Category:WASS Secure Channel

From OWASP


Establish a secure communication channel.

The default mechanism by which web applications and client browsers communicate is HTTP, a plain-text protocol. However, HTTP can be “tunneled” over a secure point-to-point connection via Secure Sockets Layer (SSL) to protect data in transit against interception and/or tampering. Additionally, SSL provides limited assurance about the authenticity of the end hosts. The following steps should be taken when negotiating an HTTP over SSL (HTTPS) connection, so that weak or untrusted connections are not established.

  1. Ensure that a valid certificate is used to identify the web server. Certificates should...
    1. match the server address where it resides
    2. be signed by a valid root Certificate Authority
    3. be valid for the length of time the audit is certifying the application for (i.e. should not expire for a minimum of 3 months if reviews are quarterly)
    4. reference a certificate revocation list
    5. be an SSL certificate only (code signing certificates etc. are not allowed)
    6. utilize a strength of at least 128 bits
    7. perform key exchange through a channel protected by a strong cipher scheme (as specified in the SSL specifications)
  2. SSL version 3.1 (TLS version 1) should be used for secure communications
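The checklist above can be turned into an automated audit of a negotiated connection. The following is an added example (not OWASP's own code) using only the Python standard library: it takes what `SSLSocket.getpeercert()`, `.cipher()` and `.version()` return after a handshake and reports which items fail. The `audit_peer` and `san_matches` functions, the sample certificate dict and the cipher tuple are constructed for illustration; item 5 (the certificate's extended key usage) is not exposed in the `getpeercert()` dict and so is not checked here.

```python
import ssl
from datetime import datetime, timezone

# Protocol ordering; the page's minimum is SSL 3.1, i.e. TLSv1 (modern practice: TLSv1.2).
TLS_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def san_matches(hostname, cert):
    """Item 1: host equals a DNS SAN entry or matches one leftmost wildcard label."""
    host = hostname.lower().rstrip(".")
    for pat in (v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"):
        if pat == host or (pat.startswith("*.") and host.count(".") >= 2
                           and host.split(".", 1)[1] == pat[2:]):
            return True
    return False

def audit_peer(cert, cipher, version, hostname, min_days=90,
               min_version="TLSv1", now=None):
    """Return checklist failures (empty list means pass). cert, cipher and version
    are what SSLSocket.getpeercert(), .cipher() and .version() return post-handshake."""
    now = now or datetime.now(timezone.utc)
    if not cert:  # item 2: the dict is empty unless verify_mode=CERT_REQUIRED succeeded
        return ["2: peer certificate was not verified against a trusted root"]
    findings = []
    if not san_matches(hostname, cert):
        findings.append("1: certificate does not match host %s" % hostname)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < min_days:  # item 3: must outlive the review cycle
        findings.append("3: expires in %d days, less than %d" % (days_left, min_days))
    if not cert.get("crlDistributionPoints"):  # item 4
        findings.append("4: certificate carries no CRL distribution point")
    name, _proto, bits = cipher
    if bits < 128:  # item 6
        findings.append("6: cipher %s provides only %d bits" % (name, bits))
    if any(w in name.upper() for w in ("NULL", "EXPORT", "EXP-", "ANON", "ADH")):
        findings.append("7: weak key exchange / cipher suite %s" % name)
    if TLS_ORDER.index(version) < TLS_ORDER.index(min_version):
        findings.append("TLS: %s negotiated, need %s or later" % (version, min_version))
    return findings

# Constructed sample, not a real certificate: 31 days of validity left on 2024-01-01.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "notAfter": "Feb  1 00:00:00 2024 GMT",
    "crlDistributionPoints": ("http://crl.example.test/ca.crl",),
}
SAMPLE_CIPHER = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)
AUDIT_DATE = datetime(2024, 1, 1, tzinfo=timezone.utc)
```

On a live connection, obtain the three inputs from a socket wrapped by an `SSLContext` with `verify_mode = ssl.CERT_REQUIRED` and `check_hostname` enabled, so that item 2 is enforced by the library before the audit runs.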
