Difference between revisions of "SSL Best Practices"

From OWASP
Jump to: navigation, search
m
(16 intermediate revisions by 8 users not shown)
Line 1: Line 1:
==Introduction and Contents:==
+
== Status ==
 +
This guide is out of date and incomplete. Please see [[Transport Layer Protection Cheat Sheet]] for information on TLS/SSL configuration and best practice.
  
*What is SSL
+
==What is SSL==
*How SSL is implemented in J2EE
+
*HTTPS best practices in general
+
*HTTPS best practices in J2EE
+
*Examples with Tomcat
+
*Examples with JBoss.
+
  
==What is SSL:==
+
SSL is the abbreviation of Secured Socket Layer. It is a protocol enabling to settle a secured communication between two hosts. The origin host is viewed as an SSL client and the destination host as an SSL server.
 
+
SSL is the abreviation of Secured Socket Layer. It is a network level protocol enabling to settle a secured communication between two hosts. The origin host is viewed as an SSL client and the destination host as an SSL server.
+
  
 
SSL has also been normalised as the TLS (Transport Layer Security) protocol.  
 
SSL has also been normalised as the TLS (Transport Layer Security) protocol.  
  
'''SSL is used on top of a transport level protocol''' like HTTP or FTP in order to secure them.  
+
'''SSL is used on top of a transport level protocol''' like HTTP or FTP in order to secure it.  
  
 
SSL enables :  
 
SSL enables :  
Line 21: Line 15:
 
* data integrity checking through hashing.
 
* data integrity checking through hashing.
  
SSL relies on two types of encryptions :
+
SSL relies on two types of encryption :
 
* public key encryption in the initiation phase, where authentication takes place
 
* public key encryption in the initiation phase, where authentication takes place
 
* secret key encryption when a session has been established and data is sent between two peers which trust each other.
 
* secret key encryption when a session has been established and data is sent between two peers which trust each other.
  
 
'''SSL only secures the communication between two endpoints''' : in the origin and destination points, data is in clear text, unless it is encrypted by another means, at the application level.
 
'''SSL only secures the communication between two endpoints''' : in the origin and destination points, data is in clear text, unless it is encrypted by another means, at the application level.

Revision as of 18:04, 2 September 2011

Status

This guide is out of date and incomplete. Please see Transport Layer Protection Cheat Sheet for information on TLS/SSL configuration and best practice.

What is SSL

SSL is the abbreviation of Secured Socket Layer. It is a protocol enabling to settle a secured communication between two hosts. The origin host is viewed as an SSL client and the destination host as an SSL server.

SSL has also been normalised as the TLS (Transport Layer Security) protocol.

SSL is used on top of a transport level protocol like HTTP or FTP in order to secure it.

SSL enables :

  • authentication of the destination host for the origin host or mutual authentication of both the origin and the destination hosts
  • data confidentiality through encryption
  • data integrity checking through hashing.

SSL relies on two types of encryption :

  • public key encryption in the initiation phase, where authentication takes place
  • secret key encryption when a session has been established and data is sent between two peers which trust each other.

SSL only secures the communication between two endpoints : in the origin and destination points, data is in clear text, unless it is encrypted by another means, at the application level.