
Communication Security: Web Based Services • Chapter 5  277

                 such as social security numbers or credit card numbers. In a public domain such as
                 the Internet, and even within private networks, this data can be easily intercepted
                 and copied, thereby violating the privacy of the sender and recipient of the data.
                 We all have an idea of how costly the result of information piracy is. Companies go
                 bankrupt; individuals lose their livelihoods or are robbed of their life savings as a
                 result of some hacker capturing their information and using it to present a new
                 technology first, to access bank accounts, or to destroy property. At the risk of
                 causing paranoia, if you purchased something via the Web and used a credit card on
                 a site that was not using SSL or some other strong security method, you are
                 opening yourself up to having your credit card information stolen by a hacker.
                 Thankfully, nowadays most, if not all, e-commerce Web sites use some form of
                 strong security like SSL or TLS to encrypt data during the transaction and prevent
                 its theft through packet capture between the customer and the vendor.
                    While SSL is widely used on the Internet for Web transactions, it can be
                 utilized for other protocols as well, such as Telnet, FTP, LDAP, Internet Message
                 Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP), but these are
                 not commonly used. The successor to SSL is TLS, which is an open, Internet
                 Engineering Task Force (IETF)-proposed standard based on SSL 3.0. The relevant
                 RFCs are 2246, 2712, 2817, and 2818. The name is misleading, since TLS happens
                 well above the Transport layer. The two protocols are not interoperable, but TLS
                 has the capability to drop down into SSL 3.0 mode for backward compatibility,
                 and both can provide security for a single TCP session.
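
                 The following is an added example, not code from the book. It reads the
                 version field of the hello messages (as laid out in SSL 3.0 through TLS 1.2)
                 and flags a session in which the server dropped down to SSL 3.0. The function
                 names and the sample records are assumptions constructed for the illustration.

```python
import struct

# Wire versions (major, minor). TLS 1.0 is sent as 3.1 because it is based on SSL 3.0.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2


def parse_hello(record: bytes):
    """Return (message kind, version name) from one handshake record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    # Record header: content type, record version (major, minor), length.
    ctype, _rmaj, _rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if rlen < 6 or len(body) < rlen:
        raise ValueError("truncated handshake message")
    # Handshake header: type (1 byte), length (3 bytes), then the hello version.
    msg_type, major, minor = body[0], body[4], body[5]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    kind = "ClientHello" if msg_type == CLIENT_HELLO else "ServerHello"
    return kind, VERSIONS.get((major, minor), f"unknown {major}.{minor}")


def audit(client_record: bytes, server_record: bytes) -> str:
    """Flag sessions where the server selected SSL 3.0."""
    _, offered = parse_hello(client_record)
    _, chosen = parse_hello(server_record)
    if chosen == "SSL 3.0":
        return f"ALERT: session fell back to SSL 3.0 (client offered {offered})"
    return f"ok: negotiated {chosen} (client offered {offered})"


def make_hello(msg_type: int, version: tuple) -> bytes:
    """Build a constructed, shortened hello record for the demo (not a capture)."""
    body = bytes(version) + bytes(32) + b"\x00"  # version, random, empty session id
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 0]) + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    client = make_hello(CLIENT_HELLO, (3, 1))          # client offers TLS 1.0
    print(audit(client, make_hello(SERVER_HELLO, (3, 1))))
    print(audit(client, make_hello(SERVER_HELLO, (3, 0))))
```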

                 SSL and TLS

                 SSL and TLS provide a connection between a client and a server, over which any
                 amount of data can be sent securely. Both the server and the browser generally
                 must be SSL- or TLS-enabled to facilitate secure Web connections, while
                 applications generally must be SSL- or TLS-enabled to allow their use of the secure
                 connection. However, another trend is to use dedicated SSL accelerators as virtual
                 private network (VPN) terminators, passing the content on to an end server.
                    SSL works between the Application Layer and the Network Layer just above
                 TCP/IP in the Department of Defense (DoD) TCP/IP model. SSL running over
                 TCP/IP allows computers enabled with the protocol to create, maintain, and
                 transfer data securely, over encrypted connections. SSL makes it possible for
                 SSL-enabled clients and servers to authenticate themselves to each other and to encrypt
                 and decrypt all data passed between them, as well as to detect tampering of data,
                 after a secure encrypted connection has been established.




                                                                              www.syngress.com