Best SSL/TLS resources (Attacks, Tools, Talks)

This article references the best current resources on SSL/TLS. If you know of other references that should be included, please point them out in the comments section and we'll add them:


BEAST: implicit initialization vector in CBC mode

CRIME: use compression as an auxiliary channel

TIME & BREACH: enhanced version of CRIME attack

LUCKY 13: padding oracle in CBC

RC4: statistical bias

POODLE: padding oracle in CBC for SSL 3.0

Triple Handshake: Impersonate client by retrieving credentials when connecting to a malicious website

GOTO fail in Apple: Bad coding practice leading to certificate validation failure

GOTO fail in GnuTLS: Bad coding practice leading to certificate validation failure

Heartbleed: stack overflow in read operation

Universal Signature Forgery in NSS: A flaw in the Network Security Services (NSS) library allows attackers to create forged RSA certificates

Server Code Execution in SChannel: Remote code execution vulnerability in the Microsoft Server

Early CCS: error in the state machine of OpenSSL

SMACK/FREAK/SKIP-TLS: Vulnerabilities in some SSL implementations that could disable encryption or downgrade it to weak, crackable encryption

LogJam: Downgrade attack similar to FREAK, but the result of a flaw in the protocol rather than a flaw in the implementation


TrustKit: iOS 8+ universal SSL pinning without the need to change the code.

FlexTLS: Tool for testing TLS implementation and easier writing of attack PoC.

nogotofail: on-path blackbox network traffic security testing tool


TrustKit: Code injection in iOS 8 for the greater good

Breaking HTTPS with BGP Hijacking

SSL/TLS current status, 3 years after (French)

FLEXTLS: A Tool for Testing TLS Implementations

Prying Open Pandora's Box: KCI Attacks against TLS