This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Transport Layer Protection Cheat Sheet

From OWASP

Revision as of 22:01, 7 October 2009 by MichaelCoates (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Page is under construction - [email protected]

1 Introduction
- 1.1 Architectural Decision
2 Rules for VPN
3 Rules for SSL/TLS

Introduction

Architectural Decision

Rules for VPN

Rules for SSL/TLS

Benefits

Confidentiality
Integrity
Replay Protection
End Point Authentication

SSL vs TLS

Secure Server Design

Rule - Use SSL for All Login Pages and All Authenticated Pages

Rule - Use SSL on Any Networks (External and Internal) Transmiting Sensitive Data

Rule - Do Not Provide Non-SSL Pages for Secure Content

Rule - Do Not Perform Redirects from Non-SSL Page to SSL Login Page

Rule - Do Not Mix SSL and Non-SSL Content

Rule - Use "Secure" Cookie Flag

Server Certificate & Protocol Configuration

Rule - Use an Appropriate Certificate Authority for the Application's User Base

Rule - Only Support Strong Cryptographic Algorithms

Rule - Only Support Strong Protocols

Rule - Establish a Strong Private Key for the Server

Rule - Use a Certificate That Supports All Available Domain Names

Client Configuration

Rule - Validate the Server's Certificate

Rule - Perform Certificate Revocatoin List Checking

Rule - Ensure the Trusted Root Store Contains Only Trusted Entries

Rule - Deny Connections if Any SSL Related Errors are Encountered

Additional Controls

Extended Validation Certificates

Client Side Certificates

Retrieved from "https://wiki.owasp.org/index.php?title=Transport_Layer_Protection_Cheat_Sheet&oldid=71065"