SSL and TLS (thing)
Return to SSL and TLS (thing)
SSL and TLS is a pretty specialized book - it covers how to implement and use the network security protocols SSL and TLS (which are essentially the same thing, actually) to help provide confidentiality, integrity, and [non-repudiation] though judicious use of [cryptography]. The author, Eric Rescorla, is co-chair of the [IETF|IETF's] TLS [working group] (in addition to being a member of the [Internet Architecture Board]), and has implemented the SSL/TLS protocol at least twice, so he knows the area pretty darn well.
The book is an excellent companion to the [RFC|RFCs] which describe the protocol, though at points it really seems like Eric just copied and pasted from the TLS specification ([RFC 2246]), especially in the protocol description, and added various annotations useful to implementors. That said, those annotations proved extremely useful when I was implementing the SSL protocol. However, not many people are actually going to be doing that, and the sections on coding using SSL libraries (his examples use [OpenSSL] and Eric's own Java implementation, [PureTLS]), and using HTTP/SMTP over TLS are pretty light in comparison to other books out there that focus exclusively on the topic. Your average system admin doesn't need to understand a whole lot in order to, say, enable TLS on a [Postfix] server, or [HTTPS] on [Apache], and what they need to know is going to be in the product documentation, not this book. The section on performance does have some good hints, but, again, unless you're an implementor (or someone willing to hack changes into a copy of your favored SSL library), they aren't of much practical value.
While it may provide a useful reference to those implementing SSL-based systems, or just anyone who is curious about how SSL/TLS works, at $45 I would have been happier with either a shorter (and cheaper) book that just covered implementation issues, or a book of the same size and price that removed the "applications" sections towards the end, and provided more implementation help. In particular, there are several common [design patterns] that occur in SSL implementations that have never really been documented, and end up either being rediscovered or reverse engineered from other implementations again and again; I would have liked to see those included.
Table of contents: