SSL/TLS
SSL and TLS are cryptographic protocols used to transfer data securely. They are used to secure many protocols that originally sent data as plaintext, such as HTTP (HTTPS), SMTP (SMTPS), and FTP (FTPS).
SSL (1.0, 2.0, and 3.0) is deprecated in favour of the more secure TLS. TLS versions 1.0 and 1.1 are deprecated too; 1.2 is mostly kept for backward compatibility, and 1.3 is the currently recommended version.
"SSL" is often used interchangeably with "TLS", even though they are different protocols.
Cryptography: SSL/TLS use an asymmetric algorithm to exchange a temporary symmetric key, which both parties then use to encrypt the messages they exchange.
SSL/TLS use a certificate that allows a client to verify the authenticity of the other party. The other party wraps its public key and some identifying information in a Certificate Signing Request (CSR).
It sends the CSR to a Certificate Authority (CA), a third party trusted by the client, which issues the certificate.
There are 3 categories of certificates: EV (Extended Validation), OV (Organization Validation), and DV (Domain Validation).
Tools
Find certificates given a domain
- crt.sh (website)
- ctfr (1.9k stars, script, last activity 2020)
- ct search (include expired certificates)
- censys
- netcraft
Examine SSL configuration
- SSLLabs (detect TLS/SSL versions enabled, cipherlists...)
- testssl.sh (GitHub) (similar, but local testing)
- sslshopper (???)
- sslscan: reports invalid or null cipher suites, enabled protocol versions...
$ sslscan URL
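A small audit script in the spirit of sslscan, written here as an added example (it is not part of these notes and not sslscan's own code): it uses only Python's standard `ssl` module to classify the negotiated TLS version according to the deprecation rules above, compute how many days remain before the server certificate expires, and build a client context that refuses the deprecated versions. The `audit()` function needs network access; `classify_protocol()` and `days_until_expiry()` run offline on constructed input.

```python
import ssl
import socket
from datetime import datetime, timezone

# Deprecation rules from the notes: SSL 2/3 and TLS 1.0/1.1 are deprecated,
# TLS 1.2 is kept for backward compatibility, TLS 1.3 is recommended.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def classify_protocol(version):
    """Rate a version string as returned by SSLSocket.version(), e.g. 'TLSv1.2'."""
    if version in DEPRECATED:
        return "deprecated"
    if version == "TLSv1.2":
        return "legacy"
    if version == "TLSv1.3":
        return "recommended"
    return "unknown"


def days_until_expiry(cert, now=None):
    """Days left before notAfter, given a dict shaped like SSLSocket.getpeercert()
    (notAfter uses the 'Jun  1 12:00:00 2030 GMT' format that ssl understands)."""
    now = now or datetime.now(timezone.utc)
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])  # interpreted as UTC
    not_after = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return (not_after - now).total_seconds() / 86400


def hardened_client_context():
    """Client context that verifies chain and hostname and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(host, port=443, timeout=5.0):
    """Connect to host (network required) and report version, cipher and lifetime."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, cipher, cert = tls.version(), tls.cipher(), tls.getpeercert()
    return {
        "version": version,
        "rating": classify_protocol(version),
        "cipher": cipher[0] if cipher else None,
        "days_to_expiry": round(days_until_expiry(cert), 1),
    }
```

Because the context sets `minimum_version` to TLS 1.2, a server that only offers deprecated versions fails the handshake instead of silently negotiating down.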
To-do
Stuff that I found but have never read/used yet.
- CertDB
- SSLMate
- Monitor > Renew certificate > Avoid expired problems
- Let's encrypt notes in Web
- SSL decryption
- SSL hijacking
- HTTPS spoofing
- SSL stripping
- ssl-config
- cipherlist
- Unique domain (all), wildcard (DV/OV), multi-domains (DV, OV, EV)
- TLS attacks
- Server_Side_TLS