Sin 10: Improper Use ofSSLandTLS

Overview of the Sin

The Secure Sockets Layer, SSL (along with its successor, Transport Layer Security, or TLS), is the most popular protocol in the world for creating secure network connections. Its widely used in browsers to secure electronic commerce. Many applications that dont use the Web still use SSL for network security. In fact, when developers think security, they often think SSL.

Note 

For brevity, well refer to SSL and TLS simply as SSL.

Programmer APIs that handle SSL generally replace traditional point-to-point TCP socket abstractions with a secure socket (hence the original name ). Along these lines, SSL encrypts data traffic, performs integrity checking, and offers the capability for each of the two communicating parties to authenticate the other.

SSL seems simple. To most programmers, it looks like a transparent drop-in for sockets, where you can just replace regular sockets with SSL sockets, add a simple login that runs over the SSL connection, and be done with it. But, there are several problems that could end up biting you, and some of them are pretty severe. The most important one is that proper server authentication doesnt usually happen automatically. In fact, it often requires writing a lot of code.

When server authentication isnt done properly, an attacker can eavesdrop, or modify or take over conversations, generally without being detected . And, its far easier to do this than you might think; lots of open source tools are out there for launching this kind of attack.



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Writing Secure Code
ISBN: 71626751
EAN: 2147483647
Year: 2003
Pages: 239

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net