
Q: What level of security does Secure Sockets Layer (SSL) provide against Web
application attacks?
A: Almost none. SSL provides two functions. First, it authenticates a domain
name to an entity. That is, it certifies that www.bigbank.com
actually belongs to Big Bank. Second, SSL creates a “secure” encrypted
tunnel to the server so that all communication back and forth is highly
encrypted and not subject to “eavesdropping.” When properly implemented,
SSL is very effective at that. However, SSL provides absolutely no assurances
regarding the messages sent across that tunnel; it merely ensures that they
cannot be read by a third par ...