<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">You’re welcome! <div class=""><br class=""></div><div class="">Below are some other useful resources and tools dumped from my bookmarks.<div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div class=""># Docs / Config generation</div><div class=""><a href="https://wiki.mozilla.org/Security/Server_Side_TLS" class="">https://wiki.mozilla.org/Security/Server_Side_TLS</a> </div><div class=""><a href="https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet" class="">https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet</a> </div><div class=""><a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/" class="">https://mozilla.github.io/server-side-tls/ssl-config-generator/</a> </div><div class=""><br class=""></div><div class=""># Webserver specific</div><div class=""><a href="https://nginx.org/en/docs/http/configuring_https_servers.html" class="">https://nginx.org/en/docs/http/configuring_https_servers.html</a></div><div class=""><a href="https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html" class="">https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html</a></div><div class=""><br class=""></div><div class=""># Expiry Monitoring / Certificate Transparency</div><div class=""><a href="https://certificatemonitor.org/" class="">https://certificatemonitor.org/</a> </div><div class=""><a href="https://crt.sh" class="">https://crt.sh</a> </div><div class=""><br class=""></div><div class=""># Testing / Benchmarking</div><div class=""><a href="https://observatory.mozilla.org/" class="">https://observatory.mozilla.org/</a>  (HTTPS Testing - most intensive, combines other tools like <a href="http://securityheaders.com" class="">securityheaders.com</a>, <a href="http://tls.imirhil.fr" class="">tls.imirhil.fr</a>, 
etc.)</div><div class=""><a href="https://www.ssllabs.com/" class="">https://www.ssllabs.com/</a> (HTTPS Testing)</div><div class=""><a href="https://de.ssl-tools.net/" class="">https://de.ssl-tools.net/</a>  (HTTPS, SMTP Testing)</div><div class=""><a href="https://tls.imirhil.fr/" class="">https://tls.imirhil.fr/</a>  (HTTPS, SMTP, XMPP, SSH Testing)</div><div class=""><a href="https://securityheaders.com/" class="">https://securityheaders.com/</a> (HTTP Header Testing)</div><div class=""><br class=""></div>
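<div class=""><br class=""></div><div class="">A self-hosted variant of the expiry-monitoring and protocol-testing checks that the hosted tools above perform, as an added example for this page (it is not code from the original message or from the bettercrypto project). It uses only the Python standard library: <code>ssl.SSLSocket.getpeercert()</code> reports <code>notAfter</code> in OpenSSL's fixed GMT text format, which <code>ssl.cert_time_to_seconds()</code> parses; the per-version probe pins a client context to exactly one TLS version and records whether the handshake completes. The host name, the warning thresholds and all function names are placeholders chosen for the example.</div>

```python
"""Certificate-expiry check and per-version TLS probe.

Added example for this page; not code from the original message or from the
bettercrypto project.  Standard library only.  "example.org" below is a
placeholder host, and the 30/7-day thresholds are assumptions.
"""
import socket
import ssl
import time
from typing import Optional

SECONDS_PER_DAY = 86400


def days_until_expiry(not_after: str, now_epoch: Optional[int] = None) -> int:
    """Days left on a certificate, given the 'notAfter' string that
    ssl.SSLSocket.getpeercert() returns (OpenSSL format, always GMT,
    e.g. 'Jan  5 09:34:43 2018 GMT').  Negative means already expired."""
    if now_epoch is None:
        now_epoch = int(time.time())
    expires_epoch = ssl.cert_time_to_seconds(not_after)
    # Floor division: a certificate with minutes left reports 0 days,
    # one that expired a minute ago reports -1.
    return (expires_epoch - now_epoch) // SECONDS_PER_DAY


def expiry_status(days_left: int, warn_days: int = 30, crit_days: int = 7) -> str:
    """Map remaining days onto the usual monitoring states (thresholds are assumptions)."""
    if days_left < 0:
        return "expired"
    if days_left <= crit_days:
        return "critical"
    if days_left <= warn_days:
        return "warning"
    return "ok"


def hardened_client_context() -> ssl.SSLContext:
    """Client context for the real check: chain + hostname verification against
    the system trust store, TLS 1.2 or newer, TLS compression off (CRIME).
    Cipher selection is left to OpenSSL's defaults here."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def probe_context(version_name: str) -> ssl.SSLContext:
    """Context pinned to exactly one protocol version, for asking a server
    'do you still speak TLSv1?'.  Verification is deliberately off because the
    question is about protocol support, not trust; never reuse this context
    for a connection that carries data."""
    version = ssl.TLSVersion[version_name]       # "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def server_accepts(host: str, version_name: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if a handshake pinned to version_name completes.  A local OpenSSL
    built without that protocol refuses before any bytes are sent (ValueError
    or ssl.SSLError); that is reported as 'not accepted' too, so confirm your
    own OpenSSL still offers TLSv1 before reading a False as a clean result."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with probe_context(version_name).wrap_socket(sock, server_hostname=host):
                return True
    except (ValueError, ssl.SSLError, OSError):
        return False


def check_host(host: str, port: int = 443, warn_days: int = 30) -> dict:
    """The monitoring check: verified handshake, negotiated version and cipher,
    and days left on the leaf certificate."""
    with socket.create_connection((host, port), timeout=5.0) as sock:
        with hardened_client_context().wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()             # populated only because the chain verified
            days = days_until_expiry(cert["notAfter"])
            return {
                "host": host,
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "days_left": days,
                "status": expiry_status(days, warn_days=warn_days),
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.org"   # placeholder host
    print(check_host(target))
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        print(f"{name:8s} accepted: {server_accepts(target, name)}")
```

<div class="">Run it as <code>python3 tlscheck.py www.example.org</code> (host name is a placeholder) from a cron job and alert on anything other than <code>ok</code>; the protocol probe is the same question the hosted scanners above ask, so a <code>True</code> for TLSv1 or TLSv1_1 is the finding to act on, while a <code>False</code> is only meaningful if the local OpenSSL still offers that version.</div>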
<div><br class=""><blockquote type="cite" class=""><div class="">On 12.10.2018 at 18:14, Frank Thommen &lt;<a href="mailto:f.thommen@dkfz-heidelberg.de" class="">f.thommen@dkfz-heidelberg.de</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Thanks a lot.  These documents are very helpful indeed.<br class="">frank<br class=""><br class=""><br class="">On 10/12/2018 06:07 PM, Dominic Schallert wrote:<br class=""><blockquote type="cite" class="">Hi,<br class="">regarding TLS best practices, BSI TR-02102-2 (Version 2018-01) might be a good starting point;<br class=""><a href="https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf" class="">https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf</a><br class="">(Unfortunately in German only)<br class="">NIST provides something similar with SP 800-52 Rev. 2 (Draft);<br class="">https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft<br class="">Generally these kinds of guidelines/documents tend to get outdated<br class="">very quickly as technology moves forward very fast.<br class="">Cheers<br class="">Dominic<br class=""><blockquote type="cite" class="">On 12.10.2018 at 08:23, Frank Thommen &lt;f.thommen@dkfz-heidelberg.de &lt;mailto:f.thommen@dkfz-heidelberg.de&gt;&gt; wrote:<br class=""><br class="">Every one to two years seems fine to me as "consumer".  Maybe with emergency updates in-between when critical issues appear?<br class=""><br class="">Ideally the website would announce that the document is regularly updated.<br class=""><br class="">frank<br class=""><br class=""><br class="">On 11/10/18 22:05, Susan E. 
Sons wrote:<br class=""><blockquote type="cite" class="">There are some corners of the guide that are out of date, but I haven't<br class="">yet found a better resource to point operators to if they aren't<br class="">familiar with these security concerns.<br class="">I'm constantly coming across problems caused by even the software<br class="">developers' "best practice" recommendations being completely wrong.  For<br class="">example, several major CMSes advise that all executable parts of the CMS<br class="">be writable by the web server!  Well-meaning admins follow these best<br class="">practices guides not knowing that they are making their installations<br class="">insecure by doing so.<br class="">If there were an effort to update the existing material, however, I<br class="">could probably chip in a small amount of effort from my staff at the<br class="">Center for Applied Cybersecurity Research to assist with those updates.<br class="">A new version every year or two may be the best we can do.<br class="">Susan<br class="">On 10/11/2018 01:14 PM, Frank Thommen wrote:<br class=""><blockquote type="cite" class="">Hello,<br class=""><br class="">recently someone asked if this (bettercrypto?) project is dead.  My<br class="">impression is that it is at least extremely passive.  
Not being a<br class="">security and network protocol expert I nevertheless think that the<br class="">"Applied Crypto Hardening" paper of 2016<br class="">(https://bettercrypto.org/static/applied-crypto-hardening.pdf) is<br class="">probably very, very outdated and maybe even dangerous to rely on.<br class=""><br class="">Questions:<br class=""><br class="">  a) Is there some kind of successor project/paper with up to date<br class="">     copy-paste recommendations for good security settings as they<br class="">     were published in this paper (which was fantastic at the time)?<br class=""><br class="">  b) could/should the paper of 2016 not better be removed from the<br class="">     website?<br class=""><br class=""><br class="">Cheers<br class="">frank<br class="">_______________________________________________<br class="">Ach mailing list<br class="">Ach@lists.cert.at &lt;mailto:Ach@lists.cert.at&gt;<br class="">https://lists.cert.at/cgi-bin/mailman/listinfo/ach<br class=""></blockquote></blockquote><br class="">_______________________________________________<br class="">Ach mailing list<br class="">Ach@lists.cert.at &lt;mailto:Ach@lists.cert.at&gt;<br class="">https://lists.cert.at/cgi-bin/mailman/listinfo/ach<br class=""></blockquote></blockquote></div></div></blockquote></div><br class=""></div></div></body></html>