Announcing Bulletproof SSL and TLS

May 22, 2013

For those of you who have been following my blog, or my work on the SSL Labs web site, it won't come as a surprise that my next book is about SSL/TLS and PKI, and all the related things you need to know if you want to use these technologies.

Bulletproof SSL and TLS is the book I wish I had back when I was starting to get involved with SSL. I don't remember when exactly that was, but I do remember how, when I was writing my first book, Apache Security, I began to appreciate cryptography. I began to like it, even. Before, SSL seemed simple to me; but then I realised how vast the world of cryptography actually is.

In 2009 I began to work on SSL Labs, and, for me, that world began to unravel. Fast-forward a couple of years, and in 2013 I still feel like I am only starting. Cryptography is a unique field where the more you learn the less you know.

In supporting the SSL Labs users over the years, I've realised that there is a lot of documentation on SSL/TLS and PKI, but that it suffers from two problems: (1) it's not documented in one place, and so the little bits and pieces (e.g., RFCs) are difficult to find, and (2) it tends to be very detailed and low-level. I needed years of effort to begin to understand how everything fits together.

Bulletproof SSL and TLS aims to address the documentation gap, offering a very practical book that paints the whole picture and then proceeds to discuss the bits and pieces that you need in daily work, going as deep as needed to explain what you need to know.

At this point, the manuscript is about 120 pages long, which I estimate to be between 30% and 50% of the finished book. I expect the book will be available in Autumn. Until then, I have a little treat for you: if you head over to the Feisty Duck web site, I am releasing the main OpenSSL chapter as a standalone free ebook called OpenSSL Cookbook. It's about 50 pages at the moment, but I hope that grows longer over time. Qualys has graciously allowed me to include the SSL/TLS Deployment Best Practices document in the appendix.