[Ach] Successor project/paper of "Applied Crypto Hardening"?

Dominic Schallert ds at schallert.com
Fri Oct 12 18:23:10 CEST 2018


You’re welcome!

Below are some other useful resources and tools dumped from my bookmarks.


# Docs / Config generation
https://wiki.mozilla.org/Security/Server_Side_TLS <https://wiki.mozilla.org/Security/Server_Side_TLS>
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet <https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet>
https://mozilla.github.io/server-side-tls/ssl-config-generator/ <https://mozilla.github.io/server-side-tls/ssl-config-generator/>

# Webserver specific
https://nginx.org/en/docs/http/configuring_https_servers.html <https://nginx.org/en/docs/http/configuring_https_servers.html>
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html <https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html>

# Expiry Monitoring / Certificate Transparency
https://certificatemonitor.org/ <https://certificatemonitor.org/>
https://crt.sh <https://crt.sh/>

# Testing / Benchmarking
https://observatory.mozilla.org/ <https://observatory.mozilla.org/>  (HTTPS Testing - most intensive, combines other tools like securityheaders.com <http://securityheaders.com/>, tls.imirhil.fr <http://tls.imirhil.fr/>, etc.)
https://www.ssllabs.com/ <https://www.ssllabs.com/> (HTTPS Testing)
https://de.ssl-tools.net/ <https://de.ssl-tools.net/>  (HTTPS, SMTP Testing)
https://tls.imirhil.fr/ <https://tls.imirhil.fr/>  (HTTPS, SMTP, XMPP, SSH Testing)
https://securityheaders.com/ <https://securityheaders.com/> (HTTP Header Testing)




> Am 12.10.2018 um 18:14 schrieb Frank Thommen <f.thommen at dkfz-heidelberg.de>:
> 
> Thanks a lot.  These documents are very helpful indeed.
> frank
> 
> 
> On 10/12/2018 06:07 PM, Dominic Schallert wrote:
>> Hi,
>> regarding TLS best practices, BSI TR-02102-2 (Version 2018-01) might be a good starting point;
>> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf
>> (Unfortunately in German only)
>> NIST provides something similiar with SP 800-52 Rev. 2 (Draft);
>> https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
>> Generally these kind of guidelines/documents tend to get outdated
>> very quickly as technology moves forward very fast.
>> Cheers
>> Dominic
>>> Am 12.10.2018 um 08:23 schrieb Frank Thommen <f.thommen at dkfz-heidelberg.de <mailto:f.thommen at dkfz-heidelberg.de>>:
>>> 
>>> Every one to two years seems fine to me as "consumer".  Maybe with emergency updates in-between when critical issues appear?
>>> 
>>> Ideally the website would announce, that the document is regularly updated.
>>> 
>>> frank
>>> 
>>> 
>>> On 11/10/18 22:05, Susan E. Sons wrote:
>>>> There are some corners of the guide that are out of date, but I haven't
>>>> yet found a better resource to point operators to if they aren't
>>>> familiar with these security concerns.
>>>> I'm constantly coming across problems caused by even the software
>>>> developers' "best practice" recommendations being completely wrong.  For
>>>> example, several major CMSes advise that all executable parts of the CMS
>>>> be writable by the web server!  Well-meaning admins follow these best
>>>> practices guides not knowing that they are making their installations
>>>> insecure by doing so.
>>>> If there were an effort to update the existing material, however, I
>>>> could probably chip in a small amount of effort from my staff at the
>>>> Center for Applied Cybersecurity Research to assist with those updates.
>>>> A new version every year or two may be the best we can do.
>>>> Susan
>>>> On 10/11/2018 01:14 PM, Frank Thommen wrote:
>>>>> Hello,
>>>>> 
>>>>> recently someone asked, if this (bettercrypto?) project is dead.  My
>>>>> impression is, that it is at least extremely passive.  Not being a
>>>>> security and network protocol expert I nevertheless think that the
>>>>> "Applied Crypto Hardening" paper of 2016
>>>>> (https://bettercrypto.org/static/applied-crypto-hardening.pdf) is
>>>>> probably very, very outdated and maybe even dangerous to rely on.
>>>>> 
>>>>> Questions:
>>>>> 
>>>>>   a) Is there some kind of successor project/paper with up to date
>>>>>      copy-paste recommendations for good security settings as they
>>>>>      were published in this paper (which was fantastic at the time)?
>>>>> 
>>>>>   b) could/should the paper of 2016 not better be removed from the
>>>>>      website?
>>>>> 
>>>>> 
>>>>> Cheers
>>>>> frank
>>>>> _______________________________________________
>>>>> Ach mailing list
>>>>> Ach at lists.cert.at <mailto:Ach at lists.cert.at>
>>>>> https://lists.cert.at/cgi-bin/mailman/listinfo/ach
>>> 
>>> _______________________________________________
>>> Ach mailing list
>>> Ach at lists.cert.at <mailto:Ach at lists.cert.at>
>>> https://lists.cert.at/cgi-bin/mailman/listinfo/ach

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20181012/5d3f3e2e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.cert.at/pipermail/ach/attachments/20181012/5d3f3e2e/attachment-0001.sig>


More information about the Ach mailing list