
Ask HN: Want to study SSL, HTTPS, and the works. Where to start? - surds
I want to study SSL, HTTPS, CAs, certificates, installation and management of certificates, and other things that I probably don't know about this domain.

Where do I start? Any advice as well as references to blogs, books or papers is appreciated. I am fairly technically competent, so technically heavy references are okay.
======
tialaramex
I recommend beginning at the fundamentals. For example, here's a video that
walks through Diffie-Hellman so that anybody can follow it. You can probably
sprint through it, but by taking it slow they avoid accidentally forgetting
anything important.

[https://www.youtube.com/watch?v=YEBfamv-_do](https://www.youtube.com/watch?v=YEBfamv-_do)

Grasping the fundamentals means that when it comes to policy decisions (e.g.
in the management of certificates) you can see what the consequences of a
particular decision are, rather than just hoping that whoever proposed that
policy knew what they were doing.

For example, I think a lot of people today use Certificate Signing Request
(CSR) files without understanding them at all. But once you have a grounding
in the underlying elements you can see at once what the CSR does, and why it's
necessary without needing to have that spelled out separately.

Or another example, understanding what was and was not risky as a result of
the known weakness of SHA-1. I saw a lot of scare-mongering by security people
who saw the SHA-1 weakness as somehow meaning impossible things were now
likely, but it only affected an important but quite narrow type of usage;
people who understood that could make better, more careful decisions without
putting anybody at risk.
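
An added example of the Diffie-Hellman point above, not part of tialaramex's comment: the exchange run with the openssl command line (ECDH on P-256, since `openssl pkeyutl -derive` makes the two halves of the protocol explicit), first honestly and then with a third party swapping the public values in transit. Party names and file names are made up; it needs the `openssl` CLI and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example: (EC) Diffie-Hellman with the openssl CLI, honest and then with
# a man-in-the-middle. Party and file names are invented; not production code.
set -eu

W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# gen_keypair NAME: NAME.key stays private, NAME.pub is the value sent over the wire.
gen_keypair() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$W/$1.key" 2>/dev/null
    openssl pkey -in "$W/$1.key" -pubout -out "$W/$1.pub"
}

# derive OWN PEER: the secret OWN computes from PEER's public value, as hex.
derive() {
    openssl pkeyutl -derive -inkey "$W/$1.key" -peerkey "$W/$2.pub" \
        | od -An -tx1 | tr -d ' \n'
}

# Honest run: Alice and Bob swap public values and arrive at the same secret.
honest_exchange() {
    gen_keypair alice
    gen_keypair bob
    a=$(derive alice bob)
    b=$(derive bob alice)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# Same run, but Mallory substitutes her own public value for each side's.
# Nothing in the maths lets Alice or Bob notice: a public value is just a point.
mitm_exchange() {
    gen_keypair alice
    gen_keypair bob
    gen_keypair mallory
    a=$(derive alice mallory)     # Alice believes mallory.pub came from Bob
    b=$(derive bob mallory)       # Bob believes mallory.pub came from Alice
    ma=$(derive mallory alice)    # Mallory's secret shared with Alice
    mb=$(derive mallory bob)      # Mallory's secret shared with Bob
    if [ -n "$a" ] && [ "$a" = "$ma" ] && [ "$b" = "$mb" ] && [ "$a" != "$b" ]; then
        echo intercepted          # two sessions, both readable by Mallory
    else
        echo failed
    fi
}

echo "honest exchange:            $(honest_exchange)"
echo "with Mallory in the middle: $(mitm_exchange)"
```

The second run is why the rest of this thread exists: the key agreement guarantees that whoever you exchanged values with shares your secret, not that it was Bob. Binding a public value to a name is the job of a certificate, and the CSR is how a key holder asks a CA to do that binding.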

------
ZoFreX
I'm more of a learning by doing person. Here are three exercises that you'll
learn a lot doing:

1) [https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/) - try
to get an A+. It's not important in most cases in practice, but you'll
learn a lot getting there. Their rating guide is also handy:
[https://github.com/ssllabs/research/wiki/SSL-Server-Rating-G...](https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide)

2) MITM yourself. I've done this using Charles, you can do it with any HTTP
proxy that lets you rewrite requests on the fly - I hear Fiddler is popular.
MITM yourself and try changing the page for an HTTP site. Then try doing it on
a website that is part HTTP, part HTTPS (e.g. HTTPS for the login page) and
"steal your password". Try again on a website that redirects from HTTP to
HTTPS using a 301 but does not have HSTS. Finally try on a site with HSTS (nb:
you won't manage this one). Congratulations, you now truly understand why HSTS
is important and what it does better than most people!

3) Set up HTTPS on a website. You've probably already done this. In which case
maybe do it with LetsEncrypt for an extra challenge?

~~~
surds
That's awesome. I prefer to learn by doing too. It is way more effective and
practical. Thanks for the advice. These steps, along with a book to read on
the topic, should work very well! Thanks!

------
indescions_2017
Check out High Performance Browser Networking. Ilya Grigorik is a very smart
cookie and will take you right up to the present day state-of-the-art:

[https://hpbn.co/](https://hpbn.co/)

~~~
surds
That's a sweet resource. Thanks!

------
AaronSmith
To study SSL, HTTPS and CAs, including installation and management of SSL
certificates, you can consider the following references:

[https://www.sslshopper.com/what-is-ssl.html](https://www.sslshopper.com/what-is-ssl.html)

[https://www.cheapsslshop.com/blog](https://www.cheapsslshop.com/blog)

[https://www.whichssl.com/what-is-ssl.html](https://www.whichssl.com/what-is-ssl.html)

------
moondev
I learn best by example, and I have learned so much just by evaluating and
implementing hashicorp vault:
[https://www.vaultproject.io/docs/secrets/pki/index.html](https://www.vaultproject.io/docs/secrets/pki/index.html)

It doesn't hold your hand at all, but it gives you a nice "task" to
accomplish. Reading up on all the terminology and exactly how and why it works
was really fun.

------
schoen
I hear good things about _Bulletproof SSL/TLS_ by Ivan Ristić:

[https://www.feistyduck.com/books/bulletproof-ssl-and-tls/](https://www.feistyduck.com/books/bulletproof-ssl-and-tls/)

There was also a nice web page presenting all kinds of PKI concepts that I
came across a few years ago but haven't been able to find since then. :-(

~~~
surds
That book should cover pretty much all that I am concerned with. Thanks!

