Difference between revisions of "Transport Layer Protection Cheat Sheet"
From OWASP
m |
m |
||
| Line 26: | Line 26: | ||
=== Rule #5 - Do Not Mix SSL and Non-SSL Content === | === Rule #5 - Do Not Mix SSL and Non-SSL Content === | ||
| + | |||
| + | |||
== Server Certificate & Protocol Configuration == | == Server Certificate & Protocol Configuration == | ||
| − | === Rule #6 - Use an Appropriate Certificate Authority for User Base === | + | === Rule #6 - Use an Appropriate Certificate Authority for the Application's User Base === |
| − | === Rule #7 - Only Support Strong Cryptographic Algorithms<br> === | + | === Rule #7 - Only Support Strong Cryptographic Algorithms<br> === |
| − | === Rule #8 - Only Support Strong Protocols === | + | === Rule #8 - Only Support Strong Protocols === |
=== Rule #9 - Establish a Strong Private Key for the Server === | === Rule #9 - Establish a Strong Private Key for the Server === | ||
| − | === Certificate | + | === Rule #10 - Use a Certificate That Supports All Available Domain Names<br> === |
| + | |||
| + | |||
| + | |||
| + | |||
== Client Configuration == | == Client Configuration == | ||
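Review bot: the renamed Rule #6 heading and the new Rule #10 heading in this hunk are followed only by blank added lines, so the revision adds outline entries with no body text; add at least a one-line summary under each (what the certificate should cover, which domain names count as "available") so the table of contents does not promise guidance the page does not yet contain.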
Revision as of 01:55, 6 October 2009
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for Transport Layer Protection
- 2.1 Secure Server Design
- 2.1.1 Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
- 2.1.2 Rule #2 - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
- 2.1.3 Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
- 2.1.4 Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
- 2.1.5 Rule #5 - Do Not Mix SSL and Non-SSL Content
- 2.2 Server Certificate & Protocol Configuration
- 2.2.1 Rule #6 - Use an Appropriate Certificate Authority for the Application's User Base
- 2.2.2 Rule #7 - Only Support Strong Cryptographic Algorithms
- 2.2.3 Rule #8 - Only Support Strong Protocols
- 2.2.4 Rule #9 - Establish a Strong Private Key for the Server
- 2.2.5 Rule #10 - Use a Certificate That Supports All Available Domain Names
- 2.3 Client Configuration
- 2.4 Additional Controls
Introduction
Benefits
Confidentiality
Integrity
Replay Protection
End Point Authentication
Rules for Transport Layer Protection
Secure Server Design
Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
Rule #2 - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
Rule #5 - Do Not Mix SSL and Non-SSL Content
Server Certificate & Protocol Configuration
Rule #6 - Use an Appropriate Certificate Authority for the Application's User Base
Rule #7 - Only Support Strong Cryptographic Algorithms
Rule #8 - Only Support Strong Protocols
Rule #9 - Establish a Strong Private Key for the Server
Rule #10 - Use a Certificate That Supports All Available Domain Names
Client Configuration
Certificate Validation
Trusted Root Store
Revocation List Checking