Difference between revisions of "Talk:Transport Layer Protection Cheat Sheet"

From OWASP

Latest revision as of 14:34, 28 October 2014

Make the warning about "no such thing as internal network" more prominent. There are several types of attacks that can be conducted by using ARP spoofing to MitM an SSL/TLS session. One of the most interesting is hijacking credentials to virtual machine provisioning interfaces, then reusing the credentials to create malicious VMs, boot existing VMs off of untrusted media, etc. I think this is an overlooked issue with SSL since most of the focus is on ecommerce.

Second, add a paragraph regarding the BEAST attack and mitigations present in later versions of the TLS spec. Urge adoption of modern TLS implementations.

Rule - Do Not Provide Non-TLS Pages for Secure Content

Currently this rule states: "All pages which are available over TLS must not be available over a non-TLS connection. A user may inadvertently bookmark or manually type a URL to a HTTP page (e.g. http://example.com/myaccount) within the authenticated portion of the application. If this request is processed by the application then the response, and any sensitive data, would be returned to the user over the clear text HTTP."

Wouldn't it be more precise to state that secure data shouldn't be available over non-TLS connections? Pages can still be available over non-TLS connections, and pose no risk when they provide non-secure data. It's up to the application to provide secure data only when the connection is properly secured. --Peter Mosmans 01:16, 14 May 2013 (UTC)
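The discussion above is about where the rule is enforced: the page's wording forbids serving the pages at all over HTTP, while the reply argues that what matters is that secure data is only produced once the connection is known to be TLS. The following is an added illustration (not code from the cheat sheet or from either commenter) of the second reading, written as a small WSGI-style handler. The path prefix, the proxy address and the response bodies are constructed for the example; the one security-relevant caveat it shows is that behind a TLS-terminating proxy the `X-Forwarded-Proto` header may only be trusted from the proxy's own address, otherwise any client on a plain-text connection could claim to be on HTTPS.

```python
"""
Enforce "secure data only over a properly secured connection" at the
application boundary.  Added example; path, proxy address and payloads
are constructed for illustration.
"""
from urllib.parse import urlunsplit

SENSITIVE_PREFIXES = ("/myaccount",)      # paths that carry secure data
TRUSTED_PROXY_ADDRS = {"10.0.0.5"}        # hypothetical TLS-terminating proxy
HSTS = "max-age=31536000; includeSubDomains"


def connection_is_tls(environ):
    """True only if the request demonstrably reached us over TLS.

    Direct TLS is reported by the server in wsgi.url_scheme.  Behind a
    TLS-terminating proxy the original scheme arrives as X-Forwarded-Proto;
    that header is honoured only when the immediate peer is a trusted proxy,
    because any other client could set it on a clear-text connection.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXY_ADDRS:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_url(environ):
    """Rebuild the requested URL with an https scheme for the redirect."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


def handle(environ):
    """Return (status, headers, body) for one request.

    A sensitive path reached over a non-TLS connection gets a redirect with
    an empty body: the secure data is only ever produced on the TLS branch,
    so a bookmarked http:// URL never leaks it.  Public paths are served on
    either scheme, matching the "data, not pages" reading of the rule.
    """
    path = environ.get("PATH_INFO", "/")
    sensitive = path.startswith(SENSITIVE_PREFIXES)
    tls = connection_is_tls(environ)

    if sensitive and not tls:
        return ("301 Moved Permanently",
                [("Location", https_url(environ)), ("Content-Length", "0")],
                b"")

    headers = [("Content-Type", "text/plain")]
    if tls:
        # Tell browsers to use https for future requests to this host.
        headers.append(("Strict-Transport-Security", HSTS))
    if sensitive:
        headers.append(("Cache-Control", "no-store"))
        body = b"account balance: 1234.56"   # constructed secure data
    else:
        body = b"public landing page"        # constructed public data
    return ("200 OK", headers, body)


if __name__ == "__main__":
    req = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com",
           "PATH_INFO": "/myaccount", "REMOTE_ADDR": "203.0.113.9"}
    print(handle(req)[0])   # a clear-text request for secure data is redirected
```

The redirect branch deliberately returns no body and no cookies; anything placed there would itself travel in clear text. The `Cache-Control: no-store` header on the sensitive branch keeps the secure response out of shared caches, which is the same concern the rule addresses one hop further along.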

I added a rule about the SHA-1 deprecation issue today. It's a temporary issue with limited duration value (a couple years), but IMO, if someone comes to us asking about the proper way to set up SSL/TLS - I think we should tell them about the issue. Feel free to edit/expand as you see fit. Thanks! Dan --Dan Anderson (talk) 14:34, 28 October 2014 (CDT)
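The SHA-1 deprecation mentioned above is, in practice, a question of which signature algorithm each certificate in a served chain carries. The following is an added example, not code from the cheat sheet or from the commenter, of reading that field straight out of DER without a third-party library: it walks the outer `Certificate` SEQUENCE to the `signatureAlgorithm` AlgorithmIdentifier and decodes its OID. The OID values and names are the standard ones; the `fake_cert` builder and the three-certificate chain are constructed for the example and are not real certificates. It also applies the caveat that mattered during the deprecation: a self-signed trust anchor's own signature is never verified by clients, so the last certificate in a chain is excluded from the check.

```python
"""
Flag SHA-1-signed certificates in a chain by reading the outer
signatureAlgorithm OID from DER.  Added example; certificates below are
constructed placeholders, not real ones.
"""

# Standard OIDs for signature algorithms (names follow RFC usage).
ALGORITHM_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.3.14.3.2.29":        "sha1WithRSASignature",
    "1.2.840.10040.4.3":    "dsaWithSHA1",
    "1.2.840.10045.4.1":    "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2":  "ecdsa-with-SHA256",
}
SHA1_OIDS = {oid for oid, name in ALGORITHM_NAMES.items() if "sha1" in name.lower()}


def der_read(buf, pos):
    """Read one TLV at pos; return (tag, content_start, content_end, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length, pos + length


def oid_to_dotted(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def certificate_signature_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _, _, after_tbs = der_read(cert_der, start)     # skip tbsCertificate
    tag, alg_start, _, _ = der_read(cert_der, after_tbs)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, o_start, o_end, _ = der_read(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return oid_to_dotted(cert_der[o_start:o_end])


def weak_sha1_links(chain_der, exclude_trust_anchor=True):
    """Indices of chain members signed with SHA-1 (leaf first, root last).

    The root's self-signature is not checked by relying parties, so it is
    excluded by default; only leaf and intermediate signatures need replacing.
    """
    members = chain_der[:-1] if exclude_trust_anchor and len(chain_der) > 1 else chain_der
    return [i for i, c in enumerate(members) if certificate_signature_oid(c) in SHA1_OIDS]


# --- constructed test data: minimal DER builders and a placeholder certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def fake_cert(sig_oid):
    """Placeholder certificate: stub tbsCertificate, real-shaped signatureAlgorithm."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x02"))            # stands in for tbsCertificate
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")    # AlgorithmIdentifier + NULL
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 4)             # BIT STRING, dummy value
    return der_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    chain = [fake_cert("1.2.840.113549.1.1.11"),   # leaf: SHA-256
             fake_cert("1.2.840.113549.1.1.5"),    # intermediate: SHA-1
             fake_cert("1.2.840.113549.1.1.5")]    # self-signed root: SHA-1, ignored
    print("chain members needing a re-issued certificate:", weak_sha1_links(chain))
```

Reading the outer `signatureAlgorithm` rather than the one inside `tbsCertificate` is deliberate: the two are required to match, and a mismatch is itself a reason to reject the certificate, but the outer field is the one that describes the signature the relying party actually verifies.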