Reorder A04 "how to prevent" paragraph for clarity #912
Open
drwetter wants to merge 6 commits into OWASP:master from
Conversation
* Also advise to deprecate RSA ciphers as browsers don't necessarily need them anymore. Note (and related) the Bleichenbacher issue (PKCS #1 1.5) should be removed at least as far as browser/server crypto is concerned. It's 8 years old, see https://robotattack.org/ . Don't know however whether this could still be an issue for developers (libraries). Anyone?
Also the thing with where to store crypto keys and similar is not easy to describe in 1 to 2 lines. Sensitive keys and also passwords should not be stored in memory longer than needed: an administrative user can access memory and could harvest passwords or keys. So I would advise to at least release (or overwrite) the memory as soon as it is not needed anymore. At rest it should best never be stored. However it depends pretty much... On a classical web server you need the private key for the certificate to be on disk. OTOH e.g. in a cloud or shared hosting environment you don't want refresh tokens or passwords in memory longer than needed.
now it's application later, OWASP#940
... as it is not aligned much with the audience. Kudos @HimasreeKolathur24 and @nealey