[Ach] Successor project/paper of "Applied Crypto Hardening"?
Frank Thommen
f.thommen at dkfz-heidelberg.de
Fri Oct 12 18:14:01 CEST 2018
Thanks a lot. These documents are very helpful indeed.
frank
On 10/12/2018 06:07 PM, Dominic Schallert wrote:
> Hi,
>
> regarding TLS best practices, BSI TR-02102-2 (Version 2018-01) might be
> a good starting point;
> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf
> (Unfortunately in German only)
>
> NIST provides something similiar with SP 800-52 Rev. 2 (Draft);
> https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
>
> Generally these kind of guidelines/documents tend to get outdated
> very quickly as technology moves forward very fast.
>
> Cheers
> Dominic
>
>
>> Am 12.10.2018 um 08:23 schrieb Frank Thommen
>> <f.thommen at dkfz-heidelberg.de <mailto:f.thommen at dkfz-heidelberg.de>>:
>>
>> Every one to two years seems fine to me as "consumer". Maybe with
>> emergency updates in-between when critical issues appear?
>>
>> Ideally the website would announce, that the document is regularly
>> updated.
>>
>> frank
>>
>>
>> On 11/10/18 22:05, Susan E. Sons wrote:
>>> There are some corners of the guide that are out of date, but I haven't
>>> yet found a better resource to point operators to if they aren't
>>> familiar with these security concerns.
>>> I'm constantly coming across problems caused by even the software
>>> developers' "best practice" recommendations being completely wrong. For
>>> example, several major CMSes advise that all executable parts of the CMS
>>> be writable by the web server! Well-meaning admins follow these best
>>> practices guides not knowing that they are making their installations
>>> insecure by doing so.
>>> If there were an effort to update the existing material, however, I
>>> could probably chip in a small amount of effort from my staff at the
>>> Center for Applied Cybersecurity Research to assist with those updates.
>>> A new version every year or two may be the best we can do.
>>> Susan
>>> On 10/11/2018 01:14 PM, Frank Thommen wrote:
>>>> Hello,
>>>>
>>>> recently someone asked, if this (bettercrypto?) project is dead. My
>>>> impression is, that it is at least extremely passive. Not being a
>>>> security and network protocol expert I nevertheless think that the
>>>> "Applied Crypto Hardening" paper of 2016
>>>> (https://bettercrypto.org/static/applied-crypto-hardening.pdf) is
>>>> probably very, very outdated and maybe even dangerous to rely on.
>>>>
>>>> Questions:
>>>>
>>>> a) Is there some kind of successor project/paper with up to date
>>>> copy-paste recommendations for good security settings as they
>>>> were published in this paper (which was fantastic at the time)?
>>>>
>>>> b) could/should the paper of 2016 not better be removed from the
>>>> website?
>>>>
>>>>
>>>> Cheers
>>>> frank
>>>> _______________________________________________
>>>> Ach mailing list
>>>> Ach at lists.cert.at <mailto:Ach at lists.cert.at>
>>>> https://lists.cert.at/cgi-bin/mailman/listinfo/ach
>>
>> _______________________________________________
>> Ach mailing list
>> Ach at lists.cert.at <mailto:Ach at lists.cert.at>
>> https://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
More information about the Ach
mailing list