Chapter 15. SSL and TLS
When looking at a strategy to secure your application server infrastructure, it is important to examine several discrete elements:
Secure the actual server that the application is running on.
Ensure that only permitted users of the application are able to access the allowed functionality (and that all other users, including malicious attackers, are denied access).
Ensure that your users know they are connecting to the correct server, and, if required, secure traffic between the client and server.
In Chapters 13 and 14, we discuss many of the security options available with IIS 7.0. This chapter addresses security between the client and the server. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are industry-standard protocols for authenticating machines (or users) by means of certificates and for encrypting the traffic between two endpoints.
SSL was originally developed by Netscape; v2.0 was the first publicly released version (v1.0 never shipped), and v2.0 has known weaknesses and should be disabled. TLS is the IETF standard that succeeded SSL: TLS v1.0 (RFC 2246) is a modest revision of SSL v3.0, and at the time of writing the newest version, TLS v1.2, is still a draft. In the popular press the terms "SSL" and "TLS" are used interchangeably when discussing secured HTTP traffic; "TLS" is almost always the term used when securing other protocols (such as FTP or SMTP).
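The following Go program is an added illustration, not code from this book or from IIS. It stands up a TLS server and a TLS client in one process over loopback TCP and exercises the properties described above: the client authenticates the server by checking its certificate against a trust anchor and against the hostname it expects, and a server configured with a TLS 1.2 floor refuses a client that can only speak TLS 1.0. The hostnames www.example.test and login.example.test, the throwaway self-signed certificate (standing in for a CA-issued one), and the version floor are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// serverHost is an assumed example hostname for the throwaway certificate.
const serverHost = "www.example.test"

// newSelfSignedCert mints a short-lived self-signed certificate for host and a
// trust pool holding only it (standing in for a CA root the client trusts).
func newSelfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the client's hostname check matches this SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // our own DER, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one TLS handshake between an in-process server and client over
// loopback TCP (net.Pipe's synchronous writes can deadlock TLS) and returns the
// client's view of the session or the error that aborted it.
func handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, serverCfg).Handshake()
		}
		srvErr <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a broken peer
	client := tls.Client(raw, clientCfg)
	err = client.Handshake()
	<-srvErr // let the server side finish before the sockets close
	if err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

// clientConfig is a client that trusts pool and expects the server to be name.
func clientConfig(pool *x509.CertPool, name string) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: name, MinVersion: tls.VersionTLS12}
}

// runScenarios returns the honest session's protocol version and, keyed by
// scenario, the error from each handshake that must fail (nil = wrongly succeeded).
func runScenarios() (uint16, map[string]error, error) {
	cert, pool, err := newSelfSignedCert(serverHost)
	if err != nil {
		return 0, nil, err
	}
	// MinVersion makes the server refuse SSL 3.0, TLS 1.0 and TLS 1.1 outright.
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	st, err := handshake(srv, clientConfig(pool, serverHost))
	if err != nil {
		return 0, nil, err
	}
	legacy := clientConfig(pool, serverHost) // a client that can only speak TLS 1.0
	legacy.MinVersion, legacy.MaxVersion = tls.VersionTLS10, tls.VersionTLS10
	failures := map[string]error{}
	for name, cfg := range map[string]*tls.Config{
		"wrong hostname": clientConfig(pool, "login.example.test"),    // cert is for www.example.test
		"untrusted root": clientConfig(x509.NewCertPool(), serverHost), // no trust anchor matches
		"TLS 1.0 client": legacy,                                       // rejected by the server's MinVersion
	} {
		_, failures[name] = handshake(srv, cfg)
	}
	return st.Version, failures, nil
}
```

The honest handshake succeeds only because the client both trusts the certificate's issuer and was told the name it expects; the "wrong hostname" case fails even though the certificate is trusted, which is exactly the check a browser performs before it lets a user believe they reached the correct server. The "TLS 1.0 client" case is the server-side counterpart of disabling old protocol versions.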
TLS should be considered whenever there is a need to protect data in transit (credentials included) from eavesdropping, or to ensure message integrity (that data are not altered in transit). Additionally, to ensure ...