Download PDF SSL and TLS Designing and Building Secure Systems Eric Rescorla 0785342615982 Books


SSL and TLS Designing and Building Secure Systems Eric Rescorla 0785342615982 Books Reviews
- Book is old, but still does a good job discussing SSL and TLS. Definitely worth your time and money if you have an interest in (or need to know) this topic.
- This book has a good overview and considerable detail on its subject. The book is technically out of date, but can be purchased used at a very low price, and still provides most of the information most people would need.
- Love this book!
- This is a great book. Well written, good diagrams, very good overview as well as detailed data dump of the protocol. I highly recommend.
- "SSL and TLS" is an excellent introduction of what the issues are that drive the need for security and cryptography. Eric explains the issues concisely and in an interesting way, then shows how SSL/TLS address the needs. For one who needs to know what this area is all about before being thrown into a programming project, this is a great resource.
- Great book.
- I fully agree with the negative reviews; this book is not clearly written and the author fails miserably at producing a clear and usable technical explanation of the protocols. For instance, header field sizes are never mentioned. On top of that, the book is now 10 years old and is badly obsolete. Can in no way be recommended as a result.
- I was very, very impressed by this book. The author clearly knows what he's talking about (he's also the author of several RFCs, including RFC 2818 that specifies HTTPS). He knows SSL inside and out, and after reading this book, you will, too. This book examines SSL mainly from an implementor's/programmer's perspective (and includes code samples that integrate with OpenSSL and the author's own "PureTLS" library for Java). Aside from just specifying the details of SSL as well as the details of how it's integrated with HTTP and SMTP as case studies, the author goes into fine detail on the pitfalls of SSL, what it's good at, what it's not so good at, how it could be improved, and why certain hard-to-understand features exist.
I have only two complaints about this book. The first is that there is almost zero discussion on certificates. Although certificates are one of the most complex aspects of SSL (which relies heavily on them), this 400+ page book dedicates less than 10 pages to discussing certificates. Surely he could have sacrificed a few of the 40 pages he devoted to in-depth SSL performance statistics (does anybody really need that much detail?) to talk about how certificates are represented in SSL? He talks a bit about certificates, but in a fairly abstract way - you'll walk away knowing that they exist, and that you should a) check their distinguished name against the server domain name and b) limit your certificate chain depth to 1, but you won't really know how to do either of those things.
The second is that he uses an (excellent) tool he wrote called 'ssldump' (similar to tcpdump) to show details on SSL's wire-level record formats, but doesn't go into any detail about how he got the tool to generate the displays in the book. I still can't figure out, for example, how to get ssldump to show the contents of a certificate (I can get it in hex format, but he shows it parsed in the book), or how to determine the private key from my own self-signed certificates to use for decrypting the output even after reading the (sparse) documentation provided with ssldump. A bit of detail on how the illustrations were generated would have been nice (perhaps even with samples of the openssl s_client and s_server programs used).
Still, the book was excellent, and I can't imagine a better overview of SSL/TLS. I've slogged my way through RFC 2246 and come away with a muddied understanding of what SSL is all about - but after having read this book, I'm troubleshooting SSL problems from Apache logs.