
September 09, 2009

SSL Threat Model

SSL is easy to use but also very easy to use incorrectly. The ecosystem, which is built from the specifications, the implementations, the CAs and the PKI, is full of traps, each of which is very easy to fall into. Once I started to spend significant time thinking about SSL, I set out to build a model of the ecosystem, for my own education and to ensure that I understand it all. That's how I arrived at the SSL Threat Model. The image is too big to include here, but just click on the link below to get it:

I do understand that many of the elements in the model need explanations, but the diagram is all I have at the moment. As a matter of fact, the diagram has been sitting in my virtual drawer for months in the hope that I would eventually accompany it with some documentation. But seeing that the documentation is not going to happen any time soon, I decided to go ahead and publish the diagram alone.

Feel free to post comments here, though!


Comments


I know what you mean ... models get bigger and bigger ... and then the blog provider doesn't let you publish stuff coz it is insecure!

BTW, I am trying to reference this blog post from my site; is there an HTML entity I can use for your name?

Don't worry about the correct entity. A humble c is perfectly fine. (The character's code is 0x107, by the way.) I'll have to compare your map to mine to make sure I am not missing anything.

What software did you use to create the nice threat model tree?

Nice mindmap, Ivan. I am not sure if you know, but it is possible to upload a map to the FreeMind gallery and have it viewable by a Flash plug-in. The link is

http://freemind.sourceforge.net/wiki/index.php/Mind_Map_Gallery

and I have put quite a few maps under the technology, section 1.1.

rgs Luke

Thanks Luke, I didn't know that. The Flash viewer looks very useful; I will look into it.
