REVIEW - Network Security with OpenSSL - Cryptography for Secure Communications

Title:

Network Security with OpenSSL - Cryptography for Secure Communications

Author:

John Viega, Matt Messier, Pravir Chandra

ISBN:

9780596551971

Publisher:

O'Reilly (2002)

Pages:

386pp

Reviewer:

Christoph Ludwig

Reviewed:

February 2003

Rating:

★★☆☆☆

All programs that use network resources are potential objects of snooping, tampering, or other attacks. Even if you are familiar with cryptology, chances are your programs won't withstand sophisticated attacks unless you rely on established protocols like SSL and its successor TLS. OpenSSL is a highly regarded C implementation of these protocols. Unfortunately, there are plenty of subtle traps when using OpenSSL, giving you a false sense of security. 'Network Security with OpenSSL' aims to show you how to avoid such pitfalls.

It presumes that the reader already has a rough understanding of modern cryptology. The explanations given are too vague to serve as more than a reminder. The authors explicitly avoid the details since they do not have an immediate impact on the use of OpenSSL. They may have a valid point here, but I miss a comprehensive commented bibliography that allows the reader to look up details or further information.

The book does not explain the design of OpenSSL or give a complete reference of all available C functions. It's rather like a cookbook; it shows how to perform certain tasks like setting up an SSL connection with proper authentication of client and server or how to correctly use message authentication codes. However, simply adapting examples when developing security-relevant parts of a program leaves an uneasy feeling. A more complete discussion of all possible options and how different parts of OpenSSL interact would have been helpful.

There are more or less complete OpenSSL bindings to other languages like Perl, Python and PHP. The book dedicates one chapter to these bindings, but I doubt whether 24 pages suffice to cover everything that you need to know in order to make efficient use of OpenSSL from other languages.

In summary, if you are going to use OpenSSL, then I recommend you have a look into this book. It will give you a good starting point, at least. However, it won't serve as your only reference; you will have to dig through the documentation shipping with OpenSSL and some textbook on cryptology anyway.


Book cover image courtesy of Open Library.