Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Transport Layer Protection"

From OWASP
Jump to: navigation, search
(Created page with "== Vulnerability Title == Insufficient Transport Layer Protection === Root Cause Summary === <summary here> === Browser / Standards Solution === <browser/standards solutions ...")
 
(added encryption less algorithm, RC4 discussion)
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Vulnerability Title ==
+
[[OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities|Return to Periodic Table Working View]]
Insufficient Transport Layer Protection
+
 
 +
== Insufficient Transport Layer Protection ==
 +
 
 
=== Root Cause Summary ===
 
=== Root Cause Summary ===
<summary here>
+
Not all traffic flowing between two endpoints is properly secured, which makes it possible for attackers to perform man-in-the-middle attacks.
  
 
=== Browser / Standards Solution ===
 
=== Browser / Standards Solution ===
<browser/standards solutions here>
+
Implement HTTP Strict Transport Security in all browsers, which makes it possible to better enforce secure connections.
 +
Implement Certificate and Public Key pinning in browsers where applicable.
  
 
=== Perimeter Solution ===
 
=== Perimeter Solution ===
<perimeter solutions here>
+
* Make sure that SSL is properly configured on the server:
 
+
** Disable all weak SSL/TLS protocols (such as SSLv2)
Complexity: High/Medium/Low<br>
+
** Disable all weak 'export' algorithms (such as DES, RC4-40, DHE-RSA-Export)
Impact: High/Medium/Low
+
** Make sure that the minimum session key size is 128 bits
 +
** Use a SSL certificate with a minimum key size of 2048 bits
 +
** Do not use MD5 as cryptographic hash algorithm
 +
** Do not use the RC4 algorithm
 +
** Disable anonymous key establishment algorithms (Anonymous Diffie-Hellman, aNULL)
 +
** Disable algorithms offering no encryption (NULL, eNULL)
 +
* Enforce HTTP Strict Transport Security (HSTS)
 +
* Redirect all HTTP request to HTTPS
  
 
=== Generic Framework Solution ===
 
=== Generic Framework Solution ===
<generic framework solutions here>
+
None
 
+
Complexity: High/Medium/Low<br>
+
Impact: High/Medium/Low
+
  
 
=== Custom Framework Solution ===
 
=== Custom Framework Solution ===
<custom framework solutions here>
+
None
 
+
Complexity: High/Medium/Low<br>
+
Impact: High/Medium/Low
+
  
 
=== Custom Code Solution ===
 
=== Custom Code Solution ===
<custom code solutions here>
+
None
 
+
Complexity: High/Medium/Low<br>
+
Impact: High/Medium/Low
+
  
 
=== Discussion / Controversy ===
 
=== Discussion / Controversy ===
<discussion / controversy tracking here>
+
* HTTP Strict Transport Security is at the entry-level maturity, a proposed standard. Not all browsers implement it (yet). <br>
 +
* The security of ciphers changes over time, so it's important to periodically review whether certain ciphers and minimum key sizes are still considered safe enough.
 +
* Certificate and Public Key Pinning is a relatively new technique and not widely used or implemented. Google Chrome's browser is one of the first major browsers to use this technique.
 +
* According to NIST SP800-52, RC4 is "acceptable for use [..] where secure information
 +
is to be transferred [..] and 3DES or better (e.g., AES) is not supported by the server".
  
 
=== References ===
 
=== References ===
<references here>
+
[https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection Insufficient Transport Layer Protection (OWASP)]<br>
 +
[http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection Insufficient Transport Layer Protection (WASC TC)]<br>
 +
[http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (NIST SP 800-52)]<br>
 +
[http://tools.ietf.org/html/rfc6797 HTTP Strict Transport Security (IETF)]<br>
 +
[https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning Certificate and Public Key Pinning (OWASP)]<br>
 +
[http://blog.chromium.org/2011/06/new-chromium-security-features-june.html Google Chrome implements certificate pinning (Google)]

Revision as of 03:42, 16 May 2013

Return to Periodic Table Working View

Contents

Insufficient Transport Layer Protection

Root Cause Summary

Not all traffic flowing between two endpoints is properly secured, which makes it possible for attackers to perform man-in-the-middle attacks.

Browser / Standards Solution

Implement HTTP Strict Transport Security in all browsers, which makes it possible to better enforce secure connections. Implement Certificate and Public Key pinning in browsers where applicable.

Perimeter Solution

  • Make sure that SSL is properly configured on the server:
    • Disable all weak SSL/TLS protocols (such as SSLv2)
    • Disable all weak 'export' algorithms (such as DES, RC4-40, DHE-RSA-Export)
    • Make sure that the minimum session key size is 128 bits
    • Use a SSL certificate with a minimum key size of 2048 bits
    • Do not use MD5 as cryptographic hash algorithm
    • Do not use the RC4 algorithm
    • Disable anonymous key establishment algorithms (Anonymous Diffie-Hellman, aNULL)
    • Disable algorithms offering no encryption (NULL, eNULL)
  • Enforce HTTP Strict Transport Security (HSTS)
  • Redirect all HTTP request to HTTPS

Generic Framework Solution

None

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

  • HTTP Strict Transport Security is at the entry-level maturity, a proposed standard. Not all browsers implement it (yet).
  • The security of ciphers changes over time, so it's important to periodically review whether certain ciphers and minimum key sizes are still considered safe enough.
  • Certificate and Public Key Pinning is a relatively new technique and not widely used or implemented. Google Chrome's browser is one of the first major browsers to use this technique.
  • According to NIST SP800-52, RC4 is "acceptable for use [..] where secure information

is to be transferred [..] and 3DES or better (e.g., AES) is not supported by the server".

References

Insufficient Transport Layer Protection (OWASP)
Insufficient Transport Layer Protection (WASC TC)
Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (NIST SP 800-52)
HTTP Strict Transport Security (IETF)
Certificate and Public Key Pinning (OWASP)
Google Chrome implements certificate pinning (Google)