SecureSocketsLayer (SSL) protocol is used in most secured websites, especially where financial transactions are involved.
It is commonly used in browsers as a layer7 access mechanism through TCP port 443, although it is by no means limited to this.
A server certificate is needed from a certificate authority (e.g. Verisign), through a tedious Certificate Signing Request (CSR) process.
Typically asymmetric encryption mode is used for securing messages and a process exists to protect the key necessary to decrypt a secured message.
SSLv2 is still around but it is being phased out.
SSLv3 (or TLS) enables two-way roundtrip authentication. This is done by the client presenting a signed certificate to the web server, in addition to the certificate presented by the server to the client.
Applicability
It is said this is a superior mehanism for securing client-server WebApplications, because often pre-configured certificates on servers suffice without need for using client side certificates. This has simplified administration of InformationSecurity. See article in PublicKeyInfrastructure WebServices for details.
Readings material
- http://archive.devx.com/whitepapers/thawte/default.asp
- http://wasd.vsm.com.au/ht_root/doc/htd/htd_1700.html
- Intro material http://msdn.microsoft.com/msdnmag/issues/01/04/SSL/default.aspx
- Further details? http://publib.boulder.ibm.com/infocenter/wbihelp/index.jsp?topic=/com.ibm.etools.mft.eb.doc/aq01206_.htm
- sample chapter on SSL implementation http://shiflett.org/books/http-developers-handbook/chapters/18
CategorySecurity, CategoryEnterpriseComputingConcerns, CategoryWebDesign