Thursday, October 30, 2008

SSL is not everything

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS, a standard protocol from the IETF) are cryptographic protocols used to protect data in transit by encrypting the communication stream between two end points (the client and the server). This provides confidentiality for the communication session, and is typically used by web services such as online banking. The term HTTPS is commonly used to refer to SSL/TLS applied to web traffic (the underlying protocol may be either SSL or TLS).

Besides providing confidentiality (through encryption and authentication), it also provides integrity, which ensures that the data is not altered during transmission.

I wrote this post to share some misconceptions about SSL/TLS held by many people, including IT professionals. Below are some of the common misconceptions:

- "Web servers and their data are secure as long as they use SSL"

- "With SSL, applications and web servers are not susceptible to known exploits or vulnerabilities"

The fact is that using SSL does not protect you against system and application vulnerabilities. It only protects the data in transit. In fact, SSL itself has had vulnerabilities and exploits found in its previous versions. Don't blindly implement SSL and think that everything is secured.
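To make the two points above concrete (the transport guarantees integrity and confidentiality, yet an application flaw passes through the encrypted channel untouched), here is an added, self-contained Python example. It is not code from the original post and not a TLS implementation: the "channel" is a toy encrypt-then-MAC construction built from HMAC-SHA256, the SQLite database, the `users` rows and the constants `KEY`, `seal`, `open_sealed`, `lookup_vulnerable`, `lookup_safe` and `request_over_channel` are all constructed for the demonstration. The channel detects any alteration of a record in transit, but it delivers a malicious query parameter to the server exactly as faithfully as a benign one; only the parameterised handler stops the injection.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key; a real TLS session negotiates keys per connection.
KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (nonce || counter), in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record: nonce || ciphertext || tag.
    Confidentiality comes from the keystream, integrity from the tag."""
    nonce = os.urandom(NONCE_LEN)          # fresh per record, so keystreams never repeat
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, record: bytes) -> bytes:
    """Verify the tag before decrypting; any altered byte raises ValueError."""
    nonce, ciphertext, tag = (record[:NONCE_LEN],
                              record[NONCE_LEN:-TAG_LEN],
                              record[-TAG_LEN:])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record was altered in transit")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


# --- Application layer: the part SSL/TLS does nothing about ---

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable handler: the query is assembled by string formatting."""
    rows = conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened handler: the parameter is bound, never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def request_over_channel(handler, conn: sqlite3.Connection, name: str) -> list:
    """Client seals the parameter, server opens it, then runs the handler.
    The channel proves the bytes are confidential and unmodified; it cannot
    tell a benign name from an injection payload."""
    record = seal(KEY, name.encode())
    delivered = open_sealed(KEY, record).decode()
    return handler(conn, delivered)


def tamper_is_detected(key: bytes, plaintext: bytes) -> bool:
    """Flip one ciphertext byte and confirm the receiver rejects the record."""
    record = bytearray(seal(key, plaintext))
    record[NONCE_LEN] ^= 0x01
    try:
        open_sealed(key, bytes(record))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"           # textbook injection string, sent over the "secure" channel
    print("vulnerable handler over channel:", request_over_channel(lookup_vulnerable, conn, payload))
    print("safe handler over channel:      ", request_over_channel(lookup_safe, conn, payload))
    print("tampering detected:             ", tamper_is_detected(KEY, b"alice"))
```

The transport layer does its job in both runs: the record is encrypted, and a single flipped byte is rejected. Whether the server then leaks every row or returns nothing is decided entirely by how the handler builds its query, which is the author's point.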

Related Links:
- RFC 2246 on the TLS protocol
- Wiki on TLS/SSL

1 comment:

Kishur Prabhakaran said...

Exactly. I used to get comments from system engineers and application owners telling me that their system is not possible to hack because they use SSL.