
...
MSC00-EX0: Because of the mechanisms that SSLSocket provides to ensure the secure transfer of packets, significant performance overhead may result. Regular sockets are sufficient if:
- The data being sent over the socket is not sensitive.
- The data is sensitive, but properly encrypted. See SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary for more information.
- The network path of the socket never crosses a trust boundary. This could happen if, for example, the two endpoints of the socket are within a local network and the entire network is trusted.
...
The general case of automated detection appears to be infeasible because determining which specific data may be passed through the socket is not statically computable. An approach that introduces a custom API for passing sensitive data via secure sockets may be feasible. User tagging of sensitive data would be a necessary requirement for such an approach.
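A sketch of the tagging approach described above, as an added example that is not part of the original guideline. `TaggedSend`, `Sensitive` and `GuardedChannel` are hypothetical names, and the check covers only the transport type; it assumes the second and third MSC00-EX0 cases (data that is already encrypted, or a fully trusted network) are handled by not tagging that data.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLSocket;

/** Hypothetical tagging API: the names are illustrative, not from any library. */
public class TaggedSend {
    /** User-applied tag marking a value as sensitive. */
    static final class Sensitive {
        private final byte[] value;
        Sensitive(String s) { value = s.getBytes(StandardCharsets.UTF_8); }
        @Override public String toString() { return "<redacted>"; } // keep out of logs
    }

    /** Wraps a socket and is the only path by which data is written to it. */
    static final class GuardedChannel {
        private final Socket socket;
        GuardedChannel(Socket socket) { this.socket = socket; }
        /** Untagged data may use any socket (first case of MSC00-EX0). */
        void send(String data) throws IOException {
            write(data.getBytes(StandardCharsets.UTF_8));
        }
        /** Tagged data is refused unless the transport is an SSLSocket. */
        void send(Sensitive data) throws IOException {
            if (!(socket instanceof SSLSocket)) {
                throw new IllegalStateException("sensitive data requires an SSLSocket");
            }
            write(data.value);
        }
        private void write(byte[] bytes) throws IOException {
            OutputStream out = socket.getOutputStream();
            out.write(bytes);
            out.flush();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: an unconnected plain Socket, so nothing touches the network.
        try (Socket plain = new Socket()) {
            GuardedChannel ch = new GuardedChannel(plain);
            try {
                ch.send(new Sensitive("constructed-secret"));
            } catch (IllegalStateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The `instanceof SSLSocket` test establishes only that TLS is in use; protocol versions, cipher suites and hostname verification still have to be configured on the `SSLSocket` itself. Because the check runs at the send call, a reviewer or a simple static rule can look for raw `getOutputStream()` calls outside `GuardedChannel` rather than trying to trace data flow.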
Related Guidelines
CWE-311, "Failure to Encrypt Sensitive Data"
...
[API 2006]
[Gong 2003] 11.3.3 "Securing RMI Communications"
[Ware 2008]
...