280 Chapter 5 • Communication Security: Web Based Services
SSL, a good resource is the section of VeriSign’s Web site that addresses
many aspects of SSL at www.verisign.com/ssl/index.html.
TLS
As mentioned, TLS is the successor to SSL, a newer version that has minor
differences from its predecessor. Like SSL, it provides authentication between
clients and servers that require privacy and security during communications. The
clients and servers that use SSL are able to authenticate to one another, and then
encrypt and decrypt the data that’s passed between them. This ensures that the
data is not eavesdropped on, tampered with, or forged during transmission
between the two parties.
As you might expect, it is often used in situations where sensitive data is being
sent between clients and servers. A common example would be online purchases,
where credit card numbers and other personal information (such as the person’s
name, address, and other shipping information) are sent to an e-commerce site. As
seen in Figure 11.5, TLS and SSL are enabled in IE through the Advanced tab of
Internet Options (which is accessed by clicking Start | Settings | Control
Panel | Internet Options). By scrolling to the Security section in the Settings
pane, you will see checkboxes for enabling SSL 2.0, SSL 3.0, and TLS 1.0. If they
are checked, they are enabled; if they aren’t checked, they are disabled. Because
SSL 3.0 and TLS 1.0 have succeeded SSL 2.0, you will generally find that this older
version is disabled.
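Each of the three checkboxes corresponds to a version number that the client
sends in its opening ClientHello message. The following Python sketch is an added
example, not taken from this book; it reads that version from captured bytes so
that SSL 2.0 offers can be flagged. The function names and the sample captures are
constructed for illustration.

```python
# Wire version codes (major, minor) for the three checkboxes described above.
VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0"}

# Constructed sample captures, truncated after the fields parsed here.
SSL2_HELLO = bytes.fromhex("802e010002001500000010")
SSL3_HELLO = bytes.fromhex("160300002d010000290300")
TLS10_HELLO = bytes.fromhex("160301002d010000290301")


def offered_version(data: bytes) -> str:
    """Return the protocol version a captured ClientHello offers."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSL 2.0 framing: 2-byte length with the high bit set,
        # message type 1 (CLIENT-HELLO), then the 2-byte version.
        # A client may use this framing yet offer a higher version.
        major, minor = data[3], data[4]
    elif len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # SSL 3.0 / TLS framing: record type 22 (handshake), 2-byte record
        # version, 2-byte length, handshake type 1 (ClientHello),
        # 3-byte length, then the 2-byte client version.
        major, minor = data[9], data[10]
    else:
        raise ValueError("not a ClientHello")
    return VERSIONS.get((major, minor), f"unknown {major}.{minor}")


def flag_ssl2(captures):
    """Return the indexes of captures whose best offer is SSL 2.0."""
    return [i for i, c in enumerate(captures)
            if offered_version(c) == "SSL 2.0"]


if __name__ == "__main__":
    samples = [TLS10_HELLO, SSL2_HELLO, SSL3_HELLO]
    for s in samples:
        print(offered_version(s))
    print("SSL 2.0 offers at indexes:", flag_ssl2(samples))
```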
S-HTTP
It is important not to confuse HTTP/S with Secure HTTP (S-HTTP). Although
they sound alike, they are two separate protocols, used for different purposes.
S-HTTP is not widely used, but it was developed by Enterprise Integration
Technologies (EIT) to provide security for Web-based applications. S-HTTP is an
extension to the HTTP protocol. It is a secure message-oriented communications
protocol that can transmit individual messages securely (whereas SSL establishes a
secure connection over which any amount of data can be sent). S-HTTP provides
transaction confidentiality, authentication, and message integrity, and extends
HTTP to include tags for encrypted and secure transactions. S-HTTP is
implemented in some commercial Web servers and most browsers. An S-HTTP server
negotiates with the client for the type of encryption that will be used, several types
of which exist.
www.syngress.com