[Owasp-leaders] OWASP Top Ten

Dave Wichers dave.wichers at owasp.org
Tue May 16 11:37:33 UTC 2017


Larry,

I'm swamped right now. But I'll try to review and respond later this week
or this weekend. Thanks for your input!

-Dave


On Sun, May 14, 2017 at 7:09 PM, Larry Conklin <larry.conklin at owasp.org>
wrote:

> Dave and group hope you find this feedback on the Top Ten to be
> constructive.
>
> Feedback on candidate release OWASP TOP 2017
>
> A5- Security Misconfiguration.
>
>
>
> Stating that security misconfiguration is not enough. It does bring forth
> the issues for developers and security professionals that important
> security vulnerabilities exist in server and application configurations. It
> does not address some large common security misconfigurations. OWASP Top Ten
> cannot address every misconfiguration and it shouldn’t. But I feel that
> somehow within the OWASP Top Ten we should address major security
> misconfigurations that are prevalent on web sites.
>
>
>
> Websites, mail servers, and other TLS-dependent services fall exactly
> within this gray zone. Right now we have a self-created crisis. Users are
> taught wrongly that https means safe and the green lock in the url means
> the web site is safe.  Yet evidence shows web sites are moving to TLS with
> misconfiguration settings.
>
>
>
> Some basic statistics, per the weak DH website: https://weakdh.org
>
>
> Protocol                               Vulnerable to Logjam
> HTTPS — Top 1 Million Domains          8.4%
> HTTPS — Browser Trusted Sites          3.4%
> SMTP+StartTLS — IPv4 Address Space     14.8%
> POP3S — IPv4 Address Space             8.9%
> IMAPS — IPv4 Address Space             8.4%
>
>
>  “The Logjam attack allows a man-in-the-middle attacker to downgrade
> vulnerable TLS connections to 512-bit export-grade cryptography. This
> allows the attacker to read and modify any data passed over the connection.
> The attack is reminiscent of the FREAK attack, but is due to a flaw in the
> TLS protocol rather than an implementation vulnerability, and attacks a
> Diffie-Hellman key exchange rather than an RSA key exchange. *The attack
> affects any server that supports **DHE_EXPORT** ciphers, and affects all
> modern web browsers. 8.4% of the Top 1 Million domains were initially
> vulnerable*."
>
>
> Protocol                                 Vulnerable if most common 1024-bit group is broken
> HTTPS — Top 1 Million Domains            17.9%
> HTTPS – Browser Trusted Sites            6.6%
> IPv4 Address Space                       25.7%
> IKEv1 (IPsec VPNs) — IPv4 Address Space  66.1%
>
>
> “Millions of HTTPS, SSH, and VPN servers all use the same prime numbers
> for Diffie-Hellman key exchange. Practitioners believed this was safe as
> long as new key exchange messages were generated for every connection.
> However, the first step in the number field sieve—the most efficient
> algorithm for breaking a Diffie-Hellman connection—is dependent only on
> this prime. After this first step, an attacker can quickly break individual
> connections. This computation against the most common 512-bit prime used
> for TLS and demonstrate that the Logjam attack can be used to downgrade
> connections to 80% of TLS servers supporting DHE_EXPORT. *It has been
> estimated that an academic team can break a 768-bit prime and that a
> nation-state can break a 1024-bit prime*. Breaking the single, most
> common 1024-bit prime used by web servers would allow passive eavesdropping
> on connections to 18% of the Top 1 Million HTTPS domains. A second prime
> would allow passive decryption of connections to 66% of VPN servers and 26%
> of SSH servers. A close reading of published NSA leaks shows that the
> agency's attacks on VPNs are consistent with having achieved such a break.”
>
>
>
> One issue we have with these vulnerabilities is the risk level:
> nation-state resources are needed. After the Shadow Brokers source code leak
> and the WannaCry ransomware outbreak we have to review what vulnerabilities
> actually require nation-state resources.
>
> The question is how do we disseminate this information? I feel that the
> breadth and reach of the OWASP Top Ten needs to have a layer beneath it on
> some items/topics such as A5 Security Misconfiguration. I realize that some
> topics like XSS have so many variables that we can’t reach the depth of
> discussion needed. But on a sub-topic like SSL in A5 Security
> Misconfiguration this can help OWASP Top Ten shine brighter and have a
> far-reaching effect.
>
>
>
> Reference: https://www.trustworthyinternet.org/ssl-pulse/
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
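The Logjam discussion in Larry's message turns on the size of the Diffie-Hellman prime a server offers in its key exchange. The Python script below is an added example, not part of this thread or of any OWASP project: it parses the ServerDHParams prefix of a TLS 1.2 ServerKeyExchange body (RFC 5246 section 7.4.3, three length-prefixed vectors p, g, Ys) and classifies the prime length using the thresholds quoted from weakdh.org above (512-bit export groups, 768-bit academic, 1024-bit nation-state). The sample messages are constructed inside the script with placeholder "primes" (not real DH groups; only their length matters for the check), and all function names are my own.

```python
import struct

# Thresholds follow the weakdh.org text quoted in the message above:
# 512-bit export groups are the Logjam downgrade target, 768-bit is within
# reach of an academic team, 1024-bit within reach of a nation-state.
def classify_dh_prime_bits(bits: int) -> str:
    if bits <= 512:
        return "export-grade (Logjam downgrade target)"
    if bits < 1024:
        return "weak (breakable with academic resources)"
    if bits < 2048:
        return "at risk (nation-state precomputation per weakdh.org)"
    return "acceptable"


def parse_server_dh_params(body: bytes) -> dict:
    """Parse ServerDHParams from the start of a TLS 1.2 ServerKeyExchange body.

    Layout (RFC 5246 7.4.3): opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>;
    opaque dh_Ys<1..2^16-1>.  Each vector carries a 2-byte big-endian length.
    Raises ValueError on truncated or zero-length fields instead of guessing.
    """
    fields = []
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length {length} for {name}")
        fields.append(body[offset:offset + length])
        offset += length
    p, g, ys = fields
    return {
        "p": int.from_bytes(p, "big"),
        "g": int.from_bytes(g, "big"),
        "Ys": int.from_bytes(ys, "big"),
    }


def assess_server_key_exchange(body: bytes) -> dict:
    """Report the DH prime size a server offered and the matching risk class."""
    params = parse_server_dh_params(body)
    bits = params["p"].bit_length()
    return {"prime_bits": bits, "risk": classify_dh_prime_bits(bits)}


def _encode_vector(value: bytes) -> bytes:
    # opaque<1..2^16-1>: 2-byte length prefix followed by the bytes
    return struct.pack("!H", len(value)) + value


def build_sample_ske(prime_bits: int) -> bytes:
    """Construct a ServerDHParams body with a placeholder 'prime'.

    This is constructed test data: the value is NOT a real DH prime, it is
    simply an integer with exactly prime_bits bits so the parser's length
    measurement can be exercised offline.
    """
    p = (1 << (prime_bits - 1)) | 1  # top bit set, so bit_length() == prime_bits
    p_bytes = p.to_bytes((prime_bits + 7) // 8, "big")
    g = b"\x02"                       # generator 2, as most real groups use
    ys = b"\x7f" * len(p_bytes)       # placeholder public value, same width as p
    return _encode_vector(p_bytes) + _encode_vector(g) + _encode_vector(ys)


if __name__ == "__main__":
    for size in (512, 768, 1024, 2048):
        report = assess_server_key_exchange(build_sample_ske(size))
        print(f"{report['prime_bits']:5d}-bit prime: {report['risk']}")
    try:
        parse_server_dh_params(b"\x00\x10abc")  # constructed truncated message
    except ValueError as exc:
        print("malformed input rejected:", exc)
```

On a live server the same measurement can be taken from a packet capture of the handshake; the defensive fix the statistics argue for is to drop DHE_EXPORT cipher suites entirely and serve a freshly generated group of at least 2048 bits (or prefer ECDHE), which the classifier above would report as "acceptable".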