You’re welcome! Below are some other useful resources and tools dumped from my bookmarks.
# Docs / Config generation https://wiki.mozilla.org/Security/Server_Side_TLS <https://wiki.mozilla.org/Security/Server_Side_TLS> https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet <https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet> https://mozilla.github.io/server-side-tls/ssl-config-generator/ <https://mozilla.github.io/server-side-tls/ssl-config-generator/> # Webserver specific https://nginx.org/en/docs/http/configuring_https_servers.html <https://nginx.org/en/docs/http/configuring_https_servers.html> https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html <https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html> # Expiry Monitoring / Certificate Transparency https://certificatemonitor.org/ <https://certificatemonitor.org/> https://crt.sh <https://crt.sh/> # Testing / Benchmarking https://observatory.mozilla.org/ <https://observatory.mozilla.org/> (HTTPS Testing - most intensive, combines other tools like securityheaders.com <http://securityheaders.com/>, tls.imirhil.fr <http://tls.imirhil.fr/>, etc.) https://www.ssllabs.com/ <https://www.ssllabs.com/> (HTTPS Testing) https://de.ssl-tools.net/ <https://de.ssl-tools.net/> (HTTPS, SMTP Testing) https://tls.imirhil.fr/ <https://tls.imirhil.fr/> (HTTPS, SMTP, XMPP, SSH Testing) https://securityheaders.com/ <https://securityheaders.com/> (HTTP Header Testing) > Am 12.10.2018 um 18:14 schrieb Frank Thommen <[email protected]>: > > Thanks a lot. These documents are very helpful indeed. > frank > > > On 10/12/2018 06:07 PM, Dominic Schallert wrote: >> Hi, >> regarding TLS best practices, BSI TR-02102-2 (Version 2018-01) might be a >> good starting point; >> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf >> (Unfortunately in German only) >> NIST provides something similiar with SP 800-52 Rev. 2 (Draft); >> https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft >> Generally these kind of guidelines/documents tend to get outdated >> very quickly as technology moves forward very fast. >> Cheers >> Dominic >>> Am 12.10.2018 um 08:23 schrieb Frank Thommen <[email protected] >>> <mailto:[email protected]>>: >>> >>> Every one to two years seems fine to me as "consumer". Maybe with >>> emergency updates in-between when critical issues appear? >>> >>> Ideally the website would announce, that the document is regularly updated. >>> >>> frank >>> >>> >>> On 11/10/18 22:05, Susan E. Sons wrote: >>>> There are some corners of the guide that are out of date, but I haven't >>>> yet found a better resource to point operators to if they aren't >>>> familiar with these security concerns. >>>> I'm constantly coming across problems caused by even the software >>>> developers' "best practice" recommendations being completely wrong. For >>>> example, several major CMSes advise that all executable parts of the CMS >>>> be writable by the web server! Well-meaning admins follow these best >>>> practices guides not knowing that they are making their installations >>>> insecure by doing so. >>>> If there were an effort to update the existing material, however, I >>>> could probably chip in a small amount of effort from my staff at the >>>> Center for Applied Cybersecurity Research to assist with those updates. >>>> A new version every year or two may be the best we can do. >>>> Susan >>>> On 10/11/2018 01:14 PM, Frank Thommen wrote: >>>>> Hello, >>>>> >>>>> recently someone asked, if this (bettercrypto?) project is dead. My >>>>> impression is, that it is at least extremely passive. Not being a >>>>> security and network protocol expert I nevertheless think that the >>>>> "Applied Crypto Hardening" paper of 2016 >>>>> (https://bettercrypto.org/static/applied-crypto-hardening.pdf) is >>>>> probably very, very outdated and maybe even dangerous to rely on. >>>>> >>>>> Questions: >>>>> >>>>> a) Is there some kind of successor project/paper with up to date >>>>> copy-paste recommendations for good security settings as they >>>>> were published in this paper (which was fantastic at the time)? >>>>> >>>>> b) could/should the paper of 2016 not better be removed from the >>>>> website? >>>>> >>>>> >>>>> Cheers >>>>> frank >>>>> _______________________________________________ >>>>> Ach mailing list >>>>> [email protected] <mailto:[email protected]> >>>>> https://lists.cert.at/cgi-bin/mailman/listinfo/ach >>> >>> _______________________________________________ >>> Ach mailing list >>> [email protected] <mailto:[email protected]> >>> https://lists.cert.at/cgi-bin/mailman/listinfo/ach
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Ach mailing list [email protected] https://lists.cert.at/cgi-bin/mailman/listinfo/ach
