OWASP Periodic Table of Vulnerabilities - Insufficient Transport Layer Protection
Insufficient Transport Layer Protection
Root Cause Summary
Not all traffic flowing between two endpoints is properly secured, which makes it possible for attackers to perform man-in-the-middle attacks.
Browser / Standards Solution
Implement HTTP Strict Transport Security in all browsers, which makes it possible to better enforce secure connections. Fix DNS and browser technologies so that the intent of domain owners can be more strictly followed.
- Make sure that SSL/TLS is properly configured on the server:
  - Disable all weak SSL/TLS protocols (such as SSLv2)
  - Disable all weak 'export' algorithms (such as DES, RC4-40, DHE-RSA-Export)
  - Make sure that the minimum session key size is 128 bits
  - Use an SSL certificate with a minimum key size of 1024 bits
  - Do not offer MD5 as a cryptographic hash algorithm
  - Disable anonymous Diffie-Hellman key establishment
- Enforce HTTP Strict Transport Security (HSTS)
- Redirect all HTTP requests to HTTPS
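The server checklist above turned into something you can run, as an added example that is not part of the OWASP page: Python's `ssl` module builds a server context that follows the checklist, an audit function checks an offered cipher list against the checklist's thresholds (so it also works on the cipher list reported by a scanner), and a small response helper covers the HSTS and HTTP-to-HTTPS redirect items. It goes a little beyond the page by using TLS 1.2 as the protocol floor; the HSTS `max-age` value, the `respond` helper and the weak-name regex are my own assumptions.

```python
import re
import ssl

MIN_SESSION_KEY_BITS = 128          # threshold from the checklist
WEAK_PROTOCOLS = ("SSLv2", "SSLv3")
# OpenSSL cipher-name tokens for the building blocks the checklist bans:
# export suites, DES/3DES, RC4, MD5, anonymous DH/ECDH and NULL ciphers (assumed list).
WEAK_TOKEN = re.compile(r"(^|-)(EXP\w*|DES|RC4|MD5|ADH|AECDH|NULL)(-|$)")
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def hardened_server_context():
    """Server SSLContext following the checklist. Goes a little beyond the page:
    the floor is TLS 1.2, which also rules out SSLv2/SSLv3 and every export suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' terms drop anonymous DH, NULL,
    # export, MD5, RC4 and (3)DES even if a positive term would have matched them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
                    ":!aNULL:!eNULL:!EXPORT:!MD5:!RC4:!DES:!3DES")
    return ctx


def audit_cipher_list(ciphers):
    """Return checklist violations for cipher dicts shaped like
    SSLContext.get_ciphers() output (keys: name, protocol, strength_bits)."""
    findings = []
    for c in ciphers:
        name = c["name"]
        if c["protocol"] in WEAK_PROTOCOLS:
            findings.append(f"{name}: weak protocol {c['protocol']}")
        if c["strength_bits"] < MIN_SESSION_KEY_BITS:
            findings.append(f"{name}: {c['strength_bits']}-bit session key")
        m = WEAK_TOKEN.search(name)
        if m:
            findings.append(f"{name}: weak component {m.group(2)}")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext: protocol floor plus every suite it would offer."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1:
        findings.append("protocol floor below TLSv1: SSLv3 may still be offered")
    return findings + audit_cipher_list(ctx.get_ciphers())


def respond(scheme, host, path):
    """Redirect plain HTTP to HTTPS; on HTTPS, attach the HSTS header."""
    if scheme != "https":
        return 301, [("Location", f"https://{host}{path}")]
    return 200, [HSTS_HEADER]
```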
Generic Framework Solution
Custom Framework Solution
Custom Code Solution
Discussion / Controversy
HTTP Strict Transport Security is at entry-level maturity: it is a proposed standard, and not all browsers implement it (yet).
The security of ciphers changes over time, so it's important to periodically review whether certain ciphers and minimum key sizes are still considered safe enough.
Insufficient Transport Layer Protection (OWASP)
Insufficient Transport Layer Protection (WASC TC)
Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (NIST SP 800-52)
HTTP Strict Transport Security (IETF)