[Owasp-infrastructure] FW: [Owasp-board] [GPC] OWASP.org SSL/TLS scan

Paulo Coimbra pcoimbra at owasp.org
Tue May 31 12:58:39 EDT 2011


Forwarding Raul's email.

- Paulo

Paulo Coimbra
OWASP Project Manager <https://www.owasp.org/index.php/User:Paulo_Coimbra>

From:  Raul Siles <raul at taddong.com>
Date:  Tue, 31 May 2011 13:15:36 +0200
To:  Jason Li <jason.li at owasp.org>, Paulo Coimbra <pcoimbra at owasp.org>,
Laurence Casey <larry.casey at owasp.org>, Matt Tesauro
<matt.tesauro at owasp.org>, Dinis Cruz <dinis.cruz at owasp.org>, Kate Hartmann
<kate.hartmann at owasp.org>
Subject:  Re: [Owasp-board] [GPC] OWASP.org SSL/TLS scan

Sorry to disturb you again. Please, could some of you forward my previous
e-mail (at the very bottom), plus this new clarification, to the owasp-board
(owasp-board at lists.owasp.org), owasp-infrastructure
(owasp-infrastructure at lists.owasp.org), and GPC
(global-projects-committee at lists.owasp.org) mailing lists.

As I'm not a list member, they were not accepted and most of the members
didn't receive it.

New clarifications:

> You developed it so you should be able to have the glory and associated
> credit.
> How does it compare to https://www.ssllabs.com/ ?

I have run a similar scan against owasp.net (I won't make it public) with
the same results, in case anyone is interested: no SSLv2 support, no NULL
ciphers, no weak ciphers (40 or 56 bit keys), several strong ciphers (AES
128 or 256 bit keys), and secure renegotiation supported. Both use the same
digital certificate, so same results there too.

The only issue is that it will generate an error when validating the
certificate on any browser as the hostname and certificate entity
(*.owasp.org) do not match.

TLSSLed does not try to be a replacement for the thorough tests performed by
Ivan's SSLLabs. However, there are a few scenarios where you need a
tool/script like this, such as when assessing the security of internal web
servers (not reachable from the Internet), or if you do not want to appear
on SSLLabs' recently scanned sites list.

> We do pretty well with Ivan's SSLLabs scan.

Jeff, I'm pretty sure you do. Please read my response to Christian above.

Raul Siles
Founder & Senior Security Analyst
raul at taddong.com | +34-639109172 | www.taddong.com

On May 31, 2011, at 12:33 AM, Raul Siles wrote:

> Thanks everybody for looking into this! I thought using owasp.org was the best
> way to demo the script and show the world at the same time that OWASP does
> what it promotes (from a best practices point of view).
>
> As a modest suggestion, I think it would help to define who within OWASP can
> provide this kind of authorization for future similar requests.
>
> Best regards,
> ----
> Raul Siles
> Founder & Senior Security Analyst
> Taddong
> raul at taddong.com | +34-639109172 | www.taddong.com
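As an added illustration (not part of this thread, and not code from TLSSLed or SSLLabs): a small Python script that sorts cipher suite names into the categories the scan above reports (NULL ciphers, weak 40/56-bit ciphers, strong AES 128/256 ciphers) and checks whether a wildcard certificate name such as *.owasp.org matches a given hostname, which is the mismatch described for owasp.net. The cipher list is constructed sample input, not output from any real scan, and the classification rules are a simplified reading of the email's criteria.

```python
"""Added example: classify cipher suite names and check certificate hostname
matching, following the categories used in the scan discussion above.
Accepts both OpenSSL-style ("EXP-RC4-MD5") and IANA-style
("TLS_RSA_WITH_AES_128_CBC_SHA") suite names.
"""
import re

# Single DES (56-bit) in either naming form; deliberately excludes
# 3DES, whose names read "DES-CBC3-..." or "3DES-EDE-CBC-...".
_SINGLE_DES = re.compile(r"(?:^|-)DES-CBC-")
# AES with a 128- or 256-bit key: "AES128..." (OpenSSL) or "AES-128-..." (IANA).
_STRONG_AES = re.compile(r"AES-?(?:128|256)")


def classify_cipher(name: str) -> str:
    """Return 'null', 'weak', 'strong' or 'other' for one cipher suite name.

    null   : no encryption at all (eNULL suites)
    weak   : 40- or 56-bit keys (EXPORT suites, single DES)
    strong : AES with 128- or 256-bit keys
    other  : anything else (RC4, 3DES, ChaCha20, ...), left for a human to judge
    """
    n = name.upper().replace("_", "-")
    if "NULL" in n:
        return "null"
    if "EXP" in n or _SINGLE_DES.search(n):
        return "weak"
    if _STRONG_AES.search(n):
        return "strong"
    return "other"


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Simplified browser-style name matching (RFC 6125 section 6.4.3):
    a '*' is honoured only as the whole left-most label and it matches
    exactly one label, so '*.owasp.org' covers 'www.owasp.org' but not
    'owasp.org', 'a.b.owasp.org' or 'owasp.net'.
    """
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not cert.startswith("*."):
        return cert == host
    suffix = cert[1:]  # e.g. ".owasp.org"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return bool(left) and "." not in left


def assess(ciphers, cert_name: str, hostname: str) -> dict:
    """Group offered cipher suites by category and record whether the
    certificate name fits the hostname that was scanned."""
    groups = {"null": [], "weak": [], "strong": [], "other": []}
    for c in ciphers:
        groups[classify_cipher(c)].append(c)
    groups["hostname_ok"] = cert_name_matches(cert_name, hostname)
    return groups


# Constructed sample input (hypothetical server offering a mixed bag).
SAMPLE_CIPHERS = [
    "NULL-MD5",
    "EXP-RC4-MD5",
    "DES-CBC-SHA",
    "DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    report = assess(SAMPLE_CIPHERS, "*.owasp.org", "owasp.net")
    for key in ("null", "weak", "strong", "other"):
        print(f"{key:7}: {report[key]}")
    print("hostname matches certificate:", report["hostname_ok"])
```

Running the script prints one line per category followed by the hostname verdict; for the constructed list it flags the NULL suite, the two export/single-DES suites, and reports that *.owasp.org does not cover owasp.net. Feeding it the suite names a scanner prints for a host gives the same summary the email gives by hand.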
