The Secure Sockets Layer (SSL) is a standard protocol for both authenticating users and encrypting data that is then sent over ordinary sockets. That is, implementations of SSL are conceptually similar to CompressingSocket: they take data and transform it before sending it over the wire. The only difference is that CompressingSocket compresses, while SSL sockets first authenticate (at the beginning of a session) and then encrypt.
SSL has three helpful features:
It’s a publicly defined protocol. SSL was first defined and implemented by Netscape. But the specification is publicly available and has been subject to intense public scrutiny.
It’s commonly used. Almost every language that can use sockets has at least one SSL library package already implemented for it. And it is easy to define a secure version of a protocol by simply specifying that the secure version is a layer on top of SSL instead of simply being defined over cleartext sockets. This, for example, is the way HTTPS (the secure version of HTTP) is defined. Thus, in almost any situation where sockets can be used, SSL can be used with minimal extra programmer overhead and very few code changes.
It’s good enough. While not absolutely secure, SSL meets the criteria for practical security in a wide variety of situations.
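The "very few code changes" point from the second feature, as an added example that is not code from the original text: the application protocol is written once against Socket, and only the connection step differs between the cleartext and SSL variants. The class and method names (LayeredClient, exchange, connect) and the loopback echo server are constructed for illustration. The secure branch assumes a server whose certificate the JVM's default trust store accepts.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import javax.net.SocketFactory;
import javax.net.ssl.*;

public class LayeredClient {
    // Application protocol: send one line, read one line. It only sees a Socket,
    // so it is identical for the cleartext and the SSL-layered variant.
    static String exchange(Socket s, String line) throws IOException {
        PrintWriter out = new PrintWriter(
            new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8), true);
        BufferedReader in = new BufferedReader(
            new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
        out.println(line);
        return in.readLine();
    }

    // The only place where the two variants differ.
    static Socket connect(String host, int port, boolean secure) throws IOException {
        if (!secure) return SocketFactory.getDefault().createSocket(host, port);
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        // A bare SSLSocket validates the certificate chain but does not compare the
        // certificate's name with the host unless endpoint identification is set.
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake(); // authentication happens here, before application data
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: a one-shot cleartext echo server on loopback.
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread t = new Thread(() -> {
                try (Socket c = server.accept()) {
                    BufferedReader in = new BufferedReader(
                        new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8));
                    PrintWriter out = new PrintWriter(
                        new OutputStreamWriter(c.getOutputStream(), StandardCharsets.UTF_8), true);
                    out.println("echo: " + in.readLine());
                } catch (IOException e) { throw new UncheckedIOException(e); }
            });
            t.start();
            try (Socket s = connect("127.0.0.1", server.getLocalPort(), false)) {
                System.out.println(exchange(s, "hello"));
            }
            t.join();
        }
    }
}
```

Calling connect with secure set to true against an SSL-enabled server leaves exchange unchanged; a handshake failure surfaces as an SSLHandshakeException before any application data is sent.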
SSL has been around, in one form or another, since 1995. Currently, there are three versions in active use: SSL2, SSL3, and Transport Layer Security (TLS). SSL2 is the oldest version of the ...