[Owasp-board] [GPC] OWASP.org SSL/TLS scan

Jason Li jason.li at owasp.org
Tue May 31 13:12:33 UTC 2011


FYI - from Raul.

-Jason

---------- Forwarded message ----------
From: Raul Siles <raul at taddong.com>
Date: Tue, May 31, 2011 at 7:15 AM
Subject: Re: [Owasp-board] [GPC] OWASP.org SSL/TLS scan
To: Jason Li <jason.li at owasp.org>, Paulo Coimbra <pcoimbra at owasp.org>,
Laurence Casey <larry.casey at owasp.org>, Matt Tesauro <matt.tesauro at owasp.org>,
Dinis Cruz <dinis.cruz at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>


Sorry to disturb you again. Please, could some of you forward my previous
e-mail (at the very bottom), plus this new clarification, to the owasp-board
(owasp-board at lists.owasp.org), owasp-infrastructure
(owasp-infrastructure at lists.owasp.org), and GPC
(global-projects-committee at lists.owasp.org) mailing lists.

As I'm not a list member, they were not accepted and most of the members
didn't receive it.

New clarifications:
--
> You developed it so you should be able to have the glory and associated
> credit.
>
> How does it compare to https://www.ssllabs.com/ ?

Christian,
I have run a similar scan against owasp.net (I won't make it public) with
the same results, in case anyone is interested: no SSLv2 support, no NULL
ciphers, no weak ciphers (40 or 56 bit keys), several strong ciphers (AES
128 or 256 bit keys), and secure renegotiation supported. Both use the same
digital certificate, so same results there too.

The only issue is that it will generate an error when validating the
certificate on any browser as the hostname and certificate entity
(*.owasp.org) do not match.

TLSSLed does not try to be a replacement for the thorough tests performed by
Ivan's SSLLabs. However, there are a few scenarios when you need a
tool/script like this, such as when assessing the security of internal web
servers (not reachable from the Internet), or if you do not want to appear
on SSLLabs' recently scanned sites list.
--
> We do pretty well with Ivan's SSLLabs scan.

Jeff, I'm pretty sure you do. Please, read above my response to Christian.
--

Thanks,
----
Raul Siles
Founder & Senior Security Analyst
Taddong
raul at taddong.com | +34-639109172 | www.taddong.com



On May 31, 2011, at 12:33 AM, Raul Siles wrote:

> Thanks everybody for looking into this! I thought using owasp.org was the
> best way to demo the script and show the world at the same time that OWASP
> does what it promotes (from a best practices point of view).
>
> As a modest suggestion, I think it would help to define who within OWASP
> can provide this kind of authorization for future similar requests.
>
> Best regards,
> ----
> Raul Siles
> Founder & Senior Security Analyst
> Taddong
> raul at taddong.com | +34-639109172 | www.taddong.com
>
>
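As an added illustration of the checks Raul lists for the owasp.net scan (SSLv2 support, NULL ciphers, 40/56-bit ciphers, AES-128/256 ciphers, and whether the certificate name matches the hostname), here is a small evaluator that applies those criteria to a scanner's accepted-suite list. This is example code written for this page, not TLSSLed's own script; the accepted-suite list and certificate name are constructed sample values, and secure renegotiation is not assessed here.

```python
"""Apply the thread's TLS scan criteria to a list of accepted cipher suites
and a certificate name. Sample data below is constructed, not a real scan."""

# Constructed sample: (protocol, suite name, key bits) the server accepted,
# in the shape tools built on openssl s_client / sslscan typically report.
SAMPLE_ACCEPTED = [
    ("TLSv1", "AES256-SHA", 256),
    ("TLSv1", "AES128-SHA", 128),
    ("SSLv3", "DES-CBC3-SHA", 168),
]


def classify_cipher(name, bits):
    """Bucket a suite: NULL (no encryption), weak (40/56-bit or export),
    strong (AES with 128/256-bit keys), or other (e.g. 3DES, RC4-128)."""
    if "NULL" in name:
        return "null"
    if bits in (40, 56) or name.startswith("EXP"):
        return "weak"
    if "AES" in name and bits in (128, 256):
        return "strong"
    return "other"


def evaluate(accepted):
    """Summarise accepted suites the way the thread reports them."""
    report = {"sslv2": False, "null": [], "weak": [], "strong": [], "other": []}
    for proto, name, bits in accepted:
        if proto == "SSLv2":
            report["sslv2"] = True  # any SSLv2 suite means SSLv2 is enabled
        report[classify_cipher(name, bits)].append(name)
    return report


def hostname_matches(cert_name, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard only
    stands for the whole leftmost label, so *.owasp.org covers
    www.owasp.org but not owasp.org, a.b.owasp.org or owasp.net."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name == hostname:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".owasp.org"
        if not hostname.endswith(suffix):
            return False
        return "." not in hostname[: -len(suffix)]  # exactly one extra label
    return False
```

Running `evaluate(SAMPLE_ACCEPTED)` reproduces the thread's "no SSLv2, no NULL, no weak, several strong" summary, while `hostname_matches("*.owasp.org", "owasp.net")` is False, which is the browser warning Raul describes.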

