Transport Layer Security

By Randall Degges

Any discussion of API security, and more broadly security online, has to start with an understanding of Transport Layer Security (TLS) and its cryptographic underpinnings. Transport security adds privacy and integrity for messages between two parties. In common usage, it's the ability to transmit data over a network without exposing that data to untrusted third parties.

Transport security is critical to modern internet infrastructure, where machines on the public internet exchange sensitive data such as passwords, personal information, financial transactions and classified material. Without efficient and effective transport security, these transactions would be tedious or impossible to complete over a shared network.

The rest of this book dives into detail about best practices for securing your APIs. This chapter focuses on the necessary first step of being able to communicate securely over a network. We'll also cover common pitfalls and best practices for securing your data in transit.

• A Brief History of Secure Data Transport
• How Key Exchange Works Today
• Acronym Party: HTTPS/SSL/TLS
• Establishing a SSL/TLS Session
• Exposed Data over SSL/TLS
• Server Certificates
• Certificate Verification
• Best Practices
• SSL Rating