Transport Layer Protection Cheat Sheet
From OWASP
Revision as of 01:41, 6 October 2009 by MichaelCoates (talk | contribs)
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for Transport Layer Protection
- 2.1 Secure Server Design
- 2.1.1 Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
- 2.1.2 Rule #2 - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
- 2.1.3 Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
- 2.1.4 Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
- 2.1.5 Rule #5 - Do Not Mix SSL and Non-SSL Content
- 2.2 Server Certificate & Protocol Configuration
- 2.3 Client Configuration
- 2.4 Additional Controls
Introduction
Benefits
Confidentiality
Integrity
Replay Protection
End Point Authentication
Rules for Transport Layer Protection
Secure Server Design
Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
Rule #2 - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
Rule #5 - Do Not Mix SSL and Non-SSL Content
Server Certificate & Protocol Configuration
Rule #6 - Use an Appropriate Certificate Authority for User Base
Rule #7 - Only Support Strong Cryptographic Algorithms
Rule #8 - Only Support Strong Protocols
Rule #9 - Establish a Strong Private Key for the Server
Certificate Considerations
Client Configuration
Certificate Validation
Trusted Root Store
Revocation List Checking