[Ach] Successor project/paper of "Applied Crypto Hardening"?
Susan E. Sons
sesons at iu.edu
Fri Oct 12 20:44:44 CEST 2018
1-2 years plus the occasional urgent revision sounds right to me. The
open question is, what does the core team really want and have planned?
They tweeted back in April-ish that a revision is coming, but I haven't
seen anything since then.
On 10/12/2018 02:23 AM, Frank Thommen wrote:
> Every one to two years seems fine to me as "consumer". Maybe with
> emergency updates in-between when critical issues appear?
> Ideally the website would announce that the document is regularly
> On 11/10/18 22:05, Susan E. Sons wrote:
>> There are some corners of the guide that are out of date, but I haven't
>> yet found a better resource to point operators to if they aren't
>> familiar with these security concerns.
>> I'm constantly coming across problems caused by even the software
>> developers' "best practice" recommendations being completely wrong. For
>> example, several major CMSes advise that all executable parts of the CMS
>> be writable by the web server! Well-meaning admins follow these best
>> practices guides not knowing that they are making their installations
>> insecure by doing so.
>> If there were an effort to update the existing material, however, I
>> could probably chip in a small amount of effort from my staff at the
>> Center for Applied Cybersecurity Research to assist with those updates.
>> A new version every year or two may be the best we can do.
>> On 10/11/2018 01:14 PM, Frank Thommen wrote:
>>> recently someone asked if this (bettercrypto?) project is dead. My
>>> impression is that it is at least extremely passive. Not being a
>>> security and network protocol expert I nevertheless think that the
>>> "Applied Crypto Hardening" paper of 2016
>>> (https://bettercrypto.org/static/applied-crypto-hardening.pdf) is
>>> probably very, very outdated and maybe even dangerous to rely on.
>>> a) Is there some kind of successor project/paper with up to date
>>> copy-paste recommendations for good security settings as they
>>> were published in this paper (which was fantastic at the time)?
>>> b) could/should the paper of 2016 not better be removed from the
Chief Security Analyst
IU Center for Applied Cybersecurity Research
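Added example, not from this thread or from the bettercrypto project: a small audit script for the point made in the quoted message above, that server-side CMS code which the web-server account can overwrite turns any file-write bug into remote code execution. It lists PHP-style code files under a document root that the web-server account could modify; the hardened layout is code owned by a separate deploy user and readable, but not writable, by the web-server account. The file extensions, the default www-data account and the demo directory tree are my assumptions, not anything the list or any CMS specifies.

```sh
#!/bin/sh
# Audit example (added here; not from the Ach list or bettercrypto).
# Lists code files under a docroot that the web-server account could write:
#   - owned by the web-server user (the owner can always chmod it back), or
#   - group-writable and owned by the web-server group, or
#   - world-writable.
# Assumed: PHP-style CMS (*.php, *.phtml, *.inc), web server running as
# www-data:www-data unless told otherwise.
webserver_writable_code() {
    docroot=$1
    web_user=${2:-www-data}
    web_group=${3:-www-data}
    # Build the find(1) expression in the positional parameters so each
    # clause is a separate argument. Ownership clauses are added only if the
    # account exists on this host: `find -user` aborts on an unknown name.
    set -- "$docroot" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \(
    if id "$web_user" >/dev/null 2>&1; then
        set -- "$@" -user "$web_user" -o
    fi
    if getent group "$web_group" >/dev/null 2>&1; then
        set -- "$@" \( -group "$web_group" -perm -g+w \) -o
    fi
    set -- "$@" -perm -o+w \) -print
    find "$@" 2>/dev/null | sort
}

# Constructed demo tree (not a real site, assumed layout): one correctly
# deployed file, one plugin file left world-writable in the way some CMS
# install guides recommend, and a world-writable upload that is not code
# and is therefore not reported. Prints the root path so the caller can
# audit and remove it.
make_demo_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/demo" "$root/wp-content/uploads"
    printf '<?php echo "hi";\n' > "$root/index.php"
    chmod 0644 "$root/index.php"
    printf '<?php // plugin code\n' > "$root/wp-content/plugins/demo/demo.php"
    chmod 0666 "$root/wp-content/plugins/demo/demo.php"
    printf 'user upload\n' > "$root/wp-content/uploads/photo.jpg"
    chmod 0666 "$root/wp-content/uploads/photo.jpg"
    printf '%s\n' "$root"
}

# Usage:  sh audit.sh --demo            (builds the demo tree and audits it)
#         sh audit.sh /var/www/site www-data www-data
case "${1:-}" in
    --demo)
        root=$(make_demo_docroot)
        echo "Web-server-writable code under $root:"
        webserver_writable_code "$root" www-data www-data
        rm -rf "$root"
        ;;
    '') ;;   # no arguments: only define the functions (e.g. when sourced)
    *)  webserver_writable_code "$@" ;;
esac
```

Anything the script prints should be owned by a deploy account and stripped of write bits for the web server (chmod o-w, and group write only if the group is not the web server's). Directories that the CMS legitimately needs to write to, such as an uploads tree, should stay writable but must not be served as executable code.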