This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "SSL TLS Knowledge Center"
(→Resources) |
(→Online Tools) |
||
| (10 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
=Purpose= | =Purpose= | ||
| − | The SSL/TLS Knowledge Center serves as a central point to provide references to SSL/TLS. | + | The SSL/TLS Knowledge Center serves as a central point to provide references to SSL/TLS. This is a community driven page. Please contribute by adding links or requests for links. |
=Resources= | =Resources= | ||
| + | |||
| + | == OWASP Resources == | ||
| + | |||
[[Transport_Layer_Protection_Cheat_Sheet]] - OWASP SSL/TLS Cheat Sheet | [[Transport_Layer_Protection_Cheat_Sheet]] - OWASP SSL/TLS Cheat Sheet | ||
| + | [[Testing for SSL-TLS (OWASP-CM-001)|Testing for SSL-TLS]] | ||
| + | |||
| + | [[Guide to Cryptography]] | ||
| + | |||
| + | == Articles & Blogs == | ||
| + | |||
| + | [http://hackademix.net/2009/09/23/strict-transport-security-in-noscript/ STS in No Script] - How to enable STS support within No Script plugin | ||
| + | |||
| + | [http://michael-coates.blogspot.com/2009/11/https-data-exposure-get-vs-post.html HTTPS Data Exposure] - HTTPS data exposure comparison for GET and POST | ||
| + | |||
| + | [https://www.ssllabs.com/projects/rating-guide/index.html SSL Server Rating Guide] - SSL Labs guide providing information on correct configuration of SSL. Focuses mainly at the network layer | ||
| + | |||
| + | == Online Tools == | ||
| + | |||
| + | [https://www.ssllabs.com/ SSL Labs] - Online tool to verify SSL/TLS certificate and configuration. | ||
| + | |||
| + | [https://www.htbridge.com/ssl/ High-Tech Bridge] - Online tool to verify SSL/TLS compliance with NIST SP 800-52 guidelines and PCI DSS requirements. | ||
| + | |||
| + | == NIST Guides == | ||
| + | |||
| + | [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations] | ||
| + | |||
| + | [http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf FIPS 140-2 Security Requirements for Cryptographic Modules] | ||
| + | |||
| + | [http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program] | ||
| + | |||
| + | [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf SP 800-57 Recommendation for Key Management, Revision 2] | ||
| + | |||
| + | [http://csrc.nist.gov/publications/drafts.html#sp800-95 SP 800-95 Guide to Secure Web Services] | ||
| + | |||
| + | == Specs == | ||
[http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html Strict Transport Security Spec] - Specification for STS which allows a website to instruct the browser to not send requests to the web server over non-TLS channels. | [http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html Strict Transport Security Spec] - Specification for STS which allows a website to instruct the browser to not send requests to the web server over non-TLS channels. | ||
| − | [http:// | + | [http://www.ietf.org/rfc/rfc3280.txt RFC 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile] |
| + | [http://www.ietf.org/rfc/rfc4346.txt RFC 4346 The Transport Layer Security (TLS) Protocol Version 1.1] | ||
| − | Needed | + | = Needed = |
Guides for configuring SSL/TLS cipher support in common web servers | Guides for configuring SSL/TLS cipher support in common web servers | ||
| + | |||
References to current SSL/TLS RFC specs | References to current SSL/TLS RFC specs | ||
| − | Anything else that would be | + | |
| + | More entries to this "Needed" list | ||
| + | |||
| + | Anything else that would be helpful related to SSL/TLS | ||
Latest revision as of 10:52, 19 November 2015
Purpose
The SSL/TLS Knowledge Center serves as a central point to provide references to SSL/TLS. This is a community driven page. Please contribute by adding links or requests for links.
Resources
OWASP Resources
Transport_Layer_Protection_Cheat_Sheet - OWASP SSL/TLS Cheat Sheet
Articles & Blogs
STS in No Script - How to enable STS support within No Script plugin
HTTPS Data Exposure - HTTPS data exposure comparison for GET and POST
SSL Server Rating Guide - SSL Labs guide providing information on correct configuration of SSL. Focuses mainly at the network layer
Online Tools
SSL Labs - Online tool to verify SSL/TLS certificate and configuration.
High-Tech Bridge - Online tool to verify SSL/TLS compliance with NIST SP 800-52 guidelines and PCI DSS requirements.
NIST Guides
SP 800-52 Guidelines for the selection and use of transport layer security (TLS) Implementations
FIPS 140-2 Security Requirements for Cryptographic Modules
Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program
SP 800-57 Recommendation for Key Management, Revision 2
SP 800-95 Guide to Secure Web Services
Specs
Strict Transport Security Spec - Specification for STS which allows a website to instruct the browser to not send requests to the web server over non-TLS channels.
RFC 4346 The Transport Layer Security (TLS) Protocol Version 1.1
Needed
Guides for configuring SSL/TLS cipher support in common web servers
References to current SSL/TLS RFC specs
More entries to this "Needed" list
Anything else that would be helpful related to SSL/TLS
