Sunday, October 18, 2009

OWASP TLS Protection Cheat Sheet



I'm now officially launching the OWASP Transport Layer Protection Cheat Sheet. This cheat sheet joins the ranks of other successful OWASP cheat sheets such as the Cross Site Scripting Prevention Cheat Sheet.

The TLS Protection Cheat Sheet gives a quick but detailed explanation of the primary considerations when implementing TLS (the successor to SSL, and the protocol behind HTTPS) for your web application.

Here's a taste:
  • Secure Server Design - How to do the login page correctly, risks of HTTP to HTTPS redirects, the "Secure" cookie flag, HTTPS referrer leakage
  • Server Certificate & Protocol Configuration - TLS vs SSL, Cipher selection, Certificate Authorities
  • FIPS 140-2 - Certified Cryptomodules
  • ...and more
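Two of the Secure Server Design items, serving the login page over HTTPS and setting the "Secure" flag on cookies, can be checked mechanically against a server's response headers. The following is an added illustration written for this post, not code from the cheat sheet: it parses Set-Cookie headers (RFC 6265 attribute syntax) and reports a cookie that was issued over plain HTTP, or one issued over HTTPS without the Secure attribute, which the browser will also send over HTTP. The sample headers at the bottom are constructed for the example, not captured from any site.

```python
"""Audit Set-Cookie headers for the two TLS-related cookie mistakes:
cookies issued over plain HTTP, and cookies missing the Secure attribute.

Added example for this post; not part of the OWASP cheat sheet.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into its name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Value-less flags such as Secure and HttpOnly are stored with an empty value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def cookie_findings(header: str, scheme: str = "https") -> List[str]:
    """Return the problems with one Set-Cookie header.

    scheme is the scheme of the response that carried the header. A cookie
    set over http:// has already crossed the wire in the clear (the login
    form itself was not on TLS); a cookie set over https:// without Secure
    will be replayed by the browser on any http:// request to the host,
    for example a link an attacker injects into an unprotected page.
    """
    c = parse_set_cookie(header)
    findings = []
    if scheme.lower() != "https":
        findings.append(f"{c['name']}: set over plain HTTP, value already exposed on the wire")
    if "secure" not in c:
        findings.append(f"{c['name']}: missing Secure attribute, browser will also send it over HTTP")
    return findings


def audit_response(scheme: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            out.extend(cookie_findings(value, scheme))
    return out


# Constructed sample headers for a login response (not real captured data).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),  # no Secure flag
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly"),   # correct
    ("Set-Cookie", "prefs=dark; Path=/"),                   # no Secure flag
]

if __name__ == "__main__":
    # Over HTTPS only the two cookies lacking Secure are reported.
    for finding in audit_response("https", SAMPLE_HEADERS):
        print(finding)
```

Run it against the headers of your own login response (for example what the Firefox Live HTTP Headers add-on or a proxy shows you) with the scheme the page was actually served over; if the login form lives on http:// and only the POST goes to https://, every session cookie the response sets is reported, which is exactly the redirect problem the cheat sheet describes.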

Many thanks to the reviewers (Mike Boberski, Dave Wichers, Tyler Reguly). The cheat sheet wouldn't be where it is today without your help.

If you are attending OWASP AppSec DC, I'll be speaking about several of the items within the Secure Server Design section during my power talk, "Advanced SSL: The good, the bad, and the ugly."

Twitter? Use #TLSCheatSheet.


-Michael Coates