[Owasp-topten] [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available
dennis.groves at owasp.org
Tue Feb 19 00:48:55 UTC 2013
On 18 Feb 2013, at 21:45, Tobias wrote:
> Hi all,
> thanks a lot for the update of the OWASP Top-Ten.
> I have to agree a bit with Dennis, that we should do more ("than
> potentially just repackaging the same thing all the time").
> And I am still not fully in line with the fact that we remove 2010.A9
> from the list as I believe that this risk is still a significant
> problem. Although we fixed part of it with RFC6797 (HSTS), and key
> pinning, this is far from over! And until all these things have been
> widely implemented (which could still take a while).
Although key pinning and the like are very good ideas, they really
depend on the Cert Authority model, which requires I fundamentally trust
people that I cannot and do not trust. What is actually required is
that everybody have client certificates - an 'internet' driver's license.
But that I am certain will never happen. So my concern is that
eventually even key pinning and the like will fail for other
as yet unknown reasons…
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a
*This email is licensed under a [CC BY-ND
**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free
> The idea that some lives matter less is the root of all that’s wrong
> with the world. -- Paul Farmer