Bulletproof SSL and TLS (英語) ペーパーバック – 2014/8/1
Kindle 端末は必要ありません。無料 Kindle アプリのいずれかをダウンロードすると、スマートフォン、タブレットPCで Kindle 本をお読みいただけます。
Bulletproof SSL and TLS is a complete guide to using SSL and TLS encryption to deploy secure servers and web applications. Written by Ivan Ristic, the author of the popular SSL Labs web site, this book will teach you everything you need to know to protect your systems from eavesdroppingand impersonation attacks.
In this book, you'll find just the right mix of theory, protocol detail, vulnerability and weakness information, and deployment advice to get your job done:
Comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI, with updates to the digital version
For IT security professionals, help to understand the risks
For system administrators, help to deploy systems securely
For developers, help to design and implement secure web applications
Practical and concise, with added depth when details are relevant
Introduction to cryptography and the latest TLS protocol version
Discussion of weaknesses at every level, covering implementation issues, HTTP and browser problems, and protocol vulnerabilities
Coverage of the latest attacks, such as BEAST, CRIME, BREACH, Lucky 13, RC4 biases, Triple Handshake Attack, and Heartbleed
Thorough deployment advice, including advanced technologies, such as Strict Transport Security, Content Security Policy, and pinning
Guide to using OpenSSL to generate keys and certificates and to create and run a private certification authority
Guide to using OpenSSL to test servers for vulnerabilities
Practical advice for secure server configuration using Apache httpd, IIS, Java, Nginx, Microsoft Windows, and Tomcat
Ivan Ristic is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools and guides published on the SSL Labs web site. He is the author of two books, Apache Security and ModSecurity Handbook, which he publishes via Feisty Duck, his own platform for continuous writing and publishing. Ivan is an active participant in the security community and you'll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. He's currently Director of Application Security Research at Qualys.
As a software engineer, I read a lot of technical books. It's rare to see a book like this which combines so many different elements into a cohesive book. It could be split up into 2 books: one on the history/context of the development and vulnerabilities of SSL/TLS and another on using OpenSSL, configuring certs and servers. I'm glad it's all one book so I only need to recommend one! There aren't many books like this on the market on any topic. It's rare to see someone cover the basics of the theory, summary of attacks and mitigations, and trade-offs with deploying in the real world.
The book's binding and paper is great as well. If you properly break in the book, it will lie flat all the way from page 30 onward. I didn't have any problems reading it on a bed. I read this cover to cover in part of a weekend. It was a quick, fun and informative read. After reading this, you should be ready to dive into the RFCs.
My criticism is light. I don't think the wikipedia references have much value. Everyone knows you can search for things. I think using the URL shortener links are annoying. What happens when your server goes down? And I wish there was a quick reference appendix at the end which summarizes recommended future reading. There were some book recommendations throughout the book and a summary of important RFCs. It would be nice to have that all in one place.
Disclaimer: I skipped the Microsoft IIS hardening chapter.
I read the Amazon reviews of this book before buying it, and I was a bit skeptical. However my skepticism was wrong; this book should be reference material for any sysadmin or developer. It really is that good.
I won't bother with the chapter-by-chapter synopsis. All you need to know is if you are interested in SSL/TLS, encryption, relevant hardening techniques and testing/verification (mainly via OpenSSL), etc., then this book is for you. The author runs SSLlabs. If you have ever tested your public site for BEAST,POODLE, etc., chances are you have used his site.
Things this book does really well:
- Give a comprehensive view of encryption, known weaknesses and attacks, and implementation suggestions and tips. I really can't think of a systems or programming book that nails a relatively niche subtopic in IT as well.
- The author does a very good job of giving concrete real-world examples wherever and whenever possible.
- While pretty technical, the language used in the book is pretty conversant. There is very little "hard math" if that's a concern.
- The author is clearly an expert in SSL/TLS encryption. It is rare to read an introduction to normally rehashed material and say to yourself, 'Wait, it's THAT guy?"
- Brings up Linux, OSX and Windows-specific notes. Conceptually the book is platform agnostic though. It is a nice mix between theoretical and practical.
Thing that this book falls short on (keep in mind, these are very minor...not enough even to dock it a star):
- The content is a bit stale. The original was published in 2014 and the first revision in 2015. Now that it is 2017, updated notes on the topics listed above would be nice, especially regarding suggested cipher suites, etc. However I know this is very hard in technical print media.
- The amount of footnotes is staggering. The footnotes are practically all URL-shortened links to reference material. That's far from a bad thing normally, however they probably average out to 1-2 a page. It is not feasible to read them all.
This is seriously a great book on SSL/TLS encryption. It should be required for any graduating CS/S college types, any professional sysadmin regardless of their OS, anyone in the IT/IS security world, and any developer that plans on releasing code that will ever touch a network
Encryption isn't going away. It is in everyone's interest listed above to get familiar with the details of TLS unless they want to end up with a compromised app or website.