Tuesday, March 17, 2009

Two common misunderstandings about SSL

SSL is an encryption layer used commonly to secure HTTP (HTTPS), IMAP (IMAPS) and POP3 (POP3S). It is a widely used protocol, but it is not very well understood.

SSL is an additional network layer

In the example of HTTPS, SSL is a layer between TCP and HTTP. That means SSL is not aware of the layer above it, HTTP. You can replace the HTTP data by IMAP, or anything else.

A common misunderstanding is that only the HTTP data is encrypted, not the HTTP headers. If you think of SSL as an OSI layer, it is clear that all of the HTTP content must be encrypted. Layers below HTTP do not recognize the difference between HTTP headers and data.

When the HTTPS session is established, the TCP session is created first, then the SSL session, followed by the HTTP session. In other words, the SSL certificate is sent by the server to the client before any HTTP data is exchanged. If a server hosts several SSL certificates for different domain names, the server would have to send the correct SSL certificate before receiving the "Host: www.mydomain.com" header from the browser.

Since the server cannot decide which certificate to send based on the HTTP context, it must rely on the data from the layers below, namely TCP and IP. From these 2 layers, the TCP destination port and the destination IP address are the most interesting.

A server with a single IP address can assign different ports to different certificates: certificate 1 (domain-1.net) to the default HTTPS port 443, certificate 2 (domain-2.net) to port 444, etc. In practice, this is not an elegant solution since any non-standard port has to be embedded in the URL: for example https://www.domain-1.net/ vs. https://www.domain-2.net:444/.

The SSL certificate can also be chosen based on the IP address. If a single server hosts 4 domain names, it needs 4 different IP addresses, each of them associated with a unique certificate. This is the solution commonly used.

SSL protects the data, not your web server or web application

SSL encryption does not protect against SQL injection, cross-site scripting, DoS, etc., but it does offer protection against session hijacking, password theft and the theft of other sensitive user information while in transit. SSL protects the data; it does not directly protect the application.

- Julien