Sin 10: Improper Use of SSL and TLS Summary

  • Do use the latest version of SSL/TLS available, in order of preference: TLS 1.1, TLS 1.0, and SSL3.

  • Do use a certificate allow list, if appropriate.

  • Do ensure that, before you send data, the peer certificate is traced back to a trusted CA and is within its validity period.

  • Do check that the expected hostname appears in a proper field of the peer certificate.

  • Do not use SSL2. It has serious cryptographic weaknesses.

  • Do not rely on the underlying SSL/TLS library to properly validate a connection, unless you are using HTTPS.

  • Do not only check the name (for example, the DN) in a certificate. Anyone can create a certificate and add any name they wish to it.

  • Consider using an OCSP responder when validating certificates in a trust chain to ensure that the certificate hasn't been revoked.

  • Consider downloading CRLs once the present CRLs expire and using them to further validate certificates in a trust chain.
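The checklist above as runnable Python, added here as an example and not code from the book. The standard `ssl` module handles the chain-to-trusted-CA check and the protocol floor (this example assumes a current Python/OpenSSL and sets the floor at TLS 1.2, the newest version such a build offers), and `verify_peer()` applies the remaining items (validity period, hostname in SAN or CN, optional certificate allow list by SHA-256 fingerprint) to the dict that `SSLSocket.getpeercert()` returns. The sample certificate dict, DER bytes and allow-list entry are constructed.

```python
import hashlib
import ssl
import time

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2034 GMT",
}
SAMPLE_DER = b"constructed DER bytes, not a real certificate"   # getpeercert(binary_form=True)
ALLOWED_SHA256 = {hashlib.sha256(SAMPLE_DER).hexdigest()}      # constructed allow list


def client_context(cafile=None):
    """Refuse SSL2/SSL3/TLS1.0/1.1; require a chain to a trusted CA and a hostname match."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hostname_matches(cert, expected):
    """Match against SAN DNS names (one leading wildcard label allowed); CN only if no SAN."""
    expected = expected.lower().rstrip(".")
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if name == expected:
            return True
        # "*.example.net" matches "api.example.net" but not "example.net" or "a.b.example.net"
        if name.startswith("*.") and "." in expected and expected.split(".", 1)[1] == name[2:]:
            return True
    return False


def within_validity(cert, now=None):
    """True when now (epoch seconds) lies inside notBefore..notAfter."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])


def verify_peer(cert, der, expected_host, allowed=None, now=None):
    """Apply the application-side checks; returns (ok, reason). Call before sending any data."""
    if not within_validity(cert, now):
        return False, "certificate outside validity period"
    if not hostname_matches(cert, expected_host):
        return False, "expected hostname not in certificate"
    if allowed is not None and hashlib.sha256(der).hexdigest() not in allowed:
        return False, "certificate not on allow list"
    return True, "ok"
```

In a real client, `cert` comes from `sock.getpeercert()` and `der` from `sock.getpeercert(binary_form=True)` on a socket wrapped by `client_context()`; checking the DN alone, as the list warns, is never sufficient.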



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them