Category:WASS Secure Channel
Establish a secure communication channel.
The default communication mechanism for web applications and client browsers to communicate is HTTP, a plain text protocol. However, HTTP can be “tunneled” over a secure point-to-point connection via Secure Sockets Layer (SSL) to protect against interception and/or tampering of data in transit. Additionally, SSL provides limited assurance about the authenticity of end-hosts. Following steps should be taken while negotiating a HTTP over SSL (HTTPS) connection to avoid weak or untrusted connections from being established.
- Ensure that a valid certificate is used to identify the web server. Certificates should...
- match the server address where it resides
- be signed by a valid root Certificate Authority
- be valid for the length of time the audit is certifying the application for (i.e. should not expire for a minimum of 3 months if reviews are quarterly)
- must reference a certificate revocation list
- be an SSL certificate only (code signing certificate etc not allowed)
- utilize a strength of at least 128 bits
- perform key exchange through a channel protected by a strong cipher scheme (as specified in ssl specifications)
- SSL version 3.1 (TLS version 1) should be used for secure communications
This category currently contains no pages or media.