Talk:OWASP Application Security FAQ

I feel that this page/article should be renamed to "OWASP Application Security FAQ". The complete form is usually preferred in Wikipedia articles and it does make the page title more readable and probably more search engine friendly. --Varunvnair 23:19, 2 July 2006 (EDT)

Need for more questions and answers
I think more questions and answers should be included into the OWASP Application Security FAQ. This requires contribution from other readers. If an answer needs clarification, please mention it in 'Discussion'.

SSL Could Use a Refresh
The "SSL" sections here are getting pretty dated. For example, there's no mention of "AES" or "SHA1" and the only mentioned symmetric key bit lengths are 40 and 128. Jlampe 09:35, 23 February 2009 (EST)

The SSL section indicates, "After the initial SSL negotiation is done and the connection is on HTTPS, everything is encrypted including the page request. So any data sent in the query string will also be encrypted." This statement is technically not correct. While the connection between the client and the server is secured, the request and response are not encrypted, but are unreadable by a third party who might examine the network traffic packet details and thus largely secured from eavesdropping. I would suggest changing the language to read, "After the initial SSL negotiation is done and the connection is secured, everything sent over the secured connection between the client and server is secured from eavesdropping, including the page request."

MD5 Password Hashing
The FAQ talks about hashing passwords with MD5. I believe bcrypt is the current accepted standard. Ryan Dewhurst 22:02, 22 March 2013 (GMT)
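To illustrate the difference behind this comment, here is an added example (not part of the FAQ or this talk page) contrasting the unsalted MD5 scheme with a salted, deliberately slow password hash. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, which needs a third-party package; the user table and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample user table; two users happen to share a password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}


def md5_store(password: str) -> str:
    """The scheme the FAQ describes: unsalted MD5 of the password (not recommended)."""
    return hashlib.md5(password.encode()).hexdigest()


def shared_password_groups(table: dict) -> list:
    """Users whose stored MD5 digests collide, i.e. who share a password.
    With no salt the stored value alone reveals this (and enables precomputed lookups)."""
    by_digest = {}
    for user, pw in table.items():
        by_digest.setdefault(md5_store(pw), []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


def slow_hash_store(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, work-factor-tunable hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here;
    the stored string carries scheme, iteration count and salt so it can be re-verified."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def slow_hash_verify(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("MD5 groups sharing a password:", shared_password_groups(USERS))
    stored = slow_hash_store("hunter2")
    print("salted hash verifies:", slow_hash_verify("hunter2", stored))
```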

Cache info is wrong
"If a webpage is delivered using SSL, no content can be cached."

That's just totally wrong. I use Firefox to diagnose caching issues with SSL content all the time. Rick.mitchell 15:08, 28 May 2013 (UTC)