1. Provides a "secure" (i.e. encrypted connection) between the web-browser and the web-server so that the data cannot be sniffed. SSL is used primarily for HTTP, but can also be used for other protocols such as FTP or Telnet. SSL provides three key features: digital-signatures to verify the identity of both the client and server, encryption to prevent the eavesdropping of data, and hashing to protect the integrity of the data. Key point: Web servers have a certificate signed by a trusted certificate authority (CA). This certificate allows the client and the server to generate random keys for the session and to exchange them securely (to defend against man-in-the-middle attacks). The generated random key is used to encrypt the rest of the contents of the connection, usually using RC4. U.S. export controls attempts to limit products used abroad to only 40-bits of key length, which can easily be broken. Key point: In SSL, the server first authenticates itself with the client (a technique that makes it more likely that e-commerce vendors are reputable). Therefore, if you want to set up your own SSL-based web server, you need to get a signed certificate from a CA. Furthermore, if you are outside the U.S., you will find it difficult to find one for 128-bits, though the Chaos Computer Club in Germany manages nicely. Key point: The chief reason SSL isn't used more widely is because it creates a huge performance hit on servers. In particular, the biggest hit comes from handling the public keys in the certificate, though normal encryption/decryption also plays a role. Hardware acceleration for both the public key cryptography and symmetric cryptography are becoming more and more popular. History: SSL was originally developed by Netscape to promote e-commerce. It is also known under the IETF standard name of TLS (Transport Layer Security) and the URL https://. History: In 1996, Netscape's implementation was found to be deeply flawed (i.e. crackable) because of problems in the random number generator. It seeded the generator with the time in seconds and milliseconds as well as the PID (process ID) and PPID (parent process ID). Since these numbers are easy to guess, it gives the random symmetric session key a complexity of roughly 20-bits, which can be easily be brute forced. Subsequent sessions are not re-seeded, which means the discovery of the PRNG seed only needs to be discovered once. Point: SSL allows the encryption algorithm to be negotiated (also known as the "cipher"). Some possible ciphers for SSL are: RC2 with 40-bit keys. RC4 with 40-bit keys. RC4 with 128-bit keys. DES with 40-bit keys. DES with 56-bit keys. Triple-DES with 112/168-bit keys. IDEA with 128-bit keys. Fortezza with 96-bit keys. Point: SSL handshake details: Negotiate cipher Exchange keys Authenticate the server Authenticate the client Authenticate previously exchanged data. From Hacking-Lexicon