I've heard people say that SSL "sits" between the network layer and application layer? What does that mean?
This is a very good question, and I think the best way to answer it is to start by examining the purpose of a protocol. In the computing world, a protocol is a set of rules governing how data is transferred between two endpoints. The rules cover the syntax, semantics and synchronization of connection, communication and actual data exchange. Most communications and networking protocols don't function in isolation, however. They are layered together in what's called a protocol stack, a specific combination of protocols that work together, where each protocol in the stack performs specialized tasks.
Secure Sockets Layer, or SSL, is a standards-based cryptographic protocol that offers encryption and authentication services. It is widely used to provide secure communications over the Internet. By far the most common use of SSL is within Web browsers via an application-protocol hybrid known as HTTPS. SSL, however, is a transparent protocol, basically invisible to the user, and it is available to any TCP/IP-based application.
As you can imagine, trying to ensure that a protocol stack can actually fulfill its intended role, and that the different protocols all work together, is very complex. Various models have been developed to help engineers conceptualize protocol stacks, and each provides an abstract description of how network protocols should work. The OSI (Open Systems Interconnection) model is probably the best known and uses seven layers to group the services that a protocol can offer. An earlier model, the TCP/IP model, uses four or five layers. The layers near the top of both models are logically closer to the user, while those near the bottom are logically closer to the physical transmission of the data.
Under the OSI model, the application layer, Layer 7, performs common application services for the application processes; the network layer, Layer 3, solves the problem of getting packets from one place to another across a network. The SSL protocol is quite unusual, as it doesn't just operate at one layer. SSL is neither a network layer protocol nor an application layer protocol. It is one that "sits" between both layers.
Because of its position, SSL gives client machines the ability to selectively apply security protection to individual applications, rather than imposing encryption on an entire group of applications. This can be done without involving Layer 3, the network layer. For these reasons, when SSL is used for encrypting network traffic, only the application layer data is actually encrypted. This differs from, say, the IPsec protocol, which operates at the network layer and encrypts all traffic data right down to the IP layer.
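As an added illustration of the contrast the answer draws (example code, not part of the original Q&A), the Python below builds two constructed packets and dissects what a Layer 3 observer can read from each without any keys: with SSL/TLS over TCP, the IP header, the TCP header and the TLS record framing stay in the clear and only the application data is ciphertext; with IPsec ESP, everything above the IP header, the TCP header included, is hidden. Addresses, ports, the SPI and the "ciphertext" bytes are all made up for the example.

```python
import struct
import ipaddress

# Constructed sample data (not a real capture). OPAQUE stands in for ciphertext.
OPAQUE = bytes.fromhex("9f3a77c1e20b55d84a198e2b4cf091a7d3655e1c0b9a4477f2d8")

def ipv4_header(proto, payload_len, src="192.168.1.2", dst="203.0.113.10"):
    # Minimal IPv4 header: no options, checksum left at zero (made-up addresses).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

# SSL/TLS case: IP -> TCP (port 443) -> TLS record header -> encrypted application data.
TLS_RECORD = struct.pack("!BHH", 23, 0x0303, len(OPAQUE)) + OPAQUE   # 23 = application_data
TCP_HEADER = struct.pack("!HHIIBBHHH", 54321, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
TLS_OVER_TCP = ipv4_header(6, len(TCP_HEADER) + len(TLS_RECORD)) + TCP_HEADER + TLS_RECORD

# IPsec case: IP -> ESP (SPI, sequence) -> ciphertext hiding the TCP header *and* the data.
ESP_HEADER = struct.pack("!II", 0x1000, 1)
IPSEC_ESP = ipv4_header(50, len(ESP_HEADER) + len(OPAQUE)) + ESP_HEADER + OPAQUE

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def dissect_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": proto, "payload": pkt[ihl:total_len]}

def dissect_tcp_tls(segment):  # ports, flags and TLS record framing are all readable on the wire
    sport, dport = struct.unpack("!HH", segment[:4])
    data_off = (segment[12] >> 4) * 4
    ctype, version, rlen = struct.unpack("!BHH", segment[data_off:data_off + 5])
    return {"sport": sport, "dport": dport, "tls_type": TLS_CONTENT_TYPES.get(ctype, "unknown"),
            "tls_record_version": f"{version >> 8}.{version & 0xFF}",  # 3.3 = TLS 1.2 framing
            "ciphertext_len": rlen}

def dissect_esp(payload):  # only SPI and sequence number are in the clear
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "ciphertext_len": len(payload) - 8}

def what_the_network_sees(pkt):
    """Fields a Layer 3 observer (router, IDS tap) can read without any keys."""
    ip = dissect_ipv4(pkt)
    visible = {"src": ip["src"], "dst": ip["dst"], "ip_proto": ip["proto"]}
    if ip["proto"] == 6:       # TCP carrying TLS: transport header and TLS framing visible
        visible.update(dissect_tcp_tls(ip["payload"]))
    elif ip["proto"] == 50:    # ESP: nothing above the IP header is visible
        visible.update(dissect_esp(ip["payload"]))
    return visible
```

Running `what_the_network_sees` on both constants shows the port 443 and `application_data` record type for the TLS packet, while the ESP packet yields only the SPI, the sequence number and an opaque length.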
Related Q&A from Michael Cobb