A properly configured Web browser connected to a Web site over SSL lets the user inspect the server certificate and so verify the identity of the Web server. This protects users against phishing and other attacks that rely on impersonating a Web site.
"Man-in-the-middle" exploits occur when an attacker positioned somewhere between the user and the Web site eavesdrops on or manipulates the data in the connection. This can happen while a user is connected to a Web site through a public WiFi hotspot, or when a well-placed attacker has access to home broadband or corporate LAN traffic. SSL protects against eavesdropping on, and undetected tampering with, the data in the connection between the user and the Web server.
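The identity check described above only works if the client actually enforces it: the certificate must chain to a trusted CA and the name in it must match the host the user asked for. The following is an added example (not code from the original page) showing a client TLS context configured the way a browser behaves, the weak configuration beside it, and the hostname-matching rule applied to a constructed certificate dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The certificate contents and host names are made up for the example.

```python
import ssl


def make_verifying_context() -> ssl.SSLContext:
    """Client-side TLS context as a browser would use it: the server
    certificate must chain to a trusted CA (verify_mode) and its name must
    match the host the user connected to (check_hostname)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The weak configuration: verification switched off. Such a client cannot
    tell an impersonating site from the real one, so the protection against
    man-in-the-middle attacks is lost. check_hostname must be cleared before
    verify_mode can be lowered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Configuration check a deployment review would run on a client context."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def hostname_matches(presented: str, requested: str) -> bool:
    """Match one DNS name from the certificate against the requested host,
    following the usual browser rules: case-insensitive, a wildcard only as
    the whole left-most label, never matching more than one label, and never
    matching a public suffix such as '*.com'."""
    presented = presented.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    if "*" not in presented:
        return presented == requested
    p_labels = presented.split(".")
    r_labels = requested.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # partial or bare wildcard: reject
    if any("*" in label for label in p_labels[1:]):
        return False                      # wildcard in a non-leading label
    if len(p_labels) != len(r_labels) or r_labels[0] == "":
        return False                      # '*' covers exactly one label
    return p_labels[1:] == r_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Check the subjectAltName DNS entries of a parsed certificate (the
    dictionary shape produced by getpeercert()) against the requested host."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(name, hostname) for name in names)


# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}


if __name__ == "__main__":
    print("verifying context safe:", context_is_safe(make_verifying_context()))
    print("unverified context safe:", context_is_safe(make_unverified_context()))
    for host in ("www.example.test", "v1.api.example.test", "login.example.test"):
        print(host, "->", cert_matches_host(SAMPLE_CERT, host))
```

A browser that reports a certificate error is doing exactly what `context_is_safe` checks for; a client that turns those checks off to silence the error has removed the only thing that distinguishes the real server from an attacker sitting in the path.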
Because SSL only lets users verify the identity of the Web server and protects the data in transit, proper patch management and secure coding techniques must also be applied to the Web server. Good patch management limits the risk of an attacker exploiting a publicly known vulnerability in the Web server. Secure coding techniques such as strong input validation help protect against server-side attacks such as cross-site scripting, SQL injection and buffer overflows. SSL is critical for protecting data in transit to the Web server, but other security measures are required to protect the endpoints of the connection against other types of attacks.
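The point that SSL does nothing for the application layer is easiest to see with the server's own code. The following is an added example (not from the original page) of a small user lookup written twice: once building the SQL query from the request parameter as it arrived over the encrypted connection, and once with input validation and a parameterised query, plus output encoding for the cross-site scripting case. The in-memory SQLite table, user names and roles are constructed for the example.

```python
import html
import re
import sqlite3

# Allow-list for the one parameter this endpoint accepts (example policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(value: str) -> bool:
    """Strong input validation: accept only what the application defines as a
    user name and reject everything else before it reaches the database."""
    return USERNAME_RE.fullmatch(value) is not None


def setup_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the Web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The defect SSL cannot fix: the parameter is pasted into the query text,
    so a crafted value changes the query rather than being compared as data.
    Kept here only to contrast with the hardened version below."""
    rows = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [row[0] for row in rows]


def lookup_role_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened version: validate first, then bind the value as a parameter
    so the database never interprets it as SQL."""
    if not valid_username(name):
        raise ValueError("rejected by input validation")
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [row[0] for row in rows]


def render_greeting(name: str) -> str:
    """Output encoding for the HTML response: the same untrusted value must not
    be echoed back as markup, or a script in it runs in other users' browsers."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = setup_db()
    crafted = "x' OR '1'='1"
    print("unsafe, crafted input:", lookup_role_unsafe(db, crafted))   # every role leaks
    try:
        lookup_role_safe(db, crafted)
    except ValueError as exc:
        print("safe, crafted input:", exc)
    print("safe, normal input:", lookup_role_safe(db, "alice"))
    print(render_greeting("<script>alert(1)</script>"))
```

Both versions receive exactly the same bytes after SSL has decrypted the request; the transport gave the attacker's input confidentiality and integrity on its way to the server, and nothing more. Validation, parameter binding and output encoding are what make the difference.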
This was first published in May 2006