1 of 1 people found the following review helpful
4.0 out of 5 stars
Worth reading, Nov 28 2011
By Murdoch - Published on Amazon.com
This review is from: SSL and TLS: Theory and Practice (Hardcover)
Definitely worth reading, but you should be aware precisely what it is you are buying. This is an in-depth look at the SSL and TLS protocols -- their history, ideology, and function. Related topics are discussed only briefly. For example, if you are buying this book because you want to be an expert on SSL certificates, you may be slightly disappointed to learn that the subject is treated in only one chapter, at the end of the book. You will get a good foundational understanding of why certificates are important, and some details about how they work, but little will be said about practical subjects, such as how you create them, where you get them signed, what products are the best, and so forth. Likewise, the book purposefully avoids discussing details about specific implementations of SSL; so you won't learn much, for example, about the capabilities of various Web browsers, or how to set up OpenSSL on your Linux server.
Having said that, this book provides a very detailed description of the protocols, so you will gain a good working knowledge of all the terminology, as well as what happens during the actual encryption and authentication. This will give you a good conceptual context for reading elsewhere about subjects such as encryption cyphers, authentication procedures, HTTPS security, and SSL exploits.
The buyer should be aware that the author has a rather dry and condensed writing style, and that a lot of material in the book is couched in mathematical language. In chapter 2 especially, the basics of cryptography are explained almost entirely in set notation and are illustrated with austere block diagrams that really do not illustrate much. The author is also fond of overusing a number of quaint phrases: for example, he will frequently write "It goes without saying..." completed by some statement that you would never have known if he had not said it.
4.0 out of 5 stars
Great introduction to security, Nov 16 2011
By David Barri - Published on Amazon.com
This book was pretty good. I knew next to nothing about cryptography or security when I started and now I feel I could implement SSL, TLS and half the crypto algorithms from scratch if I wanted to (albeit with Wikipedia as a reference).
The good:
* It gives a good overview on the theoretical side and an insight into the minds of people who focus on security primarily (as opposed to techies like me who thought security summed up to picking an encryption method and off you go). This new perspective will change the way I do future designs.
* Great introduction into the world of cryptography. Covers many popular algorithms in use today.
* Covered SSL and TLS well and in detail.
* Practical examples with real data! Interesting algorithms are walked through step-by-step with real numbers. The raw bytes of an SSL conversation are demonstrated and dissected. Brilliant!
The bad:
* Most concepts and terms are covered before being used but there are a handful that are explained chapters after being used, or just not explained (I noted 6 that stumped me).
* Presentation is a little odd and confusing at times. Diagrams in the wrong sections etc.
* Too much of a good thing with detail. I skimmed a lot of Ch 5 for example because it got to the point where it's stuff you only need to know if you're going to implement TLS from scratch, and a lot of information is repeated from Ch 4.
Overall, great read. Served me well.
1 of 8 people found the following review helpful
5.0 out of 5 stars
A powerful technical survey any programmer's library needs, April 19 2010
By Midwest Book Review - Published on Amazon.com
SSL and TLS Theory and Practice is a pick for any college-level computer library strong in Internet security. It provides a basic and thorough introduction to SSL and TLS protocols, covering their design, development, and comparing them to other Internet security protocols. Tips on how to employ these and configure security solutions make for a powerful technical survey any programmer's library needs.