the two protocols. We include experimental results demonstrating the feasibility of the attacks in realistic network environments for several different implementations of TLS and DTLS, including the leading OpenSSL implementations. We provide countermeasures for the attacks. Finally, we discuss the wider implications of our attacks for the cryptographic design used by TLS and DTLS.}, 75 | booktitle = {2013 {IEEE} {Symposium} on {Security} and {Privacy}}, 76 | author = {Fardan, N. J. Al and Paterson, K. G.}, 77 | month = may, 78 | year = {2013}, 79 | keywords = {CBC-mode encryption, Ciphers, computer network security, cryptographic design, cryptographic protocols, data confidentiality, data integrity, decryption, de facto secure protocol, DTLS, DTLS record protocols, Encryption, Internet, Media Access Protocol, mobile applications, Mobile computing, OpenSSL implementations, plaintext recovery, plaintext recovery attacks, Timing, timing analysis, timing attack, TLS, transport layer security protocol}, 80 | pages = {526--540} 81 | } 82 | 83 | @inproceedings{alfardan_security_2013, 84 | address = {Berkeley, CA, USA}, 85 | series = {{SEC}'13}, 86 | title = {On the {Security} of {RC}4 in {TLS}}, 87 | isbn = {978-1-931971-03-4}, 88 | url = {http://dl.acm.org/citation.cfm?id=2534766.2534793}, 89 | booktitle = {Proceedings of the 22Nd {USENIX} {Conference} on {Security}}, 90 | publisher = {USENIX Association}, 91 | author = {AlFardan, Nadhem J. and Bernstein, Daniel J. and Paterson, Kenneth G. and Poettering, Bertram and Schuldt, Jacob C. N.}, 92 | year = {2013}, 93 | pages = {305--320} 94 | } 95 | 96 | @inproceedings{alfardan_security_2013-1, 97 | address = {Washington, D.C.}, 98 | title = {On the {Security} of {RC}4 in {TLS}}, 99 | isbn = {978-1-931971-03-4}, 100 | url = {https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan}, 101 | booktitle = {Presented as part of the 22nd {USENIX} {Security} {Symposium} ({USENIX} {Security} 13)}, 102 | publisher = {USENIX}, 103 | author = {AlFardan, Nadhem and Bernstein, Daniel J. and Paterson, Kenneth G. and Poettering, Bertram and Schuldt, Jacob C. N.}, 104 | year = {2013}, 105 | pages = {305--320} 106 | } 107 | 108 | @book{way_transport_2010, 109 | series = {Request for {Comments}}, 110 | title = {Transport {Layer} {Security} ({TLS}) {Renegotiation} {Indication} {Extension}}, 111 | url = {https://rfc-editor.org/rfc/rfc5746.txt}, 112 | abstract = {Secure Socket Layer (SSL) and Transport Layer Security (TLS) renegotiation are vulnerable to an attack in which the attacker forms a TLS connection with the target server, injects content of his choice, and then splices in a new TLS connection from a client. The server treats the client\&\#39;s initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data. This specification defines a TLS extension to cryptographically tie renegotiations to the TLS connections they are being performed over, thus preventing this attack. [STANDARDS-TRACK]}, 113 | number = {5746}, 114 | publisher = {RFC Editor}, 115 | author = {Way, One and Ray, Marsh and Dispensa, Steve and Rescorla, Eric}, 116 | month = feb, 117 | year = {2010}, 118 | note = {Published: RFC 5746 119 | DOI: 10.17487/rfc5746} 120 | } 121 | 122 | @inproceedings{huang_analyzing_2014, 123 | address = {Washington, DC, USA}, 124 | series = {{SP} '14}, 125 | title = {Analyzing {Forged} {SSL} {Certificates} in the {Wild}}, 126 | isbn = {978-1-4799-4686-0}, 127 | url = {http://dx.doi.org/10.1109/SP.2014.13}, 128 | doi = {10.1109/SP.2014.13}, 129 | booktitle = {Proceedings of the 2014 {IEEE} {Symposium} on {Security} and {Privacy}}, 130 | publisher = {IEEE Computer Society}, 131 | author = {Huang, Lin Shung and Rice, Alex and Ellingsen, Erling and Jackson, Collin}, 132 | year = {2014}, 133 | keywords = {certificates, man-in-the-middle attack, SSL}, 134 | pages = {83--97} 135 | } 136 | 137 | @inproceedings{de_carnavalet_killed_2016, 138 | title = {Killed by {Proxy}: {Analyzing} {Client}-end {TLS} {Interception} {Software}}, 139 | booktitle = {Network and {Distributed} {System} {Security} {Symposium} ({NDSS} 2016), {San} {Diego}, {CA}, {USA}}, 140 | author = {de Carnavalet, Xavier de Carné and Mannan, Mohammad}, 141 | year = {2016} 142 | } 143 | 144 | @misc{valsorda_komodia_2015, 145 | title = {Komodia superfish ssl validation is broken}, 146 | url = {https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/}, 147 | journal = {Flippo.io}, 148 | author = {Valsorda, Filippo}, 149 | month = feb, 150 | year = {2015} 151 | } 152 | 153 | @misc{bock_superfish_2015, 154 | title = {Superfish 2.0: {Dangerous} {Certificate} on {Dell} {Laptops} breaks encrypted {HTTPS} {Connections}}, 155 | url = {https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html}, 156 | journal = {Hanno'sblog}, 157 | author = {Böck, Hanno}, 158 | year = {2015} 159 | } 160 | 161 | @misc{bock_more_2015, 162 | title = {More {TLS} {Man}-in-the-{Middle} failures - {Adguard}, {Privdog} again and {ProtocolFilters}.dll}, 163 | url = {https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html}, 164 | journal = {Hanno'sblog}, 165 | author = {Böck, Hanno}, 166 | year = {2015} 167 | } 168 | 169 | @misc{bock_how_2015, 170 | title = {How {Kaspersky} makes you vulnerable to the {FREAK} attack and other ways {Antivirus} software lowers your {HTTPS} security}, 171 | url = {https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html}, 172 | journal = {Hanno'sblog}, 173 | author = {Böck, Hanno}, 174 | year = {2015} 175 | } 176 | 177 | @inproceedings{bock_tls_nodate, 178 | address = {Mildenberg, Alemania}, 179 | title = {{TLS} interception considered harmful {How} {Man}-in-the-{Middle} filtering solutions harm the security of {HTTPS}}, 180 | url = {https://events.ccc.de/camp/2015/Fahrplan/events/6833.html}, 181 | abstract = {With the more widespread use of encrypted HTTPS connections many software vendors intercept these connections by installing a certificate into the user's browser. This is widely done by Antivirus applications, parental filter software or ad injection software. This can go horribly wrong, as the examples of Superfish and Privdog have shown. But even if implemented properly these solutions almost always decrease the security of HTTPS. 182 | 183 | In February a software called Superfish was detected preinstalled on Lenovo laptops that would intercept HTTPS connections by installing a certificate into the user's browser. This certificate was shared amongst different installations and therefore an extraction of the certificate allowed creating rogue certificates that would be accepted by many Lenovo laptops. Shortly after Superfish many other software products with the same or similar vulnerabilities were found. The speaker of this talk discovered that the software Privdog, advertised by the certificate authority Comodo, had an even worse vulnerability. 184 | 185 | Superfish and Privdog were extreme examples, but the technology of intercepting HTTPS connections by installing X.509 root certificates into the browser is widespread. These solutions are often part of software that is supposed to bring more security to the user - like Antivirus applications - but they lower the user's security. For example Kaspersky Antivirus users were still affected by the FREAK vulnerability months after the issue was found and fixed. 186 | 187 | The talk will first give an introduction into some problems in the TLS protocol that were found in recent years (BEAST, CRIME, FREAK, CA failures) and show some technologies that were invented to prevent common problems of TLS (e. g. HPKP). After that the speaker will give some examples of TLS interception software and how it endangers the security of the user.}, 188 | author = {Böck, Hanno} 189 | } 190 | 191 | @misc{noauthor_tls_nodate, 192 | title = {{TLS} interception considered harmful - video and slides - {Hanno}'s blog}, 193 | url = {https://blog.hboeck.de/archives/875-TLS-interception-considered-harmful-video-and-slides.html}, 194 | urldate = {2017-03-23}, 195 | file = {TLS interception considered harmful - video and slides - Hanno's blog:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\G9H3U6XC\\875-TLS-interception-considered-harmful-video-and-slides.html:text/html} 196 | } 197 | 198 | @misc{noauthor_https_nodate, 199 | title = {{HTTPS} {Interception} {Weakens} {TLS} {Security} {\textbar} {US}-{CERT}}, 200 | url = {https://www.us-cert.gov/ncas/alerts/TA17-075A}, 201 | urldate = {2017-03-23}, 202 | file = {HTTPS Interception Weakens TLS Security | US-CERT:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\SVZVWK3E\\TA17-075A.html:text/html} 203 | } 204 | 205 | @misc{noauthor_risks_nodate, 206 | title = {The {Risks} of {SSL} {Inspection}}, 207 | url = {https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html}, 208 | urldate = {2017-03-23}, 209 | file = {The Risks of SSL Inspection:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\4V8SS72A\\the-risks-of-ssl-inspection.html:text/html} 210 | } 211 | 212 | @misc{bock_software_2015, 213 | title = {Software {Privdog} worse than {Superfish} - {Hanno}'s blog}, 214 | url = {https://blog.hboeck.de/archives/865-Software-Privdog-worse-than-Superfish.html}, 215 | urldate = {2017-03-23}, 216 | author = {Böck, Hanno}, 217 | year = {2015}, 218 | file = {Software Privdog worse than Superfish - Hanno's blog:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\H5CAZFEH\\865-Software-Privdog-worse-than-Superfish.html:text/html} 219 | } 220 | 221 | @misc{noauthor_diginotar_nodate, 222 | title = {{DigiNotar} reports security incident}, 223 | url = {https://www.vasco.com/about-vasco/press/2011/news_diginotar_reports_security_incident.html}, 224 | abstract = {OAKBROOK TERRACE, Illinois and ZURICH, Switzerland – August 30, 2011 – VASCO Data Security International, Inc. (Nasdaq: VDSI; www.vasco.com) today comments on DigiNotar’}, 225 | urldate = {2017-03-23}, 226 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\FICDDNKA\\news_diginotar_reports_security_incident.html:text/html} 227 | } 228 | 229 | @misc{noauthor_comodo_2011, 230 | title = {Comodo {Report} of {Incident} - {Comodo} detected and thwarted an intrusion on 26-{MAR}-2011}, 231 | url = {https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html?key5sk1=b0cc105de9f45d9bba702a25da2b97fb4861b7b9}, 232 | urldate = {2017-03-23}, 233 | year = {2011}, 234 | file = {Comodo Report of Incident - Comodo detected and thwarted an intrusion on 26-MAR-2011:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\3IUG2UDJ\\Comodo-Fraud-Incident-2011-03-23.html:text/html} 235 | } 236 | 237 | @misc{noauthor_turktrust_2013, 238 | title = {{TURKTRUST} {Unauthorized} {CA} {Certificates}}, 239 | url = {https://www.entrust.com/turktrust-unauthorized-ca-certificates/}, 240 | abstract = {Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.}, 241 | urldate = {2017-03-23}, 242 | journal = {Entrust, Inc.}, 243 | month = jan, 244 | year = {2013}, 245 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\MKZQ6VDV\\turktrust-unauthorized-ca-certificates.html:text/html} 246 | } 247 | 248 | @misc{noauthor_syrian_2011, 249 | title = {A {Syrian} {Man}-{In}-{The}-{Middle} {Attack} against {Facebook}}, 250 | url = {https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook}, 251 | abstract = {UPDATE: If you are in Syria and your browser shows you this certificate warning on Facebook, it is not safe to login to Facebook. You may wish to use Tor to connect to Facebook, or use proxies outside of Syria. UPDATE II: We have received reports that some Syrian ISPs are blocking Tor. If Tor is not working for you, you may try to connect through another ISP.}, 252 | urldate = {2017-03-23}, 253 | journal = {Electronic Frontier Foundation}, 254 | month = may, 255 | year = {2011}, 256 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\2ZP8W63Q\\syrian-man-middle-against-facebook.html:text/html} 257 | } 258 | 259 | @article{wei_survey_2016, 260 | title = {A {Survey} on \{{HTTPS}\} {Implementation} by {Android} {Apps}: {Issues} and {Countermeasures}}, 261 | issn = {2210-8327}, 262 | url = {http://www.sciencedirect.com/science/article/pii/S2210832716300722}, 263 | doi = {http://dx.doi.org/10.1016/j.aci.2016.10.001}, 264 | abstract = {Abstract As more and more sensitive data is transferred from mobile applications across unsecured channels, it seems imperative that transport layer encryption should be used in any non-trivial instance. Yet, research indicates that many Android developers do not use \{HTTPS\} or violate rules which protect user data from man-in-the-middle attacks. This paper seeks to find a root cause of the disparities between theoretical \{HTTPS\} usage and in-the-wild implementation of the protocol by looking into Android applications, online resources, and papers published by \{HTTPS\} and Android security researchers. From these resources, we extract a set of barrier categories that exist in the path of proper \{TLS\} use. These barriers not only include improper developer practices, but also server misconfiguration, lacking documentation, flaws in libraries, the fundamentally complex \{TLS\} \{PKI\} system, and a lack of consumer understanding of the importance of HTTPS. Following this discussion, we compile a set of potential solutions and patches to better secure Android \{HTTPS\} and the TLS/SSL protocol in general. We conclude our survey with gaps in current understanding of the environment and suggestions for further research.}, 265 | journal = {Applied Computing and Informatics}, 266 | author = {Wei, Xuetao and Wolf, Michael}, 267 | year = {2016}, 268 | keywords = {Mobile development}, 269 | pages = {--} 270 | } 271 | 272 | @book{evans_public_2015, 273 | series = {Request for {Comments}}, 274 | title = {Public {Key} {Pinning} {Extension} for {HTTP}}, 275 | url = {https://rfc-editor.org/rfc/rfc7469.txt}, 276 | abstract = {This document defines a new HTTP header that allows web host operators to instruct user agents to remember (\"pin\") the hosts\&\#39; cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.}, 277 | number = {7469}, 278 | publisher = {RFC Editor}, 279 | author = {Evans, Chris and Palmer, Chris and Sleevi, Ryan}, 280 | month = apr, 281 | year = {2015}, 282 | note = {Published: RFC 7469 283 | DOI: 10.17487/rfc7469} 284 | } 285 | 286 | @inproceedings{durumeric_neither_2015, 287 | address = {New York, NY, USA}, 288 | series = {{IMC} '15}, 289 | title = {Neither {Snow} {Nor} {Rain} {Nor} {MITM}...: {An} {Empirical} {Analysis} of {Email} {Delivery} {Security}}, 290 | isbn = {978-1-4503-3848-6}, 291 | url = {http://doi.acm.org/10.1145/2815675.2815695}, 292 | doi = {10.1145/2815675.2815695}, 293 | booktitle = {Proceedings of the 2015 {Internet} {Measurement} {Conference}}, 294 | publisher = {ACM}, 295 | author = {Durumeric, Zakir and Adrian, David and Mirian, Ariana and Kasten, James and Bursztein, Elie and Lidzborski, Nicolas and Thomas, Kurt and Eranti, Vijay and Bailey, Michael and Halderman, J. Alex}, 296 | year = {2015}, 297 | keywords = {dkim, dmarc, email, mail, smtp, spf, starttls, TLS}, 298 | pages = {27--39} 299 | } 300 | 301 | @misc{mayer_impact_2017, 302 | title = {The impact on network security through encrypted protocols – {TLS} 1.3}, 303 | url = {http://blogs.cisco.com/security/the-impact-on-network-security-through-encrypted-protocols-tls-1-3}, 304 | urldate = {2017-03-24}, 305 | journal = {blogs@Cisco - Cisco Blogs}, 306 | author = {Mayer, Tobias}, 307 | year = {2017}, 308 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\XF9KHKTZ\\the-impact-on-network-security-through-encrypted-protocols-tls-1-3.html:text/html} 309 | } 310 | 311 | @misc{noauthor_imperialviolet_2015, 312 | title = {{ImperialViolet} - {AEADs}: getting better at symmetric cryptography}, 313 | url = {https://www.imperialviolet.org/2015/05/16/aeads.html}, 314 | urldate = {2017-03-24}, 315 | year = {2015}, 316 | file = {ImperialViolet - AEADs\: getting better at symmetric cryptography:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\CWEBNGKF\\aeads.html:text/html} 317 | } 318 | 319 | @book{sheffer_summarizing_2015, 320 | series = {Request for {Comments}}, 321 | title = {Summarizing {Known} {Attacks} on {Transport} {Layer} {Security} ({TLS}) and {Datagram} {TLS} ({DTLS})}, 322 | url = {https://rfc-editor.org/rfc/rfc7457.txt}, 323 | abstract = {Over the last few years, there have been several serious attacks on Transport Layer Security (TLS), including attacks on its most commonly used ciphers and modes of operation. This document summarizes these attacks, with the goal of motivating generic and protocol-specific recommendations on the usage of TLS and Datagram TLS (DTLS).}, 324 | number = {7457}, 325 | publisher = {RFC Editor}, 326 | author = {Sheffer, Yaron and Holz, Ralph and Saint-Andre, Peter}, 327 | month = feb, 328 | year = {2015}, 329 | note = {Published: RFC 7457 330 | DOI: 10.17487/rfc7457} 331 | } 332 | 333 | @misc{noauthor_certificate_2017, 334 | title = {Certificate {Transparency}}, 335 | url = {https://www.certificate-transparency.org/}, 336 | abstract = {This site describes the Certificate Transparency effort being spearheaded by Ben Laurie, Adam Langley and Stephen McHenry. The effort is designed to significantly increase the security of the Public Key Infrastructure used by web sites and services.}, 337 | urldate = {2017-03-24}, 338 | year = {2017}, 339 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\E6KUMK3B\\www.certificate-transparency.org.html:text/html} 340 | } 341 | 342 | @misc{adkins_update_2011, 343 | title = {An update on attempted man-in-the-middle attacks}, 344 | url = {https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html}, 345 | abstract = {Posted by Heather Adkins, Information Security Manager 346 | 347 | Today we received reports of attempted SSL man-in-the-middle (MITM) attacks again...}, 348 | urldate = {2017-03-24}, 349 | journal = {Google Online Security Blog}, 350 | author = {Adkins, Heather}, 351 | year = {2011}, 352 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\X6DMSB5Q\\update-on-attempted-man-in-middle.html:text/html} 353 | } 354 | 355 | @book{hodges_http_2012, 356 | series = {Request for {Comments}}, 357 | title = {{HTTP} {Strict} {Transport} {Security} ({HSTS})}, 358 | url = {https://rfc-editor.org/rfc/rfc6797.txt}, 359 | abstract = {This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration, for example. [STANDARDS-TRACK]}, 360 | number = {6797}, 361 | publisher = {RFC Editor}, 362 | author = {Hodges, Jeff and Jackson, Collin and Barth, Adam}, 363 | month = nov, 364 | year = {2012}, 365 | note = {Published: RFC 6797 366 | DOI: 10.17487/rfc6797} 367 | } 368 | 369 | @misc{noauthor_sts_2017, 370 | title = {{STS} {Preload} {List} - {Google} {Chrome}}, 371 | url = {https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json}, 372 | urldate = {2017-03-24}, 373 | year = {2017}, 374 | file = {transport_security_state_static.json - Code Search:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\ZKNPDFBS\\transport_security_state_static.html:text/html} 375 | } 376 | 377 | @misc{noauthor_firefox_2017, 378 | title = {Firefox {STS} {Preload} {List}}, 379 | url = {https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc}, 380 | urldate = {2017-03-24}, 381 | year = {2017}, 382 | file = {nsSTSPreloadList.inc - DXR:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\S5VMSUSF\\nsSTSPreloadList.html:text/html} 383 | } 384 | 385 | @misc{sleevi_sustaining_2015, 386 | title = {Sustaining {Digital} {Certificate} {Security}}, 387 | url = {https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html}, 388 | abstract = {Posted by Ryan Sleevi, Software Engineer This post updates our previous notification of a misissued certificate for google.com Followin...}, 389 | urldate = {2017-03-27}, 390 | journal = {Google Online Security Blog}, 391 | author = {Sleevi, Ryan}, 392 | year = {2015}, 393 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\FQ4T3IM6\\sustaining-digital-certificate-security.html:text/html} 394 | } 395 | 396 | @misc{somogyi_improved_2015, 397 | title = {Improved {Digital} {Certificate} {Security}}, 398 | url = {https://security.googleblog.com/2015/09/improved-digital-certificate-security.html}, 399 | abstract = {Posted by Stephan Somogyi, Security \& Privacy PM, and Adam Eijdenberg, Certificate Transparency PM On September 14, around 19:20 GMT, Syma...}, 400 | urldate = {2017-03-27}, 401 | journal = {Google Online Security Blog}, 402 | author = {Somogyi, Stephan and Eijdenberg, Adam}, 403 | year = {2015}, 404 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\MKFFZ474\\improved-digital-certificate-security.html:text/html} 405 | } 406 | 407 | @misc{sleevi_intent_2017, 408 | title = {Intent to {Deprecate} and {Remove}: {Trust} in existing {Symantec}-issued {Certificates} - {Grupos} de {Google}}, 409 | url = {https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs}, 410 | urldate = {2017-03-27}, 411 | journal = {Google Groups}, 412 | author = {Sleevi, Ryan}, 413 | year = {2017}, 414 | file = {Intent to Deprecate and Remove\: Trust in existing Symantec-issued Certificates - Grupos de Google:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\FRCQ4ZAF\\forum.html:text/html} 415 | } 416 | 417 | @book{hallam-baker_dns_2013, 418 | series = {Request for {Comments}}, 419 | title = {{DNS} {Certification} {Authority} {Authorization} ({CAA}) {Resource} {Record}}, 420 | url = {https://rfc-editor.org/rfc/rfc6844.txt}, 421 | abstract = {The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue. This document defines the syntax of the CAA record and rules for processing CAA records by certificate issuers. [STANDARDS-TRACK]}, 422 | number = {6844}, 423 | publisher = {RFC Editor}, 424 | author = {Hallam-Baker, Phillip and Stradling, Rob}, 425 | month = jan, 426 | year = {2013}, 427 | note = {Published: RFC 6844 428 | DOI: 10.17487/rfc6844} 429 | } 430 | 431 | @misc{morton_2017_2017, 432 | title = {2017 – {Looking} {Back}, {Moving} {Forward}}, 433 | url = {https://casecurity.org/2017/01/13/2017-looking-back-moving-forward/}, 434 | abstract = {Looking Back at 2016 Fortunately, 2016 was not a year full of SSL/TLS vulnerabilities. Although some researchers did prove old cryptography algorithms should be put out to pasture. The year showed …}, 435 | urldate = {2017-03-28}, 436 | journal = {CA Security Council}, 437 | author = {Morton, Bruce}, 438 | year = {2017}, 439 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\8CF22RP3\\2017-looking-back-moving-forward.html:text/html} 440 | } 441 | 442 | @misc{noauthor_caa_2017, 443 | title = {{CAA} {Record} {Generator}}, 444 | url = {https://sslmate.com/labs/caa/}, 445 | urldate = {2017-03-28}, 446 | year = {2017}, 447 | file = {CAA Record Generator:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\3CX5B8WU\\caa.html:text/html} 448 | } 449 | 450 | @misc{noauthor_what_2013, 451 | title = {What {Is} {Certificate} {Transparency} and {How} {Does} {It} {Propose} to {Address} {Certificate} {Mis}-{Issuance}?}, 452 | url = {https://casecurity.org/2013/09/09/what-is-certificate-transparency-and-how-does-it-propose-to-establish-certificate-validity/}, 453 | abstract = {As originally architected by Netscape and others in the mid-1990s, the certificate issuance process envisioned that the CA would present the certificate and its contents to the named subject who wo…}, 454 | urldate = {2017-03-28}, 455 | journal = {CA Security Council}, 456 | month = sep, 457 | year = {2013}, 458 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\WTUW4WQ4\\what-is-certificate-transparency-and-how-does-it-propose-to-establish-certificate-validity.html:text/html} 459 | } 460 | 461 | @misc{noauthor_how_nodate, 462 | title = {How {Certificate} {Transparency} {Works} - {Certificate} {Transparency}}, 463 | url = {https://www.certificate-transparency.org/how-ct-works}, 464 | abstract = {This site describes the Certificate Transparency effort being spearheaded by Ben Laurie, Adam Langley and Stephen McHenry. The effort is designed to significantly increase the security of the Public Key Infrastructure used by web sites and services.}, 465 | urldate = {2017-03-28}, 466 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\DXHIKP86\\how-ct-works.html:text/html} 467 | } 468 | 469 | @misc{rowley_google_2016, 470 | title = {Google {Certificate} {Transparency} ({CT}) to {Expand} to {All} {Certificates} {Types}}, 471 | url = {https://casecurity.org/2016/11/08/google-certificate-transparency-ct-to-expand-to-all-certificates-types/}, 472 | abstract = {The policy change goes into effect October 2017 A recent Google announcement stated that all publicly trusted SSL/TLS certificates issued in October 2017 or later will be expected to comply with Ch…}, 473 | urldate = {2017-03-28}, 474 | journal = {CA Security Council}, 475 | author = {Rowley, Jeremy}, 476 | month = nov, 477 | year = {2016}, 478 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\BZ29TB6M\\google-certificate-transparency-ct-to-expand-to-all-certificates-types.html:text/html} 479 | } 480 | 481 | @misc{noauthor_tls_nodate-1, 482 | title = {tls - {How} does {OCSP} stapling work? - {Information} {Security} {Stack} {Exchange}}, 483 | shorttitle = {tls - {How} does {OCSP} stapling work?}, 484 | url = {https://security.stackexchange.com/questions/29686/how-does-ocsp-stapling-work}, 485 | urldate = {2017-03-28}, 486 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\IDF9D4UP\\how-does-ocsp-stapling-work.html:text/html} 487 | } 488 | 489 | @misc{barnes_dane:_2011, 490 | title = {{DANE}: {Taking} {TLS} {Authentication} to the {Next} {Level} {Using} {DNSSEC} {\textbar} {Internet} {Society}}, 491 | url = {https://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec}, 492 | urldate = {2017-03-28}, 493 | journal = {IETF Journal}, 494 | author = {Barnes, Richard L.}, 495 | year = {2011}, 496 | file = {DANE\: Taking TLS Authentication to the Next Level Using DNSSEC | Internet Society:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\RRWR4IQR\\dane-taking-tls-authentication-next-level-using-dnssec.html:text/html} 497 | } 498 | 499 | @misc{noauthor_dane_nodate, 500 | title = {{DANE} {TLS} {Test} {Sites}}, 501 | url = {https://www.huque.com/dane/testsite/}, 502 | urldate = {2017-03-28}, 503 | file = {DANE TLS Test Sites:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\PNCV8GJ8\\testsite.html:text/html} 504 | } 505 | 506 | @book{schlyter_dns-based_2012, 507 | series = {Request for {Comments}}, 508 | title = {The {DNS}-{Based} {Authentication} of {Named} {Entities} ({DANE}) {Transport} {Layer} {Security} ({TLS}) {Protocol}: {TLSA}}, 509 | url = {https://rfc-editor.org/rfc/rfc6698.txt}, 510 | abstract = {Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain\&\#39;s TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software. [STANDARDS-TRACK]}, 511 | number = {6698}, 512 | publisher = {RFC Editor}, 513 | author = {Schlyter, Jakob and Hoffman, Paul E.}, 514 | month = aug, 515 | year = {2012}, 516 | note = {Published: RFC 6698 517 | DOI: 10.17487/rfc6698} 518 | } 519 | 520 | @misc{noauthor_how_2015, 521 | title = {How {DANE} {Strengthens} {Security} for {TLS}, {S}/{MIME} and {Other} {Applications}}, 522 | url = {https://blog.verisign.com/security/how-dane-strengthens-security-for-tls-smime-and-other-applications/}, 523 | abstract = {The DNS offers ways to significantly strengthen the security of internet applications via a new protocol called DNS-based Authentication of Named Entities.}, 524 | urldate = {2017-03-28}, 525 | journal = {Verisign Blog}, 526 | month = nov, 527 | year = {2015}, 528 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\PARP76AI\\how-dane-strengthens-security-for-tls-smime-and-other-applications.html:text/html} 529 | } 530 | 531 | @article{dong_detection_2016, 532 | title = {Detection of {Rogue} {Certificates} from {Trusted} {Certificate} {Authorities} {Using} {Deep} {Neural} {Networks}}, 533 | volume = {19}, 534 | issn = {2471-2566}, 535 | url = {http://doi.acm.org/10.1145/2975591}, 536 | doi = {10.1145/2975591}, 537 | number = {2}, 538 | journal = {ACM Trans. Priv. Secur.}, 539 | author = {Dong, Zheng and Kane, Kevin and Camp, L. Jean}, 540 | month = sep, 541 | year = {2016}, 542 | keywords = {certificates, Machine learning}, 543 | pages = {5:1--5:31} 544 | } 545 | 546 | @misc{noauthor_generate_nodate, 547 | title = {Generate {TLSA} {Record}}, 548 | url = {https://www.huque.com/bin/gen_tlsa}, 549 | urldate = {2017-03-28}, 550 | file = {Generate TLSA Record:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\TKEJ5RP6\\gen_tlsa.html:text/html} 551 | } 552 | 553 | @misc{huque_dane_2017, 554 | title = {{DANE} {Resources}}, 555 | url = {https://www.huque.com/dane/}, 556 | urldate = {2017-03-28}, 557 | author = {Huque, Simon}, 558 | year = {2017}, 559 | file = {DANE Resources:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\QJJ8X9WU\\dane.html:text/html} 560 | } 561 | 562 | @misc{noauthor_hsts_2017, 563 | title = {{HSTS} {Preload} {List} {Submission}}, 564 | url = {https://hstspreload.org/}, 565 | urldate = {2017-03-28}, 566 | year = {2017}, 567 | file = {HSTS Preload List Submission:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\NXSU8BAG\\hstspreload.org.html:text/html} 568 | } 569 | 570 | @misc{vaughan-nichols_how_nodate, 571 | type = {2013}, 572 | title = {How the {NSA}, and your boss, can intercept and break {SSL}}, 573 | url = {http://www.zdnet.com/article/how-the-nsa-and-your-boss-can-intercept-and-break-ssl/}, 574 | abstract = {Most people believe that SSL is the gold-standard of Internet security. It is good, but SSL communications can be intercepted and broken. Here's how.}, 575 | urldate = {2017-03-28}, 576 | journal = {ZDNet}, 577 | author = {Vaughan-Nichols, Steven J.}, 578 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\J6ZW2WHG\\how-the-nsa-and-your-boss-can-intercept-and-break-ssl.html:text/html} 579 | } 580 | 581 | @misc{noauthor_secure_2017, 582 | title = {'{Secure}' in {Chrome} {Browser} {Does} {Not} {Mean} '{Safe}'}, 583 | url = {https://www.wordfence.com/blog/2017/03/chrome-secure/}, 584 | abstract = {Google’s Chrome web browser is used by over 50\% of users on the web. When you visit a website that is using SSL, otherwise known as HTTPS or TLS, you see a green message in your browser location bar that says “Secure”. “Secure” in Chrome browser does not mean “Safe”. In this post I will explain …}, 585 | urldate = {2017-03-28}, 586 | journal = {Wordfence}, 587 | month = mar, 588 | year = {2017}, 589 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\RQGA9F64\\chrome-secure.html:text/html} 590 | } 591 | 592 | @misc{van_elst_http_2017, 593 | title = {{HTTP} {Strict} {Transport} {Security} for {Apache}, {NGINX} and {Lighttpd} - {Raymii}.org}, 594 | url = {https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html}, 595 | urldate = {2017-03-28}, 596 | author = {van Elst, Remy}, 597 | year = {2017}, 598 | file = {HTTP Strict Transport Security for Apache, NGINX and Lighttpd - Raymii.org:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\94F7UKZ7\\HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html:text/html} 599 | } 600 | 601 | @book{cooper_internet_2008, 602 | series = {Request for {Comments}}, 603 | title = {Internet {X}.509 {Public} {Key} {Infrastructure} {Certificate} and {Certificate} {Revocation} {List} ({CRL}) {Profile}}, 604 | url = {https://rfc-editor.org/rfc/rfc5280.txt}, 605 | abstract = {This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]}, 606 | number = {5280}, 607 | publisher = {RFC Editor}, 608 | author = {Cooper, Dave}, 609 | month = may, 610 | year = {2008}, 611 | note = {Published: RFC 5280 612 | DOI: 10.17487/rfc5280} 613 | } 614 | 615 | @book{saint-andre_representation_2011, 616 | series = {Request for {Comments}}, 617 | title = {Representation and {Verification} of {Domain}-{Based} {Application} {Service} {Identity} within {Internet} {Public} {Key} {Infrastructure} {Using} {X}.509 ({PKIX}) {Certificates} in the {Context} of {Transport} {Layer} {Security} ({TLS})}, 618 | url = {https://rfc-editor.org/rfc/rfc6125.txt}, 619 | abstract = {Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies procedures for representing and verifying the identity of application services in such interactions. [STANDARDS-TRACK]}, 620 | number = {6125}, 621 | publisher = {RFC Editor}, 622 | author = {Saint-Andre, Peter and Hodges, Jeff}, 623 | month = mar, 624 | year = {2011}, 625 | note = {Published: RFC 6125 626 | DOI: 10.17487/rfc6125} 627 | } 628 | 629 | @article{lukas_javas_2015, 630 | title = {Java’s {SSLSocket}}, 631 | volume = {9}, 632 | issn = {2192-4260}, 633 | url = {http://www.sicherheitsforschung-magdeburg.de/publikationen/journal.html}, 634 | number = {1}, 635 | urldate = {2015-03-20}, 636 | author = {Lukas, Georg}, 637 | year = {2015}, 638 | keywords = {hacking, MISev, Security, security research selfarticle, sicherheit}, 639 | pages = {506--513} 640 | } 641 | 642 | @misc{noauthor_is_2016, 643 | title = {Is {HTTP} {Public} {Key} {Pinning} {Dead}?}, 644 | url = {https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead}, 645 | abstract = {HTTP Public Key Pinning (HPKP, RFC 7469)—a standard that was intended to bring public key pinning to the masses—might be dead.}, 646 | urldate = {2017-03-28}, 647 | journal = {Network Security Blog {\textbar} Qualys, Inc.}, 648 | month = sep, 649 | year = {2016}, 650 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\8S489AFB\\is-http-public-key-pinning-dead.html:text/html} 651 | } 652 | 653 | @misc{noauthor_detecting_2011, 654 | title = {Detecting {Certificate} {Authority} compromises and web browser collusion {\textbar} {The} {Tor} {Blog}}, 655 | url = {https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion}, 656 | urldate = {2017-03-29}, 657 | year = {2011}, 658 | file = {Detecting Certificate Authority compromises and web browser collusion | The Tor Blog:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\TCGUGHDZ\\detecting-certificate-authority-compromises-and-web-browser-collusion.html:text/html} 659 | } 660 | 661 | @misc{lokhande_ssl_2017, 662 | title = {{SSL} and {TLS} {Deployment} {Best} {Practices}}, 663 | url = {https://github.com/ssllabs/research}, 664 | abstract = {Contribute to research development by creating an account on GitHub.}, 665 | urldate = {2017-03-29}, 666 | journal = {GitHub}, 667 | author = {Lokhande, Bushkhan}, 668 | year = {2017}, 669 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\TCPBIKV6\\SSL-and-TLS-Deployment-Best-Practices.html:text/html} 670 | } 671 | 672 | @misc{profile_flame_nodate, 673 | title = {Flame malware collision attack explained}, 674 | url = {https://blogs.technet.microsoft.com/srd/2012/06/06/flame-malware-collision-attack-explained/}, 675 | abstract = {Since our last MSRC blog post, we’ve received questions on the nature of the cryptographic attack we saw in the complex, targeted malware known as Flame. This blog summarizes what our research revealed and why we made the decision to release Security Advisory 2718704 on Sunday night PDT. In short, by default the attacker’s certificate would...}, 676 | urldate = {2017-03-29}, 677 | journal = {Security Research \& Defense}, 678 | author = {Profile, 267 Points 2 2 2 Recent Achievements Blog Party Starter Blog Conversation Starter New Blog Rater View}, 679 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\3UPCN7UB\\flame-malware-collision-attack-explained.html:text/html} 680 | } 681 | 682 | @misc{sotirov_md5_2008, 683 | title = {{MD}5 considered harmful today}, 684 | url = {http://www.win.tue.nl/hashclash/rogue-ca/}, 685 | urldate = {2017-03-29}, 686 | author = {Sotirov, Alexander and Stevens, Marc and Appelbaum, Jacob and Lenstra, Arjen and Molnar, David and Dag Arne, Osvik and de Weger, Benne}, 687 | year = {2008}, 688 | file = {MD5 considered harmful today:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\RDTHF8GG\\rogue-ca.html:text/html} 689 | } 690 | 691 | @misc{noauthor_understanding_2015, 692 | title = {Understanding {HTTP} {Strict} {Transport} {Security} ({HSTS}) and preloading it into the browser}, 693 | url = {https://www.troyhunt.com/understanding-http-strict-transport/}, 694 | abstract = {During my travels over recent weeks I\&\#x2019;ve been doing a quick demo that works like this: First, I open up the dev tools in Chrome and select the network tab. Second, I load up americanexpress.com and show the network requests: I point out how the first one}, 695 | urldate = {2017-03-29}, 696 | journal = {Troy Hunt}, 697 | month = jun, 698 | year = {2015}, 699 | file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\GPRS75EV\\understanding-http-strict-transport.html:text/html} 700 | } 701 | 702 | @misc{noauthor_using_nodate, 703 | title = {Using {TLS} in {Applications} (uta) - {IETF} {WG}}, 704 | url = {https://datatracker.ietf.org/wg/uta/documents/}, 705 | urldate = {2017-03-29}, 706 | file = {Using TLS in Applications (uta) - Documents:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\PEQUHWNF\\documents.html:text/html} 707 | } 708 | 709 | @book{melnikov_updated_2016, 710 | series = {Request for {Comments}}, 711 | title = {Updated {Transport} {Layer} {Security} ({TLS}) {Server} {Identity} {Check} {Procedure} for {Email}-{Related} {Protocols}}, 712 | url = {https://rfc-editor.org/rfc/rfc7817.txt}, 713 | abstract = {This document describes the Transport Layer Security (TLS) server identity verification procedure for SMTP Submission, IMAP, POP, and ManageSieve clients. It replaces Section 2.4 (Server Identity Check) of RFC 2595 and updates Section 4.1 (Processing After the STARTTLS Command) of RFC 3207, Section 11.1 (STARTTLS Security Considerations) of RFC 3501, and Section 2.2.1 (Server Identity Check) of RFC 5804.}, 714 | number = {7817}, 715 | publisher = {RFC Editor}, 716 | author = {Melnikov, Alexey}, 717 | month = mar, 718 | year = {2016}, 719 | note = {Published: RFC 7817 720 | DOI: 10.17487/rfc7817} 721 | } 722 | 723 | @book{alkemade_use_2015, 724 | series = {Request for {Comments}}, 725 | title = {Use of {Transport} {Layer} {Security} ({TLS}) in the {Extensible} {Messaging} and {Presence} {Protocol} ({XMPP})}, 726 | url = {https://rfc-editor.org/rfc/rfc7590.txt}, 727 | abstract = {This document provides recommendations for the use of Transport Layer Security (TLS) in the Extensible Messaging and Presence Protocol (XMPP). This document updates RFC 6120.}, 728 | number = {7590}, 729 | publisher = {RFC Editor}, 730 | author = {Alkemade, T. and Saint-Andre, Peter}, 731 | month = jun, 732 | year = {2015}, 733 | note = {Published: RFC 7590 734 | DOI: 10.17487/rfc7590} 735 | } 736 | 737 | @techreport{fenton_smtp_2017, 738 | type = {Internet-{Draft}}, 739 | title = {{SMTP} {Require} {TLS} {Option}}, 740 | url = {https://datatracker.ietf.org/doc/html/draft-fenton-smtp-require-tls-03}, 741 | abstract = {The SMTP STARTTLS option, used in negotiating transport-level encryption of SMTP connections, is not as useful from a security standpoint as it might be because of its opportunistic nature; message delivery is prioritized over security. This document describes a complementary SMTP service extension, REQUIRETLS. If the REQUIRETLS option is used when sending a message, it asserts a request on the part of the message sender to override the default negotiation of TLS, either by requiring that TLS be negotiated when the message is relayed, or by requesting that policy mechanisms such as SMTP STS and DANE be ignored when relaying a high priority message.}, 742 | number = {draft-fenton-smtp-require-tls-03}, 743 | institution = {Internet Engineering Task Force}, 744 | author = {Fenton, Jim}, 745 | month = feb, 746 | year = {2017}, 747 | annote = {Work in Progress} 748 | } 749 | 750 | @techreport{moore_mail_2017, 751 | type = {Internet-{Draft}}, 752 | title = {Mail {User} {Agent} {Strict} {Transport} {Security} ({MUA}-{STS})}, 753 | url = {https://datatracker.ietf.org/doc/html/draft-ietf-uta-email-deep-06}, 754 | abstract = {This specification defines a set of requirements and facilities designed to improve email confidentiality between a mail user agent (MUA) and a mail submission or mail access server. This provides mechanisms intended to increase use of already deployed Transport Layer Security (TLS) technology and provides a model for a mail user agent\&\#39;s confidentiality assurance. This enables mail service providers to advertise strict transport security (STS) policies that request MUAs increase confidentiality assurance.}, 755 | number = {draft-ietf-uta-email-deep-06}, 756 | institution = {Internet Engineering Task Force}, 757 | author = {Moore, Keith and Newman, Chris}, 758 | month = mar, 759 | year = {2017}, 760 | annote = {Work in Progress} 761 | } 762 | 763 | @inproceedings{durumeric_analysis_2013, 764 | address = {New York, NY, USA}, 765 | series = {{IMC} '13}, 766 | title = {Analysis of the {HTTPS} {Certificate} {Ecosystem}}, 767 | isbn = {978-1-4503-1953-9}, 768 | url = {http://doi.acm.org/10.1145/2504730.2504755}, 769 | doi = {10.1145/2504730.2504755}, 770 | booktitle = {Proceedings of the 2013 {Conference} on {Internet} {Measurement} {Conference}}, 771 | publisher = {ACM}, 772 | author = {Durumeric, Zakir and Kasten, James and Bailey, Michael and Halderman, J. Alex}, 773 | year = {2013}, 774 | keywords = {certificates, HTTPs, internet-wide scanning, Measurement, public-key infrastructure, Security, SSL, TLS, x.509}, 775 | pages = {291--304} 776 | } 777 | 778 | @misc{noauthor_incidents_nodate, 779 | title = {Incidents involving the {CA} {WoSign} - {Grupos} de {Google}}, 780 | url = {https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I%5B1-25%5D}, 781 | urldate = {2017-03-29}, 782 | file = {Incidents involving the CA WoSign - Grupos de Google:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\9RSXS8W8\\forum.html:text/html} 783 | } 784 | --------------------------------------------------------------------------------