Michael Coates, profile picture
Uploaded byMichael Coates
8,429 views

SSL Screw Ups

Michael Coates is a web security engineer at Mozilla who has contributed to several security projects. Some of the key problems with SSL/TLS usage that he discusses include usability issues for users in understanding SSL, insecure redirects and content that can allow attackers to exploit user sessions, and false assumptions that all SSL is equally secure.

Embed presentation

Downloaded 24 times
Michael Coates mcoates@mozilla.com michael-coates.blogspot.com
Who am I?   Web Security Engineer @ Mozilla   Contributor OWASP 2010 Top 10   Author OWASP TLS Cheat Sheet   Creator & Leader OWASP AppSensor   Security Blogger http://michael-coates.blogspot.com 2
SSL: Super Shiny Locks 3
Padlock != Secure 4
SSL Growth   > 1 Million SSL Certificates 5
The Good   Confidentiality   Integrity   Replay Protection   End Point Authentication 6
Problem: Usability 7
Problem: User Expectations   How did you get to the site?   Is HTTPS in the URL?   Are those 0’s or O’s?   Did you get any browser warning messages?   Did you click “ok” or “accept” to any popup boxes? 8
Scenario: Insecure Landing Page http://mybank.com   <form  method="POST"  action="https://mybank.com/login"  >      Username:  <input  type="text"  name="user">  <br>      Password:  <input  type="password"  name="pass">  <br>   </form>   9
Exploiting Insecure Landing Page mybank.com HTTP  REQUEST   GET  http://mybank.com   HTTP  Response   …   http://mybank.com   <form  method="POST"   action="https://mybank.com/ action="http://mybank.com/ login"  >   Steven …   Steven ******* ******* POST  http://mybank.com   user:Steven&pass:JOSHUA   10
Problem: Insecure Redirects http://mybank.com   https://mybank.com   11
Insecure Redirects – Behind The Scenes mybank.com Get  http://mybank.com   302  Redirect   Location:  https://mybank.com   Get  https://mybank.com   SSL   200  Found   12
Exploiting Insecure Redirects mybank.com Get  http://mybank.com   302  Redirect   Location:   http://mybank.com   https://phishmybank.com   http://malware.com   13
Insecure Redirects via Google   “Bank of America”   http://www.bankofamerica.com/   “Chase”   http://www.chase.com/   “Wachovia”   http://www.wachovia.com   Cookie set on HTTP response too!   “Wells Fargo”   http://www.wellsfargo.com/ 14
Scenario: Insecure Content mybank.com SSL   Request   Response   Request   Response   scripts.com Request   Response   15
Exploiting Insecure Content mybank.com SSL   Request   Response   Request   Response   scripts.com Request   Response   <script>BADNESS </script>   16
Scenario: HTTP after Login mybank.com SSL   Request   Response   Set  SessionID:  5593…   scripts.com Welcome!   Request   Response   Request   Update   Response   Profile   17
Exploiting HTTP after Login mybank.com SSL   Request   Response   Set  SessionID:  5593…   scripts.com Request   Welcome!   SessionID:  5593…   Response   Request   Update   SessionID:  5593…   Response   Profile   18
Problem: Cookie Forcing 19
Problem URL Leakage Transition   Expectation   Result   SiteA.com  to  SiteB.com   HTTP-­‐>HTTP   Referrer  Leaked   Referrer  Leaked   HTTP-­‐>HTTPS   Referrer  Leaked   Referrer  Leaked   HTTPS-­‐>HTTP   Referrer  Secure   Referrer  Secure   HTTPS-­‐>HTTPS   Referrer  Secure   Referrer  Leaked   20
Exploiting URL Leakage https://secure.com?sessionID=55769…   Viewing  Charlie’s  Profile   Favorite  Movie:  Sneakers     Favorite  Food:  spam   Personal  Blog:  Click  Here   <a  href=“https://charlieblog.com”>Click  Here</a>   21
Exploiting URL Leakage secure.com SSL   Request   Response   Viewing  Charlie’s  Profile   Favorite  Movie:  Sneakers     charlieblog.com Favorite  Food:  spam   Personal  Blog:  Click  Here   SSL   Request   GET  charlieblog.com  HTTP/1.0   Referrer:  https://secure.com?sessionID=55769…   22
Problem: False Internal Trust Internal  Network   SSL   mybank.com SSN,  Credit  Card,   Pin,  PII…   23
Problem: Not all SSL is equal FIPS Approved Ciphers   View Ciphers by ADH-AES256-SHA DHE-RSA-AES256-SHA Strength DHE-DSS-AES256-SHA AES256-SHA ADH-AES128-SHA openssl ciphers <strength> -v DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA   Test Server: AES128-SHA ADH-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA openssl s_client -connect site.com:443 - EDH-DSS-DES-CBC3-SHA cipher <strength> DES-CBC3-SHA   Test Client: LOW Strength Ciphers ADH-DES-CBC-SHA openssl s_server -www -cert cacert.pem - EDH-RSA-DES-CBC-SHA key cakey.pem EDH-DSS-DES-CBC-SHA DES-CBC-SHA DES-CBC-MD5 <strength>=NULL|LOW|MEDIUM|HIGH|FIPS 24
More Problems   MD5 Collision Rogue CA Creation   Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger   http://www.win.tue.nl/hashclash/rogue-ca/   SSLstrip   Null Prefix Attacks Against SSL/TLS Certificates   Moxie Marlinspike   http://www.thoughtcrime.org/software/sslstrip/   http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf 25
MD5 Collision   Attacker requests legitimate cert from CA   Exploits MD5 Collision to create legitimate CA   Issues legit certs from authorized CA 26
MD5 Collision Rogue CA Root  CA   Root  CA   CA   CA   CA   CA   SSL  Cert   amazon.com   27
MD5 Collision Rogue CA Root  CA   Root  CA   CA   SSL  Cert   MD5 Collision CA   CA   Attacker   CA   CA   SSL  Cert   amazon.com   28
Null Prefix Attack CA Verifies Root Domain Ownership www.foo.com www.blah.foo.com nonexistent.a.b.c.foo.com foo.com amazon.com0.foo.com Browser SSL Verification   Microsoft CryptoAPI - 0 is eos amazon.com == amazon.com0.foo.com 29
SSLstrip   MitM SSL Connections   ARP Spoofing   IP Tables   Auto Strip SSL -> HTTPS to HTTP   Execute Null Prefix Attack   Block Certificate Revocation Messages   OCSP Attacks 30
Is There Hope?   Average User == Not Technical   Most Deployments Vulnerable   Specialized Attack Tools Available 31
Doing It Right… The  Application      SSL  only        No  HTTP  -­‐>  HTTPS  redirects  :  HTTP  shows   “User  Education”  message      No  SSL  errors  or  warnings   The  User      Bookmark  the  HTTPS  page      Stop  if  any  SSL  warnings/errors  presented   The  Browser      Set  realistic  user  expectations      Support  STS/ForceTLS   32
Solution: Strict Transport Security   Server Side Option   Header tells browser to only send HTTPS requests for site   Blocks Connection w/any Errors HTTP/1.1  200  OK   Server:  Apache   Cache-­‐Control:  private   Strict-­‐Transport-­‐Security  :  max-­‐age=500;  includesubdomains   33
Resources – TLS Cheat Sheet Rule  -­‐  Use  TLS  for  All  Login  Pages  and  All  Authenticated  Pages   Rule  -­‐  Use  TLS  on  Any  Networks  (External  and  Internal)   Transmitting  Sensitive  Data   Rule  -­‐  Do  Not  Provide  Non-­‐TLS  Pages  for  Secure  Content   Rule  -­‐  Do  Not  Perform  Redirects  from  Non-­‐TLS  Page  to  TLS  Login   Page   Rule  -­‐  Do  Not  Mix  TLS  and  Non-­‐TLS  Content   Rule  -­‐  Use  "Secure"  Cookie  Flag   Rule  -­‐  Keep  Sensitive  Data  Out  of  the  URL   http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet   34
Resources - ssllabs.com (Ivan Ristic) 35
Resources – sslfail.com (Tyler Reguly, Marcin Wielgoszewski) 36
Questions? lobby -or- mcoates@mozilla.com -or- http://michael-coates.blogspot.com 37
38

More Related Content

PPTX
Top Ten Web Hacking Techniques of 2012
byJeremiah Grossman
 
PDF
Top Ten Web Hacking Techniques (2008)
byJeremiah Grossman
 
PPT
Web Aplication Vulnerabilities
byJbyte
 
PDF
WhiteHat Security "Website Security Statistics Report" (Q1'09)
byJeremiah Grossman
 
PDF
Top Ten Web Hacking Techniques (2010)
byJeremiah Grossman
 
PPTX
Clickjacking DevCon2011
byKrishna T
 
PPTX
JSFoo Chennai 2012
byKrishna T
 
PPTX
Secure web messaging in HTML5
byKrishna T
 
Top Ten Web Hacking Techniques of 2012
byJeremiah Grossman
 
Top Ten Web Hacking Techniques (2008)
byJeremiah Grossman
 
Web Aplication Vulnerabilities
byJbyte
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
byJeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
byJeremiah Grossman
 
Clickjacking DevCon2011
byKrishna T
 
JSFoo Chennai 2012
byKrishna T
 
Secure web messaging in HTML5
byKrishna T
 

What's hot

PPTX
Roberto Bicchierai - Defending web applications from attacks
byPietro Polsinelli
 
PDF
Sandboxed platform using IFrames, postMessage and localStorage
bytomasperezv
 
PPT
CSRF_RSA_2008_Jeremiah_Grossman
byguestdb261a
 
PPTX
Html5 security
byKrishna T
 
PPT
Top Ten Web Hacking Techniques – 2008
byJeremiah Grossman
 
PPTX
Browser Internals-Same Origin Policy
byKrishna T
 
PPT
4.Xss
byphanleson
 
PPT
Xss is more than a simple threat
byAvădănei Andrei
 
PDF
모바일/클라우드 시대를 준비하는 개발자들을 위한 안내서
by동수 장
 
PPTX
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
bySamvel Gevorgyan
 
PPTX
Million Browser Botnet
bySource Conference
 
PDF
New Insights into Clickjacking
byMarco Balduzzi
 
PPTX
Security Best Practices for Bot Builders
byMax Feldman
 
PDF
Grey H@t - Cross-site Request Forgery
byChristopher Grayson
 
PDF
Owasp eee 2015 csrf
byAurelijus Stanislovaitis
 
PDF
Bug-hunter's Sorrow
byMasato Kinugawa
 
KEY
Introduction to web security @ confess 2012
byjakobkorherr
 
PPTX
Client sidesec 2013 - script injection
byTal Be'ery
 
PDF
Blackhat11 shreeraj reverse_engineering_browser
byShreeraj Shah
 
PDF
CSRF Basics
byn|u - The Open Security Community
 
Roberto Bicchierai - Defending web applications from attacks
byPietro Polsinelli
 
Sandboxed platform using IFrames, postMessage and localStorage
bytomasperezv
 
CSRF_RSA_2008_Jeremiah_Grossman
byguestdb261a
 
Html5 security
byKrishna T
 
Top Ten Web Hacking Techniques – 2008
byJeremiah Grossman
 
Browser Internals-Same Origin Policy
byKrishna T
 
4.Xss
byphanleson
 
Xss is more than a simple threat
byAvădănei Andrei
 
모바일/클라우드 시대를 준비하는 개발자들을 위한 안내서
by동수 장
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
bySamvel Gevorgyan
 
Million Browser Botnet
bySource Conference
 
New Insights into Clickjacking
byMarco Balduzzi
 
Security Best Practices for Bot Builders
byMax Feldman
 
Grey H@t - Cross-site Request Forgery
byChristopher Grayson
 
Owasp eee 2015 csrf
byAurelijus Stanislovaitis
 
Bug-hunter's Sorrow
byMasato Kinugawa
 
Introduction to web security @ confess 2012
byjakobkorherr
 
Client sidesec 2013 - script injection
byTal Be'ery
 
Blackhat11 shreeraj reverse_engineering_browser
byShreeraj Shah
 
CSRF Basics
byn|u - The Open Security Community
 

Similar to SSL Screw Ups

PDF
Protecting Java EE Web Apps with Secure HTTP Headers
byFrank Kim
 
PDF
The top 10 security issues in web applications
byDevnology
 
KEY
DVWA BruCON Workshop
bytestuser1223
 
PDF
Web Application Scanning 101
bySasha Nunke
 
PDF
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
PPTX
Cyber Security By Preetish Panda
byPreetish Panda
 
PPTX
Web Application Vulnerabilities
byPreetish Panda
 
PPT
Isys20261 lecture 09
byWiliam Ferraciolli
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
PPTX
Advance Web Vulnerabilities Chapter 3 to 5
byarjayVicencio
 
PPT
DC612 Day - Web Application Security: OWASP Top 10
bydc612
 
PDF
Web Security - Introduction v.1.3
byOles Seheda
 
PDF
Web Security - Introduction
bySQALab
 
PDF
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
PPTX
Web application
byEve_Srithong
 
PDF
Evolution Of Web Security
byChris Shiflett
 
PDF
Ch 13: Attacking Users: Other Techniques (Part 2)
bySam Bowne
 
PPTX
Is your mobile app as secure as you think?
byMatt Lacey
 
PDF
HTTP cookie hijacking in the wild: security and privacy implications
byPriyanka Aash
 
Protecting Java EE Web Apps with Secure HTTP Headers
byFrank Kim
 
The top 10 security issues in web applications
byDevnology
 
DVWA BruCON Workshop
bytestuser1223
 
Web Application Scanning 101
bySasha Nunke
 
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
Cyber Security By Preetish Panda
byPreetish Panda
 
Web Application Vulnerabilities
byPreetish Panda
 
Isys20261 lecture 09
byWiliam Ferraciolli
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
Advance Web Vulnerabilities Chapter 3 to 5
byarjayVicencio
 
DC612 Day - Web Application Security: OWASP Top 10
bydc612
 
Web Security - Introduction v.1.3
byOles Seheda
 
Web Security - Introduction
bySQALab
 
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
Hacking WebApps for fun and profit : how to approach a target?
byYassine Aboukir
 
Web application
byEve_Srithong
 
Evolution Of Web Security
byChris Shiflett
 
Ch 13: Attacking Users: Other Techniques (Part 2)
bySam Bowne
 
Is your mobile app as secure as you think?
byMatt Lacey
 
HTTP cookie hijacking in the wild: security and privacy implications
byPriyanka Aash
 

More from Michael Coates

PPTX
Self Defending Applications
byMichael Coates
 
PPTX
Security in an Interconnected and Complex World of Software
byMichael Coates
 
PDF
Devbeat Conference - Developer First Security
byMichael Coates
 
PDF
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
byMichael Coates
 
PPTX
2013 michael coates-javaone
byMichael Coates
 
PDF
Sf startup-security
byMichael Coates
 
KEY
Bug Bounty Programs For The Web
byMichael Coates
 
KEY
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
PDF
Real Time Application Defenses - The Reality of AppSensor & ESAPI
byMichael Coates
 
Self Defending Applications
byMichael Coates
 
Security in an Interconnected and Complex World of Software
byMichael Coates
 
Devbeat Conference - Developer First Security
byMichael Coates
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
byMichael Coates
 
2013 michael coates-javaone
byMichael Coates
 
Sf startup-security
byMichael Coates
 
Bug Bounty Programs For The Web
byMichael Coates
 
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
Real Time Application Defenses - The Reality of AppSensor & ESAPI
byMichael Coates
 

SSL Screw Ups

  • 1.
    Michael Coates mcoates@mozilla.com michael-coates.blogspot.com
  • 2.
    Who am I?  Web Security Engineer @ Mozilla   Contributor OWASP 2010 Top 10   Author OWASP TLS Cheat Sheet   Creator & Leader OWASP AppSensor   Security Blogger http://michael-coates.blogspot.com 2
  • 3.
  • 4.
  • 5.
    SSL Growth   >1 Million SSL Certificates 5
  • 6.
    The Good   Confidentiality  Integrity   Replay Protection   End Point Authentication 6
  • 7.
  • 8.
    Problem: User Expectations  How did you get to the site?   Is HTTPS in the URL?   Are those 0’s or O’s?   Did you get any browser warning messages?   Did you click “ok” or “accept” to any popup boxes? 8
  • 9.
    Scenario: Insecure LandingPage http://mybank.com   <form  method="POST"  action="https://mybank.com/login"  >      Username:  <input  type="text"  name="user">  <br>      Password:  <input  type="password"  name="pass">  <br>   </form>   9
  • 10.
    Exploiting Insecure LandingPage mybank.com HTTP  REQUEST   GET  http://mybank.com   HTTP  Response   …   http://mybank.com   <form  method="POST"   action="https://mybank.com/ action="http://mybank.com/ login"  >   Steven …   Steven ******* ******* POST  http://mybank.com   user:Steven&pass:JOSHUA   10
  • 11.
    Problem: Insecure Redirects http://mybank.com   https://mybank.com   11
  • 12.
    Insecure Redirects –Behind The Scenes mybank.com Get  http://mybank.com   302  Redirect   Location:  https://mybank.com   Get  https://mybank.com   SSL   200  Found   12
  • 13.
    Exploiting Insecure Redirects mybank.com Get  http://mybank.com   302  Redirect   Location:   http://mybank.com   https://phishmybank.com   http://malware.com   13
  • 14.
    Insecure Redirects viaGoogle   “Bank of America”   http://www.bankofamerica.com/   “Chase”   http://www.chase.com/   “Wachovia”   http://www.wachovia.com   Cookie set on HTTP response too!   “Wells Fargo”   http://www.wellsfargo.com/ 14
  • 15.
    Scenario: Insecure Content mybank.com SSL   Request   Response   Request   Response   scripts.com Request   Response   15
  • 16.
    Exploiting Insecure Content mybank.com SSL   Request   Response   Request   Response   scripts.com Request   Response   <script>BADNESS </script>   16
  • 17.
    Scenario: HTTP afterLogin mybank.com SSL   Request   Response   Set  SessionID:  5593…   scripts.com Welcome!   Request   Response   Request   Update   Response   Profile   17
  • 18.
    Exploiting HTTP afterLogin mybank.com SSL   Request   Response   Set  SessionID:  5593…   scripts.com Request   Welcome!   SessionID:  5593…   Response   Request   Update   SessionID:  5593…   Response   Profile   18
  • 19.
  • 20.
    Problem URL Leakage Transition   Expectation   Result   SiteA.com  to  SiteB.com   HTTP-­‐>HTTP   Referrer  Leaked   Referrer  Leaked   HTTP-­‐>HTTPS   Referrer  Leaked   Referrer  Leaked   HTTPS-­‐>HTTP   Referrer  Secure   Referrer  Secure   HTTPS-­‐>HTTPS   Referrer  Secure   Referrer  Leaked   20
  • 21.
    Exploiting URL Leakage https://secure.com?sessionID=55769…   Viewing  Charlie’s  Profile   Favorite  Movie:  Sneakers     Favorite  Food:  spam   Personal  Blog:  Click  Here   <a  href=“https://charlieblog.com”>Click  Here</a>   21
  • 22.
    Exploiting URL Leakage secure.com SSL   Request   Response   Viewing  Charlie’s  Profile   Favorite  Movie:  Sneakers     charlieblog.com Favorite  Food:  spam   Personal  Blog:  Click  Here   SSL   Request   GET  charlieblog.com  HTTP/1.0   Referrer:  https://secure.com?sessionID=55769…   22
  • 23.
    Problem: False InternalTrust Internal  Network   SSL   mybank.com SSN,  Credit  Card,   Pin,  PII…   23
  • 24.
    Problem: Not allSSL is equal FIPS Approved Ciphers   View Ciphers by ADH-AES256-SHA DHE-RSA-AES256-SHA Strength DHE-DSS-AES256-SHA AES256-SHA ADH-AES128-SHA openssl ciphers <strength> -v DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA   Test Server: AES128-SHA ADH-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA openssl s_client -connect site.com:443 - EDH-DSS-DES-CBC3-SHA cipher <strength> DES-CBC3-SHA   Test Client: LOW Strength Ciphers ADH-DES-CBC-SHA openssl s_server -www -cert cacert.pem - EDH-RSA-DES-CBC-SHA key cakey.pem EDH-DSS-DES-CBC-SHA DES-CBC-SHA DES-CBC-MD5 <strength>=NULL|LOW|MEDIUM|HIGH|FIPS 24
  • 25.
    More Problems   MD5Collision Rogue CA Creation   Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger   http://www.win.tue.nl/hashclash/rogue-ca/   SSLstrip   Null Prefix Attacks Against SSL/TLS Certificates   Moxie Marlinspike   http://www.thoughtcrime.org/software/sslstrip/   http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf 25
  • 26.
    MD5 Collision   Attackerrequests legitimate cert from CA   Exploits MD5 Collision to create legitimate CA   Issues legit certs from authorized CA 26
  • 27.
    MD5 Collision RogueCA Root  CA   Root  CA   CA   CA   CA   CA   SSL  Cert   amazon.com   27
  • 28.
    MD5 Collision RogueCA Root  CA   Root  CA   CA   SSL  Cert   MD5 Collision CA   CA   Attacker   CA   CA   SSL  Cert   amazon.com   28
  • 29.
    Null Prefix Attack CAVerifies Root Domain Ownership www.foo.com www.blah.foo.com nonexistent.a.b.c.foo.com foo.com amazon.com0.foo.com Browser SSL Verification   Microsoft CryptoAPI - 0 is eos amazon.com == amazon.com0.foo.com 29
  • 30.
    SSLstrip   MitM SSLConnections   ARP Spoofing   IP Tables   Auto Strip SSL -> HTTPS to HTTP   Execute Null Prefix Attack   Block Certificate Revocation Messages   OCSP Attacks 30
  • 31.
    Is There Hope?  Average User == Not Technical   Most Deployments Vulnerable   Specialized Attack Tools Available 31
  • 32.
    Doing It Right… The  Application      SSL  only        No  HTTP  -­‐>  HTTPS  redirects  :  HTTP  shows   “User  Education”  message      No  SSL  errors  or  warnings   The  User      Bookmark  the  HTTPS  page      Stop  if  any  SSL  warnings/errors  presented   The  Browser      Set  realistic  user  expectations      Support  STS/ForceTLS   32
  • 33.
    Solution: Strict Transport Security   Server Side Option   Header tells browser to only send HTTPS requests for site   Blocks Connection w/any Errors HTTP/1.1  200  OK   Server:  Apache   Cache-­‐Control:  private   Strict-­‐Transport-­‐Security  :  max-­‐age=500;  includesubdomains   33
  • 34.
    Resources – TLSCheat Sheet Rule  -­‐  Use  TLS  for  All  Login  Pages  and  All  Authenticated  Pages   Rule  -­‐  Use  TLS  on  Any  Networks  (External  and  Internal)   Transmitting  Sensitive  Data   Rule  -­‐  Do  Not  Provide  Non-­‐TLS  Pages  for  Secure  Content   Rule  -­‐  Do  Not  Perform  Redirects  from  Non-­‐TLS  Page  to  TLS  Login   Page   Rule  -­‐  Do  Not  Mix  TLS  and  Non-­‐TLS  Content   Rule  -­‐  Use  "Secure"  Cookie  Flag   Rule  -­‐  Keep  Sensitive  Data  Out  of  the  URL   http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet   34
  • 35.
    Resources - ssllabs.com (Ivan Ristic) 35
  • 36.
    Resources – sslfail.com (TylerReguly, Marcin Wielgoszewski) 36
  • 37.
  • 38.