The Best TLS Training in the World presented at AppSecCali 2017

by Scott Helme,

Summary: Spend a full day understanding both the theory and practice of SSL/TLS.
Designed by the author of the much acclaimed Bulletproof SSL and TLS, this practical course will teach you how to deploy secure servers and encrypted web applications during a day packed with theory and practical work. We’ll focus on what you need in your daily work to deliver the best security, availability and performance. And you will learn how to get an A+ on SSL Labs!
Why This Course is for You
Understand threats and attacks against encryption
Identify real risks that apply to your systems
Deploy servers with strong private keys and valid certificates
Deploy TLS configurations with strong encryption and forward secrecy
Understand higher-level attacks against web applications
Use the latest defence technologies, such as HSTS, CSP, and HPKP
Course Outline
The need for network encryption
Understanding encrypted communication
The role of public key infrastructure (PKI)
SSL/TLS and Internet PKI threat model
Keys and certificates
RSA and ECDSA: selecting key algorithm and size
Certificate hostnames and lifetime
Practical work:
Private key generation
Certificate Signing Request (CSR) generation
Self-signed certificates
Obtaining valid certificates from Let’s Encrypt
Sidebar: Revocation
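The practical work above (private key, CSR, self-signed certificate) as one OpenSSL script. This is an added example, not the course's own material; the hostname www.example.com, the second SAN example.com and the working directory are assumptions, and nothing here contacts a CA. The Let's Encrypt step is left out because it needs a reachable server; the CSR produced here is the artefact you would hand to an ACME client.

```sh
#!/bin/sh
# Added example, not part of the course material: generate a private key, a
# CSR with SubjectAltName entries, and a self-signed certificate with OpenSSL,
# then check that the pieces belong together. The hostname and the working
# directory are assumptions; nothing here talks to a CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-www.example.com}"   # assumed hostname, for illustration only

# ECDSA on P-256: small keys, fast handshakes, supported by all modern clients.
gen_ec_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
    chmod 600 "$WORK/ec.key"      # a private key must never be world-readable
}

# RSA 2048 for legacy clients; anything shorter is not acceptable today.
gen_rsa_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rsa.key"
    chmod 600 "$WORK/rsa.key"
}

# Request config: browsers match the hostname against subjectAltName, not the
# CN, so every name the certificate must cover goes into the SAN list.
write_req_config() {
    cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $HOST
[ext]
subjectAltName = DNS:$HOST, DNS:example.com
EOF
}

# CSR signed with the EC key; this is what you hand to a CA or ACME client.
gen_csr() {
    openssl req -new -key "$WORK/ec.key" -config "$WORK/req.cnf" -out "$WORK/ec.csr"
}

# Self-signed certificate for local testing only; no browser will trust it.
gen_self_signed() {
    openssl req -x509 -new -key "$WORK/ec.key" -config "$WORK/req.cnf" \
        -extensions ext -days 30 -out "$WORK/self.crt"
}

# Checks; each returns 0 on success so deployment scripts can gate on them.
csr_has_san() {
    openssl req -noout -text -in "$WORK/ec.csr" | grep -q "DNS:$HOST"
}
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/ec.key" -pubout)" = \
      "$(openssl x509 -in "$WORK/self.crt" -pubkey -noout)" ]
}
cert_not_expired() {
    openssl x509 -in "$WORK/self.crt" -noout -checkend 0
}
# Modulus size in bits as reported by OpenSSL (2048 expected for the RSA key).
rsa_key_bits() {
    openssl rsa -in "$WORK/rsa.key" -noout -text \
        | sed -n 's/.*(\([0-9]\{1,\}\) bit.*/\1/p' | head -n 1
}

run_all() {
    gen_ec_key; gen_rsa_key; write_req_config; gen_csr; gen_self_signed
    csr_has_san && key_matches_cert && cert_not_expired \
        && echo "key, CSR and certificate in $WORK are consistent"
}

run_all
```

The key-to-certificate comparison is the check to keep around: a certificate that was issued for a different key than the one the server loads is the most common cause of a handshake failure right after a renewal.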
Protocols and cipher suites
Protocol security
Key exchange strength
Forward secrecy
Cipher suite configuration
Practical work:
Secure web server configuration
Server testing using SSL Labs
Sidebar: Server Name Indication (SNI)
Sidebar: Performance considerations
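The "secure web server configuration" exercise, as an added example that is not part of the course material: an nginx server block with weak protocol and cipher settings next to a corrected one, and a small audit that expands the cipher string with `openssl ciphers -v` to count suites without forward secrecy. Both configurations are constructed for illustration; the directive names are nginx's own and the cipher names are OpenSSL's.

```sh
#!/bin/sh
# Added example, not part of the course material: audit the TLS settings of an
# nginx server block. Both configs below are constructed for illustration; the
# directive names are nginx's own, the cipher names are OpenSSL's.
set -eu

# Weak: obsolete protocol versions enabled, and a cipher string that still
# admits plain-RSA key exchange (no forward secrecy).
WEAK_CONF='
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}'

# Corrected: TLS 1.2 and 1.3 only, AEAD suites with ECDHE key exchange only.
STRONG_CONF='
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
}'

# Value of one directive from config text on stdin (first occurrence).
directive() {   # usage: printf '%s' "$conf" | directive ssl_ciphers
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p" | head -n 1
}

# Number of enabled protocol versions that must no longer be offered.
obsolete_protocols() {
    printf '%s' "$1" | directive ssl_protocols | tr ' ' '\n' \
        | grep -c -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' || true
}

# Expand the cipher string the way nginx/OpenSSL will and count suites whose
# key exchange is plain RSA (Kx=RSA or Kx=RSAPSK). TLS 1.3 suites are listed
# as Kx=any and are always ephemeral, so they are never counted.
non_fs_suites() {
    spec=$(printf '%s' "$1" | directive ssl_ciphers)
    openssl ciphers -v "$spec" | awk '$3 ~ /^Kx=RSA/ { n++ } END { print n + 0 }'
}

# Names of the weak suites, so the operator can see what the string admits.
list_non_fs_suites() {
    spec=$(printf '%s' "$1" | directive ssl_ciphers)
    openssl ciphers -v "$spec" | awk '$3 ~ /^Kx=RSA/ { print $1 }'
}

audit() {
    printf 'obsolete protocol versions: %s\n' "$(obsolete_protocols "$1")"
    printf 'suites without forward secrecy: %s\n' "$(non_fs_suites "$1")"
}

echo "== weak =="; audit "$WEAK_CONF"; list_non_fs_suites "$WEAK_CONF"
echo "== corrected =="; audit "$STRONG_CONF"
```

The exact number of non-forward-secret suites the weak string admits depends on the OpenSSL build, which is the point of expanding it locally instead of reading the string: `HIGH:!aNULL:!MD5` looks strict but says nothing about key exchange.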
HTTPS topics
Man in the middle attacks
Mixed content
Cookie security
CRIME: Information leakage via compression
HTTP Strict Transport Security
Content Security Policy
HTTP Public Key Pinning
Practical work:
Deploying HSTS to enforce robust encryption
Deploying CSP to deal with mixed content
Putting it all together: Getting A+ in SSL Labs
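The HSTS, cookie and CSP checks from the HTTPS section, run over a captured set of response headers. This is an added example, not the course's own material: both header sets are constructed (they are not from any real site), and the thresholds follow the HSTS preload list's published requirements. HPKP, also on the outline, is deliberately not checked here: browsers have since removed support for it.

```sh
#!/bin/sh
# Added example, not part of the course material: check the HTTPS hardening
# headers in a captured response (as printed by `curl -sI https://host/`).
# Both header sets below are constructed; they are not from any real site.
set -eu

WEAK_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Set-Cookie: session=abc123; Path=/
Content-Security-Policy: default-src https:'

STRONG_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Security-Policy: default-src https:; upgrade-insecure-requests'

# Value of the first header with the given (case-insensitive) name.
header() {  # usage: printf '%s' "$headers" | header Strict-Transport-Security
    tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# HSTS max-age in seconds, 0 when the header is missing.
hsts_max_age() {
    printf '%s' "$1" | header Strict-Transport-Security \
        | sed -n 's/.*max-age=\([0-9]\{1,\}\).*/\1/p' | grep . || echo 0
}

# Preload-list requirements: max-age of at least one year, plus the
# includeSubDomains and preload directives.
hsts_preload_ready() {
    v=$(printf '%s' "$1" | header Strict-Transport-Security)
    [ "$(hsts_max_age "$1")" -ge 31536000 ] \
        && printf '%s' "$v" | grep -qi 'includeSubDomains' \
        && printf '%s' "$v" | grep -qi 'preload'
}

# Set-Cookie headers lacking Secure (else sent over plain HTTP) or HttpOnly
# (else readable by injected script).
insecure_cookies() {
    all=$(printf '%s\n' "$1" | tr -d '\r' | grep -ci '^Set-Cookie:' || true)
    ok=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Set-Cookie:' \
        | grep -iE ';[[:space:]]*Secure[[:space:]]*(;|$)' \
        | grep -ciE ';[[:space:]]*HttpOnly[[:space:]]*(;|$)' || true)
    echo $((all - ok))
}

# A CSP directive that keeps the page free of mixed content.
csp_handles_mixed_content() {
    printf '%s' "$1" | header Content-Security-Policy \
        | grep -qiE 'upgrade-insecure-requests|block-all-mixed-content'
}

# Number of findings; 0 means all three checks passed. Details go to stderr.
audit_findings() {
    n=0
    hsts_preload_ready "$1" || { echo "HSTS not preload-ready" >&2; n=$((n + 1)); }
    c=$(insecure_cookies "$1")
    [ "$c" -eq 0 ] || { echo "$c cookie(s) lack Secure/HttpOnly" >&2; n=$((n + c)); }
    csp_handles_mixed_content "$1" \
        || { echo "CSP does not upgrade or block mixed content" >&2; n=$((n + 1)); }
    echo "$n"
}

echo "weak response: $(audit_findings "$WEAK_HEADERS") finding(s)"
echo "hardened response: $(audit_findings "$STRONG_HEADERS") finding(s)"
```

Roll HSTS out with a short max-age first and raise it once you are sure every subdomain serves HTTPS; the preload flag is a one-way door, which is why the check insists on all three directives rather than on the header merely being present.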
We will also provide you with many additional exercises that you can work on in your own time. You'll be able to ask us for help via email. And if you're already familiar with the basics, we'll challenge you with some of the advanced exercises on the day.