Book Reviews: Information Security Books and Product Reviews – SSL and TLS

Book Title: SSL and TLS

Subtitle: Theory and Practice

Author: Rolf Oppliger

Publisher: Artech House

Date of Publishing: Oct 2009

ISBN(13): 9781596934474

Price (UK & US price – full price, not discounted price): £60.00, $89.00

URL of Publisher Site: www.artechhouse.com

URL of Amazon UK web page: SSL and TLS: Theory and Practice (Artech House Information Security and Privacy)

URL of Amazon US web page: Amazon.com

I’ve had a long “love affair” with SSL/TLS in its various guises – all the way from the early days when it was an emerging technology from Netscape. I’ve lost count of the number of times I’ve used a network sniffer (especially Ethereal/Wireshark) to investigate issues with SSL/TLS, including incorrect implementations of the standard. One of the most thumbed books in my library is SSL and TLS Essentials, written by Stephen Thomas and published by Wiley (a book I treasure as it was signed by the author, who I worked with a long time ago). So, when I was asked to review this book, the standard I was comparing it against was that Wiley book.

Firstly, let’s go through the structure and contents of the book: it is 257 pages in length and consists of nine chapters. Chapter 1 introduces the OSI model and explains the various security services and mechanisms that could be implemented in the model. This chapter doesn’t really add anything to the book (assuming, that is, you are already a security expert). Chapter 2 is the usual cryptography primer, which any book on SSL/TLS should contain. It is quite mathematical in places but should be accessible to any decent security practitioner with a technical background. Chapter 3 introduces TLS and its placement in the TCP/IP protocol stack. It also describes the evolution from Secure Sockets Layer (SSL) 1.0 to the current IETF standard, TLS 1.2. Chapter 4 describes the SSL protocol, going into the various sub-protocols used within SSL (e.g. handshake, change cipher spec). This section also defines the various message structures used in the protocols. Examples of traffic analysis of various messages are also provided, showing hex dumps of a number of important messages. The final section of chapter 4 summarises the security analysis performed by researchers on the various SSL iterations and the weaknesses that have been discovered.

Chapter 5 goes on to describe the TLS protocol and in particular goes through the differences between SSL 3.0 and TLS 1.x. This chapter also brings the reader up to date with the latest version of TLS (1.2). Chapter 6 introduces Datagram Transport Layer Security (DTLS). The Wiley book did not cover this, as it was not part of the standard when that book was written. Chapter 7 covers the issues of trying to traverse a firewall, examining both tunneling and proxying. Chapter 8 enters the world of certificates and PKI, a topic that anyone dealing with SSL/TLS must understand. This chapter is actually a fairly lightweight treatment of the subject. Anyone needing further information would be advised to buy a book on that subject rather than relying on this chapter. The final chapter, Conclusions and Outlook, looks at a number of challenges faced by implementers, including software deployment issues and protection against MITM attacks.

So, is the book worth buying (compared to the Wiley book)? In general, I would say yes. The Wiley book was written just as TLS was emerging and certainly doesn’t cover TLS 1.1 or TLS 1.2. So, if you want an up-to-date book on the subject then this would be a good book to buy. However, the book is not without its weaknesses. In particular, I would have thought it would have benefited from having some Wireshark dumps of the message protocol examples – after all, many practitioners use Wireshark to decode TLS/SSL traffic. As I mentioned above, the PKI chapter is also weak; I would have liked to see more detail on the subject and on how SSL/TLS pertains to server and client certificates, as well as the impact of using various certificate extensions (e.g. key usage). I also would have liked to see more discussion on deployment: IE, Firefox, IIS, Apache, OpenSSL etc., as well as the Java implementations, all have their own nuances in how they handle different situations and in the cipher suites they support. None of this is really explained.

One notable point is that this book does have an excellent set of references at the end of each chapter.

At £60.00 this is quite an expensive manual, but if you are someone who needs to become familiar with SSL/TLS and struggles to understand the IETF RFC standards, then this is a book you should consider purchasing; it is aimed at anyone about to implement SSL/TLS-based services, and at Security Architects.

This is an excellent resource for anyone trying to understand the complexities of SSL/TLS, and it will bring the reader up to date with the latest versions of TLS. If you are a Security Architect I would recommend purchasing a copy.

Marks: 4 out of 5
