Thanks to Google and Facebook, awareness of Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL) encryption technology, is now fairly high. In fact, adoption of TLS/SSL is so high among clients and Web servers that IT organizations are now starting to adopt TLS/SSL to secure communications between servers.
This week, Varnish Software moved to make it easier to add TLS/SSL encryption to a website by embedding support for it in Varnish Plus, the enterprise-class edition of its open source Web caching software.
Varnish CTO Per Buer says rather than forcing IT organizations to add TLS/SSL encryption from a third-party vendor, Varnish decided to include TLS/SSL support for both clients and servers in Varnish Plus. The goal is not only to make it simpler to deploy TLS/SSL, says Buer, but also to reduce the number of vendors that IT organizations actually must engage. Buer says that the client edition of the TLS/SSL code is part of the core open source offering, but the company is charging for the server-side implementation as part of Varnish Plus.
While TLS/SSL represents a security advance, Buer notes that because of its complexity, it’s easy to misconfigure. As a result, a website that deploys TLS/SSL might wind up actually being less secure than one that simply uses plain text to exchange data. The reason for that, says Buer, is that kits to hack TLS/SSL have already been developed, whereas plain text has the benefit of not being specifically targeted by a particular exploit.
In fact, Buer notes that even when TLS/SSL is present, it’s not too hard to figure out what content is being exchanged from the metadata being generated. Of course, there’s no such thing as perfect security, and Buer is not advocating that IT organizations shouldn’t use TLS/SSL. It’s just that in its current form, TLS/SSL encryption adds security at a fairly steep cost in terms of what it takes to configure it properly.