docs: More content.

.markdownlint.base.jsonc

@@ -119,6 +119,7 @@
       "picture",
       "pre",
       "source",
+      "span",
       "summary",
       "ul"
     ]

content/learning/recommended-cipher-suites.md

@@ -0,0 +1,52 @@
+---
+title: Recommended Cipher Suites
+description: Reduce the attack surface of your website by enabling secure handshakes
+layout: learn-single
+
+---
+
+## Summary
+
+<p class="not-prose text-xl py-4 font-semibold">The 2010s were a terrible decade for TLS security.</p>
+
+In [TLS Vulnerabilities]({{% relref "vulns" %}}), we list a number of known vulnerabilities in cipher suites — most of which were discovered between 2010–2019. This triggered the need to radically shift how we approach security on the web.
+
+Rather than continuing to allow access to older cipher suites with outdated security in order to allow older clients and web browsers to connect, the lessons from the 2010s taught us that it's the _future or bust_.
+
+## Recommended settings
+
+### TLS versions
+
+* ✅ <span class="ui-badge-success-wrap">TLS 1.3</span> + <span class="ui-badge-success-wrap">TLS 1.2</span>.
+
+* ❌ <span class="ui-badge-error-wrap">TLS 1.1</span>, <span class="ui-badge-error-wrap">TLS 1.0</span>, <span class="ui-badge-error-wrap">SSLv3</span>, and <span class="ui-badge-error-wrap">SSLv2</span>.
+
+### TLS 1.3 cipher suites
+
+In order to simplify configuration and increase security, **TLS 1.3** has three cipher suites which are meant to be non-configurable.
+
+1. <span class="ui-badge-success-wrap">TLS_AES_128_GCM_SHA256</span>
+
+1. <span class="ui-badge-success-wrap">TLS_AES_256_GCM_SHA384</span>
+
+1. <span class="ui-badge-success-wrap">TLS_CHACHA20_POLY1305_SHA256</span>
+
+### TLS 1.2 cipher suites
+
+#### Recommended
+
+**TLS 1.2** carried-forward the habit of allowing administrators to configure which cipher suites to support, which led to _several_ security vulnerabilies being exposed during the 2010s.
+
+As a result, these are the only cipher suites with no known vulnerabilities left, and are likely to work with most server software.
+
+1. <span class="ui-badge-success-wrap">TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</span>
+
+1. <span class="ui-badge-success-wrap">TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</span>
+
+1. <span class="ui-badge-success-wrap">TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</span>
+
+These are equivalent to the cipher suite identifiers used in **TLS 1.3**. The only difference being that they specify the key exchange (`ECDHE`) and the authenticating signing mechanism (`ECDSA`).
+
+#### Tolerable
+
+The following cipher suites are also **secure**, however they aren't **recommended**

content/learning/tls/3des.md

@@ -1,6 +1,6 @@
 ---
 title: Triple Data Encryption Standard (3DES)
-description: Vulnerable encryption algorithm
+description: ❌ Vulnerable encryption algorithm
 layout: learn-single
 
 tls_part: encryption-algo

content/learning/tls/_index.md

@@ -1,7 +1,6 @@
 ---
 title: TLS and Cipher Suites
-description: ...
-# layout: learn-single
+description: '@TODO'
 layout: list
 
 good_better_best:

content/learning/tls/aes.md

@@ -1,6 +1,6 @@
 ---
 title: Advanced Encryption Standard (AES)
-description: Secure encryption algorithm
+description: ✅ Secure encryption algorithm
 layout: learn-single
 
 tls_part: encryption-algo

content/learning/tls/anon.md

@@ -1,6 +1,6 @@
 ---
 title: Anonymous Key Exchanges (anon)
-description: Vulnerable key exchange
+description: ❌ Vulnerable key exchange
 layout: learn-single
 
 tls_part: key-exchange

content/learning/tls/aria.md

@@ -1,6 +1,6 @@
 ---
 title: ARIA
-description: Secure encryption algorithm (non-standard)
+description: ✅ Secure encryption algorithm (non-standard)
 layout: learn-single
 
 tls_part: encryption-algo

content/learning/tls/cbc.md

@@ -1,6 +1,6 @@
 ---
 title: Cipher Block Chaining (CBC)
-description: Vulnerable encryption algorithm
+description: ❌ Vulnerable encryption algorithm
 layout: learn-single
 
 tls_part: encryption-algo

content/learning/tls/des.md

@@ -1,6 +1,6 @@
 ---
 title: Data Encryption Standard (DES)
-description: Vulnerable encryption algorithm
+description: ❌ Vulnerable encryption algorithm
 layout: learn-single
 
 tls_part: encryption-algo

content/learning/tls/dh.md

@@ -1,6 +1,6 @@
 ---
 title: Diffie-Hellman (DH)
-description: Vulnerable key exchange
+description: ❌ Vulnerable key exchange
 layout: learn-single
 
 tls_part: key-exchange
@@ -38,7 +38,7 @@ The newer [elliptic-curve][ECC] (ECDHE) key exchange algorithms are more secure
 | Ephemeral    | _No_         |
 | Related tech | [PGP]        |
 
-¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-<a href="https://en.wikipedia.org/wiki/Quantum_computing">Quantum computing</a>)
+¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-<a href="https://en.wikipedia.org/wiki/Quantum_computing">Quantum computing</a>).
 
 [Diffie-Hellman]: https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
 [ECC]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography

content/learning/tls/dhe.md

@@ -1,6 +1,6 @@
 ---
 title: Diffie-Hellman, Ephemeral (DHE)
-description: Vulnerable key exchange
+description: ❌ Vulnerable key exchange
 layout: learn-single
 
 tls_part: key-exchange
@@ -39,7 +39,7 @@ The newer [elliptic-curve][ECC] (ECDHE) key exchange algorithms are more secure
 | Ephemeral    | _Yes_        |
 | Related tech | [PGP]        |
 
-¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-<a href="https://en.wikipedia.org/wiki/Quantum_computing">Quantum computing</a>)
+¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-<a href="https://en.wikipedia.org/wiki/Quantum_computing">Quantum computing</a>).
 
 [Diffie-Hellman]: https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
 [ECC]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography

content/learning/tls/dss.md

@@ -1,6 +1,6 @@
 ---
 title: Digital Signature Standard (DSS)
-description: Deprecated authentication signing
+description: 👎 Deprecated authentication signing
 layout: learn-single
 
 tls_part: auth-sig
@@ -9,7 +9,9 @@ tls_part: auth-sig
 
 ## Summary
 
-The [DSS] standard (including the [DSA] signature algorithm) signing method was developed by the [NSA], proposed by U.S. NIST in 1991, then [became a _Federal Information Processing Standard_ (FIPS) in 1994][FIPS-186]. In 2023, U.S. NIST announced that they were deprecating the _Digital Signing Algorithm_.
+The [Digital Signature Standard][DSS] (DSS) is an overarching [U.S. federal standard][FIPS-186] which evolves over time. _One part_ of that standard is the [Digital Signature Algorithm][DSA] (DSA).
+
+The _Digital Signature Algorithm_ signing method was developed by the [NSA], proposed by U.S. NIST in 1991, then [became a _Federal Information Processing Standard_ (FIPS) in 1994][FIPS-186]. In 2023, U.S. NIST [announced] that they were deprecating the _Digital Signing Algorithm_ in favor of [ECDSA]({{% relref "ECDSA" %}}) and `EdDSA`.
 
 Any cipher suite with `DSS` in the name should be avoided. `ECDSA` signing should be strongly preferred.
 
@@ -22,6 +24,7 @@ Any cipher suite with `DSS` in the name should be avoided. `ECDSA` signing shoul
 | Deprecated   | 2023                   |
 | Related tech | [FIPS-186]             |
 
+[announced]: https://www.nist.gov/news-events/news/2023/02/nist-revises-digital-signature-standard-dss-and-publishes-guideline
 [DSA]: https://en.wikipedia.org/wiki/Digital_Signature_Algorithm
 [DSS]: https://en.wikipedia.org/wiki/Digital_Signature_Standard
 [FIPS-186]: https://csrc.nist.gov/pubs/fips/186-5/final

content/learning/tls/ecdsa.md

@@ -1,25 +1,50 @@
 ---
 title: Elliptic Curve Digital Signature Algorithm (ECDSA)
-description: Secure authentication signing
+description: ✅ Secure authentication signing
 layout: learn-single
 
 tls_part: auth-sig
 
+learn_more:
+  - text: 'ECDSA: The digital signature algorithm of a better internet'
+    url: https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/
+    source: Cloudflare
+
+  - text: 'Standards for Efficient Cryptography: Elliptic Curve Cryptography'
+    url: https://www.secg.org/sec1-v2.pdf
+    source: Standards for Efficient Cryptography Group
+
+  - text: 'A Brief History of the U.S. Trying to Add Backdoors Into Encrypted Data'
+    url: https://www.atlasobscura.com/articles/a-brief-history-of-the-nsa-attempting-to-insert-backdoors-into-encrypted-data
+    source: Atlas Obscura
+
 ---
 
 ## Summary
 
-[ECDSA] is a digital signature algorithm using elliptic curve cryptography, offering a more secure alternative to traditional [DSA]({{% relref "DSS" %}}). It involves key generation, signature creation, and verification, with a focus on the importance of randomness in the signing process. While ECDSA offers security advantages, vulnerabilities in implementation, such as static random number generation, have been exploited in real-world attacks.
+[ECDSA] is a digital signature algorithm using elliptic curve cryptography, offering a more secure alternative to traditional [DSA]({{% relref "DSS" %}}). It involves key generation, signature creation, and verification, with a focus on the importance of randomness in the signing process.
+
+It is based on the underlying mathematical concepts of [Elliptic-curve cryptography][ECC].
+
+## Concerns
+
+While ECDSA offers security advantages, vulnerabilities in poor implementations (such as static random number generation) have been exploited in real-world attacks (e.g., jailbreaking Sony’s PlayStation 3).
+
+There have been political concerns about the trustworthiness of U.S. NIST-produced curves, after revelations were made that [the NSA willingly inserts backdoors into software][backdoors], hardware components and published standards.
 
-@TODO
+Well-known cryptographers (including [Bruce Schneier]) have expressed doubts about [how the NIST curves were designed][P-curves], and voluntary tainting [has already been proven][tainting] in the past. Nevertheless, a proof that the named NIST curves exploit a rare weakness is missing yet.
 
 ## Information
 
-| Field        | Value                  |
-|--------------|------------------------|
-| Kind         | Authentication signing |
-| Invented     | 1991                   |
-| Deprecated   | 2023                   |
-| Related tech |                        |
+| Field      | Value                  |
+|------------|------------------------|
+| Kind       | Authentication signing |
+| Proposed   | 1992                   |
+| Deprecated | -                      |
 
+[backdoors]: https://www.theguardian.com/us-news/2015/feb/23/nsa-director-defends-backdoors-into-technology-companies
+[Bruce Schneier]: https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
+[ECC]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography
 [ECDSA]: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
+[P-curves]: https://safecurves.cr.yp.to/rigid.html
+[tainting]: https://www.scientificamerican.com/article/nsa-nist-encryption-scandal/

content/learning/tls/export.md

@@ -1,6 +1,6 @@
 ---
 title: Export-grade encryption (EXPORT)
-description: Vulnerable encryption algorithms
+description: ❌ Vulnerable encryption algorithms
 layout: learn-single
 
 tls_part: encryption-algo

content/learning/tls/null.md

@@ -1,6 +1,6 @@
 ---
 title: 'NULL algorithm'
-# description: Vulnerable key exchange
+# description: ❌ Vulnerable key exchange
 layout: learn-single
 ---
 

content/learning/tls/rc2.md

@@ -1,6 +1,6 @@
 ---
 title: Rivest Cipher 2 (RC2)
-description: Vulnerable encryption algorithm
+description: ❌ Vulnerable encryption algorithm
 layout: learn-single
 
 tls_part: encryption-algo

content/learning/tls/rc4.md

@@ -1,6 +1,6 @@
 ---
 title: Rivest Cipher 4 (RC4)
-description: Vulnerable encryption algorithm
+description: ❌ Vulnerable encryption algorithm
 layout: learn-single
 
 tls_part: encryption-algo

content/learning/tls/rsa-kex.md

@@ -1,6 +1,6 @@
 ---
 title: RSA (Key Exchange)
-description: Vulnerable key exchange
+description: ❌ Vulnerable key exchange
 layout: learn-single
 
 tls_part: key-exchange

content/learning/tls/rsa-sig.md

@@ -1,6 +1,6 @@
 ---
 title: RSA (Authentication Signing)
-description: Secure authentication signing
+description: ✅ Secure authentication signing
 layout: learn-single
 
 tls_part: auth-sig

content/learning/vulns/goldendoodle.md

@@ -0,0 +1,40 @@
+---
+title: GOLDENDOODLE
+description:
+layout: vuln
+
+year: 2019
+classes:
+  - Data leakage
+
+learn_more:
+  - text: 'Introducing Zombie POODLE and GOLDENDOODLE'
+    url: https://www.tripwire.com/state-of-security/zombie-poodle-goldendoodle
+    source: Tripwire
+
+  - text: 'TLS CBC Padding Oracles in 2019'
+    url: https://www.tripwire.com/state-of-security/tls-cbc-padding-oracles
+    source: Tripwire
+
+  - text: 'TLS CBC Padding Oracle Checker'
+    url: https://github.com/Tripwire/padcheck
+    source: GitHub
+
+---
+
+## Overview
+
+The [GOLDENDOODLE] attack is a type of TLS CBC padding oracle vulnerability (like [POODLE]({{% relref "POODLE" %}})).
+
+GOLDENDOODLE can be used to hijack authenticated TLS sessions if the server reveals the padding validity of application data records in such a way that a Man-in-the-Middle (MITM) attacker can recognize well-formed padding independently of a valid Message Authentication Code (MAC).
+
+The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with recommended cipher suites) and TLS 1.3.
+
+## Information
+
+| Field                    | Value               |
+|--------------------------|---------------------|
+| Vulnerability discovered | {{% param-year %}}  |
+| Vulnerability class      | {{% param-class %}} |
+
+[GOLDENDOODLE]: https://www.tripwire.com/state-of-security/goldendoodle-attack