SSL is a Concrete Sewer Pipe

Andrew Jaquith · Jan 03, 2007 · 1 min read

My buddy Gunnar Peterson has recently been raging about the inadequacies of REST security, pointing out that RESTful folks who equate transport-level confidentiality (such as SSL provides) with “security” are only partly right. Gunnar makes some fairly involved references (Neal Stephenson) to make the point.

Of course, Gunnar is right.

When I speak with people about application security, I try to use a few snappy analogies to drive the point home. And with respect to the difference between transport-level security and message-level security, the analogy I use is to compare SSL to a concrete sewer pipe. You may not be able to break into it, but you sure as hell have no idea what’s flowing through it.
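The transport-versus-message distinction above, as an added example that is not part of the original post: a message-level HMAC check in Python that the receiver applies to the message itself, regardless of what the pipe did. The key, the field names and the `intermediary_rewrites` helper are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key held only by the two endpoints; hops in between never see it.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(payload: dict) -> bytes:
    """Serialize deterministically so both ends MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(key: bytes, payload: dict) -> dict:
    """Sender: wrap the payload in an envelope carrying an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def verify_message(key: bytes, envelope: dict) -> dict:
    """Receiver: return the payload only if the tag matches, otherwise raise."""
    payload, tag = envelope.get("payload"), envelope.get("mac")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        raise ValueError("malformed envelope")
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    if not hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8")):
        raise ValueError("message authentication failed")
    return payload


def intermediary_rewrites(envelope: dict) -> dict:
    """Stand-in for a hop where the SSL session ended (proxy, gateway, queue)."""
    changed = json.loads(json.dumps(envelope))  # deep copy of the envelope
    changed["payload"]["amount"] = 9999  # the pipe delivers this just as happily
    return changed


def demo() -> tuple:
    """Return (payload accepted when intact, whether the rewritten copy was accepted)."""
    sent = sign_message(DEMO_KEY, {"account": "constructed-001", "amount": 10})
    intact = verify_message(DEMO_KEY, sent)
    try:
        verify_message(DEMO_KEY, intermediary_rewrites(sent))
        return intact, True
    except ValueError:
        return intact, False
```

An HMAC tag covers integrity and origin only; confidentiality of the message body beyond the transport hop would need message-level encryption as well.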

I’m Andrew Jaquith, a Managing Director in financial services. I have worked for JP Morgan Chase and Goldman Sachs. Previously, I was CTO of SilverSky, and a former analyst with Forrester and Yankee Group. My interests include security and risk, anything data-related, app development, visualization, good writing and spirited discussion.