[Ach] Successor project/paper of "Applied Crypto Hardening"?

Dominic Schallert ds at schallert.com
Fri Oct 12 18:07:04 CEST 2018


regarding TLS best practices, BSI TR-02102-2 (Version 2018-01) might be a good starting point;
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf <https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf>
(Unfortunately in German only)

NIST provides something similiar with SP 800-52 Rev. 2 (Draft);
https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft <https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft>

Generally these kind of guidelines/documents tend to get outdated
very quickly as technology moves forward very fast.


> Am 12.10.2018 um 08:23 schrieb Frank Thommen <f.thommen at dkfz-heidelberg.de>:
> Every one to two years seems fine to me as "consumer".  Maybe with emergency updates in-between when critical issues appear?
> Ideally the website would announce, that the document is regularly updated.
> frank
> On 11/10/18 22:05, Susan E. Sons wrote:
>> There are some corners of the guide that are out of date, but I haven't
>> yet found a better resource to point operators to if they aren't
>> familiar with these security concerns.
>> I'm constantly coming across problems caused by even the software
>> developers' "best practice" recommendations being completely wrong.  For
>> example, several major CMSes advise that all executable parts of the CMS
>> be writable by the web server!  Well-meaning admins follow these best
>> practices guides not knowing that they are making their installations
>> insecure by doing so.
>> If there were an effort to update the existing material, however, I
>> could probably chip in a small amount of effort from my staff at the
>> Center for Applied Cybersecurity Research to assist with those updates.
>> A new version every year or two may be the best we can do.
>> Susan
>> On 10/11/2018 01:14 PM, Frank Thommen wrote:
>>> Hello,
>>> recently someone asked, if this (bettercrypto?) project is dead.  My
>>> impression is, that it is at least extremely passive.  Not being a
>>> security and network protocol expert I nevertheless think that the
>>> "Applied Crypto Hardening" paper of 2016
>>> (https://bettercrypto.org/static/applied-crypto-hardening.pdf) is
>>> probably very, very outdated and maybe even dangerous to rely on.
>>> Questions:
>>>   a) Is there some kind of successor project/paper with up to date
>>>      copy-paste recommendations for good security settings as they
>>>      were published in this paper (which was fantastic at the time)?
>>>   b) could/should the paper of 2016 not better be removed from the
>>>      website?
>>> Cheers
>>> frank
>>> _______________________________________________
>>> Ach mailing list
>>> Ach at lists.cert.at
>>> https://lists.cert.at/cgi-bin/mailman/listinfo/ach
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> https://lists.cert.at/cgi-bin/mailman/listinfo/ach

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20181012/63501bde/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.cert.at/pipermail/ach/attachments/20181012/63501bde/attachment.sig>

More information about the Ach mailing list