Ask the Expert

SSL protects data in transit, but not apps

I've been reading that Web sites need more than SSL. What does SSL protect and what else -- if anything -- should be used with it?


SSL provides certificate-based authentication as well as protection against man-in-the-middle attacks. SSL does not provide any protection against attacks on the applications running on the Web server. Cross-site scripting, SQL injection and buffer overflows are all feasible attacks against a server that is SSL-enabled.

A properly configured user Web browser connected via SSL to a Web site allows the user to view the server certificate to verify the identity of the Web server. This provides protection for users against phishing or other attacks involving Web site impersonation.

"Man-in-the-middle" exploits occur when an attacker located somewhere between the user and the Web site is eavesdropping on or manipulating data in the connection. This might happen while a user is connected to a Web site via a public WiFi hotspot. Or, a well-placed attacker could initiate an attack while looking at home broadband or corporate LAN traffic. SSL provides protection against eavesdropping on, or undetected tampering with, data in the connection between the user and the Web server.

Because SSL only lets users verify the identity of the Web server and protects the data in transit, proper patch management and secure coding techniques must be applied to the Web server. Good patch management will help limit the risk of a publicly known vulnerability in the Web server being exploited by an attacker. Additionally, secure coding techniques such as strong input validation will help protect against server attacks such as cross-site scripting, SQL injection and buffer overflows. SSL is critical for protecting data in transit to the Web server, but other security measures are required to protect the endpoints of the connection against other types of attacks.
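The point above, as an added example that is not part of the original answer: a request parameter reaches the application already decrypted, so a query built by string concatenation behaves the same with or without SSL, while input validation at the endpoint stops it. The table, function names and username policy are assumptions made for the illustration, and the parameterized query goes one step beyond the input validation the answer names.

```python
import re
import sqlite3

# Constructed sample input: a value as it would arrive in a request parameter.
CRAFTED = "x' OR '1'='1"

def make_db():
    # Constructed sample data: an in-memory table standing in for the site's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_vulnerable(db, username):
    # BEFORE: the parameter is pasted into the SQL text. SSL delivered the
    # string confidentially and unmodified, and the server decrypted it before
    # this code ran, so the transport layer has no influence on how it parses.
    query = "SELECT username, email FROM accounts WHERE username = '%s'" % username
    return db.execute(query).fetchall()

# Assumed username policy for this example: letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def lookup_hardened(db, username):
    # AFTER, step 1: allow-list input validation rejects anything off-policy.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # Step 2: a bound parameter keeps the value as data, never as SQL text.
    query = "SELECT username, email FROM accounts WHERE username = ?"
    return db.execute(query, (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, CRAFTED))
    print("hardened, normal input   :", lookup_hardened(db, "alice"))
    try:
        lookup_hardened(db, CRAFTED)
    except ValueError as exc:
        print("hardened, crafted input  : rejected (%s)" % exc)
```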


This was first published in May 2006
