BKSSLTLS.RVW   20010607

"SSL and TLS", Eric Rescorla, 2001, 0-201-61598-3, U$39.95/C$59.95
%A   Eric Rescorla ekr@rtfm.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2001
%G   0-201-61598-3
%I   Addison-Wesley Publishing Co.
%O   U$39.95/C$59.95 416-447-5101 fax: 416-443-0948
%P   499 p.
%T   "SSL and TLS: Designing and Building Secure Systems"

The preface states, quite clearly, that this is a work for designers, programmers, and implementors. In other words, it's a very technical book. Even the preface, though, is written with a clarity that is unusual, and refreshing, in technical literature.

Chapter one provides some background to communications security and encryption. The material is demanding, and is definitely not a primer. A number of items are glossed over, but the persistent reader should be able to glean some very solid explanations of important concepts.

The "family tree" of SSL (Secure Sockets Layer) is given in chapter two, with a description of the development steps along the way. Chapter three outlines the basic, or most common, mode of SSL, and then provides details about specific aspects of the algorithms and data structures used at different points. Various options and extensions, for a number of functions, are described in chapter four. The security of the SSL system itself, as opposed to the security it provides for transactions, is thoroughly examined in chapter five. Chapter six is an examination of performance issues, and the ways in which execution can, and can't, be improved.

SSL is, of course, only a protocol and not a full application. Design considerations for effective use within a system are detailed in chapter seven, and sample C and Java code for effecting the operations is given in chapter eight. SSL was designed for, and is most widely used with, HTTP (HyperText Transfer Protocol), and chapter nine details the requirements and difficulties of using the system to secure Web communications. Chapter ten uses SMTP (Simple Mail Transfer Protocol) as an example of the use of SSL to protect other communications operations. Finally, Rescorla compares SSL to the major competing systems of IPsec, S-HTTP (Secure HTTP), and S/MIME. (It is nice to see that the author identifies his own potential bias in the debate.)

This book is aimed at a technical audience, and members of that group will undoubtedly welcome it. However, the lucid presentation and the range of security concepts covered make this a useful reference for many others. Those involved in online commerce, and in the necessity of securing transactions over insecure links, will find solid discussions addressing those issues. Security analysts and practitioners may be challenged to look into the internals of systems generally examined only at a superficial level. And anyone interested in the security of the Internet will find a clear and fascinating review of its underpinnings.

copyright Robert M. Slade, 2001