DigiCert® SSL/TLS Best Practice Workshop Student Guide 2021-02 v1 © 2021 DigiCert, Inc. All rights reserved. DigiCert is a registered trademark of DigiCert, Inc. in the USA and elsewhere. All other trademarks and registered trademarks are the property of their respective owners. DIGICERT® BEST PRACTICE WORKSHOP 1 Table of Contents Acronyms ................................................................................................................................................ 5 Introduction ............................................................................................................................................ 6 SSL Overview ........................................................................................................................................... 8 SSL & TLS ............................................................................................................................................. 8 Domain Name System (DNS) ............................................................................................................ 14 SSL Certificates .................................................................................................................................. 15 Subject........................................................................................................................................... 16 Certificate Extensions ................................................................................................................... 16 Certificate Formats ........................................................................................................................... 17 Certificate Signing Request (CSR) .................................................................................................. 18 SAN & Wildcard ............................................................................................................................. 19 Public SSL Certificates ....................................................................................................................... 20 DV Certificates............................................................................................................................... 21 OV Certificates .............................................................................................................................. 21 EV Certificates ............................................................................................................................... 22 Domain Validation ........................................................................................................................ 23 Organisation Validation ................................................................................................................ 26 Extended Validation ...................................................................................................................... 27 How SSL Works ................................................................................................................................. 28 SSL Handshake .............................................................................................................................. 32 Authority Information Access (AIA) .............................................................................................. 34 Certificate Revocation List (CRL) ................................................................................................... 38 Online Certificate Status Protocol (OCSP) ..................................................................................... 39 SSL Protocols & Algorithms ............................................................................................................... 42 RSA ................................................................................................................................................ 42 Diffie-Hellman ............................................................................................................................... 44 Elliptic Curve Cryptography ........................................................................................................... 45 SSL Handshake Details ...................................................................................................................... 45 Session Resumption ...................................................................................................................... 49 Forward Secrecy ................................................................................................................................ 50 Cipher Suites ..................................................................................................................................... 54 SSL Risks & Vulnerabilities .................................................................................................................... 56 Expired/misconfigured Certificates .................................................................................................. 56 Self-signed & Vendor Certificates ..................................................................................................... 59 DIGICERT® BEST PRACTICE WORKSHOP 2 Attacks on SSL ................................................................................................................................... 61 Phishing ............................................................................................................................................. 64 Attacks on Certificate Authorities ..................................................................................................... 67 Case Studies ...................................................................................................................................... 68 Industry Trends ..................................................................................................................................... 70 CA/Browser Forum Requirements .................................................................................................... 70 Certificate Transparency (CT)............................................................................................................ 72 Certificate Authority Authorization (CAA) ........................................................................................ 78 Examples ....................................................................................................................................... 79 Certificate Pinning ............................................................................................................................. 80 What can go wrong with Certificate Pinning? .............................................................................. 81 Enforcing HTTPS ................................................................................................................................ 82 “Always-on” SSL ................................................................................................................................ 86 HTTP/2 .............................................................................................................................................. 87 Encrypting DNS: DoH & DoT ............................................................................................................. 88 Signed HTTP Exchanges (SXG) ........................................................................................................... 89 Implementing SXG......................................................................................................................... 90 Delegated Credentials ....................................................................................................................... 91 Automatic Certificate Management Environment (ACME) .............................................................. 92 SSL/TLS Best Practice ............................................................................................................................ 93 Security ............................................................................................................................................. 93 Identify .......................................................................................................................................... 94 Remediate ..................................................................................................................................... 95 Protect ........................................................................................................................................... 97 Monitor ......................................................................................................................................... 99 Performance ................................................................................................................................... 100 Optimize cryptography ............................................................................................................... 100 Use session resumption .............................................................................................................. 101 Use HTTP/2 ................................................................................................................................. 101 Use a CDN...................................................................................................................................