Category:WASS Secure Channel

From OWASP

Establish a secure communication channel.

The default mechanism for web applications and client browsers to communicate is HTTP, a plain-text protocol. HTTP can, however, be "tunneled" over a secure point-to-point connection via Secure Sockets Layer (SSL) to protect data in transit against interception and/or tampering. Additionally, SSL provides limited assurance about the authenticity of the end hosts. The following steps should be taken when negotiating an HTTP over SSL (HTTPS) connection to prevent weak or untrusted connections from being established.

  1. Ensure that a valid certificate is used to identify the web server. Certificates should...
    1. match the server address where it resides
    2. be signed by a valid root Certificate Authority
    3. be valid for the length of time the audit is certifying the application for (i.e. should not expire for a minimum of 3 months if reviews are quarterly)
    4. reference a certificate revocation list
    5. be an SSL certificate only (code signing certificates etc. are not allowed)
    6. utilize a strength of at least 128 bits
    7. perform key exchange through a channel protected by a strong cipher scheme (as specified in the SSL specifications)
  2. SSL version 3.1 (TLS version 1) should be used for secure communications
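The checklist above can be turned into an automated audit. The following Go program is an added example, not code from the OWASP page: `AuditCert` applies certificate checks 1 to 6 to a leaf certificate and reports one finding per failed check, `ServerTLSConfig` shows the protocol floor and cipher-suite selection that items 2 and 7 concern, and `MakeTestChain` builds a constructed root CA and leaf in memory so everything runs offline. The function names, the `example.invalid` host and CRL URL, and the mapping of "at least 128 bits" onto RSA 3072 / EC P-256 (taken from NIST SP 800-57) are this example's assumptions; the page's protocol floor is SSL 3.1 (TLS 1.0), and the configuration shown raises it to TLS 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// AuditCert applies checks 1-6 from the list above to a leaf certificate and returns one
// finding per failed check (an empty slice means it passed). now is injected for reproducibility.
func AuditCert(leaf *x509.Certificate, roots *x509.CertPool, host string, minRemaining time.Duration, now time.Time) []string {
	var findings []string
	// 1. Must match the server address (Go checks the Subject Alternative Name extension).
	if err := leaf.VerifyHostname(host); err != nil {
		findings = append(findings, "address mismatch: "+err.Error())
	}
	// 2. Must chain to a trusted root CA.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		findings = append(findings, "untrusted chain: "+err.Error())
	}
	// 3. Must stay valid for the whole audit interval (90 days for quarterly reviews).
	if leaf.NotAfter.Before(now.Add(minRemaining)) {
		findings = append(findings, "expires before the audit interval ends: "+leaf.NotAfter.Format(time.RFC3339))
	}
	// 4. Must reference a certificate revocation list.
	if len(leaf.CRLDistributionPoints) == 0 {
		findings = append(findings, "no CRL distribution point")
	}
	// 5. Must be a server (SSL) certificate only; code-signing usage is rejected.
	serverAuth := false
	for _, eku := range leaf.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
		if eku == x509.ExtKeyUsageCodeSigning {
			findings = append(findings, "code-signing usage present")
		}
	}
	if !serverAuth {
		findings = append(findings, "serverAuth extended key usage missing")
	}
	// 6. Must give at least 128 bits of security (RSA >= 3072 bits or EC curve >= 256 bits,
	// a mapping taken from NIST SP 800-57 and assumed by this example, not stated on the page).
	rsaKey, isRSA := leaf.PublicKey.(*rsa.PublicKey)
	ecKey, isEC := leaf.PublicKey.(*ecdsa.PublicKey)
	if (isRSA && rsaKey.N.BitLen() < 3072) || (isEC && ecKey.Curve.Params().BitSize < 256) || !(isRSA || isEC) {
		findings = append(findings, "public key below 128-bit security or of unsupported type")
	}
	return findings
}

// ServerTLSConfig covers item 2 and check 7: a protocol floor and a strong cipher scheme for the
// key exchange. The page's floor is SSL 3.1 (TLS 1.0, tls.VersionTLS10); this example uses TLS 1.2.
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}
}

// check is a fixture helper: an error here means the example itself is broken.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// ConstructedCRL is a made-up CRL distribution point URL; nothing is served there.
var ConstructedCRL = []string{"http://crl.example.invalid/root.crl"}

// MakeTestChain builds a constructed root CA and leaf in memory so the audit runs offline;
// a short validFor or a nil crl produces a leaf that fails check 3 or 4.
func MakeTestChain(host string, validFor time.Duration, crl []string) (*x509.Certificate, *x509.CertPool) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(87600 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	check(err)
	ca, err = x509.ParseCertificate(caDER)
	check(err)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(validFor), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, CRLDistributionPoints: crl}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err = x509.ParseCertificate(leafDER)
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}
```

Running `AuditCert` over a leaf from `MakeTestChain("www.example.invalid", 180*24*time.Hour, ConstructedCRL)` with a 90-day interval yields no findings; the same leaf audited against a different host name yields only the address-mismatch finding, and a 30-day leaf built with a nil CRL list yields the expiry and CRL findings. Note that `x509.Verify` does not itself consult a CRL; check 4 only confirms that a distribution point is declared, which is what the list asks for.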
