CertiGuide to Security+  9  Chapter 2:  Communication Security (Domain 2.0; 20%)       9  2.3  The Web            9  2.3.1  SSL/TLS (Secure Sockets Layer / Transport Layer Security)

2.3.1  SSL/TLS (Secure Sockets Layer / Transport Layer Security) 1 2 Transport Layer Security (TLS)

SSL vs. S-HTTP

Note that SSL is not the same as S-HTTP (Secure HyperText Transfer Protocol), which is designed to send individual messages securely, rather than set up and maintain a secure connection between two computers, as with SSL.

Typically, you will know that a site is using an SSL connection when you see a URL beginning “https:” rather than “http:”. If you want SSL communication to be passed through your firewall, traffic to the destination TCP port 443 should be permitted.

Because SSL can be processor-intensive (as with any encryption), there are “SSL appliances” which can handle SSL processing on a separate device, so that the web server itself does not have to incur the encryption overhead.

A detailed source for information on the history of SSL and TLS, and protocol specifics is Eric Rescorla’s SSL and TLS: Designing and Building Secure Systems.¹⁹⁴

It has been said elsewhere in this book to keep your patches updated. This includes SSL in your O/S ¹⁹⁵

2.3.1  SSL/TLS (Secure Sockets Layer / Transport Layer Security) 1 2 Transport Layer Security (TLS)