Cryptography in transit #4

Closed
vanderaj opened this issue Nov 17, 2014 · 1 comment

@vanderaj
Member

Issue: the crypto in transit chapter is practically impossible to verify. It's very old school J2EE centric, which doesn't help modern applications.

Solution:

Use the SSL/TLS threat model and best practice guides from Mozilla, Microsoft and Qualys to ensure that we have a reasonable set of controls, with adequate guidance to test these empirically from either a configuration or code point of view, as well as a simple set of references for developers to follow that will end up with a reasonable outcome from an ASVS assessment.

Platform issues such as certificate pinning and so on should be considered, but only to note that this should be a platform issue, rather than a developer temporary fix.

@vanderaj vanderaj self-assigned this Nov 17, 2014
@vanderaj vanderaj added this to the 2.1 milestone Nov 17, 2014
@vanderaj vanderaj modified the milestone: 2.1 Nov 21, 2014
@vanderaj
Member Author

Fixed with a major update.

@vanderaj vanderaj modified the milestones: 2.1, 3.0 Jul 10, 2015