Top 10 2010-A9-Insufficient Transport Layer Protection

Scenario #1: A site simply doesn't use SSL for all pages that require authentication. An attacker simply monitors network traffic (for example on an open wireless network or their neighborhood cable modem network) and observes an authenticated victim's session cookie. The attacker then replays this cookie and takes over the user's session.

Scenario #2: A site has an improperly configured SSL certificate, which causes browser warnings for its users. Users have to accept such warnings and continue in order to use the site, so they become accustomed to them. A phishing attack against the site's customers lures them to a lookalike site that doesn't have a valid certificate and therefore generates similar browser warnings. Since victims are accustomed to such warnings, they proceed and use the phishing site, giving away passwords or other private data.

Scenario #3: A site simply uses standard ODBC/JDBC for the database connection, not realizing that all traffic is sent in the clear.
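As an added example (not part of the OWASP page), the following Python checks, run over constructed sample data, flag the two conditions behind Scenarios #1 and #3: a session cookie set without the Secure attribute on a response that carries no Strict-Transport-Security header, and a JDBC-style connection URL that requests no encryption. The session cookie names and driver parameter names are illustrative assumptions, not a complete list.

```python
from typing import Dict, List, Tuple
# Cookie names treated as session cookies (illustrative assumption, not exhaustive).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "session"}
# Driver parameters that request an encrypted database link (illustrative subset).
ENCRYPTION_PARAMS = {
    "usessl": {"true"}, "requiressl": {"true"}, "ssl": {"true"}, "encrypt": {"true"},
    "sslmode": {"require", "verify-ca", "verify-full", "required", "verify_ca", "verify_identity"},
}

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Scenario #1: session cookies a plaintext page would leak, plus missing HSTS."""
    findings, has_hsts = [], False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie = parse_set_cookie(value)
            if cookie["name"].lower() in SESSION_COOKIE_NAMES:
                if "secure" not in cookie["attrs"]:
                    findings.append(f"{cookie['name']} lacks Secure: sent on any http:// request")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: plain-HTTP pages remain reachable")
    return findings

def audit_db_url(url: str) -> List[str]:
    """Scenario #3: a JDBC-style URL whose query string requests no encryption."""
    params: Dict[str, str] = {}
    for kv in url.partition("?")[2].split("&"):
        key, _, val = kv.partition("=")
        params[key.lower()] = val.lower()
    if any(params.get(key) in good for key, good in ENCRYPTION_PARAMS.items()):
        return []
    return [f"database URL requests no TLS: {url}"]

# Constructed sample data, not captured from any real site or application.
SAMPLE_HEADERS = [("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
                  ("Set-Cookie", "theme=dark; Path=/")]
SAMPLE_DB_URL = "jdbc:mysql://db.internal:3306/shop?user=app"
```

Because drivers can also be told to encrypt through properties files or defaults outside the URL, an empty `audit_db_url` finding list confirms encryption was requested, while a non-empty one is a lead to verify against the driver configuration.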

For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements on Communications Security (V10) and the following references:
 * OWASP Transport Layer Protection Cheat Sheet
 * OWASP Top 10-2007 on Insecure Communications
 * OWASP Development Guide: Chapter on Cryptography
 * OWASP Testing Guide: Chapter on SSL/TLS Testing
 * CWE Entry 319 on Cleartext Transmission of Sensitive Information
 * SSL Labs Server Test
 * Definition of FIPS 140-2 Cryptographic Standard