Talk:Transport Layer Protection Cheat Sheet - Revision history

Dan Anderson at 19:34, 28 October 2014

2014-10-28T19:34:01Z

Peter Mosmans: /* Rule - Do Not Provide Non-TLS Pages for Secure Content */ new section

2013-05-14T01:16:39Z

‎Rule - Do Not Provide Non-TLS Pages for Secure Content: new section

Jmanico at 07:27, 21 February 2012

2012-02-21T07:27:54Z

Jmanico: Created page with "Make the warning about "no such thing as internal network" more prominent. There are several types of attacks that can be conducted by using ARP spoofing and MitM an SSL/TLS s..."

2012-02-21T07:21:05Z

Created page with "Make the warning about "no such thing as internal network" more prominent. There are several types of attacks that can be conducted by using ARP spoofing and MitM an SSL/TLS s..."

New page

Make the warning about "no such thing as internal network" more prominent. There are several types of attacks that can be conducted by using ARP spoofing and MitM an SSL/TLS session. One of the most interesting is hijacking credentials to virtual machine provisioning interfaces, then reusing the credentials to create malicious VMs, boot existing VMs off of untrusted media, etc. I think this is an overlooked issue with SSL since most of the focus is on ecommerce.

← Older revision		Revision as of 19:34, 28 October 2014
Line 10:		Line 10:
	It's up to the application to provide secure data only when the connection is properly secured.		It's up to the application to provide secure data only when the connection is properly secured.
	--[[User:Peter Mosmans\|Peter Mosmans]] 01:16, 14 May 2013 (UTC)		--[[User:Peter Mosmans\|Peter Mosmans]] 01:16, 14 May 2013 (UTC)
		+
		+	I added a rule about the SHA-1 deprecation issue today. It's a temporary issue with limited duration value (a couple years), but IMO, if someone comes to us asking about the proper way to set up SSL/TLS - I think we should tell them about the issue. Feel free to edit/expand as you see fit. Thanks! Dan
		+	--[[User:Dan Anderson\|Dan Anderson]] ([[User talk:Dan Anderson\|talk]]) 14:34, 28 October 2014 (CDT)

← Older revision		Revision as of 01:16, 14 May 2013
Line 2:		Line 2:

	Second, add a paragraph regarding the BEAST attack and mitigations present in later version of the TLS spec. Urge adoption of modern TLS implementations.		Second, add a paragraph regarding the BEAST attack and mitigations present in later version of the TLS spec. Urge adoption of modern TLS implementations.
		+
		+	== Rule - Do Not Provide Non-TLS Pages for Secure Content ==
		+
		+	Currently this rule states: ''"All pages which are available over TLS must not be available over a non-TLS connection. A user may inadvertently bookmark or manually type a URL to a HTTP page (e.g. http://example.com/myaccount) within the authenticated portion of the application. If this request is processed by the application then the response, and any sensitive data, would be returned to the user over the clear text HTTP."''
		+
		+	Wouldn't it be more precise to state that secure '''data''' shouldn't be availabe over non-TLS connections ? Pages still can be available over non-TLS connections, and pose no risk when they provide non-secure data.
		+	It's up to the application to provide secure data only when the connection is properly secured.
		+	--[[User:Peter Mosmans\|Peter Mosmans]] 01:16, 14 May 2013 (UTC)

← Older revision		Revision as of 07:27, 21 February 2012
Line 1:		Line 1:
	Make the warning about "no such thing as internal network" more prominent. There are several types of attacks that can be conducted by using ARP spoofing and MitM an SSL/TLS session. One of the most interesting is hijacking credentials to virtual machine provisioning interfaces, then reusing the credentials to create malicious VMs, boot existing VMs off of untrusted media, etc. I think this is an overlooked issue with SSL since most of the focus is on ecommerce.		Make the warning about "no such thing as internal network" more prominent. There are several types of attacks that can be conducted by using ARP spoofing and MitM an SSL/TLS session. One of the most interesting is hijacking credentials to virtual machine provisioning interfaces, then reusing the credentials to create malicious VMs, boot existing VMs off of untrusted media, etc. I think this is an overlooked issue with SSL since most of the focus is on ecommerce.
		+
		+	Second, add a paragraph regarding the BEAST attack and mitigations present in later version of the TLS spec. Urge adoption of modern TLS implementations.