This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Transport Layer Protection"
From OWASP
m |
|||
| Line 6: | Line 6: | ||
=== Browser / Standards Solution === | === Browser / Standards Solution === | ||
Implement HTTP Strict Transport Security in all browsers, which makes it possible to better enforce secure connections. | Implement HTTP Strict Transport Security in all browsers, which makes it possible to better enforce secure connections. | ||
| − | + | Implement Certificate and Public Key pinning in browsers where applicable. | |
=== Perimeter Solution === | === Perimeter Solution === | ||
| Line 13: | Line 13: | ||
** Disable all weak 'export' algorithms (such as DES, RC4-40, DHE-RSA-Export) | ** Disable all weak 'export' algorithms (such as DES, RC4-40, DHE-RSA-Export) | ||
** Make sure that the minimum session key size is 128 bits | ** Make sure that the minimum session key size is 128 bits | ||
| − | ** Use a SSL certificate with a minimum key size of | + | ** Use a SSL certificate with a minimum key size of 2048 bits |
** Do not offer MD5 as cryptographic hash algorithm | ** Do not offer MD5 as cryptographic hash algorithm | ||
** Disable Anonymous Diffie-Hellman key establishment | ** Disable Anonymous Diffie-Hellman key establishment | ||
| Line 32: | Line 32: | ||
=== Discussion / Controversy === | === Discussion / Controversy === | ||
| − | HTTP Strict Transport Security is at the entry-level maturity, a proposed standard. Not all browsers implement it (yet). <br> | + | * HTTP Strict Transport Security is at the entry-level maturity, a proposed standard. Not all browsers implement it (yet). <br> |
| − | The security of ciphers changes over time, so it's important to periodically review whether certain ciphers and minimum key sizes are still considered safe enough. | + | * The security of ciphers changes over time, so it's important to periodically review whether certain ciphers and minimum key sizes are still considered safe enough. |
| + | * Certificate and Public Key Pinning is a relatively new technique and not widely used or implemented. Google Chrome's browser is one of the first major browsers to use this technique. | ||
=== References === | === References === | ||
[https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection Insufficient Transport Layer Protection (OWASP)]<br> | [https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection Insufficient Transport Layer Protection (OWASP)]<br> | ||
[http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection Insufficient Transport Layer Protection (WASC TC)]<br> | [http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection Insufficient Transport Layer Protection (WASC TC)]<br> | ||
| − | [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (NIST SP 800-52)] | + | [http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (NIST SP 800-52)]<br> |
| − | [http://tools.ietf.org/html/rfc6797 HTTP Strict Transport Security (IETF)] | + | [http://tools.ietf.org/html/rfc6797 HTTP Strict Transport Security (IETF)]<br> |
| + | [https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning Certificate and Public Key Pinning (OWASP)]<br> | ||
| + | [http://blog.chromium.org/2011/06/new-chromium-security-features-june.html Google Chrome implements certificate pinning (Google)] | ||
Revision as of 01:19, 14 May 2013
Insufficient Transport Layer Protection
Root Cause Summary
Not all traffic flowing between two endpoints is properly secured, which makes it possible for attackers to perform man-in-the-middle attacks.
Browser / Standards Solution
Implement HTTP Strict Transport Security in all browsers, which makes it possible to better enforce secure connections. Implement Certificate and Public Key pinning in browsers where applicable.
Perimeter Solution
- Make sure that SSL is properly configured on the server:
- Disable all weak SSL/TLS protocols (such as SSLv2)
- Disable all weak 'export' algorithms (such as DES, RC4-40, DHE-RSA-Export)
- Make sure that the minimum session key size is 128 bits
- Use a SSL certificate with a minimum key size of 2048 bits
- Do not offer MD5 as cryptographic hash algorithm
- Disable Anonymous Diffie-Hellman key establishment
- Enforce HTTP Strict Transport Security (HSTS)
- Redirect all HTTP request to HTTPS
Complexity: Low
Impact: High
Generic Framework Solution
None
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
- HTTP Strict Transport Security is at the entry-level maturity, a proposed standard. Not all browsers implement it (yet).
- The security of ciphers changes over time, so it's important to periodically review whether certain ciphers and minimum key sizes are still considered safe enough.
- Certificate and Public Key Pinning is a relatively new technique and not widely used or implemented. Google Chrome's browser is one of the first major browsers to use this technique.
References
Insufficient Transport Layer Protection (OWASP)
Insufficient Transport Layer Protection (WASC TC)
Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (NIST SP 800-52)
HTTP Strict Transport Security (IETF)
Certificate and Public Key Pinning (OWASP)
Google Chrome implements certificate pinning (Google)
