• Title: SSL and TLS: Designing and Building Secure Systems
  • Author: Eric Rescorla
  • Pages: 499
  • Publisher: Addison Wesley
  • ISBN: 0-201-61598-3
  • List price: $44.99
  • Summary: A good reference if you need to implement SSL or TLS, but otherwise not terribly useful to most people.

SSL and TLS is a pretty specialized book - it covers how to implement and use the network security protocols SSL and TLS (which are essentially the same thing, actually) to help provide confidentiality, integrity, and non-repudiation through judicious use of cryptography. The author, Eric Rescorla, is co-chair of the IETF's TLS working group (in addition to being a member of the Internet Architecture Board), and has implemented the SSL/TLS protocol at least twice, so he knows the area pretty darn well.

The book is an excellent companion to the RFCs which describe the protocol, though at points it really seems like Eric just copied and pasted from the TLS specification (RFC 2246), especially in the protocol description, and added various annotations useful to implementors. That said, those annotations proved extremely useful when I was implementing the SSL protocol. However, not many people are actually going to be doing that, and the sections on coding using SSL libraries (his examples use OpenSSL and Eric's own Java implementation, PureTLS), and using HTTP/SMTP over TLS are pretty light in comparison to other books out there that focus exclusively on the topic. Your average system admin doesn't need to understand a whole lot in order to, say, enable TLS on a Postfix server, or HTTPS on Apache, and what they need to know is going to be in the product documentation, not this book. The section on performance does have some good hints, but, again, unless you're an implementor (or someone willing to hack changes into a copy of your favored SSL library), they aren't of much practical value.

While it may provide a useful reference to those implementing SSL-based systems, or just anyone who is curious about how SSL/TLS works, at $45 I would have been happier with either a shorter (and cheaper) book that just covered implementation issues, or a book of the same size and price that removed the "applications" sections towards the end, and provided more implementation help. In particular, there are several common design patterns that occur in SSL implementations that have never really been documented, and end up either being rediscovered or reverse engineered from other implementations again and again; I would have liked to see those included.

Table of contents:

  1. Security Concepts
  2. Introduction to SSL
  3. Basic SSL
  4. Advanced SSL
  5. SSL Security
  6. SSL Performance
  7. Designing with SSL
  8. Coding with SSL
  9. HTTP over SSL
  10. SMTP over TLS
  11. Contrasting Approaches
  12. Example Code (Appendix A)
  13. SSLv2 (Appendix B)