[OWASP-Raleigh, NC] TLS/SSL cheat sheet from OWASP

Steve Pinkham steve.pinkham at gmail.com
Tue Oct 20 10:47:37 EDT 2009


Hey all,
OWASP put this TLS cheat sheet out in the last week that relates to what 
we talked about at the last meeting, so I thought I'd pass it along.
http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

BTW, if anyone does decide to do tests for or convert to pure SSL, I'd 
be interested in any metrics you come up with.  It's easy to test the 
pure encryption overhead of SSL, but the latency overhead of the SSL 
handshake also affects both the initial resource load time and server 
load, and those are harder to quantify in the lab.  We have customers who 
do pure SSL, but so far don't have reports from people who have switched 
as to what the overhead is.

Vaguely related, very high SSL usage can lead to depletion of randomness 
pools.  I've been testing one of these for a bit: 
http://www.entropykey.co.uk/ and they're cheap and so far have held up 
to my abuse and testing.  I use it mostly for generating DNSSEC keys for 
testing, but that's another month. ;-)

Steve
-- 
  | Steven E. Pinkham                      |
  | Security Researcher, Maven Security    |
  | http://www.mavensecurity.com           |
  | GPG public key ID CD31CAFB             |
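The handshake-latency question raised above, as an added example that is not part of the original message: it times the TCP connect and the TLS handshake separately for one fetch, then repeats with session resumption so the saved round trips can be measured rather than guessed. The host, port and request are assumptions; the `summarize` helper works on any list of timings.

```python
import socket
import ssl
import statistics
import time

# One shared context: Python only accepts a resumed session created under the same SSLContext.
CTX = ssl.create_default_context()


def time_phases(host: str, port: int = 443, session=None):
    """Return (tcp_connect_s, tls_handshake_s, ssl_session) for a single connection."""
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=10)
    t1 = time.perf_counter()
    tls = CTX.wrap_socket(raw, server_hostname=host, session=session)  # handshake happens here
    t2 = time.perf_counter()
    # A tiny request so that TLS 1.3 session tickets (sent after the handshake) get read.
    tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
    tls.recv(4096)
    sess = tls.session
    tls.close()
    return t1 - t0, t2 - t1, sess


def summarize(full, resumed):
    """Median cost (seconds) of full vs resumed handshakes and the fraction resumption saves."""
    med_full = statistics.median(full)
    med_res = statistics.median(resumed) if resumed else None
    saving = (1 - med_res / med_full) if med_res is not None else None
    return {"full_median_s": med_full, "resumed_median_s": med_res, "resumption_saving": saving}


def sample(host: str, port: int = 443, n: int = 5):
    """Measure n full handshakes and, where the server hands back a session, n resumed ones."""
    full, resumed = [], []
    for _ in range(n):
        _, hs, sess = time_phases(host, port)
        full.append(hs)
        if sess is not None:
            _, hs_resumed, _ = time_phases(host, port, session=sess)
            resumed.append(hs_resumed)
    return summarize(full, resumed)


if __name__ == "__main__":
    # Assumed target; replace with the server under test.
    print(sample("www.example.com"))
```

Run it against a staging host from the client network you care about; the TCP connect figure is the floor, and the gap between full and resumed handshakes is what session caching on the server buys you.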