...
All communication between applications must be encrypted; this is part of the CII badging requirements themselves. In ONAP we have multiple applications talking to one another, and we will try to address all the scenarios. This is a work in progress, so if you think we are missing a scenario, please let us know.
Browser(Webapp)/Rest client
Generally, in the past, we were using SSL as the go-to protocol for HTTPS encryption, but because of the discovery of the POODLE attack, all versions of SSL and TLS v1.0 are no longer recommended and it is required that we follow TLS
...
Having TLS enabled only on certain pages does not accomplish what was intended. Some of the points below apply only to the browser (webapp) and not to the API. For optimum results, these guidelines[1] should also be followed:
- All pages must be served over HTTPS. This includes CSS, scripts, images, AJAX requests, POST data and third-party includes. Failure to do so creates a vector for man-in-the-middle attacks [Webapp only].
- Protecting only the authenticated pages with HTTPS is not enough. Once there is a single request over HTTP, man-in-the-middle attacks are possible, with the attacker able to prevent users from ever reaching the secured pages [Webapp only].
- The HTTP Strict Transport Security header must be used and pre-loaded into browsers. This instructs compatible browsers to use only HTTPS, even if requested to use HTTP [Both Webapp and REST client].
- Cookies must be marked as Secure [Webapp only].
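An added example (not from the ONAP wiki or any ONAP project code) that checks one captured HTTPS response against the points above: HSTS present with the directives the browser preload list requires, every cookie marked Secure, and no sub-resource fetched over plain HTTP. The headers and HTML below are constructed samples.

```python
import re

# Constructed sample responses: one that follows the guidelines above and
# one that violates each of them.
COMPLIANT_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
]
COMPLIANT_BODY = '<script src="https://cdn.example/app.js"></script>'

WEAK_HEADERS = [
    ("Strict-Transport-Security", "max-age=3600"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
]
WEAK_BODY = ('<link href="https://example.org/site.css">'
             '<img src="http://example.org/logo.png">')

ONE_YEAR = 31536000  # minimum HSTS max-age accepted by the browser preload list


def check_tls_guidelines(headers, body):
    """Return a list of findings for one HTTPS response.

    headers: list of (name, value) pairs; body: the HTML text.
    An empty list means the response meets the guidelines on this page."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";")]
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year (preload list requirement)")
        if "includesubdomains" not in directives:
            findings.append("HSTS missing includeSubDomains (preload list requirement)")
        if "preload" not in directives:
            findings.append("HSTS missing preload directive")
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} not marked Secure")
    # Any script, stylesheet, image or form target fetched over plain HTTP
    # reopens the man-in-the-middle vector described above (mixed content).
    for url in re.findall(r"""(?:src|href|action)=["'](http://[^"']+)""", body, re.I):
        findings.append(f"plain-HTTP resource referenced: {url}")
    return findings


if __name__ == "__main__":
    for label, h, b in (("compliant", COMPLIANT_HEADERS, COMPLIANT_BODY),
                        ("weak", WEAK_HEADERS, WEAK_BODY)):
        print(label, check_tls_guidelines(h, b) or "OK")
```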
Reference
- https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
- https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
...