tlssec.bib

@inproceedings{aviram_drown:_2016,
	address = {Austin, TX},
	title = {{DROWN}: {Breaking} {TLS} {Using} {SSLv}2},
	isbn = {978-1-931971-32-4},
	url = {https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/aviram},
	booktitle = {25th {USENIX} {Security} {Symposium} ({USENIX} {Security} 16)},
	publisher = {USENIX Association},
	author = {Aviram, Nimrod and Schinzel, Sebastian and Somorovsky, Juraj and Heninger, Nadia and Dankel, Maik and Steube, Jens and Valenta, Luke and Adrian, David and Halderman, J. Alex and Dukhovni, Viktor and Käsper, Emilia and Cohney, Shaanan and Engels, Susanne and Paar, Christof and Shavitt, Yuval},
	year = {2016},
	pages = {689--706}
}

@inproceedings{adrian_imperfect_2015,
	title = {Imperfect {Forward} {Secrecy}: {How} {Diffie}-{Hellman} {Fails} in {Practice}},
	booktitle = {22nd {ACM} {Conference} on {Computer} and {Communications} {Security}},
	author = {Adrian, David and Bhargavan, Karthikeyan and Durumeric, Zakir and Gaudry, Pierrick and Green, Matthew and Halderman, J. Alex and Heninger, Nadia and Springall, Drew and Thomé, Emmanuel and Valenta, Luke and VanderSloot, Benjamin and Wustrow, Eric and Zanella-Béguelin, Santiago and Zimmermann, Paul},
	month = oct,
	year = {2015}
}

@inproceedings{vanhoef_all_2015,
	address = {Washington, D.C.},
	title = {All {Your} {Biases} {Belong} to {Us}: {Breaking} {RC}4 in {WPA}-{TKIP} and {TLS}},
	isbn = {978-1-931971-23-2},
	url = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/vanhoef},
	booktitle = {24th {USENIX} {Security} {Symposium} ({USENIX} {Security} 15)},
	publisher = {USENIX Association},
	author = {Vanhoef, Mathy and Piessens, Frank},
	year = {2015},
	pages = {97--112}
}

@inproceedings{bhargavan_practical_2016,
	address = {New York, NY, USA},
	series = {{CCS} '16},
	title = {On the {Practical} ({In}-){Security} of 64-bit {Block} {Ciphers}: {Collision} {Attacks} on {HTTP} over {TLS} and {OpenVPN}},
	isbn = {978-1-4503-4139-4},
	url = {http://doi.acm.org/10.1145/2976749.2978423},
	doi = {10.1145/2976749.2978423},
	booktitle = {Proceedings of the 2016 {ACM} {SIGSAC} {Conference} on {Computer} and {Communications} {Security}},
	publisher = {ACM},
	author = {Bhargavan, Karthikeyan and Leurent, Gaëtan},
	year = {2016},
	keywords = {CBC, collision attack, HTTPs, OpenVPN, TLS},
	pages = {456--467}
}

@article{moller_this_2014,
	title = {This {POODLE} bites: exploiting the {SSL} 3.0 fallback},
	journal = {Security Advisory},
	author = {Möller, Bodo and Duong, Thai and Kotowicz, Krzysztof},
	year = {2014}
}

@inproceedings{durumeric_matter_2014,
	address = {New York, NY, USA},
	series = {{IMC} '14},
	title = {The {Matter} of {Heartbleed}},
	isbn = {978-1-4503-3213-2},
	url = {http://doi.acm.org/10.1145/2663716.2663755},
	doi = {10.1145/2663716.2663755},
	booktitle = {Proceedings of the 2014 {Conference} on {Internet} {Measurement} {Conference}},
	publisher = {ACM},
	author = {Durumeric, Zakir and Kasten, James and Adrian, David and Halderman, J. Alex and Bailey, Michael and Li, Frank and Weaver, Nicolas and Amann, Johanna and Beekman, Jethro and Payer, Mathias and Paxson, Vern},
	year = {2014},
	keywords = {heartbleed, internet-wide scanning, openssl, Security},
	pages = {475--488}
}

@inproceedings{fardan_lucky_2013,
	title = {Lucky {Thirteen}: {Breaking} the {TLS} and {DTLS} {Record} {Protocols}},
	doi = {10.1109/SP.2013.42},
	abstract = {The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto secure protocol of choice for Internet and mobile applications. DTLS is a variant of TLS that is growing in importance. In this paper, we present distinguishing and plaintext recovery attacks against TLS and DTLS. The attacks are based on a delicate timing analysis of decryption processing in the two protocols. We include experimental results demonstrating the feasibility of the attacks in realistic network environments for several different implementations of TLS and DTLS, including the leading OpenSSL implementations. We provide countermeasures for the attacks. Finally, we discuss the wider implications of our attacks for the cryptographic design used by TLS and DTLS.},
	booktitle = {2013 {IEEE} {Symposium} on {Security} and {Privacy}},
	author = {Fardan, N. J. Al and Paterson, K. G.},
	month = may,
	year = {2013},
	keywords = {CBC-mode encryption, Ciphers, computer network security, cryptographic design, cryptographic protocols, data confidentiality, data integrity, decryption, de facto secure protocol, DTLS, DTLS record protocols, Encryption, Internet, Media Access Protocol, mobile applications, Mobile computing, OpenSSL implementations, plaintext recovery, plaintext recovery attacks, Timing, timing analysis, timing attack, TLS, transport layer security protocol},
	pages = {526--540}
}

@inproceedings{alfardan_security_2013,
	address = {Berkeley, CA, USA},
	series = {{SEC}'13},
	title = {On the {Security} of {RC}4 in {TLS}},
	isbn = {978-1-931971-03-4},
	url = {http://dl.acm.org/citation.cfm?id=2534766.2534793},
	booktitle = {Proceedings of the 22Nd {USENIX} {Conference} on {Security}},
	publisher = {USENIX Association},
	author = {AlFardan, Nadhem J. and Bernstein, Daniel J. and Paterson, Kenneth G. and Poettering, Bertram and Schuldt, Jacob C. N.},
	year = {2013},
	pages = {305--320}
}

@inproceedings{alfardan_security_2013-1,
	address = {Washington, D.C.},
	title = {On the {Security} of {RC}4 in {TLS}},
	isbn = {978-1-931971-03-4},
	url = {https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan},
	booktitle = {Presented as part of the 22nd {USENIX} {Security} {Symposium} ({USENIX} {Security} 13)},
	publisher = {USENIX},
	author = {AlFardan, Nadhem and Bernstein, Daniel J. and Paterson, Kenneth G. and Poettering, Bertram and Schuldt, Jacob C. N.},
	year = {2013},
	pages = {305--320}
}

@book{way_transport_2010,
	series = {Request for {Comments}},
	title = {Transport {Layer} {Security} ({TLS}) {Renegotiation} {Indication} {Extension}},
	url = {https://rfc-editor.org/rfc/rfc5746.txt},
	abstract = {Secure Socket Layer (SSL) and Transport Layer Security (TLS) renegotiation are vulnerable to an attack in which the attacker forms a TLS connection with the target server, injects content of his choice, and then splices in a new TLS connection from a client. The server treats the client\&\#39;s initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data. This specification defines a TLS extension to cryptographically tie renegotiations to the TLS connections they are being performed over, thus preventing this attack. [STANDARDS-TRACK]},
	number = {5746},
	publisher = {RFC Editor},
	author = {Way, One and Ray, Marsh and Dispensa, Steve and Rescorla, Eric},
	month = feb,
	year = {2010},
	note = {Published: RFC 5746
DOI: 10.17487/rfc5746}
}

@inproceedings{huang_analyzing_2014,
	address = {Washington, DC, USA},
	series = {{SP} '14},
	title = {Analyzing {Forged} {SSL} {Certificates} in the {Wild}},
	isbn = {978-1-4799-4686-0},
	url = {http://dx.doi.org/10.1109/SP.2014.13},
	doi = {10.1109/SP.2014.13},
	booktitle = {Proceedings of the 2014 {IEEE} {Symposium} on {Security} and {Privacy}},
	publisher = {IEEE Computer Society},
	author = {Huang, Lin Shung and Rice, Alex and Ellingsen, Erling and Jackson, Collin},
	year = {2014},
	keywords = {certificates, man-in-the-middle attack, SSL},
	pages = {83--97}
}

@inproceedings{de_carnavalet_killed_2016,
	title = {Killed by {Proxy}: {Analyzing} {Client}-end {TLS} {Interception} {Software}},
	booktitle = {Network and {Distributed} {System} {Security} {Symposium} ({NDSS} 2016), {San} {Diego}, {CA}, {USA}},
	author = {de Carnavalet, Xavier de Carné and Mannan, Mohammad},
	year = {2016}
}

@misc{valsorda_komodia_2015,
	title = {Komodia superfish ssl validation is broken},
	url = {https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/},
	journal = {Flippo.io},
	author = {Valsorda, Filippo},
	month = feb,
	year = {2015}
}

@misc{bock_superfish_2015,
	title = {Superfish 2.0: {Dangerous} {Certificate} on {Dell} {Laptops} breaks encrypted {HTTPS} {Connections}},
	url = {https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html},
	journal = {Hanno'sblog},
	author = {Böck, Hanno},
	year = {2015}
}

@misc{bock_more_2015,
	title = {More {TLS} {Man}-in-the-{Middle} failures - {Adguard}, {Privdog} again and {ProtocolFilters}.dll},
	url = {https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html},
	journal = {Hanno'sblog},
	author = {Böck, Hanno},
	year = {2015}
}

@misc{bock_how_2015,
	title = {How {Kaspersky} makes you vulnerable to the {FREAK} attack and other ways {Antivirus} software lowers your {HTTPS} security},
	url = {https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html},
	journal = {Hanno'sblog},
	author = {Böck, Hanno},
	year = {2015}
}

@inproceedings{bock_tls_nodate,
	address = {Mildenberg, Alemania},
	title = {{TLS} interception considered harmful {How} {Man}-in-the-{Middle} filtering solutions harm the security of {HTTPS}},
	url = {https://events.ccc.de/camp/2015/Fahrplan/events/6833.html},
	abstract = {With the more widespread use of encrypted HTTPS connections many software vendors intercept these connections by installing a certificate into the user's browser. This is widely done by Antivirus applications, parental filter software or ad injection software. This can go horribly wrong, as the examples of Superfish and Privdog have shown. But even if implemented properly these solutions almost always decrease the security of HTTPS.

In February a software called Superfish was detected preinstalled on Lenovo laptops that would intercept HTTPS connections by installing a certificate into the user's browser. This certificate was shared amongst different installations and therefore an extraction of the certificate allowed creating rogue certificates that would be accepted by many Lenovo laptops. Shortly after Superfish many other software products with the same or similar vulnerabilities were found. The speaker of this talk discovered that the software Privdog, advertised by the certificate authority Comodo, had an even worse vulnerability.

Superfish and Privdog were extreme examples, but the technology of intercepting HTTPS connections by installing X.509 root certificates into the browser is widespread. These solutions are often part of software that is supposed to bring more security to the user - like Antivirus applications - but they lower the user's security. For example Kaspersky Antivirus users were still affected by the FREAK vulnerability months after the issue was found and fixed.

The talk will first give an introduction into some problems in the TLS protocol that were found in recent years (BEAST, CRIME, FREAK, CA failures) and show some technologies that were invented to prevent common problems of TLS (e. g. HPKP). After that the speaker will give some examples of TLS interception software and how it endangers the security of the user.},
	author = {Böck, Hanno}
}

@misc{noauthor_tls_nodate,
	title = {{TLS} interception considered harmful - video and slides - {Hanno}'s blog},
	url = {https://blog.hboeck.de/archives/875-TLS-interception-considered-harmful-video-and-slides.html},
	urldate = {2017-03-23},
	file = {TLS interception considered harmful - video and slides - Hanno's blog:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\G9H3U6XC\\875-TLS-interception-considered-harmful-video-and-slides.html:text/html}
}

@misc{noauthor_https_nodate,
	title = {{HTTPS} {Interception} {Weakens} {TLS} {Security} {\textbar} {US}-{CERT}},
	url = {https://www.us-cert.gov/ncas/alerts/TA17-075A},
	urldate = {2017-03-23},
	file = {HTTPS Interception Weakens TLS Security | US-CERT:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\SVZVWK3E\\TA17-075A.html:text/html}
}

@misc{noauthor_risks_nodate,
	title = {The {Risks} of {SSL} {Inspection}},
	url = {https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html},
	urldate = {2017-03-23},
	file = {The Risks of SSL Inspection:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\4V8SS72A\\the-risks-of-ssl-inspection.html:text/html}
}

@misc{bock_software_2015,
	title = {Software {Privdog} worse than {Superfish} - {Hanno}'s blog},
	url = {https://blog.hboeck.de/archives/865-Software-Privdog-worse-than-Superfish.html},
	urldate = {2017-03-23},
	author = {Böck, Hanno},
	year = {2015},
	file = {Software Privdog worse than Superfish - Hanno's blog:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\H5CAZFEH\\865-Software-Privdog-worse-than-Superfish.html:text/html}
}

@misc{noauthor_diginotar_nodate,
	title = {{DigiNotar} reports security incident},
	url = {https://www.vasco.com/about-vasco/press/2011/news_diginotar_reports_security_incident.html},
	abstract = {OAKBROOK TERRACE, Illinois and ZURICH, Switzerland – August 30, 2011 – VASCO Data Security International, Inc. (Nasdaq: VDSI; www.vasco.com) today comments on DigiNotar’},
	urldate = {2017-03-23},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\FICDDNKA\\news_diginotar_reports_security_incident.html:text/html}
}

@misc{noauthor_comodo_2011,
	title = {Comodo {Report} of {Incident} - {Comodo} detected and thwarted an intrusion on 26-{MAR}-2011},
	url = {https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html?key5sk1=b0cc105de9f45d9bba702a25da2b97fb4861b7b9},
	urldate = {2017-03-23},
	year = {2011},
	file = {Comodo Report of Incident - Comodo detected and thwarted an intrusion on 26-MAR-2011:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\3IUG2UDJ\\Comodo-Fraud-Incident-2011-03-23.html:text/html}
}

@misc{noauthor_turktrust_2013,
	title = {{TURKTRUST} {Unauthorized} {CA} {Certificates}},
	url = {https://www.entrust.com/turktrust-unauthorized-ca-certificates/},
	abstract = {Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.},
	urldate = {2017-03-23},
	journal = {Entrust, Inc.},
	month = jan,
	year = {2013},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\MKZQ6VDV\\turktrust-unauthorized-ca-certificates.html:text/html}
}

@misc{noauthor_syrian_2011,
	title = {A {Syrian} {Man}-{In}-{The}-{Middle} {Attack} against {Facebook}},
	url = {https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook},
	abstract = {UPDATE: If you are in Syria and your browser shows you this certificate warning on Facebook, it is not safe to login to Facebook. You may wish to use Tor to connect to Facebook, or use proxies outside of Syria. UPDATE II: We have received reports that some Syrian ISPs are blocking Tor. If Tor is not working for you, you may try to connect through another ISP.},
	urldate = {2017-03-23},
	journal = {Electronic Frontier Foundation},
	month = may,
	year = {2011},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\2ZP8W63Q\\syrian-man-middle-against-facebook.html:text/html}
}

@article{wei_survey_2016,
	title = {A {Survey} on \{{HTTPS}\} {Implementation} by {Android} {Apps}: {Issues} and {Countermeasures}},
	issn = {2210-8327},
	url = {http://www.sciencedirect.com/science/article/pii/S2210832716300722},
	doi = {http://dx.doi.org/10.1016/j.aci.2016.10.001},
	abstract = {Abstract As more and more sensitive data is transferred from mobile applications across unsecured channels, it seems imperative that transport layer encryption should be used in any non-trivial instance. Yet, research indicates that many Android developers do not use \{HTTPS\} or violate rules which protect user data from man-in-the-middle attacks. This paper seeks to find a root cause of the disparities between theoretical \{HTTPS\} usage and in-the-wild implementation of the protocol by looking into Android applications, online resources, and papers published by \{HTTPS\} and Android security researchers. From these resources, we extract a set of barrier categories that exist in the path of proper \{TLS\} use. These barriers not only include improper developer practices, but also server misconfiguration, lacking documentation, flaws in libraries, the fundamentally complex \{TLS\} \{PKI\} system, and a lack of consumer understanding of the importance of HTTPS. Following this discussion, we compile a set of potential solutions and patches to better secure Android \{HTTPS\} and the TLS/SSL protocol in general. We conclude our survey with gaps in current understanding of the environment and suggestions for further research.},
	journal = {Applied Computing and Informatics},
	author = {Wei, Xuetao and Wolf, Michael},
	year = {2016},
	keywords = {Mobile development},
	pages = {--}
}

@book{evans_public_2015,
	series = {Request for {Comments}},
	title = {Public {Key} {Pinning} {Extension} for {HTTP}},
	url = {https://rfc-editor.org/rfc/rfc7469.txt},
	abstract = {This document defines a new HTTP header that allows web host operators to instruct user agents to remember (\"pin\") the hosts\&\#39; cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.},
	number = {7469},
	publisher = {RFC Editor},
	author = {Evans, Chris and Palmer, Chris and Sleevi, Ryan},
	month = apr,
	year = {2015},
	note = {Published: RFC 7469
DOI: 10.17487/rfc7469}
}

@inproceedings{durumeric_neither_2015,
	address = {New York, NY, USA},
	series = {{IMC} '15},
	title = {Neither {Snow} {Nor} {Rain} {Nor} {MITM}...: {An} {Empirical} {Analysis} of {Email} {Delivery} {Security}},
	isbn = {978-1-4503-3848-6},
	url = {http://doi.acm.org/10.1145/2815675.2815695},
	doi = {10.1145/2815675.2815695},
	booktitle = {Proceedings of the 2015 {Internet} {Measurement} {Conference}},
	publisher = {ACM},
	author = {Durumeric, Zakir and Adrian, David and Mirian, Ariana and Kasten, James and Bursztein, Elie and Lidzborski, Nicolas and Thomas, Kurt and Eranti, Vijay and Bailey, Michael and Halderman, J. Alex},
	year = {2015},
	keywords = {dkim, dmarc, email, mail, smtp, spf, starttls, TLS},
	pages = {27--39}
}

@misc{mayer_impact_2017,
	title = {The impact on network security through encrypted protocols – {TLS} 1.3},
	url = {http://blogs.cisco.com/security/the-impact-on-network-security-through-encrypted-protocols-tls-1-3},
	urldate = {2017-03-24},
	journal = {blogs@Cisco - Cisco Blogs},
	author = {Mayer, Tobias},
	year = {2017},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\XF9KHKTZ\\the-impact-on-network-security-through-encrypted-protocols-tls-1-3.html:text/html}
}

@misc{noauthor_imperialviolet_2015,
	title = {{ImperialViolet} - {AEADs}: getting better at symmetric cryptography},
	url = {https://www.imperialviolet.org/2015/05/16/aeads.html},
	urldate = {2017-03-24},
	year = {2015},
	file = {ImperialViolet - AEADs\: getting better at symmetric cryptography:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\CWEBNGKF\\aeads.html:text/html}
}

@book{sheffer_summarizing_2015,
	series = {Request for {Comments}},
	title = {Summarizing {Known} {Attacks} on {Transport} {Layer} {Security} ({TLS}) and {Datagram} {TLS} ({DTLS})},
	url = {https://rfc-editor.org/rfc/rfc7457.txt},
	abstract = {Over the last few years, there have been several serious attacks on Transport Layer Security (TLS), including attacks on its most commonly used ciphers and modes of operation. This document summarizes these attacks, with the goal of motivating generic and protocol-specific recommendations on the usage of TLS and Datagram TLS (DTLS).},
	number = {7457},
	publisher = {RFC Editor},
	author = {Sheffer, Yaron and Holz, Ralph and Saint-Andre, Peter},
	month = feb,
	year = {2015},
	note = {Published: RFC 7457
DOI: 10.17487/rfc7457}
}

@misc{noauthor_certificate_2017,
	title = {Certificate {Transparency}},
	url = {https://www.certificate-transparency.org/},
	abstract = {This site describes the Certificate Transparency effort being spearheaded by Ben Laurie, Adam Langley and Stephen McHenry. The effort is designed to significantly increase the security of the Public Key Infrastructure used by web sites and services.},
	urldate = {2017-03-24},
	year = {2017},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\E6KUMK3B\\www.certificate-transparency.org.html:text/html}
}

@misc{adkins_update_2011,
	title = {An update on attempted man-in-the-middle attacks},
	url = {https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html},
	abstract = {Posted by Heather Adkins, Information Security Manager 
 
 Today we received reports of attempted SSL man-in-the-middle (MITM) attacks again...},
	urldate = {2017-03-24},
	journal = {Google Online Security Blog},
	author = {Adkins, Heather},
	year = {2011},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\X6DMSB5Q\\update-on-attempted-man-in-middle.html:text/html}
}

@book{hodges_http_2012,
	series = {Request for {Comments}},
	title = {{HTTP} {Strict} {Transport} {Security} ({HSTS})},
	url = {https://rfc-editor.org/rfc/rfc6797.txt},
	abstract = {This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration, for example. [STANDARDS-TRACK]},
	number = {6797},
	publisher = {RFC Editor},
	author = {Hodges, Jeff and Jackson, Collin and Barth, Adam},
	month = nov,
	year = {2012},
	note = {Published: RFC 6797
DOI: 10.17487/rfc6797}
}

@misc{noauthor_sts_2017,
	title = {{STS} {Preload} {List} - {Google} {Chrome}},
	url = {https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json},
	urldate = {2017-03-24},
	year = {2017},
	file = {transport_security_state_static.json - Code Search:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\ZKNPDFBS\\transport_security_state_static.html:text/html}
}

@misc{noauthor_firefox_2017,
	title = {Firefox {STS} {Preload} {List}},
	url = {https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc},
	urldate = {2017-03-24},
	year = {2017},
	file = {nsSTSPreloadList.inc - DXR:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\S5VMSUSF\\nsSTSPreloadList.html:text/html}
}

@misc{sleevi_sustaining_2015,
	title = {Sustaining {Digital} {Certificate} {Security}},
	url = {https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html},
	abstract = {Posted by Ryan Sleevi, Software Engineer   This post updates our previous notification  of a misissued certificate for google.com   Followin...},
	urldate = {2017-03-27},
	journal = {Google Online Security Blog},
	author = {Sleevi, Ryan},
	year = {2015},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\FQ4T3IM6\\sustaining-digital-certificate-security.html:text/html}
}

@misc{somogyi_improved_2015,
	title = {Improved {Digital} {Certificate} {Security}},
	url = {https://security.googleblog.com/2015/09/improved-digital-certificate-security.html},
	abstract = {Posted by Stephan Somogyi, Security \& Privacy PM, and Adam Eijdenberg, Certificate Transparency PM   On September 14, around 19:20 GMT, Syma...},
	urldate = {2017-03-27},
	journal = {Google Online Security Blog},
	author = {Somogyi, Stephan and Eijdenberg, Adam},
	year = {2015},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\MKFFZ474\\improved-digital-certificate-security.html:text/html}
}

@misc{sleevi_intent_2017,
	title = {Intent to {Deprecate} and {Remove}: {Trust} in existing {Symantec}-issued {Certificates} - {Grupos} de {Google}},
	url = {https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs},
	urldate = {2017-03-27},
	journal = {Google Groups},
	author = {Sleevi, Ryan},
	year = {2017},
	file = {Intent to Deprecate and Remove\: Trust in existing Symantec-issued Certificates - Grupos de Google:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\FRCQ4ZAF\\forum.html:text/html}
}

@book{hallam-baker_dns_2013,
	series = {Request for {Comments}},
	title = {{DNS} {Certification} {Authority} {Authorization} ({CAA}) {Resource} {Record}},
	url = {https://rfc-editor.org/rfc/rfc6844.txt},
	abstract = {The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue. This document defines the syntax of the CAA record and rules for processing CAA records by certificate issuers. [STANDARDS-TRACK]},
	number = {6844},
	publisher = {RFC Editor},
	author = {Hallam-Baker, Phillip and Stradling, Rob},
	month = jan,
	year = {2013},
	note = {Published: RFC 6844
DOI: 10.17487/rfc6844}
}

@misc{morton_2017_2017,
	title = {2017 – {Looking} {Back}, {Moving} {Forward}},
	url = {https://casecurity.org/2017/01/13/2017-looking-back-moving-forward/},
	abstract = {Looking Back at 2016 Fortunately, 2016 was not a year full of SSL/TLS vulnerabilities. Although some researchers did prove old cryptography algorithms should be put out to pasture. The year showed …},
	urldate = {2017-03-28},
	journal = {CA Security Council},
	author = {Morton, Bruce},
	year = {2017},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\8CF22RP3\\2017-looking-back-moving-forward.html:text/html}
}

@misc{noauthor_caa_2017,
	title = {{CAA} {Record} {Generator}},
	url = {https://sslmate.com/labs/caa/},
	urldate = {2017-03-28},
	year = {2017},
	file = {CAA Record Generator:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\3CX5B8WU\\caa.html:text/html}
}

@misc{noauthor_what_2013,
	title = {What {Is} {Certificate} {Transparency} and {How} {Does} {It} {Propose} to {Address} {Certificate} {Mis}-{Issuance}?},
	url = {https://casecurity.org/2013/09/09/what-is-certificate-transparency-and-how-does-it-propose-to-establish-certificate-validity/},
	abstract = {As originally architected by Netscape and others in the mid-1990s, the certificate issuance process envisioned that the CA would present the certificate and its contents to the named subject who wo…},
	urldate = {2017-03-28},
	journal = {CA Security Council},
	month = sep,
	year = {2013},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\WTUW4WQ4\\what-is-certificate-transparency-and-how-does-it-propose-to-establish-certificate-validity.html:text/html}
}

@misc{noauthor_how_nodate,
	title = {How {Certificate} {Transparency} {Works} - {Certificate} {Transparency}},
	url = {https://www.certificate-transparency.org/how-ct-works},
	abstract = {This site describes the Certificate Transparency effort being spearheaded by Ben Laurie, Adam Langley and Stephen McHenry. The effort is designed to significantly increase the security of the Public Key Infrastructure used by web sites and services.},
	urldate = {2017-03-28},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\DXHIKP86\\how-ct-works.html:text/html}
}

@misc{rowley_google_2016,
	title = {Google {Certificate} {Transparency} ({CT}) to {Expand} to {All} {Certificates} {Types}},
	url = {https://casecurity.org/2016/11/08/google-certificate-transparency-ct-to-expand-to-all-certificates-types/},
	abstract = {The policy change goes into effect October 2017 A recent Google announcement stated that all publicly trusted SSL/TLS certificates issued in October 2017 or later will be expected to comply with Ch…},
	urldate = {2017-03-28},
	journal = {CA Security Council},
	author = {Rowley, Jeremy},
	month = nov,
	year = {2016},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\BZ29TB6M\\google-certificate-transparency-ct-to-expand-to-all-certificates-types.html:text/html}
}

@misc{noauthor_tls_nodate-1,
	title = {tls - {How} does {OCSP} stapling work? - {Information} {Security} {Stack} {Exchange}},
	shorttitle = {tls - {How} does {OCSP} stapling work?},
	url = {https://security.stackexchange.com/questions/29686/how-does-ocsp-stapling-work},
	urldate = {2017-03-28},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\IDF9D4UP\\how-does-ocsp-stapling-work.html:text/html}
}

@misc{barnes_dane:_2011,
	title = {{DANE}: {Taking} {TLS} {Authentication} to the {Next} {Level} {Using} {DNSSEC} {\textbar} {Internet} {Society}},
	url = {https://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec},
	urldate = {2017-03-28},
	journal = {IETF Journal},
	author = {Barnes, Richard L.},
	year = {2011},
	file = {DANE\: Taking TLS Authentication to the Next Level Using DNSSEC | Internet Society:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\RRWR4IQR\\dane-taking-tls-authentication-next-level-using-dnssec.html:text/html}
}

@misc{noauthor_dane_nodate,
	title = {{DANE} {TLS} {Test} {Sites}},
	url = {https://www.huque.com/dane/testsite/},
	urldate = {2017-03-28},
	file = {DANE TLS Test Sites:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\PNCV8GJ8\\testsite.html:text/html}
}

@book{schlyter_dns-based_2012,
	series = {Request for {Comments}},
	title = {The {DNS}-{Based} {Authentication} of {Named} {Entities} ({DANE}) {Transport} {Layer} {Security} ({TLS}) {Protocol}: {TLSA}},
	url = {https://rfc-editor.org/rfc/rfc6698.txt},
	abstract = {Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain\&\#39;s TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software. [STANDARDS-TRACK]},
	number = {6698},
	publisher = {RFC Editor},
	author = {Schlyter, Jakob and Hoffman, Paul E.},
	month = aug,
	year = {2012},
	note = {Published: RFC 6698
DOI: 10.17487/rfc6698}
}

@misc{noauthor_how_2015,
	title = {How {DANE} {Strengthens} {Security} for {TLS}, {S}/{MIME} and {Other} {Applications}},
	url = {https://blog.verisign.com/security/how-dane-strengthens-security-for-tls-smime-and-other-applications/},
	abstract = {The DNS offers ways to significantly strengthen the security of internet applications via a new protocol called DNS-based Authentication of Named Entities.},
	urldate = {2017-03-28},
	journal = {Verisign Blog},
	month = nov,
	year = {2015},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\PARP76AI\\how-dane-strengthens-security-for-tls-smime-and-other-applications.html:text/html}
}

@article{dong_detection_2016,
	title = {Detection of {Rogue} {Certificates} from {Trusted} {Certificate} {Authorities} {Using} {Deep} {Neural} {Networks}},
	volume = {19},
	issn = {2471-2566},
	url = {http://doi.acm.org/10.1145/2975591},
	doi = {10.1145/2975591},
	number = {2},
	journal = {ACM Trans. Priv. Secur.},
	author = {Dong, Zheng and Kane, Kevin and Camp, L. Jean},
	month = sep,
	year = {2016},
	keywords = {certificates, Machine learning},
	pages = {5:1--5:31}
}

@misc{noauthor_generate_nodate,
	title = {Generate {TLSA} {Record}},
	url = {https://www.huque.com/bin/gen_tlsa},
	urldate = {2017-03-28},
	file = {Generate TLSA Record:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\TKEJ5RP6\\gen_tlsa.html:text/html}
}

@misc{huque_dane_2017,
	title = {{DANE} {Resources}},
	url = {https://www.huque.com/dane/},
	urldate = {2017-03-28},
	author = {Huque, Simon},
	year = {2017},
	file = {DANE Resources:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\QJJ8X9WU\\dane.html:text/html}
}

@misc{noauthor_hsts_2017,
	title = {{HSTS} {Preload} {List} {Submission}},
	url = {https://hstspreload.org/},
	urldate = {2017-03-28},
	year = {2017},
	file = {HSTS Preload List Submission:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\NXSU8BAG\\hstspreload.org.html:text/html}
}

@misc{vaughan-nichols_how_nodate,
	type = {2013},
	title = {How the {NSA}, and your boss, can intercept and break {SSL}},
	url = {http://www.zdnet.com/article/how-the-nsa-and-your-boss-can-intercept-and-break-ssl/},
	abstract = {Most people believe that SSL is the gold-standard of Internet security. It is good, but SSL communications can be intercepted and broken. Here's how.},
	urldate = {2017-03-28},
	journal = {ZDNet},
	author = {Vaughan-Nichols, Steven J.},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\J6ZW2WHG\\how-the-nsa-and-your-boss-can-intercept-and-break-ssl.html:text/html}
}

@misc{noauthor_secure_2017,
	title = {'{Secure}' in {Chrome} {Browser} {Does} {Not} {Mean} '{Safe}'},
	url = {https://www.wordfence.com/blog/2017/03/chrome-secure/},
	abstract = {Google’s Chrome web browser is used by over 50\% of users on the web. When you visit a website that is using SSL, otherwise known as HTTPS or TLS, you see a green message in your browser location bar that says “Secure”. “Secure” in Chrome browser does not mean “Safe”. In this post I will explain …},
	urldate = {2017-03-28},
	journal = {Wordfence},
	month = mar,
	year = {2017},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\RQGA9F64\\chrome-secure.html:text/html}
}

@misc{van_elst_http_2017,
	title = {{HTTP} {Strict} {Transport} {Security} for {Apache}, {NGINX} and {Lighttpd} - {Raymii}.org},
	url = {https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html},
	urldate = {2017-03-28},
	author = {van Elst, Remy},
	year = {2017},
	file = {HTTP Strict Transport Security for Apache, NGINX and Lighttpd - Raymii.org:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\94F7UKZ7\\HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html:text/html}
}

@book{cooper_internet_2008,
	series = {Request for {Comments}},
	title = {Internet {X}.509 {Public} {Key} {Infrastructure} {Certificate} and {Certificate} {Revocation} {List} ({CRL}) {Profile}},
	url = {https://rfc-editor.org/rfc/rfc5280.txt},
	abstract = {This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]},
	number = {5280},
	publisher = {RFC Editor},
	author = {Cooper, Dave},
	month = may,
	year = {2008},
	note = {Published: RFC 5280
DOI: 10.17487/rfc5280}
}

@book{saint-andre_representation_2011,
	series = {Request for {Comments}},
	title = {Representation and {Verification} of {Domain}-{Based} {Application} {Service} {Identity} within {Internet} {Public} {Key} {Infrastructure} {Using} {X}.509 ({PKIX}) {Certificates} in the {Context} of {Transport} {Layer} {Security} ({TLS})},
	url = {https://rfc-editor.org/rfc/rfc6125.txt},
	abstract = {Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies procedures for representing and verifying the identity of application services in such interactions. [STANDARDS-TRACK]},
	number = {6125},
	publisher = {RFC Editor},
	author = {Saint-Andre, Peter and Hodges, Jeff},
	month = mar,
	year = {2011},
	note = {Published: RFC 6125
DOI: 10.17487/rfc6125}
}

@article{lukas_javas_2015,
	title = {Java’s {SSLSocket}},
	volume = {9},
	issn = {2192-4260},
	url = {http://www.sicherheitsforschung-magdeburg.de/publikationen/journal.html},
	number = {1},
	urldate = {2015-03-20},
	author = {Lukas, Georg},
	year = {2015},
	keywords = {hacking, MISev, Security, security research selfarticle, sicherheit},
	pages = {506--513}
}

@misc{noauthor_is_2016,
	title = {Is {HTTP} {Public} {Key} {Pinning} {Dead}?},
	url = {https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead},
	abstract = {HTTP Public Key Pinning (HPKP, RFC 7469)—a standard that was intended to bring public key pinning to the masses—might be dead.},
	urldate = {2017-03-28},
	journal = {Network Security Blog {\textbar} Qualys, Inc.},
	month = sep,
	year = {2016},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\8S489AFB\\is-http-public-key-pinning-dead.html:text/html}
}

@misc{noauthor_detecting_2011,
	title = {Detecting {Certificate} {Authority} compromises and web browser collusion {\textbar} {The} {Tor} {Blog}},
	url = {https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion},
	urldate = {2017-03-29},
	year = {2011},
	file = {Detecting Certificate Authority compromises and web browser collusion | The Tor Blog:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\TCGUGHDZ\\detecting-certificate-authority-compromises-and-web-browser-collusion.html:text/html}
}

@misc{lokhande_ssl_2017,
	title = {{SSL} and {TLS} {Deployment} {Best} {Practices}},
	url = {https://github.com/ssllabs/research},
	abstract = {Contribute to research development by creating an account on GitHub.},
	urldate = {2017-03-29},
	journal = {GitHub},
	author = {Lokhande, Bushkhan},
	year = {2017},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\TCPBIKV6\\SSL-and-TLS-Deployment-Best-Practices.html:text/html}
}

@misc{profile_flame_nodate,
	title = {Flame malware collision attack explained},
	url = {https://blogs.technet.microsoft.com/srd/2012/06/06/flame-malware-collision-attack-explained/},
	abstract = {Since our last MSRC blog post, we’ve received questions on the nature of the cryptographic attack we saw in the complex, targeted malware known as Flame. This blog summarizes what our research revealed and why we made the decision to release Security Advisory 2718704 on Sunday night PDT. In short, by default the attacker’s certificate would...},
	urldate = {2017-03-29},
	journal = {Security Research \& Defense},
	author = {Profile, 267 Points 2 2 2 Recent Achievements Blog Party Starter Blog Conversation Starter New Blog Rater View},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\3UPCN7UB\\flame-malware-collision-attack-explained.html:text/html}
}

@misc{sotirov_md5_2008,
	title = {{MD}5 considered harmful today},
	url = {http://www.win.tue.nl/hashclash/rogue-ca/},
	urldate = {2017-03-29},
	author = {Sotirov, Alexander and Stevens, Marc and Appelbaum, Jacob and Lenstra, Arjen and Molnar, David and Dag Arne, Osvik and de Weger, Benne},
	year = {2008},
	file = {MD5 considered harmful today:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\RDTHF8GG\\rogue-ca.html:text/html}
}

@misc{noauthor_understanding_2015,
	title = {Understanding {HTTP} {Strict} {Transport} {Security} ({HSTS}) and preloading it into the browser},
	url = {https://www.troyhunt.com/understanding-http-strict-transport/},
	abstract = {During my travels over recent weeks I\&\#x2019;ve been doing a quick demo that works like this: First, I open up the dev tools in Chrome and select the network tab. Second, I load up americanexpress.com and show the network requests:  I point out how the first one},
	urldate = {2017-03-29},
	journal = {Troy Hunt},
	month = jun,
	year = {2015},
	file = {Snapshot:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\GPRS75EV\\understanding-http-strict-transport.html:text/html}
}

@misc{noauthor_using_nodate,
	title = {Using {TLS} in {Applications} (uta) - {IETF} {WG}},
	url = {https://datatracker.ietf.org/wg/uta/documents/},
	urldate = {2017-03-29},
	file = {Using TLS in Applications (uta) - Documents:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\PEQUHWNF\\documents.html:text/html}
}

@book{melnikov_updated_2016,
	series = {Request for {Comments}},
	title = {Updated {Transport} {Layer} {Security} ({TLS}) {Server} {Identity} {Check} {Procedure} for {Email}-{Related} {Protocols}},
	url = {https://rfc-editor.org/rfc/rfc7817.txt},
	abstract = {This document describes the Transport Layer Security (TLS) server identity verification procedure for SMTP Submission, IMAP, POP, and ManageSieve clients. It replaces Section 2.4 (Server Identity Check) of RFC 2595 and updates Section 4.1 (Processing After the STARTTLS Command) of RFC 3207, Section 11.1 (STARTTLS Security Considerations) of RFC 3501, and Section 2.2.1 (Server Identity Check) of RFC 5804.},
	number = {7817},
	publisher = {RFC Editor},
	author = {Melnikov, Alexey},
	month = mar,
	year = {2016},
	note = {Published: RFC 7817
DOI: 10.17487/rfc7817}
}

@book{alkemade_use_2015,
	series = {Request for {Comments}},
	title = {Use of {Transport} {Layer} {Security} ({TLS}) in the {Extensible} {Messaging} and {Presence} {Protocol} ({XMPP})},
	url = {https://rfc-editor.org/rfc/rfc7590.txt},
	abstract = {This document provides recommendations for the use of Transport Layer Security (TLS) in the Extensible Messaging and Presence Protocol (XMPP). This document updates RFC 6120.},
	number = {7590},
	publisher = {RFC Editor},
	author = {Alkemade, T. and Saint-Andre, Peter},
	month = jun,
	year = {2015},
	note = {Published: RFC 7590
DOI: 10.17487/rfc7590}
}

@techreport{fenton_smtp_2017,
	type = {Internet-{Draft}},
	title = {{SMTP} {Require} {TLS} {Option}},
	url = {https://datatracker.ietf.org/doc/html/draft-fenton-smtp-require-tls-03},
	abstract = {The SMTP STARTTLS option, used in negotiating transport-level encryption of SMTP connections, is not as useful from a security standpoint as it might be because of its opportunistic nature; message delivery is prioritized over security. This document describes a complementary SMTP service extension, REQUIRETLS. If the REQUIRETLS option is used when sending a message, it asserts a request on the part of the message sender to override the default negotiation of TLS, either by requiring that TLS be negotiated when the message is relayed, or by requesting that policy mechanisms such as SMTP STS and DANE be ignored when relaying a high priority message.},
	number = {draft-fenton-smtp-require-tls-03},
	institution = {Internet Engineering Task Force},
	author = {Fenton, Jim},
	month = feb,
	year = {2017},
	annote = {Work in Progress}
}

@techreport{moore_mail_2017,
	type = {Internet-{Draft}},
	title = {Mail {User} {Agent} {Strict} {Transport} {Security} ({MUA}-{STS})},
	url = {https://datatracker.ietf.org/doc/html/draft-ietf-uta-email-deep-06},
	abstract = {This specification defines a set of requirements and facilities designed to improve email confidentiality between a mail user agent (MUA) and a mail submission or mail access server. This provides mechanisms intended to increase use of already deployed Transport Layer Security (TLS) technology and provides a model for a mail user agent\&\#39;s confidentiality assurance. This enables mail service providers to advertise strict transport security (STS) policies that request MUAs increase confidentiality assurance.},
	number = {draft-ietf-uta-email-deep-06},
	institution = {Internet Engineering Task Force},
	author = {Moore, Keith and Newman, Chris},
	month = mar,
	year = {2017},
	annote = {Work in Progress}
}

@inproceedings{durumeric_analysis_2013,
	address = {New York, NY, USA},
	series = {{IMC} '13},
	title = {Analysis of the {HTTPS} {Certificate} {Ecosystem}},
	isbn = {978-1-4503-1953-9},
	url = {http://doi.acm.org/10.1145/2504730.2504755},
	doi = {10.1145/2504730.2504755},
	booktitle = {Proceedings of the 2013 {Conference} on {Internet} {Measurement} {Conference}},
	publisher = {ACM},
	author = {Durumeric, Zakir and Kasten, James and Bailey, Michael and Halderman, J. Alex},
	year = {2013},
	keywords = {certificates, HTTPs, internet-wide scanning, Measurement, public-key infrastructure, Security, SSL, TLS, x.509},
	pages = {291--304}
}

@misc{noauthor_incidents_nodate,
	title = {Incidents involving the {CA} {WoSign} - {Grupos} de {Google}},
	url = {https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I%5B1-25%5D},
	urldate = {2017-03-29},
	file = {Incidents involving the CA WoSign - Grupos de Google:C\:\\Users\\HozdelaHozEnriquedel\\AppData\\Roaming\\Zotero\\Zotero\\Profiles\\7v8oqfpk.default\\zotero\\storage\\9RSXS8W8\\forum.html:text/html}
}