Application Layer Containment

In a typical web server environment, web content that is delivered over an HTTPS connection travels through several layers of software before it is encrypted. These layers may contain compromised or outdated software, and this has led to real-world vulnerabilities on public web sites.

The image below is a simplified illustration of the path that web content travels on a web server using traditional TLS/SSL. The red sections indicate which layers have access to content before it is encrypted, the yellow section is the layer in which the encryption is applied, and the green sections indicate that the content has been encrypted.

Without Application Layer Containment


Dual SSL implements a new technique called Application Layer Containment to encrypt content soon after it is generated. The dynamic key generated by Dual SSL is encrypted inside the main library, and then it is decrypted inside the Dual SSL Key Server software. This changes the content path to something like this:

With Application Layer Containment
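
An added sketch of the containment idea described above, not Dual SSL's code or protocol: it assumes the dynamic key is a per-response AES-256-GCM key wrapped with an RSA public key held for the key server, which the page does not specify. The function names, key pair and sample content are hypothetical and constructed for the example.

```php
<?php
// Added illustration (not Dual SSL code): generic envelope encryption with ext-openssl.
// Constructed RSA key pair standing in for a key server's key, generated inline.
$serverKey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
if ($serverKey === false) {
    exit("openssl_pkey_new failed: check the OpenSSL configuration\n");
}
$serverPub = openssl_pkey_get_details($serverKey)['key'];

// Application side: encrypt the body right after it is generated, then wrap the key.
function seal_response(string $body, string $pubPem): array
{
    $key = random_bytes(32);   // fresh content key for this response (assumed design)
    $iv  = random_bytes(12);   // 96-bit GCM nonce, never reused with the same key
    $tag = '';
    $ct  = openssl_encrypt($body, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false || !openssl_public_encrypt($key, $wrapped, $pubPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('sealing failed');
    }
    return array_map('base64_encode', ['k' => $wrapped, 'iv' => $iv, 'tag' => $tag, 'ct' => $ct]);
}

// Key server side (hypothetical helper): the only place the content key is recovered.
function unwrap_key(string $wrappedB64, $privKey): string
{
    if (!openssl_private_decrypt(base64_decode($wrappedB64), $key, $privKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('key unwrap failed');
    }
    return $key;
}

// Recipient side: GCM authenticates the ciphertext; openssl_decrypt returns false on tampering.
function open_response(array $env, string $key)
{
    [$iv, $tag, $ct] = array_map('base64_decode', [$env['iv'], $env['tag'], $env['ct']]);
    return openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
}

$body = '<p>Account balance: 1,024.00</p>';   // constructed sample content
$env  = seal_response($body, $serverPub);      // the envelope is all that lower layers handle
var_dump(strpos(base64_decode($env['ct']), 'Account balance') === false); // plaintext not in ciphertext?

$key = unwrap_key($env['k'], $serverKey);
var_dump(open_response($env, $key) === $body); // does the round trip recover the body?

$raw = base64_decode($env['ct']);
$raw[0] = $raw[0] ^ "\x01";                    // simulate a lower layer altering one bit
$bad = ['ct' => base64_encode($raw)] + $env;
var_dump(open_response($bad, $key) === false); // is the altered ciphertext rejected?
```

The containment boundary is only as strong as the process that holds the plaintext and the content key: anything that can read the application's memory before `seal_response` runs still sees the content.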


The concept can be taken even further by encoding both the web script and the Dual SSL library into bytecode. I believe the ionCube Encoder is well-suited for this purpose. Since this encoder was developed to protect PHP-based web scripts from piracy, it is designed to protect the inner workings of PHP code from malicious users who may have full access to the web server's OS, or even physical access to the server itself. Assuming the encoding technology is secure, it is theoretically possible to achieve Full Application Layer Containment as illustrated below.

With Full Application Layer Containment


Please keep in mind that while you are permitted to use encoding on the Dual SSL library for your own use, you may only distribute the files in a way that is compliant with the license.


© 2015 Josh Abbott. All rights reserved.