...
MSC00-EX0: Because of the mechanisms that SSLSockets provide to ensure the secure transfer of packets, significant performance overhead may result. Regular sockets are sufficient if:
- The data being sent over the socket is not sensitive.
- The data is sensitive but properly encrypted. See SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary for more information.
- The network path of the socket never crosses a trust boundary. This could happen if, for example, the two endpoints of the socket are within a local network and the entire network is trusted.
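As an added illustration (not code from the CERT page), the following Java class encodes the three MSC00-EX0 conditions as a single decision and, when none of them holds, opens an SSLSocket instead of a plain Socket. It also shows the client-side setting that makes the SSLSocket verify the server's identity, since a bare SSLSocket validates the certificate chain but not the host name. The class, method and parameter names (SocketChooser, plainSocketSufficient, open, dataIsSensitive, alreadyEncrypted, crossesTrustBoundary) and the placeholder host are assumptions of this example.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the CERT page): picks a plain Socket or an SSLSocket
 * according to the MSC00-EX0 conditions. Names are hypothetical.
 */
public final class SocketChooser {

    /**
     * Returns true when MSC00-EX0 permits a regular socket: the data is not
     * sensitive, or it is already encrypted (sealed per SER02-J) before it
     * reaches the socket, or the path never leaves the trusted network.
     */
    public static boolean plainSocketSufficient(boolean dataIsSensitive,
                                                boolean alreadyEncrypted,
                                                boolean crossesTrustBoundary) {
        return !dataIsSensitive || alreadyEncrypted || !crossesTrustBoundary;
    }

    /** Opens the cheapest socket type that is still safe for this transfer. */
    public static Socket open(String host, int port,
                              boolean dataIsSensitive,
                              boolean alreadyEncrypted,
                              boolean crossesTrustBoundary) throws IOException {
        if (plainSocketSufficient(dataIsSensitive, alreadyEncrypted, crossesTrustBoundary)) {
            return new Socket(host, port); // no TLS overhead needed here
        }
        return openSslSocket(host, port);
    }

    /** Opens an SSLSocket that checks the peer's certificate against the host name. */
    static SSLSocket openSslSocket(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        // By default an SSLSocket validates the certificate chain only; enabling
        // endpoint identification makes JSSE also match the certificate to the host name.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        // Complete the handshake now so a failed validation surfaces before any
        // application data is written to the stream.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host for the example; pass a real one on the command line.
        String host = args.length > 0 ? args[0] : "server.example";
        // Sensitive, not pre-encrypted, crossing a trust boundary: must use SSLSocket.
        try (Socket s = open(host, 443, true, false, true)) {
            System.out.println("Connected using " + s.getClass().getSimpleName());
        }
    }
}
```

The decision method is kept separate from the socket construction so that the "which data is sensitive" judgement, which the page notes cannot be computed statically, is made explicitly by the caller rather than buried in I/O code.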
...
The general case of automated detection appears to be infeasible, because determining which specific data may be passed through the socket is not statically computable. An approach that introduces a custom API for passing sensitive data via secure sockets may be feasible; user tagging of sensitive data would be required for such an approach.
Related Guidelines
CWE ID 311, "Failure to Encrypt Sensitive Data"
...
...