Professional IIS 7.0

by Ken Schaefer, Jeff Cochran, Scott Forsyth, Rob Baugh, Mike Everest, Dennis Glendenning
March 2008
Content level: Intermediate to advanced
838 pages
23h 16m
English
Wrox
Content preview from Professional IIS 7.0

Chapter 15. SSL and TLS

When looking at a strategy to secure your application server infrastructure, it is important to examine several discrete elements:

  • Secure the actual server that the application is running on.

  • Ensure that only permitted users of the application are able to access the allowed functionality (and that all other users, including malicious attackers, are denied access).

  • Ensure that your users know they are connecting to the correct server, and, if required, secure traffic between the client and server.

In Chapters 13 and 14, we discuss many of the security options available with IIS 7.0. This chapter addresses security between the client and the server. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are industry-standard technologies for authenticating machines (or users) and for encrypting traffic between two devices.

SSL is a technology originally developed by Netscape, with v2.0 being the first publicly available release. TLS is an IETF standard that is the successor to SSL, and the latest draft version is TLS v1.2. Currently, the terms "SSL" and "TLS" are used interchangeably in the popular press when discussing secured HTTP traffic. "TLS" is almost always used when discussing securing other protocols (such as FTP or SMTP).

TLS should be considered whenever there is a need to secure the transmission of data from eavesdropping attacks (including credentials) or to ensure message integrity (that data aren't altered in transit). Additionally, to ensure ...


ISBN: 9780470097823