Secure Sockets Layer

The SecureSocketsLayer (SSL) protocol is used by most secured websites, especially where financial transactions are involved.

It is commonly used in browsers as a layer 7 access mechanism over TCP port 443, although it is by no means limited to this.

A server certificate is needed from a certificate authority (e.g. Verisign), through a tedious Certificate Signing Request (CSR) process.

Typically, asymmetric encryption is used for securing messages, and a process exists to protect the key necessary to decrypt a secured message.

SSLv2 is still around but it is being phased out.

SSLv3 (or TLS) enables two-way roundtrip authentication. This is done by the client presenting a signed certificate to the web server, in addition to the certificate presented by the server to the client.
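
The difference between server-only and two-way authentication, as an added example using Python's standard ssl module (not part of the original page). The file-path parameters are hypothetical and optional, so the resulting policy can be inspected without any key material on disk.

```python
import ssl


def server_context(require_client_cert, certfile=None, keyfile=None, client_ca=None):
    """Server side. The file paths are hypothetical; supply them in a real deployment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse SSLv2, SSLv3 and early TLS outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        # The certificate the server presents to every client.
        ctx.load_cert_chain(certfile, keyfile)
    if require_client_cert:
        # Two-way: the handshake fails unless the client presents a
        # certificate that chains to a CA loaded below.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca:
            ctx.load_verify_locations(cafile=client_ca)
    else:
        # One-way: only the server is authenticated by certificate.
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context(server_ca=None, certfile=None, keyfile=None):
    """Client side. PROTOCOL_TLS_CLIENT verifies the server certificate and hostname by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_ca:
        ctx.load_verify_locations(cafile=server_ca)
    if certfile:
        # Only needed when the server demands two-way authentication.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def policy(ctx):
    """Summarise the settings that decide which side must prove its identity."""
    return {
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("one-way server:", policy(server_context(False)))
    print("two-way server:", policy(server_context(True)))
    print("client:        ", policy(client_context()))
```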


Applicability

It is said that this is a superior mechanism for securing client-server WebApplications, because pre-configured certificates on servers often suffice, without the need for client-side certificates. This has simplified administration of InformationSecurity. See the article in PublicKeyInfrastructure WebServices for details.


Reading material


CategorySecurity, CategoryEnterpriseComputingConcerns, CategoryWebDesign