SecureBlackbox® - Why use SecureBlackbox
Why would one be interested in using SSL at all? The two main goals are (a) authentication and identification of the parties during data exchange and (b) integrity and security of the information being transferred. One might think that the information sent by one's particular application is of no interest to anyone and that it is not worth bothering to secure it. However, this is not true. Negligence with information security can lead to all sorts of unexpected troubles. So adding SSL support to your network application is a very wise decision.
Currently Windows and Linux together make up 99% of the desktop market and about 95% of the internet server market. So most likely, your application is for Windows or for Linux. What are your choices for SSL support on these platforms? There are several options available. You will find a technical comparison of all of them here. However, a comparison chart is not very intuitive to understand. This is why we have written the following notes …
There are several packages that provide a native SSL implementation. "Native" means that the package implements all encryption, hashing and supplementary algorithms used in SSL/TLS within its own code and doesn't require external libraries (except OS support libraries like libc or kernel32.dll). In fact there are just 4 implementations: CryptoAPI + SChannel, OpenSSL, SecureBlackbox and StrSec II. StrSec II is a Delphi-only solution, so we will look at the other three.
CryptoAPI is a [pseudo-free] library included in Windows. While it does almost all that is necessary (except for some of the newest standards, such as AES or Camellia support in TLS 1), it has several limitations. First of all, CryptoAPI is a famous Microsoft Windows security hole, well known for constant problems. If you encounter a bug in it, there is little chance that the bug will be fixed. And the CryptoAPI library is full of bugs that can spoil your life. For example, CryptoAPI doesn't handle certain valid X.509 certificates used in SSL. Imagine that you get a certificate from a Certificate Authority, and when trying to import it into the system, you get a message about an invalid format. Or another case: you sign a letter with your certificate, and your correspondent can't read the letter because his Outlook Express doesn't recognize the certificate as valid. Or you get an unexpected disconnection of your socket during the SSL handshake … These are real examples of bugs that we encountered and reported to Microsoft, and for which we got no replies. Another problem is that CryptoAPI uses cipher suites in external libraries. This means that you are not guaranteed to have a certain cipher suite on all systems. You might find out that the cipher suites you enabled for your application's SSL connection are not available on the target system and your application won't work (or, even worse, the SSL connection will silently degrade to a non-SSL one). Compared to this, complicated documentation and a badly designed internal structure are minor annoyances.
OpenSSL is another free (and open-source, unlike CryptoAPI) library, available on a number of platforms. OpenSSL is much more stable and secure than CryptoAPI, but it is also not without problems. The two main ones are lack of support from the vendor and complicated documentation and internal structure. As with most open-source projects, OpenSSL doesn't have a single developer who is able to provide qualified support. You can use newsgroups for support, but you are not guaranteed to get an answer. The documentation for OpenSSL needs serious work too (most open-source developers believe that the source is the best documentation). And all delays lead to wasted time and extra expenses.
There's a serious security flaw in using an external DLL for encryption. If you use a DLL, a hacker can easily intercept the unprotected data by hooking the DLL API. Native call linkage is strongly recommended.
The SecureBlackbox license provides free support for the lifetime of the product. The help file (available both offline and online) will answer your immediate questions, and newsgroup and e-mail support will help you in more complex situations.
