Category:WASS Secure Channel

Establish a secure communication channel.
The default mechanism for web applications and client browsers to communicate is HTTP, a plain-text protocol. However, HTTP can be "tunneled" over a secure point-to-point connection via Secure Sockets Layer (SSL) to protect against interception and/or tampering with data in transit. Additionally, SSL provides limited assurance about the authenticity of the end hosts. The following steps should be taken when negotiating an HTTP over SSL (HTTPS) connection, to prevent weak or untrusted connections from being established.


 * Ensure that a valid certificate is used to identify the web server. Certificates should:
   * match the server address where it resides
   * be signed by a valid root Certificate Authority
   * be valid for the length of time the audit is certifying the application for (i.e. should not expire for a minimum of 3 months if reviews are quarterly)
   * reference a certificate revocation list
   * be an SSL certificate only (code signing certificates etc. are not allowed)
 * Utilize a strength of at least 128 bits.
 * Perform key exchange through a channel protected by a strong cipher scheme (as specified in the SSL specifications).
 * Use SSL version 3.1 (TLS version 1) for secure communications.
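As an added example (not part of this page or of any WASS tooling), the checklist above can be turned into an audit of a negotiated session using only the Python standard library: `ssl.create_default_context()` enforces the trusted-root-CA requirement, and the remaining items are checked against the dict that `SSLSocket.getpeercert()` returns together with the negotiated protocol and cipher. The sample certificate dict, the fixed "now" and the `audit_*` function names are constructed for the example; key usage (SSL-only certificate) and public-key size are not exposed by `getpeercert()` and would need a full X.509 parser.

```python
import socket, ssl, time

MIN_VALID_DAYS = 90       # page: must not expire for at least 3 months
MIN_CIPHER_BITS = 128     # page: strength of at least 128 bits
TLS_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # page: SSL 3.1 (TLS 1) or later

def hostname_matches(hostname, pattern):
    """Exact match, or one leading wildcard label (*.example.com covers www.example.com only)."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        h, p = host.split("."), pat.split(".")
        return len(h) == len(p) and h[1:] == p[1:]
    return host == pat

def audit_channel(cert, hostname, tls_version, cipher, now=None):
    """Apply the checklist to one session; an empty list means it passes. cert is the dict from
    SSLSocket.getpeercert(), cipher the (name, protocol, bits) tuple from SSLSocket.cipher()."""
    now = time.time() if now is None else now
    findings = []
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(hostname_matches(hostname, n) for n in sans):
        findings.append("certificate does not match server address " + hostname)
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < MIN_VALID_DAYS:
        findings.append("certificate expires in %.0f days (< %d)" % (days_left, MIN_VALID_DAYS))
    if not cert.get("crlDistributionPoints"):
        findings.append("certificate references no certificate revocation list")
    if tls_version not in TLS_VERSIONS:
        findings.append("protocol %s is not TLS" % tls_version)
    if cipher[2] < MIN_CIPHER_BITS:
        findings.append("cipher %s offers only %d bits" % (cipher[0], cipher[2]))
    return findings

def audit_live_host(hostname, port=443):
    """Connect and audit; the default context rejects chains not rooted in a trusted CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as raw, ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        return audit_channel(tls.getpeercert(), hostname, tls.version(), tls.cipher())

# Constructed sample in getpeercert() format (not a real certificate) and a fixed clock.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Jun 30 12:00:00 2024 GMT",
    "crlDistributionPoints": ("http://crl.example.com/ca.crl",),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2024 GMT")
STRONG = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)
```

`audit_live_host("www.example.com")` runs the same checks against a real endpoint; a handshake that fails chain validation raises `ssl.SSLCertVerificationError` before any checklist item is evaluated.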