TLS/HTTPS Security for Web Developers – Scott Helme – NDC Security Gold Coast


NDC Security Australia
29 April to 1 May 2019 – QT Gold Coast, Australia
Get tickets at ndcsecurity.com.au

TLS/HTTPS Security for Web Developers – Scott Helme
Spend two days to understand both the theory and practice of SSL/TLS and Internet PKI

Designed by the author of the much acclaimed Bulletproof SSL and TLS, this practical training course will teach you how to deploy secure servers and encrypted web applications and understand both the theory and practice of Internet PKI.

Why This Course is for You
Understand threats and attacks against encryption
Identify real risks that apply to your systems
Deploy servers with strong private keys and valid certificates
Deploy TLS configurations with strong encryption and forward secrecy
Understand higher-level attacks against web applications
Use the latest defence technologies, such as HSTS, CSP, and HPKP
Learn about key PKI standards and formats
Understand where practice differs from theory
Analyze the certificate lifecycle in detail
Evaluate PKI weaknesses and how they affect you
Deploy robust protection using public key pinning
Learn about what’s coming in the future
Course Outline
On day 1, we’ll focus on what you need in your daily work to deliver the best security, availability and performance, and you will learn how to get an A+ on SSL Labs! On day 2, we will start with the basics and the theory, then discuss how the PKI is implemented in the real world, and finish with a practical example of a realistic private certification authority.

Day 1: The Best TLS Training in the World
1. Introduction

The need for network encryption
Understanding encrypted communication
The role of public key infrastructure (PKI)
SSL/TLS and Internet PKI threat model
2. Keys and certificates

RSA and ECDSA: selecting key algorithm and size
Certificate hostnames and lifetime
Practical work:
Private key generation
Certificate Signing Request (CSR) generation
Self-signed certificates
Obtaining valid certificates from Let’s Encrypt
Sidebar: Revocation
3. Protocols and cipher suites

Protocol security
Key exchange strength
Forward secrecy
Cipher suite configuration
Practical work:
Secure web server configuration
Server testing using SSL Labs
Sidebar: Server Name Indication (SNI)
Sidebar: Performance considerations
4. HTTPS topics

Man in the middle attacks
Mixed content
Cookie security
CRIME: Information leakage via compression
HTTP Strict Transport Security
Content Security Policy
HTTP Public Key Pinning
Practical work:
Deploying HSTS to enforce robust encryption
Deploying CSP to deal with mixed content
5. Putting it all together: Getting A+ in SSL Labs

Day 2: Internet PKI in Depth
1. Introduction

2. Standards

X.509 certificates
Certificate chains
Name constraints
Trust path building
Validation process
3. Internet PKI

Certification Authorities
Relying parties
Certificate types (DV, EV, OV)
Certificate lifecycle (validation, issuance, and revocation)
CA/B Forum and its standards
Weaknesses
History of attacks
4. Revocation

CRL
OCSP
OCSP stapling
CRLSets and OneCRL
Short-lived certificates
5. Defenses

Certification Authority Authorization (CAA)
Public Key Pinning
Static pinning
HPKP
DNSSEC/DANE
6. Certificate Transparency

7. PKI ecosystem monitoring

SSL Pulse
Censys
crt.sh
8. Project: Building and deploying a realistic private CA

We will also provide you with many additional exercises that you can work on in your own time. You’ll be able to ask us for help via email. And if you’re already familiar with the basics, we’ll challenge you with some of the advanced exercises on the day.

Computer setup:

Attendees will need to bring a computer with the following software installed:

Windows users need to download and install PuTTY (link), and Mac users will not need to install anything.
