Difference between revisions of "User talk:Mohammed ALDOUB"
(→User Legal and Political Protection Cheat Sheet: new section) |
|||
Line 28: | Line 28: | ||
''' | ''' | ||
− | Any online platform that handles user identities, private information or communications must be secured with the | + | Any online platform that handles user identities, private information or communications must be secured with the use of strong cryptography. User communications must be encrypted in transit and storage. User secrets such as passwords must also be protected using strong, collision-resistant hashing algorithms with increasing work factors, in order to greatly mitigate the risks of exposed credentials as well as proper integrity control. |
− | To protect data in transit, | + | To protect data in transit, developers must use and adhere to TSL/SSL best practices such as verified certificates, adequately protected private keys, usage of strong ciphers only, informative and clear warnings to users, as well as sufficient key lengths. |
+ | |||
+ | Private data must be encrypted in storage as well, using keys with sufficient lengths and under strict access conditions, both technical and procedural. User credentials must be hashed regardless of whether or not they are encrypted in storage. | ||
+ | |||
+ | For detailed guides about strong cryptography and best practices, read the following OWASP references: | ||
+ | |||
+ | 1- [https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet Cryptographic Storage Cheat Sheet] | ||
+ | 2- [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet] | ||
+ | 3- [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheat Sheet] | ||
+ | 4- [https://www.owasp.org/index.php/Guide_to_Cryptography Guide to Cryptography] | ||
+ | 5- [https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 Testing for TLS/SSL] |
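Review bot: "TSL/SSL" in the second + line is a typo for "TLS/SSL". In the first + line, the closing clause "as well as proper integrity control" has nothing to attach to (the sentence lists what hashing mitigates, then appends a noun phrase); suggest "in order to greatly mitigate the risks of exposed credentials, as well as to provide proper integrity control." The remaining + lines (storage encryption, hashing regardless of encryption, the five linked OWASP references) read cleanly.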
Revision as of 20:59, 7 August 2012
Welcome to OWASP! We hope you will contribute much and well. You will probably want to read the help pages. Again, welcome and have fun! KateHartmann 11:26, 31 May 2012 (UTC)
Testing
Hello, I'm testing. If you see this, please say Hello World
User Legal and Political Protection Cheat Sheet
Introduction
The political and legal impact of online activities has been rising significantly over the years, with users now able to take down entire governments and change legislation using online services and social networking. This fact puts into focus the grave danger users are exposed to by using these online services, especially in oppressive regions around the world.
This OWASP Cheat Sheet introduces risks and mitigations that web developers need to realize in order to protect their users from a vast array of potential aggressors, including oppressive governments and organized crime rings around the world.
Scope of Threats
An array of potential threats surrounds online users, and this cheat sheet focuses on the political and legal threats that users might face by using these online services, especially social networking and communication platforms. The various reports of imprisonment and even execution of users in some parts of the world, simply for using online services, must be taken seriously by web developers.
Guidelines
1- Strong Cryptography:
Any online platform that handles user identities, private information or communications must be secured with the use of strong cryptography. User communications must be encrypted in transit and in storage. User secrets such as passwords must also be protected using strong, collision-resistant hashing algorithms with increasing work factors, in order to greatly mitigate the risks of exposed credentials, as well as to provide proper integrity control.
To protect data in transit, developers must use and adhere to TLS/SSL best practices such as verified certificates, adequately protected private keys, usage of strong ciphers only, informative and clear warnings to users, as well as sufficient key lengths.
Private data must be encrypted in storage as well, using keys with sufficient lengths and under strict access conditions, both technical and procedural. User credentials must be hashed regardless of whether or not they are encrypted in storage.
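The three paragraphs above describe one guideline: slow, salted password hashing whose work factor can be raised over time, and a TLS client that actually verifies certificates and refuses weak protocol versions. The following Python example is added here to show both in working code; it is not part of the cheat sheet and not OWASP code. It assumes the Python standard library only (hashlib PBKDF2-HMAC and the ssl module), and the `pbkdf2_sha256$<iterations>$<salt>$<hash>` record layout is a constructed format chosen for this example so that the stored work factor can be read back and compared against current policy.

```python
import base64
import hashlib
import hmac
import os
import ssl

# Constructed record format for this example (not an OWASP standard):
#   "pbkdf2_sha256$<iterations>$<salt-base64>$<hash-base64>"
# Storing the iteration count lets the work factor be raised later without
# invalidating old records: they are verified with their own count and
# rehashed on the next successful login.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # policy work factor; raise as hardware gets faster
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a salted, slow hash record for a new or changed password.
    A fresh random salt per credential means two users with the same
    password never share a record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Check a password against a stored record using the record's own
    iteration count, comparing in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    # hmac.compare_digest does not short-circuit on the first mismatching byte.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record falls below the current work-factor policy,
    so the application can rehash it after the next successful verify."""
    algorithm, iterations, _salt, _hash = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < CURRENT_ITERATIONS


def client_tls_context() -> ssl.SSLContext:
    """TLS client context for outbound connections: server certificate is
    validated against the system trust store, the hostname is checked, and
    protocol versions below TLS 1.2 are refused."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed sample: an old record made with a low work factor.
    old_record = hash_password("correct horse battery staple", iterations=1000)
    print("verify old:", verify_password("correct horse battery staple", old_record))
    print("needs rehash:", needs_rehash(old_record))
    ctx = client_tls_context()
    print("min TLS:", ctx.minimum_version, "verify:", ctx.verify_mode)
```

The login path is: `verify_password` first, then `needs_rehash`, and only after a successful verify store the output of a fresh `hash_password` call; that is how the "increasing work factors" requirement is met without forcing password resets. The context returned by `client_tls_context` can be passed as the `context` argument to `http.client.HTTPSConnection` or `urllib.request.urlopen`.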
For detailed guides about strong cryptography and best practices, read the following OWASP references:
1- [https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet Cryptographic Storage Cheat Sheet]
2- [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet]
3- [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheat Sheet]
4- [https://www.owasp.org/index.php/Guide_to_Cryptography Guide to Cryptography]
5- [https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 Testing for TLS/SSL]