Frequently Asked Questions

Insufficient Transport Layer Protection

Last Updated: June 1, 2011 3:46 PM

Sensitive data, such as credit card numbers or other personal information, must be secured with strong encryption during transit from a visitor's browser to the Web server. If the data isn't encrypted, a malicious user might intercept and view the information.

SSL certificates help prevent insufficient transport layer protection by encrypting data in transit into a format that can only be deciphered with the correct decryption key, which is installed on the website.

For example, the site coolexample.com uses an SSL certificate to secure the primary log-in page, but does not use SSL to secure all access-restricted pages.

A malicious user monitoring network traffic, such as on an open wireless network, discovers a session cookie with information for coolexample.com's logged-in user.

The malicious user could use this cookie to take over the user's session.

While an SSL certificate helps secure data during transit, sensitive data might still be vulnerable if the certificate isn't installed properly or doesn't cover all sensitive data. Consider securing your entire website with an SSL certificate. If that's not possible, secure all access-restricted pages, as well as cookies or session information that could contain sensitive details.
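To check a site for the gap described in the coolexample.com scenario, the following added example (not part of the original article) audits recorded responses for access-restricted pages served without SSL and for session cookies that lack the Secure attribute, which tells the browser to send the cookie only over encrypted connections. The paths, the cookie name `session`, and the sample responses are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: (requested URL, requires login?, Set-Cookie header values).
# coolexample.com is the article's example site; paths and cookie names are made up.
SAMPLE_RESPONSES = [
    ("https://coolexample.com/login", True,
     ["session=abc123; Path=/; HttpOnly"]),
    ("http://coolexample.com/account", True, []),
    ("https://coolexample.com/orders", True,
     ["session=abc123; Path=/; Secure; HttpOnly"]),
    ("http://coolexample.com/about", False, ["theme=dark; Path=/"]),
]

SESSION_COOKIE_NAMES = {"session"}  # assumption: name of the site's session cookie


def cookie_attributes(set_cookie):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(responses, session_names=SESSION_COOKIE_NAMES):
    """Return findings for restricted pages served without SSL and
    session cookies that a browser would also send over plain HTTP."""
    findings = []
    for url, restricted, set_cookies in responses:
        if restricted and urlsplit(url).scheme != "https":
            findings.append((url, "restricted page served without SSL"))
        for header in set_cookies:
            name, attrs = cookie_attributes(header)
            if name in session_names and "secure" not in attrs:
                findings.append((url, f"cookie '{name}' lacks Secure attribute"))
    return findings


if __name__ == "__main__":
    for url, problem in audit(SAMPLE_RESPONSES):
        print(f"{url}: {problem}")
```

Note that the log-in page is flagged even though it is served over SSL: the cookie it sets would still accompany any later unencrypted request to the same site.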

To learn more about insufficient transport layer protection and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.