Archive
2022
- Bulletproof TLS and PKI, Second Edition is out
February 16, 2022
2021
- OpenSSL Cookbook 3rd Edition now available
February 01, 2021
2020
- Second edition of Bulletproof SSL and TLS now in preview
November 01, 2020
2017
- Announcing Bulletproof SSL and TLS, the 2017 revision
July 11, 2017
- Bulletproof SSL and TLS, three years later
July 04, 2017
- SSL Labs Grading Redesign (Preview 1)
June 30, 2017
- SSL Labs Distrusts WoSign and StartCom certificates
April 05, 2017
- CAA Mandated by CA/Browser Forum
March 13, 2017
- Ticketbleed detection added to SSL Labs
February 23, 2017
- What’s new in SSL Labs 1.26.5
January 13, 2017
2016
- Per-protocol cipher suite detection in SSL Labs
November 29, 2016
- SSL Labs now showing multiple certificate chains
November 22, 2016
- Announcing SSL Labs grading changes for 2017
November 16, 2016
- Is HTTP Public Key Pinning dead?
September 06, 2016
- SSL Labs: Improved suite detection
August 31, 2016
- TLS version intolerance in SSL Pulse
August 02, 2016
- New release of SSL/TLS Deployment Best Practices
June 27, 2016
- Available now: The Best TLS Training in the World
June 15, 2016
- SSL Labs in 2016 and beyond
May 16, 2016
- SSL Labs DROWN test implementation details
March 04, 2016
- DROWN grading update
March 04, 2016
- DROWN abuses SSL v2 to attack TLS
March 01, 2016
2015
- How Bulletproof SSL and TLS is a living book
August 31, 2015
- Introducing TLS Maturity Model
June 08, 2015
- SSL Labs: Increased penalty when TLS 1.2 is not supported
May 22, 2015
- SSL Labs 1.17: RC4, Obsolete Crypto, and Logjam
May 21, 2015
- What's new in SSL Labs 1.16
April 28, 2015
- SSL Labs RC4 deprecation plan
April 23, 2015
- OpenSSL Cookbook 2nd Edition released
March 03, 2015
- Apache Security: free, ten years later
February 26, 2015
- SSL Labs APIs now available in Beta
January 22, 2015
2014
- SSL Labs end of year 2014 updates
December 08, 2014
- POODLE bites TLS
December 08, 2014
- SSL 3 is dead, killed by the POODLE attack
October 15, 2014
- SHA1 deprecation: what you need to know
September 09, 2014
- Bulletproof SSL and TLS proofs on my desk
August 12, 2014
- Bulletproof SSL and TLS has been released!
August 05, 2014
- Bulletproof SSL and TLS June Update: Cryptography, Protocol, and PKI
June 24, 2014
- SSL Labs: New grades for trust (T) and mismatch (M) issues
June 17, 2014
- SSL Pulse: 49% vulnerable to CVE-2014-0224, 14% exploitable
June 13, 2014
- Bulletproof SSL and TLS May Update: Deployment and Performance
May 20, 2014
- SSL Labs test for the Heartbleed attack
April 08, 2014
- Bulletproof SSL and TLS April Update: Attacks and Weaknesses
April 08, 2014
- HTTPS mixed content: still the easiest way to break SSL
March 19, 2014
- Significant SSL/TLS improvements in Java 8
March 11, 2014
- How to build your own test for Apple's TLS authentication bug
March 10, 2014
- Bulletproof SSL and TLS March Update: Protocol Attacks
March 04, 2014
- SSL Labs: Testing for Apple's TLS authentication bug
February 24, 2014
- Checking OCSP revocation using OpenSSL
February 24, 2014
- Bulletproof SSL and TLS available for early access and preorder
February 04, 2014
- SSL Labs: Stricter security requirements for 2014
January 21, 2014
2013
- Apple enabled BEAST mitigations in OS X 10.9 Mavericks
October 31, 2013
- SSL Pulse now tracking Forward Secrecy and RC4
October 09, 2013
- OpenSSL Cookbook v1.1 released
October 08, 2013
- Introducing the SSL Client Test
October 02, 2013
- Open letter from UK security researchers
September 20, 2013
- Updated SSL/TLS Deployment Best Practices deprecates RC4
September 17, 2013
- Is BEAST still a threat?
September 10, 2013
- Increasing DHE strength on Apache 2.4.x
August 15, 2013
- Defending against the BREACH attack
August 07, 2013
- Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
August 05, 2013
- Compiling Apache with static OpenSSL libraries
August 03, 2013
- Deploying Forward Secrecy
June 25, 2013
- Announcing Bulletproof SSL and TLS
May 22, 2013
- RC4 in TLS is broken: Now what?
March 19, 2013
- SSL Labs update increases security requirements
February 07, 2013
2012
- Large-scale passive SSL monitoring at ICSI
November 12, 2012
- Improved passive SSL fingerprinting in sslhaf
October 18, 2012
- CRIME: Information leakage attack against SSL/TLS
September 14, 2012
- Protocol-level evasion of web application firewalls
July 25, 2012
- How good is client-side support for RC4?
July 17, 2012
- Lead application security researcher wanted to join a great team
June 26, 2012
- ModSecurity and ModSecurity Core Rule Set Multipart Bypasses
June 15, 2012
- My Infosecurity London 2012 SSL Panel Notes
May 23, 2012
- Announcing SSL Pulse
April 30, 2012
- Qualys supports reform at CA/Browser Forum
March 30, 2012
- SSL and Browsers: The Pillars of Broken Security
March 07, 2012
- Announcing the SSL/TLS Deployment Best Practices guide
February 23, 2012
- IronBee reboot
February 21, 2012
2011
- TLS Renegotiation and Denial of Service Attacks
October 31, 2011
- Mitigating the BEAST attack on TLS
October 17, 2011
- SSL Labs: Announcing launch of two Convergence notaries
September 29, 2011
- Key SSL/TLS mailing lists to follow
September 26, 2011
- SSL Survey: How many sites support TLS 1.1 and better?
September 23, 2011
- So, what really breaks SSL?
August 09, 2011
- A study of what really breaks SSL
May 25, 2011
- Fresh Internet SSL Survey results (April 2011) available
April 27, 2011
- IronBee versus ModSecurity
March 16, 2011
- IronBee, a new Apache-licensed web application firewall
February 14, 2011
- How to choose a good name for your product or project
February 11, 2011
- Unfortunate current practices for HTTP over TLS
January 19, 2011
2010
- SSL Labs: Added test for ephemeral DH parameters
December 23, 2010
- ModSecurity Handbook Wordle
December 20, 2010
- Apache Security Wordle
December 19, 2010
- Detection of certificate chain issues in SSL Labs
November 30, 2010
- Stop complaining and solve a security problem instead
November 25, 2010
- Debian stable (Lenny) will support secure renegotiation
November 17, 2010
- We're hiring: I have 3 open positions on my WAF team
November 02, 2010
- Private assessment option added to the SSL server test
October 07, 2010
- Disabling SSL renegotiation is a crutch, not a fix
October 06, 2010
- Qualys SSL Labs releases raw data from the Internet SSL survey
October 05, 2010
- Canoe: XSS prevention via context-aware output encoding
September 24, 2010
- Internet SSL Survey 2010 is here!
July 29, 2010
- SSL Labs 1.0.63: Detection and reporting of certificate chain issues
July 13, 2010
- SSL Server Survey: what data are we collecting?
July 02, 2010
- SSL Server Survey: So what's with the 22M invalid certificates claim?
July 02, 2010
- Internet SSL Server Survey at Black Hat USA 2010
July 02, 2010
- SSL Labs assessment engine v1.0.59 improvements
June 17, 2010
- Qualys acquires SSL Labs
June 15, 2010
- Secure renegotiation test added to SSL Labs
May 25, 2010
- Breaking SSL: Why leave to others what you can do yourself
May 21, 2010
- Deep protocol and cipher suite testing in SSL Labs
May 14, 2010
- Speaking on SSL at OWASP AppSec Research in Sweden
April 27, 2010
- Apache Security 1ed now available from Feisty Duck
April 21, 2010
- The state of ModSecurity in March 2010 (Part 2)
April 13, 2010
- Lua Programming Gems PDF now available from Feisty Duck
April 12, 2010
- The state of ModSecurity in March 2010 (Part 1)
March 19, 2010
- ModSecurity Handbook in print
March 15, 2010
- ModSecurity Handbook shipping soon!
March 11, 2010
- Firefox extension installation process vulnerable to MITM attack
February 09, 2010
- SSL Labs using Firefox 3.6 CA certs
January 25, 2010
- Programming in Lua 2ed now sold by Feisty Duck (PDF only)
January 19, 2010
- How to render SSL useless
January 14, 2010
2009
- Testing for SSL renegotiation
December 15, 2009
- HTTP parser for intrusion detection and web application firewalls
November 30, 2009
- Clientless SSL VPN products break the Web
November 30, 2009
- ModSecurity Handbook available for pre-order and early access
November 26, 2009
- Initial test for SSL renegotiation added to SSL Labs
November 17, 2009
- Announcing ModSecurity Handbook
November 16, 2009
- Not just CSRF: SSL Authentication Gap used for credentials theft
November 14, 2009
- Planned usability improvements for ModSecurity 2.6
November 12, 2009
- SSL and TLS Authentication Gap vulnerability discovered
November 05, 2009
- Entropy on a USB stick
October 01, 2009
- The key to successful WAF deployment is getting the ownership right
September 30, 2009
- Analysis of Elliptic Curve support in current browsers
September 29, 2009
- SSL Labs: Improved Elliptic Curve and TLS 1.2 detection
September 22, 2009
- SSL Threat Model
September 09, 2009
- Two bugs in mod_sslhaf fixed
September 04, 2009
- SSL Labs: a batch of small improvements
September 03, 2009
- Tuning ModSecurity Console on Windows
September 01, 2009
- Is RC4 safe for use in SSL?
August 28, 2009
- Black Hat 2009 SSL Review: Breaking the Myths of Extended Validation SSL Certificates (Alexander Sotirov and Mike Zusman)
August 07, 2009
- Black Hat 2009 SSL Review: More Tricks For Defeating SSL In Practice (Moxie Marlinspike)
August 05, 2009
- Black Hat 2009 SSL Review: Black Ops of PKI (Dan Kaminsky)
August 04, 2009
- Improved SSLv2 detection in SSL Labs
August 03, 2009
- TLS Server Name Indication now in Apache
July 29, 2009
- Can you have too much SSL?
July 24, 2009
- Announcing the SSL Server Rating Guide and the Public SSL Server Database
July 22, 2009
- Firefox SSL extensions
July 16, 2009
- Examples of the information collected from SSL handshakes
July 09, 2009
- Analysis of Googlebot's frugal cipher suite list
July 02, 2009
- Improved handling of SSL warnings in Firefox 3.5
July 01, 2009
- HTTP client fingerprinting using SSL handshake analysis
June 17, 2009
- Security researchers ask Google to enable SSL encryption by default
June 16, 2009
- SSL Labs launches
June 15, 2009
- The death of dual-licensing as a commercial open source strategy
May 15, 2009
- How did MySQL become so successful?
May 15, 2009
- Security is difficult; open source security sometimes even more so
March 30, 2009
- ModSecurity training at OWASP AppSec Europe 2009
March 27, 2009
- Read ChangeThis and you may not need to buy a business book ever again
March 18, 2009
- Signing the ModSecurity Contribution Agreement
March 17, 2009
- A taxonomy of open source business models
March 12, 2009
- Dual-licensing for open source businesses
March 09, 2009
- D.J. Bernstein, I salute you!
March 06, 2009
- Is that open source project secure (enough)?
March 03, 2009
- Application security, Italian style
March 02, 2009
- Apache Security Model
February 18, 2009
- The worst idea ever: Let's break SSL for mobile users
January 31, 2009
- On technical writers and their wives
January 14, 2009
2008
- Will the real John Viega please stand up?
December 31, 2008
- HOWTO: Create a rogue CA certificate for $2000
December 30, 2008
- Leaving ModSecurity
December 15, 2008
- ModSecurity at ApacheCon US 2008
October 10, 2008
- The world is full of penetration testers
September 11, 2008
- Stop picking on Google Chrome
September 05, 2008
- How to explain Open Source to a non-technical crowd
August 28, 2008
- Defect-free code is vulnerability-free code
July 29, 2008
- Changes to Computer Misuse Act will turn security professionals into criminals
July 23, 2008
- Self-signed certificates in production point to a failure of SSL
July 17, 2008
- Edward Tufte is dull
July 16, 2008
- Firefox versus SSL is really about security versus usability
July 15, 2008
- ComputerWeekly IT security blog award nomination
July 14, 2008
- Verizon's Data Breach Investigations Report is a pot of gold
June 19, 2008
- Eliminating session hijacking... forever
June 04, 2008
- Bitfrost (OLPC) solved the desktop security problem
May 07, 2008
- Open Source lesson: SpringSource falling from grace
May 02, 2008
- Firefox 3 improves handling of invalid SSL certificates
April 29, 2008
- Open Source must be free of commercial interests
April 28, 2008
- Microsoft vs. Yahoo analysis on Marc Andreessen's blog
April 28, 2008
- PCI Council clarifies Requirement 6.6, ends ambiguities
April 17, 2008
- No such thing as Open Source business model
April 16, 2008
- Changes to British law target criminals, but affect the entire security industry
April 01, 2008
- Criminals are taking over the Internet
March 26, 2008
- Open Source wants to ruin my life
March 18, 2008
- Threat modelling: real-life asset devaluation example
March 10, 2008
- Open source continuity: Solid is dead, will solidDb survive?
March 07, 2008
- Extended Validation SSL certificates not going anywhere, as predicted
February 27, 2008
- Barracuda Networks is defending itself, the rest is spin
February 12, 2008
- Is PCI 6.6 good for web application firewalls?
February 05, 2008
- Do not confuse companies with open source products for Open Source
January 29, 2008
- Tide is turning for web application firewalls
January 22, 2008
- Another year, another blog
January 10, 2008
- Speaking about ModSecurity at ApacheCon Europe 2008
January 08, 2008
2007
- Apache process infection
June 27, 2007
- Extended Validation Certificates: A change for the better (but not enough)
June 15, 2007
2006
- ModSecurity has been acquired
September 24, 2006
- Apache reverse proxy memory consumption observations
August 14, 2006
- Forrester Research Q2 2006 Web Application Firewall Evaluation
July 24, 2006
- Secure Browsing Mode proposal
June 27, 2006
- Apache Security in Japanese!
June 26, 2006
- Apache suEXEC chroot patch
June 23, 2006
- Jailing Apache on Windows
June 13, 2006
- Apache Security one year after
March 27, 2006
2005
- Our bundle of joy has arrived!
November 23, 2005
- Software documentation with DocBook quick how-to
November 19, 2005
- Apache programming book on the way!
September 12, 2005
- Apache 2.1.7 Beta released
September 12, 2005
- The PHP chapter from Apache Security available for download
June 13, 2005
- The public life of Apache Security begins
April 26, 2005
- Apache Security cover and beta chapter available!
February 16, 2005