Portcullis Labs » GPG
https://labs.portcullis.co.uk
Research and Development

SSL Good Practice Guide
https://labs.portcullis.co.uk/whitepapers/ssl-good-practice-guide/
Fri, 11 Apr 2014 05:00:53 +0000

This document discusses a number of attack vectors for SSL and TLS, offering real-world examples where it can.

It also offers advice on how to protect and correctly configure SSL services, with the goal of helping ensure that they have a minimised attack surface.

SSLGPG
SSLGPG-1.4.pdf: Version 1.4, September 23, 2015, 578.6 KiB, MD5 hash: f1d0976053e839a85dd19259ba26b0c0
SSLGPG-1.2.pdf: Version 1.2, April 10, 2014, 584.5 KiB, MD5 hash: 1c660fa51cb46805ee76a515aa330005
SSLGPG-1.1.pdf: Version 1.1, April 1, 2014, 578.0 KiB, MD5 hash: 47029e16f8d2ccf5f041d368722c40b7
SSLGPG.pdf: September 20, 2013, 576.1 KiB, MD5 hash: eb0599b73eb8f3ef5110d30e14acb32e

New SSL recommendations
https://labs.portcullis.co.uk/blog/new-ssl-recommendations/
Tue, 01 Apr 2014 12:38:59 +0000

As previously mentioned in "SSL: Light at the end of the tunnel", today is the day that our SSL recommendations officially change. From today onwards the Team recommend only TLS versions 1.1 and 1.2. Up until now the Team have accepted the need for SSLv3 and TLSv1 for compatibility reasons; however, the time has come to cut the cord. The loss of compatibility should only affect legacy systems. If these systems cannot be updated to support the newer protocols, then weak SSL is likely to be the least of your security concerns!

The Team will continue to update the guide going forwards, and will highlight major changes on the blog. Whilst you’re checking out our updated recommendations, why not take a few extra minutes and look at our SSL Certificate Good Practice Guide?

SSL Certificate Good Practice Guide
https://labs.portcullis.co.uk/whitepapers/ssl-certificate-good-practice-guide/
Mon, 03 Feb 2014 17:03:24 +0000

This document is not intended to be a definitive guide, but rather a review of specific, commonly identified issues resulting from the inappropriate deployment of SSL certificates on internal services within a corporate environment.

Whilst this document is not intended to be definitive, Portcullis believes that it should provide a high-level summary of the issues that are typically present in such an environment, along with proposals as to how they can be mitigated.

SSLCGPG
SSLCGPG-1.2.pdf: Version 1.2, September 24, 2015, 543.4 KiB, MD5 hash: 5cb28138af43c817092f9d09dc548df6
SSLCGPG.pdf: February 3, 2014, 542.8 KiB, MD5 hash: 881c9e4e53d998379d7ee61cf6299f9a

HTML 5 Good Practice Guide
https://labs.portcullis.co.uk/whitepapers/html-5-good-practice-guide/
Fri, 26 Apr 2013 17:54:06 +0000

This document is not intended to be a definitive guide, but rather a review of the specific security issues resulting from the use of HTML 5.

Portcullis was asked to provide consultancy in the form of analysis and good practice recommendations with respect to migrations from Flash to HTML 5.

Whilst this document is not intended to be a definitive guide, Portcullis believes that it should provide a high-level summary of the pros and cons of the proposed migration.

HTML5GPG
HTML5GPG.pdf: April 26, 2013, 383.1 KiB, MD5 hash: 419f5768fc2814c6e1eeaa774ba42148

Web Application Password Reset Good Practice Guide
https://labs.portcullis.co.uk/whitepapers/web-application-password-reset-good-practice-guide/
Fri, 26 Apr 2013 17:53:01 +0000

Over the years of application testing we have seen many bad password reset implementations, so we have put together a good practice guide to help design a secure process for your applications.

This document aims to detail the key features of secure password reset procedures which can be used within web applications. As well as detailing these features, it gives examples of how the reset can be done.

PRGPG
PRGPG.pdf: April 26, 2013, 355.9 KiB, MD5 hash: 7aeb675c0aad6501eddb10ba3fd125b3
