Szilárd Pfeiffer
A free software fanatic developer, a security commited engineer, a free-culture enthusiastic jounalist, an agile believer manager.
Pfeiffer Szilárd
Balasys
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
a8ae2f4a56baf78845c041c833946d00
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua
5e1e4087285a6c7c7d503332b14c5bf7
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
a8ae2f4a56baf78845c041c833946d00
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
TLS
_ECDHE
_RSA
_AES_128_CBC
_SHA256
ECDHE-RSA-AES128-SHA256
Cryptographical Protocol
theory
implementation
Cryptographical Primitives
theory
implementation
performance
politics
Public Key Infrastructure
theory
implementation
Application Layer Protocol
Software
implementation
configuration
SSL (2.0, 3.0)
TLS 1.2
early TLS (1.0, 1.1)
TLS 1.3
Forward Secrecy
ephemeral
static
Key Strength
Session Resumption
session id
session ticket
Diffie–Hellman
(DH)
Rivest–Shamir–Adleman
(RSA)
Elliptic-curve
Diffie–Hellman
(ECDH)
Elliptic-curve
Diffie–Hellman Ephemeral
(ECDHE)
Diffie-Hellman Ephemeral
(DHE)
Key Exchange
Authentication
Symmetric Cipher
Block Cipher Mode
Message Authentication Code
PayPal
F5
Citrix
Cisco
Palo Alto Networks
Symantec
FortiNet
Block Cipher
secure
insecure
unused
Block Cipher Mode
top 100.000
1.1%
top 1.000.000
0.5%
eBay
Nasdaq
Banco Mercantil
Union Bank
Ziraat Bank
Match
Walmart
Citrix
Rivest Cipher 4
(ARCFOUR/RC4)
ChaCha
(ChaCha20)
Block Size of 64 bits
(DES, 3DES, GHOST, IDEA, RC2)
Advanced Encryption Standard
(AES128, AES256)
CBC mode only
(SEED)
Far East
(ARIA, Camellia)
Cipher Block Chaining
(CBC)
Galois/Counter Mode
(GCM)
Counter with CBC-MAC
(CCM/CCM-8)
MAC types
HMAC
UMAC
MAC algorithms
Message-Digest Algorithm 5
(MD5)
Poly1305
(POLY1305)
Secure Hash Algorithm 2
(SHA256, SHA384)
Secure Hash Algorithm 1
(SHA-1)
Message-Digest Algorithm 5
(MD5)
Poly1305
(POLY1305)
Secure Hash Algorithm 2
(SHA256, SHA384)
Secure Hash Algorithm 1
(SHA-1)
top 1.000.000
25%
all sites
33%
Yahoo
Alibaba
Flickr
Samsung
NBA
Asus
Bangood
Apache
top 1.000.000 sites
8.4%
all sites
3.4%
SMTP servers
14.8%
POP3S servers
8.9%
IMAPS servers
8.4%
14.000.000 sites
36.7%
US sites
35%
US government servers
cipher suites
explicit list
list operations
cipher preference
Certificate Revocation List
Online Certificate Status Protocol
Responders
Stapling
Certificate validity period
Location
CRL
✗
Access
Size
✗
✗
OCSP
✗
✗
✓
Privacy
✗
✓
OCSP Stapling
✓
✓
✓
✓
Full Chain
✗
✓
✓
OCSP Multi Stapling
✓
✓
✓
✓
✓
?
Support
✓
✓
✓
Hack proof
✗
✗
✗
✗
Key Exchange
Session Resumption
Revocation Check
Performance
Support
Diffie–Hellman
(DH)
Rivest–Shamir–Adleman
(RSA)
Elliptic-curve
Diffie–Hellman
(ECDH)
Elliptic-curve
Diffie–Hellman Ephemeral
(ECDHE)
Diffie-Hellman Ephemeral
(DHE)
anonymous
(NULL)
Rivest–Shamir–Adleman
(RSA)
Elliptic Curve
Digital Signature Algorithm
(ECDSA)
Digital Signature Algorithm
(DSA)
Edwards-Curve
Digital Signature Algorithm
(EdDSA)
Rivest Cipher 4
(ARCFOUR/RC4)
ChaCha
(ChaCha20)
Block Size of 64 bits
(DES, 3DES, GHOST, IDEA, RC2)
Advanced Encryption Standard
(AES128, AES256)
CBC mode only
(SEED)
Far East
(ARIA, Camellia)
Cipher Block Chaining
(CBC)
Galois/Counter Mode
(GCM)
Counter with CBC-MAC
(CCM/CCM-8)
Message-Digest Algorithm 5
(MD5)
Poly1305
(POLY1305)
Secure Hash Algorithm 2
(SHA256, SHA384)
Secure Hash Algorithm 1
(SHA-1)
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
TLS_CHACHA20_POLY1305_SHA256
Certificate Revocation List
Online Certificate Status Protocol
Responders
Stapling
session resumption
(session id)
session resumption without server-side state
(session ticket)
static pre-shared-key
(PSK_KE)
ephemeral pre-shared-key
(PSK_DHE_KE)
Handshake
Resumption
Application layer
Most popular
(Chrome/Chromium, Firefox)
Less popular
(Apple, Edge)
Most popular
(Apache, NGINX)
Less popular
(IIS, Lighty)
Most popular
(Cloudflare, KeyCDN)
Most popular
(OpenSSL, GnuTLS)
Less popular
(Boring SSL, Fizz)
Automatic Redirection to HTTPS
Security Headers
Automatic Redirect to HTTPS
Public Key Pinning
Defense against
Clickjacking
Content Injection Attacks
Cross-site scripting
setenv.add-response-header=("Strict-Transport-Security"=>"Value")
add_header Strict-Transport-Security 'Value' always;
Header always set Strict-Transport-Security "Value"
max-age=63072000; includeSubdomains;
preload
setenv.add-response-header=("Public-Key-Pins"=>"Value")
add_header Public-Key-Pins 'Value' always;
Header always set Public-Key-Pins "Value"
pin-sha256="GRAH5Ex+kB4cCQi5gMU82urf...";
report-uri="https://example.com/report/hpkp";
max-age=15768000;
includeSubDomains
setenv.add-response-header=("Expect-Staple"=>"Value")
add_header Expect-Staple 'Value' always;
Header always set Expect-Staple "Value"
max-age=31536000;
report-uri="https://example.com/report/staple";
includeSubDomains;
preload
setenv.add-response-header=("Expect-Staple"=>"Value")
add_header Expect-Staple 'Value' always;
Header always set Expect-Staple "Value"
max-age=31536000;
report-uri="https://example.com/report/staple";
enforce
setenv.add-response-header=("X-Frame-Options"=>"Value")
add_header X-Frame-Options "Value" always;
Header always set X-Frame-Options "Value"
deny/sameorigin
setenv.add-response-header=("X-XSS-Protection"=>"Value")
add_header X-XSS-Protection "Value" always;
Header always set X-XSS-Protection "Value"
X-XSS-Protection: 1; mode=block
setenv.add-response-header=("Feature-Policy"=>"Value")
add_header Feature-Policy "Value" always;
Header always set Feature-Policy "Value"
microphone 'none';
geolocation ''*'';
payment 'self';
...
setenv.add-response-header=("Content-Security-Policy"=>"Value")
add_header Content-Security-Policy "Value" always;
Header always set Content-Security-Policy "Value"
default-src https://same.domain:443
Configuration
Updates
Snippet
Generators
Checkers
Online
Offline
ssl.use-sslv2 = "disable" ...
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol +TLSv1.2 +TLSv1.3
!TLSv1.1 !TLSv1.0 !TLSv1 !SSLv2 !SSLv3
ssl.cipher-list = "CipherSuiteString"
ssl_ciphers CipherSuiteString
SSLCipherSuite CipherSuiteString
HIGH:!PSK:!SRP:!aNULL:!aDSS:!kRSA:!ARIA:!CAMELLIA:!SHA:!AESCCM
honor-cipher-order = "enable"
ssl_prefer_server_ciphers On;
SSLHonorCipherOrder On
Always On
-
ssl_stapling on;
SSLUseStapling on
Should Be On
Transport Layer Security
Security Headers
By Szilárd Pfeiffer
Attributions: log jam by Luis Prado from the Noun Project
A free software fanatic developer, a security commited engineer, a free-culture enthusiastic jounalist, an agile believer manager.