19. November 2019 - 9:00
Share it on:

The Best TLS Training in the World & Internet PKI in Depth - London | Impact Hub King's Cross | Tuesday, 19. November 2019

Designed by the author of the much acclaimed Bulletproof SSL and TLS, this two-day practical training course will teach you how to deploy secure servers and encrypted web applications and understand both the theory and practice of Internet PKI. On Day 1, we’ll focus on what you need in your daily work to deliver best security, availability and performance. And you will learn how to get an A+ on SSL Labs! On Day 2, we will start with the basics and the theory of Internet PKI, then discuss how the PKI is implemented in the real world, and finish with a practical example of a realistic private certification authority.
The course is taught in small classes.
Why This Course is for You

Understand threats and attacks against encryption
Identify real risks that apply to your systems
Deploy servers with strong private keys and valid certificates
Deploy TLS configurations with strong encryption and forward secrecy
Understand higher-level attacks against web applications
Use the latest defence technologies, such as HSTS, CSP, and HPKP
Learn about key PKI standards and formats
Understand where practice differs from theory
Analyze certificate lifecycle in detail
Evaluate PKI weaknesses and how they affect you
Deploy robust protection using public key pinning
Learn about what's coming in the future
Practise what you've learned

Target Audience
This course is for system administrators, developers, and IT security professionals who wish to learn how to deploy secure servers and encrypted web applications and understand the theory and practice of Internet PKI.
    Level:  Intermediate    Duration: 2 days    Extras: Lunch and refreshments included
About a month prior to the course we'll send you a digital copy of Bulletproof SSL and TLS, our comprehensive guide to SSL/TLS and Internet PKI. You'll get the paper copy on the day. We'll also give you a bunch of exercises and a hardcopy of the slides.
Prerequisites

Basic Linux command line skills: moving about, invoking commands, editing configuration files.
A laptop with a modern browser (Chrome or Firefox) and a SSH client, which you will only need to connect to your assigned virtual server. To connect to the server, you will need:
HTTP/HTTPS on ports 80 and 443
SSH on port 22
You should be comfortable using a command-line editor.

Course Outline
DAY 1
1. Introduction        a. The need for network encryption        b. Understanding encrypted communication        c. The role of public key infrastructure (PKI)        d. SSL/TLS and Internet PKI threat model
2.  Keys and certificates        a. RSA and ECDSA: selecting the right key algorithm and size        b. Certificate hostnames and lifetime        c.  Practical work:               i. Private key generation               ii. Certificate Signing Request (CSR) generation               iii. Self-signed certificates               iv. Obtaining valid certificates from Let’s Encrypt        d. Sidebar: Revocation
3. Protocols and cipher suites        a. Protocol security        b. Key exchange strength        c. Forward security        d. Cipher suite configuration        e. Practical work               i. Secure web server configuration               ii. Server testing using SSL Labs        f.  Sidebar: Server Name indication (SNI)        g. Sidebar: Performance considerations
4. HTTPS topics        a. Man-in-the-middle attacks        b. Mixed content        c. Cookie security        d. CRIME: Information leakage via compression        e. HTTP Strict Transport Security        f. Content Security Policy        g. HTTP Public Key Pinning        h. Practical work:               i. Deploying HSTS to deploy robust encryption               ii. Deploying CSP to deal with mixed content
5. Putting it all together: Getting an A+ in SSL Labs
DAY 2
1. Introduction
2. Standards        a. X.509 certificates        b. Certificate chains        c. Name constraints        d. Trust path building        e. Validation process
3.  Internet PKI        a. Certification Authorities        b. Relying parties        c. Certificate types (DV, EV, OV)        d. Certificate lifecycle (validation, issuance, and revocation)        e. CA/B Forum and its standards        f.  Weaknesses        g. History of attacks
4.  Revocation        a. CRL        b. OCSP        c. OCSP stapling        d. CRLsets and OneCRL        e. Short-lived certificates
5. Defenses        a. Certification Authority Authorization (CAA)        b. Public Key Pinning              i. Static pinning              ii. HPKP              iii. DNSSEC/DANE
6. Certificate Transparency
7. PKI ecosystem monitoring                i. SSL Pulse               ii. Censys               iii. crt.sh
8. Project: Building and deploying a realistic private CA
We will also provide you with many additional exercises that you can work on in your own time. You'll be able to ask us for help via email. And if you're already familiar with the basics, we'll challenge you with some of the advanced exercises on the day.
Meet the Trainer
Scott Helme is a security researcher, consultant and international speaker. He can often be found talking about web security and performance online and helping organisations better deploy both.
Founder of report-uri.io, a free CSP report collection service, and securityheaders.io, a free security analyser, Scott has a tendency to always be involved in building something new and exciting.
Meet the Author
Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools and guides published on the SSL Labs web site.
He is the author of three books, Apache Security, ModSecurity Handbook, and Bulletproof SSL and TLS, which he publishes via Feisty Duck, his own platform for continuous writing and publishing. Ivan is an active participant in the security community and you'll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. He is currently working on Hardenize, a brand-new security posture analysis service that makes security fun again.
Terms and Conditions
Feisty Duck's Terms and Conditions and Privacy Policy apply to this training.
FAQs
Where can I contact the organiser with any questions?Contact us at training@feistyduck.com with any questions about the event.
What is the refund policy?Any cancellation by you must be made by emailing training@feistyduck.com.
You may cancel or reschedule a course subject to the following charges:

Cancellation or reschedule with more than 60 days’ notice prior to course start date – no charge
Cancellation or reschedule with 31-60 days’ notice prior to course start date - 50% of the course fee
Cancellation or reschedule with less than 30 days’ notice prior to course start date - 100% of the course fee

Other dates?Can't make this date? Tickets sold out? Email training@feistyduck.com to be notified about the future dates.