Black Hat Physical Device Security: Exploiting Hardware and Software

Secure Communication

Secure communication doesn't just mean the use of cryptography during data transmission. To have completely secure communication, several steps must be performed, and in a specific order. The use of these methods ensures that a significant majority of hackers will not even be able to scratch the surface of your applications without your knowing about it.

Establishing a Secure Session

A secure session is one that uses cryptography and other monitoring and mitigation processes so that the session leaks no information and both the server and the client are protected from any exposure. Because we can't assert any of the protocol-level information, we must perform identification, authentication, and all other access-level decisions on the information that exists at the application level. All of the protocol-level information should be logged for auditing purposes, but it cannot be asserted.

If an untrusted network is used, hackers will see, and currently are seeing, the packets, and they are actively attempting to hack both the client and the server at the system and application levels. It is always important to protect against the worst case.
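The rule above (log protocol-level information, but decide access only on application-level information) can be sketched as follows. This is an added example, not code from the book; the names `issue_token`, `verify_token`, `handle_request`, `SERVER_KEY` and the `user|session|tag` token format are hypothetical, and token expiry is left out to keep the sketch short.

```python
import hashlib
import hmac
import logging

audit = logging.getLogger("audit")

# Constructed demo key (assumption); a real service loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def _tag(user: str, session_id: str) -> str:
    msg = f"{user}|{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(user: str, session_id: str) -> str:
    """Application-level credential: user and session id bound by an HMAC tag."""
    return f"{user}|{session_id}|{_tag(user, session_id)}"

def verify_token(token: str):
    """Return the authenticated user, or None if the token is malformed or forged."""
    parts = token.split("|")
    if len(parts) != 3:
        return None  # fail closed on anything that is not user|session|tag
    user, session_id, tag = parts
    expected = _tag(user, session_id)
    # Compare as bytes in constant time; non-ASCII input must not raise.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return user if ok else None

def handle_request(peer_ip: str, peer_port: int, token: str) -> dict:
    """Decide access from the application-level token only.

    peer_ip and peer_port are protocol-level values: they are recorded
    for audit and never consulted for identification or authorization.
    """
    user = verify_token(token)
    decision = "allow" if user else "deny"
    audit.info("peer=%s:%d user=%s decision=%s", peer_ip, peer_port, user, decision)
    return {"decision": decision, "user": user}
```

A request arriving from a familiar-looking address with a forged token is denied, and one from an unfamiliar address with a valid token is allowed; in both cases the address appears only in the audit record.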

SSL and TLS

SSL and TLS are protocols that encrypt the data part of a TCP packet. These application-level protocols were engineered to slap a band-aid onto HTTP communication that by default is absolutely insecure and offers no information security.

Here's how SSL and Web-based secure tunneling work:

  1. The client connects to the server.

  2. The server then sends the server's certificate to the client (the certificate should
