Web Developer's Virtual Library: Encyclopedia of Web Design Tutorials, Articles and Discussions

6.2 Secure Sockets Layer (SSL) - Page 2

June 28, 2002

Consider the problem of creating secure Internet protocols. One might want to create new protocols for secure HTTP, FTP, or SMTP email, but that would break programs that worked with the non-secure versions.

HTTP and the other protocols are layered on top of TCP/IP, the basic communication layer of the Internet. Most applications that speak TCP/IP do so via sockets, which were originally part of BSD Unix but have since been ported to everything from handheld computers to mainframes. Network programmers talk about TCP/IP and sockets almost interchangeably. When a web browser downloads a page from a server, it first opens a socket to the server, which accepts or refuses the connection. Having established communication via TCP/IP, the two then proceed to speak HTTP over the socket connection. [1]

By replacing the regular socket library with a secure TCP/IP communication scheme we can leave HTTP alone and still safely transmit sensitive information to and from web browsers. That's the role of SSL: if the browser and the web server are built with SSL, they can create an encrypted channel and exchange data without fear of snoopers. HTTP rides on top of that layer without additional programming.
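The layering described above, as an added example that is not code from the book: the HTTP request bytes are built without any knowledge of the transport, and the only difference between the plain and secure cases is whether the TCP socket is wrapped in TLS before HTTP is spoken over it. It uses Python's standard `socket` and `ssl` modules; the host names and the `fetch` helper are illustrative assumptions.

```python
"""HTTP over a plain socket or a TLS-wrapped socket; HTTP itself is unchanged."""
import socket
import ssl


def build_get_request(host: str, path: str = "/") -> bytes:
    """Build an HTTP/1.1 GET request; nothing here knows about TLS."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def make_tls_context() -> ssl.SSLContext:
    """Client context: create_default_context() already loads the system
    CA store, requires a certificate (CERT_REQUIRED) and checks the hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def open_channel(host: str, port: int, secure: bool) -> socket.socket:
    """Open a TCP socket; if secure, wrap it so TLS sits between TCP and HTTP."""
    raw = socket.create_connection((host, port), timeout=10)
    if not secure:
        return raw
    # server_hostname drives SNI and the hostname check on the server certificate.
    return make_tls_context().wrap_socket(raw, server_hostname=host)


def parse_status_line(first_line: bytes) -> tuple[str, int]:
    """Parse b'HTTP/1.1 200 OK' into ('HTTP/1.1', 200)."""
    parts = first_line.decode("ascii").split(" ", 2)
    return parts[0], int(parts[1])


def fetch(host: str, path: str = "/", secure: bool = True) -> tuple[int, bytes]:
    """Send the same GET over either transport and return (status, body)."""
    with open_channel(host, 443 if secure else 80, secure) as chan:
        chan.sendall(build_get_request(host, path))
        chunks = []
        while data := chan.recv(4096):
            chunks.append(data)
    raw = b"".join(chunks)
    header, _, body = raw.partition(b"\r\n\r\n")
    _, status = parse_status_line(header.split(b"\r\n", 1)[0])
    return status, body
```

Calling `fetch("www.example.com", secure=True)` and `fetch("www.example.com", secure=False)` sends byte-for-byte the same request; only the channel underneath differs, and the secure one fails closed if the server's certificate does not verify.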

SSL is a terrific boon to network applications, but gets surprisingly little use outside of web traffic. Some mail servers and clients support it, but few require it, which is odd, considering that POP and IMAP mail protocols require a username and password to gain access to a server. Those passwords are all being sent in plain text across insecure channels, just as they are for FTP and TELNET sessions (which is why you are using ssh instead). Bob and Carol's true feelings may be known to more people than they realize.

SSL is itself a protocol description with both commercial and Open Source implementations, including SSLeay, a free implementation created by Eric A. Young and Tim J. Hudson, and OpenSSL, which followed on from SSLeay and has become the standard security library for Open Source network products. OpenSSL's developers include members of the Apache Group, so it's no surprise that I'm going to recommend it for use with their server.

6.2.1 Legal issues

You may be aware that there are both patent issues and import/export restrictions on software that uses encryption. In the United States and other countries, commonly used encryption algorithms are patented and require licenses from their patent holders for use. Export restrictions are changing as (some) governments realize that the main effect of legislation is to move encryption development to other countries.

Still, these issues were enough to prevent most US-based sites from distributing encryption software in the 1990s. Distribution web sites generally have guidelines on where to download those libraries, but before doing so you should thoroughly investigate the legalities of their use in your locality.

As the disclaimer goes, I Am Not A Lawyer, but here is my understanding of the legal situation in the United States: the patent holder of the RSA public key encryption algorithm placed the algorithm in the public domain in September 2000 (shortly before the patent was due to expire), so it is no longer necessary to buy a license from RSA or to use the RSAREF implementation. It is legal to use encryption on a US-hosted web site that communicates with the world at large; it may not be legal, however, to let others download your encryption library.

For hosting in other countries (or browsing, for that matter), see the summaries of the legal situation posted at http://www.openssl.org/ for more information, although they too will warn you that you need to investigate this on your own.


[1] Purists will point out that a socket doesn't have to use TCP/IP, and TCP/IP doesn't have to use sockets. The other common programming interface to TCP/IP is the Transport Layer Interface; interestingly, the protocol that is set to supersede SSL is called Transport Layer Security.

Web Development with Apache and Perl