This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Transport Layer Protection Cheat Sheet"
From OWASP
| Old revision (minor edit) | New revision (minor edit) |
|---|---|
| Line 1: | Line 1: |
| − Page is under contruction - [email protected]<br> | + Page is under contruction - [email protected]<br> |
| = Introduction = | = Introduction = |
| Line 13: | Line 13: |
| End Point Authentication | End Point Authentication |
| − = Rules for Transport Layer Protection<br> = | + = Rules for Transport Layer Protection<br> = |
| − == Server | + == Secure Server Design <br> == |
| − === | + === Rule #1 - Use SSL for All Login Pages and All Authenticated Pages<br> === |
| − === Rule # | + === Rule #2 - Use SSL on Any Networks (External and Internal) Transmiting Sensitive Data<br> === |
| − === Rule # | + === Rule #3 - Do Not Provide Non-SSL Pages for Secure Content<br> === |
| − === Rule # | + === Rule #4 - Do Not Perform Redirectsfrom Non-SSL Login to SSL Login Page === |
| − === Rule # | + === Rule #5 - Do Not Mix SSL and Non-SSL Content === |
| − == | + == Server Certificate & Protocol Configuration == |
| | + === Rule #6 - Use an Appropriate Certificate Authority for User Base === |
| | + === Rule #7 - Only Support Strong Cryptographic Algorithms<br> === |
| − === | + === Rule #8 - Only Support Strong Protocols === |
| − | + === Rule #9 - Establish a Strong Private Key for the Server === |
| === Certificate Considerations === | === Certificate Considerations === |
Revision as of 01:41, 6 October 2009
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for Transport Layer Protection
- 2.1 Secure Server Design
- 2.1.1 Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
- 2.1.2 Rule #2 - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
- 2.1.3 Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
- 2.1.4 Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
- 2.1.5 Rule #5 - Do Not Mix SSL and Non-SSL Content
- 2.2 Server Certificate & Protocol Configuration
- 2.3 Client Configuration
- 2.4 Additional Controls
Introduction
Benefits
Confidentiality
Integrity
Replay Protection
End Point Authentication
Rules for Transport Layer Protection
Secure Server Design
Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
Rule #2 - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
Rule #5 - Do Not Mix SSL and Non-SSL Content
Server Certificate & Protocol Configuration
Rule #6 - Use an Appropriate Certificate Authority for User Base
Rule #7 - Only Support Strong Cryptographic Algorithms
Rule #8 - Only Support Strong Protocols
Rule #9 - Establish a Strong Private Key for the Server
Certificate Considerations
Client Configuration
Certificate Validation
Trusted Root Store
Revocation List Checking