
SSL/TLS Threat Model.

TLS attack surface organized by ceremony stage: handshake, certificate path, cipher choice, record layer — with the deprecation and mitigation timeline.

Handshake stage

  • Version negotiation. TLS 1.0/1.1 deprecated (RFC 8996, 2021). TLS 1.2 still acceptable with restricted ciphers; TLS 1.3 preferred. SSLv2/v3 disabled everywhere.
  • Downgrade attacks.
    • POODLE (SSLv3 padding oracle) — kill SSLv3.
    • Version rollback by clients that retry a failed handshake at a lower version. TLS_FALLBACK_SCSV (RFC 7507) lets a server detect such a retry; TLS 1.3 instead puts a downgrade sentinel in ServerHello.random, which a 1.3-capable client checks whenever it lands on TLS 1.2 or below.
    • Client offers its highest supported version, server selects the highest one both share. Each side enforces its own floor, and a client must never retry with a lower version after a failure.
  • Cipher-suite selection.
    • Deprecated: RC4 (RFC 7465), 3DES and other 64-bit block ciphers (Sweet32), CBC-mode suites with MAC-then-encrypt (Lucky 13; BEAST on TLS 1.0), export-grade RSA (FREAK) and DH (Logjam), static RSA/DH/ECDH key exchange (no forward secrecy; static RSA also exposes Bleichenbacher-style attacks such as ROBOT), NULL and anonymous suites.
    • Current safe (TLS 1.2): ECDHE-RSA / ECDHE-ECDSA with AES-GCM or ChaCha20-Poly1305 + SHA-256/SHA-384.
    • Current safe (TLS 1.3): TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256. All forward-secret by default.
  • Renegotiation. Secure-renegotiation extension RFC 5746 required. Legacy servers without it let a MITM splice attacker-chosen plaintext in front of the client's first request (CVE-2009-3555). TLS 1.3 removes renegotiation entirely; on TLS 1.2, also disable client-initiated renegotiation (DoS vector).
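Added example (not code from this page): a Python audit that reads nmap --script ssl-enum-ciphers output and flags everything on the handshake deny list above, plus DH groups under 2048 bits, TLS-level compression and client-side cipher preference. The report in SAMPLE_REPORT is constructed to exercise every rule; the function and variable names are this example's own.

```python
"""Audit nmap --script ssl-enum-ciphers output against the handshake deny list
(added example, not code from the page; SAMPLE_REPORT is constructed)."""
import re
from typing import Dict, List, Tuple

SAMPLE_REPORT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|     compressors:
|       DEFLATE
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
"""

DEPRECATED = {"SSLv2": "DROWN", "SSLv3": "POODLE", "TLSv1.0": "RFC 8996, BEAST", "TLSv1.1": "RFC 8996"}
Finding = Tuple[str, str, str, str]   # (severity, protocol, subject, reason)


def parse_report(text: str) -> Dict[str, dict]:
    """Map each protocol version to its suites [(name, kex_info)], compressors and preference.
    The nmap layout is positional: protocol at indent 3, section at 5, items at 7."""
    out: Dict[str, dict] = {}
    proto = section = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        body = raw[2:] if raw.startswith("|_") else raw[1:]
        indent, line = len(body) - len(body.lstrip(" ")), body.strip()
        if indent == 3 and line.endswith(":"):                     # "TLSv1.2:"
            proto = line[:-1]
            out[proto] = {"ciphers": [], "compressors": [], "preference": None}
        elif indent == 5 and proto:
            if line.startswith("cipher preference:"):
                out[proto]["preference"] = line.split(":", 1)[1].strip()
            else:
                section = line.rstrip(":")                         # ciphers / compressors / warnings
        elif indent == 7 and proto and section == "ciphers":
            m = re.match(r"(\S+)(?: \(([^)]*)\))?", line)          # "SUITE (kex info) - grade"
            out[proto]["ciphers"].append((m.group(1), m.group(2) or ""))
        elif indent == 7 and proto and section == "compressors":
            out[proto]["compressors"].append(line)
    return out


def classify_suite(protocol: str, suite: str, kex_info: str = "") -> Tuple[str, str]:
    """(verdict, reason) for one IANA-named suite; verdict is 'fail', 'warn' or 'ok'.
    Protocol deprecation itself is reported separately by audit()."""
    if protocol == "TLSv1.3":
        return "ok", "TLS 1.3 suite: AEAD and ephemeral key exchange by construction"
    kex, _, enc = suite.partition("_WITH_")
    kex = kex[len("TLS_"):]
    if "anon" in kex or "NULL" in enc:
        return "fail", "anonymous key exchange or NULL cipher"
    if "EXPORT" in kex:
        return "fail", "export-grade key exchange (FREAK / Logjam)"
    if "RC4" in enc:
        return "fail", "RC4 (RFC 7465)"
    if "DES" in enc:                                               # DES and 3DES_EDE
        return "fail", "64-bit block cipher (Sweet32)"
    if enc.endswith("MD5"):
        return "fail", "MD5 MAC"
    if "_CBC_" in enc:
        return "fail", "CBC with MAC-then-encrypt (Lucky 13 / BEAST), not AEAD"
    if not kex.startswith(("ECDHE_", "DHE_")):
        return "fail", f"static {kex} key exchange: no forward secrecy"
    if kex.startswith("DHE_"):
        m = re.search(r"dh (\d+)", kex_info)                       # nmap prints the group size
        if m and int(m.group(1)) < 2048:
            return "fail", f"DHE with {m.group(1)}-bit group (Logjam)"
        return "warn", "finite-field DHE: needs >= 2048-bit group; prefer ECDHE"
    return "ok", "ECDHE with AEAD cipher"


def audit(report_text: str) -> List[Finding]:
    """Everything in the report that fails or warns under the handshake-stage policy."""
    findings: List[Finding] = []
    for proto, data in parse_report(report_text).items():
        if proto in DEPRECATED:
            findings.append(("fail", proto, proto, f"deprecated protocol version ({DEPRECATED[proto]})"))
        for suite, kex_info in data["ciphers"]:
            verdict, reason = classify_suite(proto, suite, kex_info)
            if verdict != "ok":
                findings.append((verdict, proto, suite, reason))
        if any(c != "NULL" for c in data["compressors"]):
            findings.append(("fail", proto, "compression", "TLS-level compression enabled (CRIME)"))
        if data["preference"] == "client":
            findings.append(("warn", proto, "cipher preference", "client picks the suite; enable server preference"))
    return findings


def passes(report_text: str) -> bool:
    return not any(f[0] == "fail" for f in audit(report_text))


if __name__ == "__main__":
    for sev, proto, subject, reason in audit(SAMPLE_REPORT):
        print(f"{sev.upper():4} {proto:8} {subject}: {reason}")
```

Run it on a saved scan (nmap -sV --script ssl-enum-ciphers -p 443 host > scan.txt) and feed the file to audit(); a suite that is fine on its own (the ECDHE-GCM entries) still does not rescue a server that also offers TLS 1.0 or a 1024-bit DHE group, which is why the protocol and group findings are reported independently of the suite verdicts.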

Certificate path / PKI

  • Trust store. OS bundle (Microsoft, Apple, Mozilla NSS). Custom enterprise CA appended carefully: an inspection CA trusted for every name turns the inspection appliance (or a leaked copy of its key) into a way to impersonate any site to every client that trusts it, i.e. a lateral-movement channel if the appliance is compromised.
  • Chain construction. Server sends the whole chain in order, leaf first, root omitted. Missing intermediate = browsers may fetch it from the AIA URL (slow, sometimes failing); most non-browser clients do not fetch and simply fail.
  • Validation strictness. Verify: signature chain to a trusted root, validity dates, hostname against SAN dNSName (CN is ignored), key-usage and extended-key-usage (serverAuth), basic-constraints (only cA=true may issue, pathLen honoured), name-constraints applied to every subordinate, signature algorithms (no MD5/SHA-1).
  • Revocation.
    • CRL: large, downloaded periodically, often soft-fail (treat unreachable as valid).
    • OCSP: real-time, privacy leak (CA learns who you visit), often soft-fail.
    • OCSP stapling: server fetches the CA-signed status itself and includes it in the handshake; no client-side lookup, no privacy leak. Closest to the right answer.
    • Short-lived certs (Let's Encrypt defaults to 90 days and is introducing 6-day certificates) shrink the window in which revocation matters at all.
  • Certificate Transparency. Every publicly trusted certificate is logged to append-only Merkle-tree logs (browsers require SCTs). Monitor your domains via crt.sh, certstream, Censys for mis-issuance. Catches certificates issued for your names without your request and rogue CAs; look-alike phishing domains only if you search for them.
  • Pinning. HPKP deprecated (foot-gun: a bad or lost pin locks users out for max-age). Static pinning only in mobile apps you control, with a rotation path built in. For web: rely on CT monitoring + short cert lifetimes.
  • HSTS. Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. Preload list via hstspreload.org kills first-visit downgrade.

Historic attack timeline

  • BEAST (2011). CBC IV predictable in TLS 1.0. Counter: 1/n-1 split or TLS 1.1+.
  • CRIME (2012). TLS compression leaks via length. Counter: disable TLS-level compression.
  • BREACH (2013). HTTP-level compression leaks reflected secrets. Counter: don't compress + don't reflect.
  • Lucky 13 (2013). CBC MAC timing leak. Counter: AEAD ciphers.
  • POODLE (2014). SSLv3 padding oracle. Counter: kill SSLv3.
  • FREAK / Logjam (2015). Export-grade RSA (FREAK) or export DH (Logjam) forced via downgrade; Logjam also precomputation against widely shared 1024-bit DH groups. Counter: kill EXPORT ciphers, use ≥2048-bit DH or ECDHE.
  • DROWN (2016). SSLv2 enabled on any server sharing the RSA key (even another host or port) lets an attacker decrypt RSA-key-exchange TLS sessions of the modern server. Counter: kill SSLv2 everywhere, don't reuse keys across services.
  • Sweet32 (2016). 64-bit block cipher (3DES) collision attack on long-lived connection. Counter: AES.
  • ROBOT (2017). Bleichenbacher resurrected on RSA key exchange: servers that revealed PKCS#1 v1.5 padding errors through distinguishable responses. Counter: disable RSA key exchange (ECDHE only); if it must stay, vendor patches.

Current safe baseline

  • TLS 1.3 with TLS 1.2 fallback (only for ancient client compatibility).
  • Ciphers limited to AES-GCM, AES-CCM, ChaCha20-Poly1305.
  • ECDHE (P-256 or X25519) for key agreement.
  • Cert signed with ECDSA P-256 or RSA-2048 minimum.
  • OCSP stapling on, HSTS on with long max-age + preload, CT monitoring on.
  • Mozilla SSL Configuration Generator is the canonical recipe: "Modern" is TLS 1.3 only, "Intermediate" is TLS 1.2 + 1.3 with the restricted cipher list.

Rule of thumb

For new deployments, TLS 1.3 only. For mixed-client environments, TLS 1.2 with the restricted cipher list. Audit quarterly with testssl.sh, nmap --script ssl-enum-ciphers, or Qualys SSL Labs.
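Added example (not code from this page): the baseline expressed as Python standard-library ssl.SSLContext objects, with a legacy "ALL" context beside them and a check that no TLS 1.2 suite without AEAD or ECDHE survives. Function names are this example's own; the exact suite list comes from the OpenSSL the interpreter is linked against.

```python
"""Hardened ssl.SSLContext objects for the baseline and a check that no weak
suite survives (added example, not code from the page; standard library only,
so the concrete suite list depends on the linked OpenSSL)."""
import ssl
from typing import List, Optional

# TLS 1.2 suites: ECDHE key agreement with AEAD ciphers only. TLS 1.3 suites are
# governed separately by OpenSSL and stay enabled (all AEAD, all forward-secret).
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!SHA1"


def _harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2            # SSLv3 / TLS 1.0 / 1.1 never offered
    ctx.set_ciphers(TLS12_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION                    # CRIME
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)   # refuse client-initiated renegotiation
    return ctx


def server_context(certfile: Optional[str] = None, keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server side: the server picks the suite. certfile must hold the leaf
    followed by the intermediates (the chain without the root)."""
    ctx = _harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def client_context() -> ssl.SSLContext:
    """Client side: OS/NSS trust bundle, hostname check, strict X.509 rules."""
    ctx = _harden(ssl.create_default_context())             # loads the platform trust store
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    return ctx


def legacy_context() -> ssl.SSLContext:
    """The 'before' configuration: every suite the library knows, no floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> List[str]:
    """TLS 1.2 suites the context would still negotiate that violate the
    baseline: no AEAD, or key agreement other than ECDHE (OpenSSL prints
    it as Kx=ECDH in the cipher description)."""
    bad = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        if not c["aead"] or "Kx=ECDH" not in c["description"]:
            bad.append(c["name"])
    return bad


def meets_baseline(ctx: ssl.SSLContext) -> bool:
    """True when the context never offers a pre-1.2 version or a weak suite."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and not weak_suites(ctx)


if __name__ == "__main__":
    for name, ctx in [("server", server_context()), ("client", client_context()), ("legacy", legacy_context())]:
        print(f"{name}: baseline={meets_baseline(ctx)} weak={weak_suites(ctx)[:5]}")
```

OCSP stapling and HSTS are not Python-level settings: stapling is configured on the fronting server (nginx: ssl_stapling on) and HSTS is a response header, so this block covers only the version, cipher and validation parts of the baseline. weak_suites() is also a useful one-liner against any third-party context you are handed, since libraries often relax the defaults.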
