Preventing eavesdropping and message replay

A commonly accepted way to prevent message replay in web applications using HTTP is by requiring communication to be carried out via the Secure Sockets Layer (SSL).

By using SSL in non-anonymous mode, you protect your application from being instructed to replay messages back to the application server. Doing so also prevents HTTP request and response contents from being exposed to anyone eavesdropping on the connection. Whether SSL also prevents message tampering is left open here.

It is recommended that web applications use SSL in non-anonymous mode.

In outline, SSL works as follows when a client connects to a server: the client verifies the server's identity by checking that the hostname in the server URI matches the hostname found in the server's SSL certificate.

A client may not have a certificate with which to verify the server, and a server may use SSL protocol options that do not require server identification. In either case, SSL is being used in anonymous mode.

You may choose to configure anonymous SSL on some web servers and not on others.

Note that anonymous SSL cannot protect your application from spoofing (one party posing as another in a client-server connection) or from message replay. It does, however, protect against eavesdropping and tampering.
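The two ideas above, the hostname-versus-certificate check a client performs and the difference between a client that authenticates the server and one that runs in an anonymous style, can be made concrete in code. The following is an added example written for this page, not code from the original text; it uses only the Python standard library. The certificate dictionaries are constructed to mirror the shape returned by `ssl.SSLSocket.getpeercert()`, and the `.test` hostnames are placeholders.

```python
"""Server-identity checks that make SSL/TLS "non-anonymous".

Added example, not from the page.  Shows (1) the hostname-vs-certificate
comparison a client performs and (2) how to tell whether an ssl.SSLContext
actually enforces server authentication.  Certificate data below is
constructed in the shape returned by ssl.SSLSocket.getpeercert().
"""
import ssl
from urllib.parse import urlparse


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a single '*' allowed only
    as the entire left-most label, and it never matches across a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(server_uri: str, peercert: dict) -> bool:
    """Return True when the host part of server_uri is named in the certificate.

    Subject Alternative Name DNS entries are authoritative; the subject
    commonName is consulted only when no DNS SAN is present (legacy behaviour).
    """
    host = urlparse(server_uri).hostname
    if not host:
        return False
    san_dns = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return any(_dns_name_matches(n, host) for n in san_dns)
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, host)
    return False


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """A client context is 'non-anonymous' only if it both requires a
    certificate chain and checks the hostname against it."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


# Constructed certificate dicts (shape of ssl.SSLSocket.getpeercert()); the
# .test hostnames are placeholders, not real servers.
CERT_SAN = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.test"),),)}


def strict_client_context() -> ssl.SSLContext:
    """Recommended: verifies the chain against trusted CAs and the hostname."""
    return ssl.create_default_context()


def anonymous_style_client_context() -> ssl.SSLContext:
    """Weak: skips server authentication entirely, so a spoofed server goes
    undetected.  Shown only to make the difference visible."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print(hostname_matches("https://www.example.test/login", CERT_SAN))     # True
    print(hostname_matches("https://v1.api.example.test/", CERT_SAN))       # True
    print(hostname_matches("https://evil.example.test/", CERT_SAN))         # False
    print(context_authenticates_server(strict_client_context()))            # True
    print(context_authenticates_server(anonymous_style_client_context()))   # False
```

The wildcard rule is deliberately narrow: `*.api.example.test` matches `v1.api.example.test` but not `a.b.api.example.test`, so a certificate for one subdomain level cannot be reused further down the tree. `context_authenticates_server` is the check to run on any client context before trusting it; a context where either `check_hostname` is off or `verify_mode` is `CERT_NONE` offers only the anonymous-mode guarantees described above.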