Difference between revisions of "Talk:Transport Layer Protection Cheat Sheet"

From OWASP
Edit summary: m (Rule - Do Not Provide Non-TLS Pages for Secure Content: new section). The revision adds the section of that name; the full page as of this revision follows below.

Latest revision as of 20:16, 13 May 2013

Make the warning about "no such thing as internal network" more prominent. There are several types of attacks that can be conducted by using ARP spoofing and MitM an SSL/TLS session. One of the most interesting is hijacking credentials to virtual machine provisioning interfaces, then reusing the credentials to create malicious VMs, boot existing VMs off of untrusted media, etc. I think this is an overlooked issue with SSL since most of the focus is on ecommerce.

Second, add a paragraph regarding the BEAST attack and mitigations present in later versions of the TLS spec. Urge adoption of modern TLS implementations.

Rule - Do Not Provide Non-TLS Pages for Secure Content

Currently this rule states: "All pages which are available over TLS must not be available over a non-TLS connection. A user may inadvertently bookmark or manually type a URL to a HTTP page (e.g. http://example.com/myaccount) within the authenticated portion of the application. If this request is processed by the application then the response, and any sensitive data, would be returned to the user over the clear text HTTP."

Wouldn't it be more precise to state that secure data shouldn't be available over non-TLS connections? Pages still can be available over non-TLS connections, and pose no risk when they provide non-secure data. It's up to the application to provide secure data only when the connection is properly secured. --Peter Mosmans 01:16, 14 May 2013 (UTC)
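As an added illustration of the point debated above (example code written for this page, not from the OWASP cheat sheet or from either commenter): a WSGI middleware that makes the application, rather than the page, responsible for releasing sensitive data only over a secured connection. Requests for sensitive paths that arrive over plaintext HTTP are redirected (GET/HEAD) or refused (other methods) before the application ever runs, public paths remain reachable over HTTP, and responses served over TLS get an HSTS header so that a bookmarked or typed http:// URL is upgraded by the browser. The path prefixes, the sample application and the `demo.trust_forwarded_proto` flag are constructed for this demo.

```python
"""Added example: refuse to serve sensitive content over plaintext HTTP.

Constructed for this page; SENSITIVE_PREFIXES, sample_app and the
demo.trust_forwarded_proto flag are demo assumptions, not OWASP code.
"""
from urllib.parse import urlunsplit

# Constructed: URL prefixes under which authenticated/sensitive data lives.
SENSITIVE_PREFIXES = ("/myaccount", "/api/")

# Sent only on TLS responses; browsers ignore HSTS received over plain HTTP.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_tls(environ):
    """Return True if the request reached the app over TLS.

    Direct TLS termination sets wsgi.url_scheme. Behind a TLS-terminating
    reverse proxy the original scheme arrives in X-Forwarded-Proto; that header
    is only honoured when the deployment says a trusted proxy is in front
    (demo flag), otherwise a client could claim 'https' on a plaintext request.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if environ.get("demo.trust_forwarded_proto"):
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_url(environ):
    """Rebuild the requested URL with the https scheme for a redirect."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    return urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


class RequireTLS:
    """Wrap a WSGI app so sensitive paths are never answered over plaintext."""

    def __init__(self, app, sensitive_prefixes=SENSITIVE_PREFIXES):
        self.app = app
        self.prefixes = sensitive_prefixes

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if is_tls(environ):
            # Secured connection: serve normally and pin future visits to HTTPS.
            def start_with_hsts(status, headers, exc_info=None):
                return start_response(status, headers + [HSTS_HEADER], exc_info)
            return self.app(environ, start_with_hsts)

        if not path.startswith(self.prefixes):
            # Public, non-sensitive content may still be served over HTTP.
            return self.app(environ, start_response)

        if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
            # A bookmarked or typed http:// URL: redirect, never answer with data.
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)),
                            ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]
        # A POST over HTTP has already exposed its body in transit; refuse it
        # rather than redirect, which would drop or replay the body.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"TLS required\n"]


def sample_app(environ, start_response):
    """Constructed application: /myaccount returns sensitive data."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    if environ.get("PATH_INFO", "/").startswith("/myaccount"):
        return [b"account balance: 42\n"]
    return [b"public page\n"]


def call(app, path, scheme="http", method="GET", forwarded=None, trust_proxy=False):
    """Drive a WSGI app in-process; return (status, headers dict, body bytes)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": "",
               "HTTP_HOST": "example.com", "wsgi.url_scheme": scheme}
    if forwarded is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded
    if trust_proxy:
        environ["demo.trust_forwarded_proto"] = True
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = RequireTLS(sample_app)

if __name__ == "__main__":
    print(call(app, "/myaccount"))                  # redirected, no data leaked
    print(call(app, "/myaccount", scheme="https"))  # served, with HSTS header
    print(call(app, "/"))                           # public page still over http
```

The middleware keys the decision on the connection, not on the page: the same `/myaccount` handler is reused, but its output only leaves the server when `is_tls` is satisfied, which is the distinction the comment above draws between "pages" and "secure data". The X-Forwarded-Proto handling is the usual deployment pitfall: trusting it without a proxy in front lets a plaintext client spoof a secured connection.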