SSL TLS

• ssl validations 

ssl auditing

ssl-server reporting

Since your certificate grade is public knowledge and is easily determined using SSLLabs or a similar tool, it also reflects on user opinion of your website.

https://www.ssllabs.com/

compliance testing output for PCI/HIPAA/NIST

https://www.immuniweb.com/ssl/

• Verify your SSL, TLS & Ciphers implementation.

Having misconfigured SSL/TLS can lead your website to vulnerable, so check out following online tools to find out if something wrong.

• Check if your SSL Certificate is installed properly and trusted by browsers

https://www.thesslstore.com/ssltools/ssl-checker.php

• SSL/TLS Vulnerability & 

Configuration Scanner

Check the supported protocol, server preferences, 

certificate details, common vulnerabilities and more

TLS Scanner – detailed testing to find out the common misconfiguration and vulnerabilities.

https://gf.dev/tls-scanner

• TLS Test – quickly find out which TLS protocol version is supported. As you can see, the tool is capable of testing the latest TLS 1.3

Check TLS Version

Test supported TLS version on the site

https://gf.dev/tls-test

• Test an SSL Web Server

https://www.wormly.com/test_ssl

• SSL Certificate Checker

https://www.digicert.com/help/

• The Mozilla Observatory has helped over 170,000 websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.

https://observatory.mozilla.org/

• Let’s Encrypt is an open certificate authority that allows you to easily create free SSL certificates.

Let’s Encrypt is a free, automated, and open Certificate Authority.

https://letsencrypt.org/

• The death knell for HPKP?

HTTP Public Key Pinning, or HPKP, has sure had an interesting journey as a standard but today marks what will probably be the final blow for the dying mechanism. Chrome has announced their plans to deprecate and remove support for HPKP as soon as 29th May 2018.
What is HPKP?
This document defines a new HTTP header that allows web host operators to instruct user agents to remember ("pin") the hosts' cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.
https://scotthelme.co.uk/the-death-knell-for-hpkp/

• HPKP Suicide

Sadly there is a term for this and all it involves is a site making a potentially simple error. You enable HPKP, tell the browser which keys you will always use and then you lose those keys. They could be accidentally deleted, stolen in a hack or whatever, it doesn't matter. If you pin yourself to a set of keys and then no longer have the ability to use them, you're in big trouble
I also crawl the Alexa Top 1 Million sites every day and one of the things I monitor is the use of HPKP
https://scotthelme.co.uk/im-giving-up-on-hpkp/

Smashing Magazine used to send an HTTP header with each response that looked like this:

• 
  

Public-Key-Pins:
pin-sha256="8RoC2kEF47SCVwX8Er+UBJ44pDfDZY6Ku5mm9bSXT3o=";
pin-sha256="78j8kS82YGC1jbX4Qeavl9ps+ZCzb132wCvAY7AxTMw=";
pin-sha256="GQGOWh/khWzFKzDO9wUVtRkHO7BJjPfzd0UVDhF+LxM=";
max-age=31536000; includeSubDomains
In theory, this header can be a strong weapon against the threat of “Man in the middle attacks.” These are attacks where someone would impersonate Smashing Magazine with a false certificate somehow generated via a Certificate Authority that your browser already trusts.


The key pinning header above tells browsers to refuse to accept any certificate that hasn’t been signed with one of the three keys indicated in the header for one year after visiting the site. Not just for www.smashingmagazine.com, but also for all other subdomains

Key pinning protects against a relatively rare attack that’s very hard to pull off and that’s not a major threat scenario against a content-driven website like Smashing Magazine, but it does so at the cost of potentially causing major — in the worst case even catastrophic — outages.
For Smashing Magazine this happened when they were updating their expiring SSL certificate. They created a new wildcard certificate, added the digest of the new private key to the Public-Key-Pins header

The old header had told visitors to Smashing Magazine that their browser should never accept any certificate that wasn’t listed in the old key pinning headers for the next 365 days.
all previous visitors with a browser that had pinned the old certificate were now completely unable to visit Smashing Magazine!
Even worse, this could not simply be rolled back since the old certificate had expired!

If you really think you need public key pinning, consider at least setting a max-age that’s low enough that you can survive it if something goes wrong.

https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/

• HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.

To ensure the authenticity of a server's public key used in TLS sessions, this public key is wrapped into a X.509 certificate which is usually signed by a certificate authority (CA). Web clients such as browsers trust a lot of these CAs, which can all create certificates for arbitrary domain names. If an attacker is able to compromise a single CA, they can perform MITM attacks on various TLS connections. HPKP can circumvent this threat for the HTTPS protocol by telling the client which public key belongs to a certain web server.

HPKP is a Trust on First Use (TOFU) technique. The first time a web server tells a client via a special HTTP header which public keys belong to it, the client stores this information for a given period of time. When the client visits the server again, it expects at least one certificate in the certificate chain to contain a public key whose fingerprint is already known via HPKP. If the server delivers an unknown public key, the client should present a warning to the user.

Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.

Enabling HPKP
First you need to extract the public key information from your certificate or key file and encode them using Base64.

Setting up your webserver to include the HPKP header
Apache
Nginx
Lighttpd
IIS

https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

• What is HSTS?

HTTPS (HTTP encrypted with SSL or TLS) is an essential part of the measures to secure traffic to a website, making it very difficult for an attacker to intercept, modify, or fake traffic between a user and the website.

When a user enters a web domain manually (providing the domain name without the http:// or https:// prefix) or follows a plain http:// link, the first request to the website is sent unencrypted, using plain HTTP. Most secured websites immediately send back a redirect to upgrade the user to an HTTPS connection, but a well‑placed attacker can mount a man‑in‑the‑middle (MITM) attack to intercept the initial HTTP request and can control the user’s session from then on.

HSTS seeks to deal with the potential vulnerability by instructing the browser that a domain can only be accessed using HTTPS. Even if the user enters or follows a plain HTTP link, the browser strictly upgrades the connection to HTTPS:

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

•  Whenever a website connects through HTTP and then redirects to HTTPS, an opportunity for a man-in-the-middle attack is created and the redirect can lead the users to a malicious website because users first have to communicate with the non-encrypted version of the website

 

 A server implements the HSTS policy by supplying a header over an HTTPS connection which informs the browser to load a site using HTTPS rather than HTTP

 

 Explanation: If a user type in an address bar http://www.geeksforgeeks.com/ or geeksforgeeks.com this will create a chance for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

 

 

 https://www.geeksforgeeks.org/http-headers-strict-transport-security/

• Securing Mobile Applications With Cert Pinning

Securing your mobile applications with cert pinning will help you ward off man-in-the-middle (MiTM) attacks, verify users using trusted certificates, and secure HTTPS network traffic

Implementing cert pinning in your mobile app can strengthen the security of its network communications and is a big step in protecting your app data. Once you invest in cert pinning, test to ensure that you have properly implemented cert pinning to prevent MiTM attacks

https://dzone.com/refcardz/securing-mobile-applications-with-cert-pinning?chapter=1