This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Transport Layer Protection Cheat Sheet

From OWASP
Revision as of 22:12, 7 October 2009 by MichaelCoates (talk | contribs)

Jump to: navigation, search

Page is under construction - [email protected]

Introduction

Benefits

  • Confidentiality
  • Integrity
  • Replay Protection
  • End Point Authentication

Architectural Decision

An architectual decision must be made to determine the appropriate method of implementing transport layer security. The most common options available to corporations are Virtual Private Networks (VPN) or a SSL/TLS model commonly used for web applications.  This decision will be determined by the business needs of the particular system. For example, a VPN connection may be the best design for a partnership between two companies that includes mutual access to a shared server over a variety of protocols. Conversely, a company hosting an application which will be used exclusively over the HTTP protocol by a variety of Internet users would likely be best served by a SSL/TLS model.

For each security model there are several security considerations which must be properly addressed in order to provide effective transport layer security.

Rules for VPN

Rule -

Rules for SSL/TLS

SSL vs TLS

"The differences between this protocol (TLS) and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate (although TLS 1.0 does incorporate a mechanism by which a TLS implementation can back down to SSL 3.0).“ RFC 2246

For the purposes of this cheat sheet we will refer to the technology genericly as SSL.

Secure Server Design

Rule - Use SSL for All Login Pages and All Authenticated Pages

Rule - Use SSL on Any Networks (External and Internal) Transmiting Sensitive Data

Rule - Do Not Provide Non-SSL Pages for Secure Content

Rule - Do Not Perform Redirects from Non-SSL Page to SSL Login Page

Rule - Do Not Mix SSL and Non-SSL Content

Rule - Use "Secure" Cookie Flag

Server Certificate & Protocol Configuration

Rule - Use an Appropriate Certificate Authority for the Application's User Base

Rule - Only Support Strong Cryptographic Algorithms

Rule - Only Support Strong Protocols

Rule - Establish a Strong Private Key for the Server

Rule - Use a Certificate That Supports All Available Domain Names

Client Configuration

Rule - Validate the Server's Certificate

Rule - Perform Certificate Revocatoin List Checking

Rule - Ensure the Trusted Root Store Contains Only Trusted Entries

Rule - Deny Connections if Any SSL Related Errors are Encountered

Additional Controls

Extended Validation Certificates

Client Side Certificates

Retrieved from "https://wiki.owasp.org/index.php?title=Transport_Layer_Protection_Cheat_Sheet&oldid=71066"