[Ach] Successor project/paper of "Applied Crypto Hardening"?

Frank Thommen f.thommen at dkfz-heidelberg.de
Fri Oct 12 08:23:03 CEST 2018


Every one to two years seems fine to me as "consumer".  Maybe with 
emergency updates in-between when critical issues appear?

Ideally the website would announce that the document is regularly updated.

frank


On 11/10/18 22:05, Susan E. Sons wrote:
> There are some corners of the guide that are out of date, but I haven't
> yet found a better resource to point operators to if they aren't
> familiar with these security concerns.
> 
> I'm constantly coming across problems caused by even the software
> developers' "best practice" recommendations being completely wrong.  For
> example, several major CMSes advise that all executable parts of the CMS
> be writable by the web server!  Well-meaning admins follow these best
> practices guides not knowing that they are making their installations
> insecure by doing so.
> 
> If there were an effort to update the existing material, however, I
> could probably chip in a small amount of effort from my staff at the
> Center for Applied Cybersecurity Research to assist with those updates.
> A new version every year or two may be the best we can do.
> 
> Susan
> 
> On 10/11/2018 01:14 PM, Frank Thommen wrote:
>> Hello,
>>
>> recently someone asked if this (bettercrypto?) project is dead.  My
>> impression is that it is at least extremely passive.  Not being a
>> security and network protocol expert I nevertheless think that the
>> "Applied Crypto Hardening" paper of 2016
>> (https://bettercrypto.org/static/applied-crypto-hardening.pdf) is
>> probably very, very outdated and maybe even dangerous to rely on.
>>
>> Questions:
>>
>>    a) Is there some kind of successor project/paper with up to date
>>       copy-paste recommendations for good security settings as they
>>       were published in this paper (which was fantastic at the time)?
>>
>>    b) could/should the paper of 2016 not better be removed from the
>>       website?
>>
>>
>> Cheers
>> frank