[Owasp-topten] [Owasp-leaders] OWASP Top Ten

Dave Wichers dave.wichers at owasp.org
Mon May 22 14:47:36 UTC 2017


Larry,

Thanks again for your input. I want to make sure I understand the point of
your comment. Is it that we should try to emphasize that getting your
SSL/TLS configuration right is one of the important aspects of A5? If so, I
certainly agree. And I see now that we basically say nothing about this in
A5, and we should.

Assuming so, how specifically would you recommend we change A5 to help
emphasize this point?

We could certainly reference
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet. And it
seems like we should have at least one example or bullet in the 'Am I
Vulnerable', 'How Do I Prevent', or 'Example' boxes (ideally one in each to
give this topic emphasis). But which existing bullets in each of these
should we drop or shorten to make room? And what should we add?

The ideal way to provide such suggestions is to actually edit a copy of the
OWASP Top 10 - 2017 Release Candidate, which is in PowerPoint
(<https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pptx>),
to make sure your additions/deletions actually fit. Space constraints are
one of the key drivers of any edits made to the T10, unfortunately.

Great feedback and I'm sure we can make some improvements in this area.

-Dave

p.s. I did not address any of the subsequent comments to Larry's message
because they really are on a different topic. I have on my todo list to go
through all the older T10 comments that I haven't responded to and respond
to them, but I've been swamped with work, personal, T10, and Benchmark
things I'm working on and haven't had the time to be as responsive as I'd
like. But a big work project got done last week so hopefully I'll have time
to catch up on a lot of that this week and also work on preparing for the
T10 sessions at the OWASP Summit in 3+ weeks.


On Sun, May 14, 2017 at 7:09 PM, Larry Conklin <larry.conklin at owasp.org>
wrote:

> Dave and group hope you find this feedback on the Top Ten to be
> constructive.
>
> Feedback on candidate release OWASP TOP 2017
>
> A5 - Security Misconfiguration.
>
> Stating that security misconfiguration is not enough. It does bring forth
> the issues for developers and security professionals that important
> security vulnerabilities exist in server and application configurations. It
> does not address some large, common security misconfigurations. OWASP Top Ten
> cannot address every misconfiguration, and it shouldn't. But I feel that
> somehow within the OWASP Top Ten we should address major security
> misconfigurations that are prevalent on web sites.
>
> Websites, mail servers, and other TLS-dependent services fall exactly
> within this gray zone. Right now we have a self-created crisis. Users are
> taught wrongly that https means safe and the green lock in the URL means
> the web site is safe. Yet evidence shows web sites are moving to TLS with
> misconfigured settings.
>
> Some basic statistics, per the Weak DH website, https://weakdh.org:
>
>   Protocol                                   Vulnerable to Logjam
>   HTTPS — Top 1 Million Domains              8.4%
>   HTTPS — Browser Trusted Sites              3.4%
>   SMTP+StartTLS — IPv4 Address Space         14.8%
>   POP3S — IPv4 Address Space                 8.9%
>   IMAPS — IPv4 Address Space                 8.4%
>
> “The Logjam attack allows a man-in-the-middle attacker to downgrade
> vulnerable TLS connections to 512-bit export-grade cryptography. This
> allows the attacker to read and modify any data passed over the connection.
> The attack is reminiscent of the FREAK attack, but is due to a flaw in the
> TLS protocol rather than an implementation vulnerability, and attacks a
> Diffie-Hellman key exchange rather than an RSA key exchange. The attack
> affects any server that supports DHE_EXPORT ciphers, and affects all
> modern web browsers. 8.4% of the Top 1 Million domains were initially
> vulnerable.”
>
>   Protocol                                   Vulnerable if most common 1024-bit group is broken
>   HTTPS — Top 1 Million Domains              17.9%
>   HTTPS — Browser Trusted Sites              6.6%
>   IPv4 Address Space                         25.7%
>   IKEv1 (IPsec VPNs) — IPv4 Address Space    66.1%
>
> “Millions of HTTPS, SSH, and VPN servers all use the same prime numbers
> for Diffie-Hellman key exchange. Practitioners believed this was safe as
> long as new key exchange messages were generated for every connection.
> However, the first step in the number field sieve—the most efficient
> algorithm for breaking a Diffie-Hellman connection—is dependent only on
> this prime. After this first step, an attacker can quickly break individual
> connections. This computation, against the most common 512-bit prime used
> for TLS, demonstrates that the Logjam attack can be used to downgrade
> connections to 80% of TLS servers supporting DHE_EXPORT. It has been
> estimated that an academic team can break a 768-bit prime and that a
> nation-state can break a 1024-bit prime. Breaking the single, most
> common 1024-bit prime used by web servers would allow passive eavesdropping
> on connections to 18% of the Top 1 Million HTTPS domains. A second prime
> would allow passive decryption of connections to 66% of VPN servers and 26%
> of SSH servers. A close reading of published NSA leaks shows that the
> agency's attacks on VPNs are consistent with having achieved such a break.”
>
> One issue we have with these vulnerabilities is the risk level:
> nation-state resources are needed. After the Shadow Brokers source code leak
> and the WannaCry ransomware outbreak, we have to review what vulnerabilities
> actually require nation-state resources.
>
> The question is how do we disseminate this information? I feel that the
> breadth and reach of the OWASP Top Ten needs to have a layer beneath it on
> some items/topics such as A5 Security Misconfiguration. I realize that some
> topics like XSS have so many variables that we can't reach the depth of
> discussion needed. But on a sub-topic like SSL in A5 Security
> Misconfiguration, this can help OWASP Top Ten shine brighter and have a
> far-reaching effect.
>
> Reference: https://www.trustworthyinternet.org/ssl-pulse/
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
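The thread argues that TLS misconfiguration, and specifically servers that still accept DHE_EXPORT suites or use a 1024-bit Diffie-Hellman group, belongs under A5. The check below is an added example written for this page; it is not code from the OWASP Top 10 project, from weakdh.org, or from either author. It parses a captured TLS 1.2 server flight (ServerHello plus a DHE ServerKeyExchange) and reports whether an export suite was negotiated and how large the DH prime is. The server flights it runs on are constructed inline, not captured from a real host, and their "primes" are size placeholders rather than real DH groups; the thresholds (512-bit broken, 1024-bit feasible for a nation-state, 2048-bit recommended) follow the weakdh.org figures quoted above.

```python
"""Offline check of a captured TLS 1.2 server handshake for the weakness the
thread discusses: a negotiated DHE_EXPORT cipher suite, or a Diffie-Hellman
group that is export-grade (<= 512 bits) or only 1024 bits.

Added example. The sample flights below are constructed, not captured from a
real server, and their 'primes' are size placeholders, not real DH groups."""
import struct

HANDSHAKE = 22            # TLS record content type
SERVER_HELLO = 2          # handshake message types
SERVER_KEY_EXCHANGE = 12

# DHE_EXPORT suite IDs from RFC 2246 (the suites a Logjam downgrade lands on).
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def iter_handshake_messages(records):
    """Yield (type, body) for each handshake message in concatenated TLS
    records; handshake payloads are reassembled across record boundaries."""
    buf, off = b"", 0
    while off + 5 <= len(records):
        ctype, _version, length = struct.unpack("!BHH", records[off:off + 5])
        off += 5
        if ctype == HANDSHAKE:
            buf += records[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(buf):
        htype = buf[pos]
        hlen = int.from_bytes(buf[pos + 1:pos + 4], "big")
        yield htype, buf[pos + 4:pos + 4 + hlen]
        pos += 4 + hlen


def parse_server_hello(body):
    """Negotiated suite ID: version(2) random(32) sid_len(1) sid suite(2)."""
    pos = 35 + body[34]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def parse_dhe_params(body):
    """(p, g, Ys) from a DHE ServerKeyExchange body, each with a 2-byte
    length prefix (RFC 5246 section 7.4.3); the trailing signature is ignored."""
    vals, pos = [], 0
    for _ in range(3):
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        vals.append(int.from_bytes(body[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    return tuple(vals)


def assess(records):
    """Return {'cipher_suite', 'dh_bits', 'verdict'} for a server flight."""
    suite = dh_bits = None
    for htype, body in iter_handshake_messages(records):
        if htype == SERVER_HELLO:
            suite = parse_server_hello(body)
        elif htype == SERVER_KEY_EXCHANGE:
            p, _g, _ys = parse_dhe_params(body)
            dh_bits = p.bit_length()
    if suite in DHE_EXPORT_SUITES:
        verdict = "FAIL: export suite %s negotiated" % DHE_EXPORT_SUITES[suite]
    elif dh_bits is None:
        verdict = "INFO: no DHE key exchange in capture"
    elif dh_bits <= 512:
        verdict = "FAIL: %d-bit DH group is export-grade" % dh_bits
    elif dh_bits < 2048:
        verdict = "WARN: %d-bit DH group; weakdh.org advises >= 2048 bits" % dh_bits
    else:
        verdict = "OK: %d-bit DH group" % dh_bits
    return {"cipher_suite": suite, "dh_bits": dh_bits, "verdict": verdict}


def _record(payload):
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload


def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def make_capture(suite, p_bits):
    """Constructed ServerHello + ServerKeyExchange with a placeholder p of
    exactly p_bits bits (top bit set), g = 2 and a dummy Ys."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    p = (1 << (p_bits - 1)) | 1                 # placeholder, not a real prime
    p_bytes = p.to_bytes(p_bits // 8, "big")
    ske = (struct.pack("!H", len(p_bytes)) + p_bytes
           + struct.pack("!H", 1) + b"\x02"
           + struct.pack("!H", len(p_bytes)) + p_bytes)
    return (_record(_handshake(SERVER_HELLO, hello))
            + _record(_handshake(SERVER_KEY_EXCHANGE, ske)))


if __name__ == "__main__":
    for suite, bits in [(0x0014, 512), (0x0039, 1024), (0x009E, 2048)]:
        print(assess(make_capture(suite, bits))["verdict"])
```

To use it against a real server, replace the constructed flight with the bytes a client receives after sending a ClientHello (from a socket or a pcap export). Note that a server which would accept DHE_EXPORT only reveals that when the ClientHello offers such suites, which is what the Logjam attacker forces; a scan that offers only the suites in DHE_EXPORT_SUITES and sees a ServerHello rather than a handshake failure has found a server that A5 should be flagging.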