DigiCert® SSL/TLS Best Practice Workshop Student Guide 2020-03 v1 © 2020 DigiCert, Inc. All rights reserved. DigiCert is a registered trademark of DigiCert, Inc. in the USA and elsewhere. All other trademarks and registered trademarks are the property of their respective owners. DIGICERT® BEST PRACTICE WORKSHOP 1 Table of Contents Acronyms ................................................................................................................................................ 4 Introduction ............................................................................................................................................ 5 SSL Overview ........................................................................................................................................... 7 SSL & TLS ............................................................................................................................................. 7 SSL Certificates .................................................................................................................................. 12 Subject........................................................................................................................................... 13 Certificate Extensions ................................................................................................................... 13 Certificate Formats ........................................................................................................................... 14 Certificate Signing Request (CSR) .................................................................................................. 15 SAN & Wildcard ............................................................................................................................. 16 Public SSL Certificates ....................................................................................................................... 17 DV Certificates............................................................................................................................... 17 OV Certificates .............................................................................................................................. 18 EV Certificates ............................................................................................................................... 19 Domain Validation ........................................................................................................................ 20 Organisation Validation ................................................................................................................ 22 Extended Validation ...................................................................................................................... 23 How SSL Works ................................................................................................................................. 24 SSL Handshake .............................................................................................................................. 28 Authority Information Access (AIA) .............................................................................................. 30 Certificate Revocation List (CRL) ................................................................................................... 33 Online Certificate Status Protocol (OCSP) ..................................................................................... 33 SSL Protocols & Algorithms ............................................................................................................... 36 RSA ................................................................................................................................................ 36 Diffie-Hellman ............................................................................................................................... 38 Elliptic Curve Cryptography ........................................................................................................... 39 SSL Handshake Details ...................................................................................................................... 39 Session Resumption ...................................................................................................................... 43 Forward Secrecy ................................................................................................................................ 44 Cipher Suites ..................................................................................................................................... 48 SSL Risks & Vulnerabilities .................................................................................................................... 51 Expired/misconfigured Certificates .................................................................................................. 51 Self-signed & Vendor Certificates ..................................................................................................... 54 Attacks on SSL ................................................................................................................................... 56 DIGICERT® BEST PRACTICE WORKSHOP 2 Phishing ............................................................................................................................................. 58 Attacks on Certificate Authorities ..................................................................................................... 61 Case Studies ...................................................................................................................................... 62 Industry Trends ..................................................................................................................................... 64 CA/Browser Forum Requirements .................................................................................................... 64 Certificate Transparency (CT)............................................................................................................ 65 Certificate Authority Authorization (CAA) ........................................................................................ 71 Examples ....................................................................................................................................... 72 Certificate Pinning ............................................................................................................................. 73 Enforcing HTTPS ................................................................................................................................ 76 “Always-on” SSL ................................................................................................................................ 80 HTTP/2 .............................................................................................................................................. 81 Signed HTTP Exchanges (SXG) ........................................................................................................... 83 Implementing SXG......................................................................................................................... 83 Delegated Credentials ....................................................................................................................... 84 Automatic Certificate Management Environment (ACME) .............................................................. 85 SSL/TLS Best Practice ............................................................................................................................ 86 Security ............................................................................................................................................. 86 Identify .......................................................................................................................................... 87 Remediate ..................................................................................................................................... 88 Protect ........................................................................................................................................... 90 Monitor ......................................................................................................................................... 91 Performance ..................................................................................................................................... 92 Optimize cryptography ................................................................................................................. 92 Use session resumption ................................................................................................................ 92 Use HTTP/2 ................................................................................................................................... 93 Use a CDN...................................................................................................................................... 93 Use OCSP Stapling ......................................................................................................................... 93 Case Study Exercise ............................................................................................................................... 95 About DigiBank ................................................................................................................................