SSL and TLS: Designing and Building Secure Systems

By Eric Rescorla

Yes. SSL and TLS: Designing and Building Secure Systems is exactly what the title promises. If I had already coded a rating system, I’d probably expand it for this book.

  • Author: Eric Rescorla
  • Publisher: Addison-Wesley
  • ISBN: 0-201-61598-3
  • Published: 2000
  • Pages: 499

If you have to code an application that uses SSL or TLS — or if you have to code an SSL or TLS library, then this is the book you need. It certainly was the book I needed, and I needed it badly, when I was working on the secure messaging layer over JXTA for Tryllian’s ADK — agent development kit.

Sometimes, but all too seldom, one reads a book that simply exudes competence. This is one of those books. All through the book it is clear that Eric Rescorla indeed does know what he is talking about; he knows so well what he’s talking about that he never has to fudge, he never has to write obscurely to mask lack of knowledge, and thus he writes with complete authority. He manages to be crystal clear, surely an achievement when writing on a topic traditionally viewed as extremely obscure.

However, that is not the only commendable quality. SSL and TLS: Designing and Building Secure Systems is very well organized. Rescorla first discusses public key cryptography — the basis for SSL and TLS — with practiced ease. Then he continues to give the details of the SSL/TLS protocol in the second part. The third part shows how to use SSL or TLS in your application, using very clear example code, both in C and in Java.

An engaging feature is the clear division between general discussion and deep-down core details. Fortunately, there is no stint of either, and the core details are illustrated with dumps from Rescorla’s own packet dumper.

At all places where I needed a backreference to something discussed earlier, I found that Rescorla had anticipated my needs and added a quick ‘as discussed in chapter X, Y is needed for Z.’ — and made it possible to read the whole book in about three days.

Topics discussed are: security concepts, the SSL protocol, security issues, performance, application design, HTTP over SSL and SMTP over SSL. Two appendices complete the book.

In short: if you are working on an SSL application, and you don’t have this book, then you’re, in view of the importance of security, almost criminally negligent.