Difference between revisions of "Transport Layer Protection Cheat Sheet"
From OWASP
Minor edit (m). Edit summary: (wrote skeleton of document)

Diff of the page source; both revisions start at line 5. The old revision's removed lines survive only as truncated fragments in the archived diff and are reproduced here exactly as found ("−" = removed, "+" = added, unmarked = unchanged context).

  == Benefits ==
− Confidentiality
+ *Confidentiality
+ *Integrity
+ *Replay Protection
+ *End Point Authentication
−
+ = Rules for Transport Layer Protection<br> =
−
+ == Secure Server Design <br> ==
−
+ === Rule - Use SSL for All Login Pages and All Authenticated Pages<br> ===
− =
+ === Rule - Use SSL on Any Networks (External and Internal) Transmiting Sensitive Data<br> ===
+
+ === Rule - Do Not Provide Non-SSL Pages for Secure Content<br> ===
+
+ === Rule - Do Not Perform Redirects from Non-SSL Page to SSL Login Page ===
− ==
+ === Rule - Do Not Mix SSL and Non-SSL Content ===
− === Rule
+ === Rule - Use "Secure" Cookie Flag ===
−
−
− ==
+ == Server Certificate & Protocol Configuration ==
− === Rule
+ === Rule - Use an Appropriate Certificate Authority for the Application's User Base ===
+ === Rule - Only Support Strong Cryptographic Algorithms<br> ===
+ === Rule - Only Support Strong Protocols ===
− == Server
+ === Rule - Establish a Strong Private Key for the Server ===
− === Rule
+ === Rule - Use a Certificate That Supports All Available Domain Names<br> ===
−
−
− ==
+ == Client Configuration ==
− === Rule
+ === Rule - Validate the Server's Certificate<br> ===
+ === Rule - Perform Certificate Revocatoin List Checking<br> ===
+ === Rule - Ensure the Trusted Root Store Contains Only Trusted Entries<br> ===
+ === Rule - Deny Connections if Any SSL Related Errors are Encountered<br> ===
−
−
+ == Additional Controls ==
−
+ === Extended Validation Certificates<br> ===
−
+ === Client Side Certificates ===
− ==
+ === ===
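Review bot: two of the added headings carry typos that will become the page's section anchors once the rules are written: "Transmiting" in "Rule - Use SSL on Any Networks (External and Internal) Transmiting Sensitive Data" should read "Transmitting", and "Revocatoin" in "Rule - Perform Certificate Revocatoin List Checking" should read "Revocation". The trailing "<br>" inside many of the new headings (for example "= Rules for Transport Layer Protection<br> =") is rich-text-editor residue that renders a line break inside the heading and should be dropped, and the empty "=== ===" heading at the end of Additional Controls should be given a title or removed.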
Revision as of 02:20, 6 October 2009
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for Transport Layer Protection
- 2.1 Secure Server Design
- 2.1.1 Rule - Use SSL for All Login Pages and All Authenticated Pages
- 2.1.2 Rule - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
- 2.1.3 Rule - Do Not Provide Non-SSL Pages for Secure Content
- 2.1.4 Rule - Do Not Perform Redirects from Non-SSL Page to SSL Login Page
- 2.1.5 Rule - Do Not Mix SSL and Non-SSL Content
- 2.1.6 Rule - Use "Secure" Cookie Flag
- 2.2 Server Certificate & Protocol Configuration
- 2.2.1 Rule - Use an Appropriate Certificate Authority for the Application's User Base
- 2.2.2 Rule - Only Support Strong Cryptographic Algorithms
- 2.2.3 Rule - Only Support Strong Protocols
- 2.2.4 Rule - Establish a Strong Private Key for the Server
- 2.2.5 Rule - Use a Certificate That Supports All Available Domain Names
- 2.3 Client Configuration
- 2.3.1 Rule - Validate the Server's Certificate
- 2.3.2 Rule - Perform Certificate Revocation List Checking
- 2.3.3 Rule - Ensure the Trusted Root Store Contains Only Trusted Entries
- 2.3.4 Rule - Deny Connections if Any SSL Related Errors are Encountered
- 2.4 Additional Controls
- 2.4.1 Extended Validation Certificates
- 2.4.2 Client Side Certificates
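The Client Configuration rules in the outline above (validate the server's certificate, perform revocation checking, accept only strong protocols and algorithms, deny the connection on any SSL error), carried into working code as an added example that is not part of the cheat sheet: a Python ssl client context that fails closed, the verification-disabled context it is meant to replace, and an offline audit that reports which rules each context violates. The rule-name constants, the cipher policy string, the audit functions and the open_tls_connection helper are this example's own assumptions; only the standard library is used.

```python
"""Client-side TLS configuration mapped onto the cheat sheet's Client
Configuration rules.

Added example, not code from the OWASP cheat sheet. Only the standard-library
ssl module is used; the rule names, cipher policy and audit are assumptions
made for this illustration.
"""
import socket
import ssl

# Rule names follow the cheat sheet's section titles.
RULE_VALIDATE_CERT = "Validate the Server's Certificate"
RULE_CRL_CHECK = "Perform Certificate Revocation List Checking"
RULE_STRONG_PROTOCOLS = "Only Support Strong Protocols"
RULE_STRONG_CIPHERS = "Only Support Strong Cryptographic Algorithms"

# TLS 1.2 cipher policy (TLS 1.3 suites are fixed and all AEAD): forward
# secrecy plus AEAD only, no anonymous or MD5 suites. This is an assumed
# definition of "strong"; adjust it to your own policy.
STRONG_CIPHER_POLICY = "ECDHE+AESGCM:!aNULL:!MD5"
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")


def hardened_client_context(cafile=None, crl_file=None):
    """Build a client context that fails closed.

    PROTOCOL_TLS_CLIENT already defaults to verify_mode=CERT_REQUIRED and
    check_hostname=True; everything is pinned explicitly anyway so the intent
    survives a change of Python or OpenSSL defaults.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED            # reject unverifiable chains
    ctx.check_hostname = True                      # name must match the cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3/TLS 1.0/TLS 1.1
    ctx.set_ciphers(STRONG_CIPHER_POLICY)
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression is unsafe
    # Revocation: check the leaf certificate against a CRL. If no CRL for the
    # issuer is loaded, every handshake fails; that is the fail-closed
    # behaviour the rules ask for, so ship the CRL alongside the client.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)   # curated trust store only
    else:
        ctx.load_default_certs()                   # system trust store
    if crl_file is not None:
        ctx.load_verify_locations(cafile=crl_file)  # PEM CRL(s) for the issuer
    return ctx


def insecure_client_context():
    """The pattern the rules forbid: verification switched off so that a
    self-signed or mismatched certificate "just works". Shown only as the
    before/after comparison for audit_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return {rule name: passed} for the rules visible on a context object."""
    ciphers = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in ciphers if any(m in n for m in WEAK_CIPHER_MARKERS)]
    return {
        RULE_VALIDATE_CERT: ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        RULE_CRL_CHECK: bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        RULE_STRONG_PROTOCOLS: ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        RULE_STRONG_CIPHERS: len(ciphers) > 0 and not weak,
    }


def violated_rules(ctx):
    """Names of the rules a context fails; empty list means it passes."""
    return [rule for rule, ok in audit_context(ctx).items() if not ok]


def open_tls_connection(host, port=443, ctx=None, timeout=10):
    """Connect and return details of the verified session.

    There is deliberately no try/except around the handshake: an
    ssl.SSLError (including SSLCertVerificationError) propagates and the
    socket is never used, which is what "deny connections if any SSL related
    error is encountered" looks like in code. Needs network access; not part
    of the offline audit.
    """
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"subject": cert.get("subject"),
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("insecure", insecure_client_context())):
        print(label, "violates:", violated_rules(ctx) or "nothing")
```

Running the file prints the audit of both contexts without touching the network. Because VERIFY_CRL_CHECK_LEAF is set, a real connection through the hardened context also needs the issuer's CRL loaded via crl_file; without it every handshake is refused, which is the intended fail-closed outcome rather than a silently skipped revocation check.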
Introduction
Benefits
- Confidentiality
- Integrity
- Replay Protection
- End Point Authentication