
This page lists the protocols recommended for ONAP components and the ones that must be avoided.

Introduction

All communication between applications must be encrypted; this is one of the requirements of the CII Best Practices badge. ONAP has many applications talking to one another, and this page tries to cover every communication scenario. It is a work in progress, so if you think a scenario is missing, please let us know.

Browser/Rest client

Scenario:

A browser or a REST client accesses an application. Most applications expose a REST API to external clients, so the transport for that API is what needs to be secured.

Recommendations:

  • Use TLS. All versions of SSL (SSLv2, SSLv3) are deprecated and must not be used, and TLS 1.0 and 1.1 are deprecated as well (RFC 8996), so TLS 1.2 or later should be configured.
  • Every resource must be served over HTTPS: HTML pages, CSS, scripts, images, AJAX requests, POST data and third-party includes. Anything fetched over plain HTTP is a vector for man-in-the-middle attacks.
  • Protecting only the authenticated pages with HTTPS is not enough. As soon as one request goes over HTTP, an attacker in the path can tamper with it and prevent the user from ever reaching the secured pages (for example by rewriting links or stripping the redirect to HTTPS).
  • The HTTP Strict-Transport-Security (HSTS) header must be sent on every HTTPS response, and the domain should be submitted to the browser HSTS preload list. HSTS instructs compatible browsers to use HTTPS only, even when a page or link asks for HTTP; preloading closes the window before the first visit, when the browser has not yet seen the header.
  • Cookies must be marked Secure, so the browser never sends them over plain HTTP.
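The following is an added example (not ONAP project code) showing the three server-side pieces the recommendations above call for, plus a checker that audits a response against them. It uses only the Python standard library; the handler, header value and sample responses are assumptions made for the example, and the HSTS preload requirements encoded here (max-age of at least one year, includeSubDomains and preload) are the published criteria of the browser preload list.

```python
"""Added example (hypothetical, not ONAP code): enforce and audit the
browser/REST-client transport recommendations:
  - plain-HTTP requests are redirected to HTTPS, never answered with content,
  - every HTTPS response carries a preload-eligible Strict-Transport-Security header,
  - every Set-Cookie carries the Secure attribute.
"""
from http.cookies import SimpleCookie

# HSTS preload list criteria: max-age >= 1 year, includeSubDomains, preload.
ONE_YEAR = 31536000
HSTS_VALUE = f"max-age={ONE_YEAR}; includeSubDomains; preload"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def hsts_preload_ready(value):
    """True when the header value meets the preload list requirements."""
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return False
    return max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d


def handle_request(scheme, host, path, cookie_name=None, cookie_value=None):
    """Hypothetical handler: returns (status, headers, body).

    Plain HTTP gets a permanent redirect and no content; HTTPS responses
    always carry HSTS and any cookie is set with Secure (and HttpOnly,
    since a session cookie should not be readable by script).
    """
    if scheme != "https":
        return ("301 Moved Permanently",
                [("Location", f"https://{host}{path}")], b"")
    headers = [("Content-Type", "application/json"),
               ("Strict-Transport-Security", HSTS_VALUE)]
    if cookie_name:
        jar = SimpleCookie()
        jar[cookie_name] = cookie_value
        jar[cookie_name]["secure"] = True
        jar[cookie_name]["httponly"] = True
        headers.append(("Set-Cookie", jar[cookie_name].OutputString()))
    return ("200 OK", headers, b'{"status":"ok"}')


def audit_response(scheme, status, headers):
    """Return a list of findings; empty means the response is compliant."""
    findings = []
    plain, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            plain[name.lower()] = value
    if scheme != "https" and not status.startswith("30"):
        findings.append("content served over plain HTTP")
    hsts = plain.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    elif not hsts_preload_ready(hsts):
        findings.append("HSTS header not eligible for preload: " + hsts)
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie without Secure attribute: " + cookie.split(";")[0])
    return findings


# Constructed sample of a non-compliant response, for demonstration only.
BAD_HEADERS = [("Content-Type", "text/html"),
               ("Strict-Transport-Security", "max-age=300"),
               ("Set-Cookie", "JSESSIONID=abc123; HttpOnly")]

if __name__ == "__main__":
    status, headers, _ = handle_request("https", "onap.example", "/api/v1/health",
                                        "JSESSIONID", "abc123")
    print("compliant response findings:", audit_response("https", status, headers))
    print("non-compliant findings:", audit_response("http", "200 OK", BAD_HEADERS))
```

Run the audit against a real deployment by feeding it the scheme, status line and header list of each captured response; a single HTTP 200 with content, a short max-age, or a cookie without Secure is enough to fail the check.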

To read more about SSL and TLS, see the OWASP Transport Layer Protection Cheat Sheet listed under Reference below.



Protocol    Status
TLS         Approved
SSL         Do not use

Reference

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

