Document: Best Practices and Applications of TLS/SSL

Description

The most well-known example of the use of public key infrastructure has proven flexible enough to assist in authentication, encryption and data integrity in numerous applications throughout the enterprise.

Transport Layer Security, or TLS, also widely known as Secure Sockets Layer or SSL, is the most popular application of public key cryptography in the world. It is most famous for securing Web browser sessions, but it has widespread application to other tasks. TLS/SSL can be used to provide strong authentication of both parties in a communication session, strong encryption of data in transit between them, and verification of the integrity of that data in transit.

TLS/SSL can be used to secure a broad range of critical business functions such as Web browsing, server-to-server communications, email client-to-server communications, software updating, database access, virtual private networking and others. However, when used improperly, TLS can give the illusion of security while the communications have in fact been compromised. It is important to keep certificates up to date and to check rigorously for error conditions. In many, but not all, applications of TLS, the integrity of the process is enhanced by using a certificate issued by an outside trusted Certificate Authority (CA). This paper explores how TLS works, best practices for its use, and the various applications in which it can secure business computing.
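The "illusion of security" the description warns about usually comes from a client that skips verification or ignores expiry. As an added example (not part of the paper), the following Python code contrasts a strictly configured TLS client context with a lax one, audits a context for the settings that silently disable authentication, and checks a certificate's notAfter date against a clock; the sample peer-certificate dictionary and the fixed clock value are constructed here for reproducibility.

```python
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jan 15 23:59:59 2026 GMT",
}
# Constructed clock so the checks below are deterministic (seconds since epoch).
FIXED_NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2026 GMT")

def strict_client_context(cafile=None):
    """Client context that authenticates the server: CA chain, hostname, TLS >= 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def lax_client_context():
    """The misconfiguration pattern: encryption without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE       # accepts any certificate, including forged
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def audit_context(ctx):
    """Return a list of findings; an empty list means the context authenticates peers."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions are permitted")
    return findings

def days_until_expiry(peercert, now):
    """Days remaining on the certificate; negative once it has expired."""
    return (ssl.cert_time_to_seconds(peercert["notAfter"]) - now) / 86400

def check_certificate(peercert, now, warn_days=30):
    """Classify a peer certificate as 'ok', 'expiring' (renew soon) or 'expired'."""
    days = days_until_expiry(peercert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"
```

In a real connection the dictionary comes from `SSLSocket.getpeercert()` after the handshake, which only returns the certificate when the context used `CERT_REQUIRED`.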

Table of Contents

Executive Summary
Introduction
What is TLS/SSL?
Digital Certificates
Authentication and Verification
Key Security
Encryption
Where TLS Works In the Stack
TLS vs. SSL
Networks Are Insecure By Default
Authentication
Privacy and Integrity
Solutions
Trusted Certificate Authorities
Trusted Roots
Self-Signed Certificates
Authentication Does Not Prove Trust
Extended Validation (EV) SSL
Not Just For Web Browsers
Client Security with TLS/SSL
Wireless
SSL VPN
Server-to-Server Security with TLS
Web and Intranet Servers
Common TLS Mistakes
Hosted Service Security with TLS
Certificate Expiration
Certificate Revocation
Self-Signed Certificates
Certificate Management
Conclusion
Additional Reading
