Understanding and Securing TLS

Readings

Background

Wikipedia’s Transport Layer Security page includes an extensive summary of TLS vulnerabilities.

The First Few Milliseconds of an HTTPS Connection, Jeff Moser, 2009.
Discussion about TLS 1.2/1.3 updates

Protocol Specification

The Transport Layer Security (TLS) Protocol Version 1.3 (Internet Draft; the 22 December 2016 draft is the latest version as of 29 December 2016.)

Earlier versions:

Protocol Analysis

David Wagner, Bruce Schneier. Analysis of the SSL 3.0 Protocol. In Second USENIX Workshop on Electronic Commerce Proceedings, 1996. [PDF]

Attacks

RFC on known attacks: Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS). Y. Sheffer, et al. RFC 7457. February 2015. [HTML] [PDF]

Daniel Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. CRYPTO 1998. [PDF]

Serge Vaudenay. Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS…. EUROCRYPT 2002. [PDF]

David Brumley and Dan Boneh. Remote Timing Attacks are Practical. USENIX Security Symposium 2003, and Computer Networks, August 2005. [PDF]

Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux. Password Interception in a SSL/TLS Channel. CRYPTO 2003. [PDF]

Thai Duong and Juliano Rizzo. Here Come The ⊕ Ninjas. 2011. [PDF]

Nadhem AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C.N. Schuldt. On the Security of RC4 in TLS. USENIX Security Symposium 2013. [PDF] [Video]

Nadhem J. AlFardan and Kenneth G. Paterson. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. IEEE Symposium on Security and Privacy (Oakland) 2013. [PDF] [Website]

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. 22nd ACM Conference on Computer and Communications Security (CCS ’15), October 2015. [PDF] [Website]

Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt. DROWN: Breaking TLS using SSLv2. 25th USENIX Security Symposium, Austin, TX, August 2016. [PDF] [Website]

Formal Methods

John C. Mitchell, Vitaly Shmatikov, and Ulrich Stern. Finite-State Analysis of SSL 3.0. USENIX Security Symposium, January 1998. [PDF]

Lawrence C. Paulson. Inductive Analysis of the Internet Protocol TLS. ACM Transactions on Information and System Security, August 1999. [PDF]

Karthikeyan Bhargavan, Ricardo Corin, Cédric Fournet, Eugen Zalinescu. Cryptographically Verified Implementations for TLS. ACM CCS 2008. [PDF]

Tibor Jager, Florian Kohlar, Sven Schäge, and Jörg Schwenk. On the Security of TLS-DHE in the Standard Model. May 2011. [eprint] [PDF]

Hugo Krawczyk, Kenneth G. Paterson, and Hoeteck Wee. On the Security of the TLS Protocol: A Systematic Analysis. CRYPTO 2013. [eprint] [PDF]

Karthikeyan Bhargavan, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub. Implementing TLS with Verified Cryptographic Security. IEEE Symposium on Security and Privacy (Oakland), 2013. [PDF] [Extended Tech Report, PDF]

Karthikeyan Bhargavan, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Santiago Zanella-Béguelin. Proving the TLS Handshake Secure (As It Is). CRYPTO 2014. [PDF]

Implementation Bugs

Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, Vitaly Shmatikov. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. ACM CCS 2012. [PDF]

David Kaloper-Mersinjak, Hannes Mehnert, Anil Madhavapeddy and Peter Sewell. Not-quite-so-broken TLS: lessons in re-engineering a security protocol specification and implementation. USENIX Security 2015. [PDF]

Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, Jean Karim Zinzindohoué. A Messy State of the Union: Taming the Composite State Machines of TLS. IEEE Symposium on Security and Privacy (Oakland) 2015. [PDF] [Talk Video]

Suman Jana, Yuan Kang, Samuel Roth, and Baishakhi Ray. Automatically Detecting Error Handling Bugs using Error Specifications. USENIX Security 2016. [PDF]

Testing

Chad Brubaker, Suman Jana, Baishakhi Ray, Sarfraz Khurshid, Vitaly Shmatikov. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations. IEEE Symposium on Security and Privacy (Oakland) 2014. [PDF]

Benjamin Beurdouche, Antoine Delignat-Lavaud, Nadim Kobeissi, Alfredo Pironti, Karthikeyan Bhargavan. FLEXTLS: A Tool for Testing TLS Implementations. USENIX Workshop on Offensive Technologies, 2015. [PDF]

Measurement

Cristian Coarfa, Peter Druschel, and Dan S. Wallach. Performance Analysis of TLS Web Servers. ACM Transactions on Computer Systems (earlier version in NDSS 2002), February 2006. [PDF]

Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J. Alex Halderman, Vern Paxson. The Security Impact of HTTPS Interception. NDSS 2017. [PDF]

Certificates

Jeremy Clark and Paul C. van Oorschot. SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. IEEE Symposium on Security and Privacy (Oakland) 2013. [PDF]

Dan Wendlandt, David G. Andersen, and Adrian Perrig. Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. USENIX ATC 2008. [PDF] [Project Site]

Certificate Transparency
Let’s Encrypt
ACME

Extensions

David Naylor, Kyle Schomp, Matteo Varvello, Ilias Leontiadis, Jeremy Blackburn, Diego Lopez, Konstantina Papagiannaki, Pablo Rodriguez Rodriguez, and Peter Steenkiste. Multi-Context TLS (mcTLS): Enabling Secure In-Network Functionality in TLS. SIGCOMM 2015. [PDF]

Post-Quantum

Joppe W. Bos, Craig Costello, Michael Naehrig, and Douglas Stebila. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. IEEE Symposium on Security and Privacy (Oakland) 2016. [PDF] [Talk Video]

Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum Key Exchange: A New Hope. USENIX Security Symposium 2016. [PDF] [Talk Video]