
SSL + Additional Layer of Encryption

Posted 2019-03-30 22:43

Question:

I'm wondering what to do in the case of a customer asking for a second layer of encryption on top of SSL?

For example, I have an SSL tunnel, and the customer wants me to then use symmetric key encryption on data flowing through that tunnel. The symmetric key is session-based and sent from the server to the client over the original SSL tunnel.

I am failing to see how this is more secure. If the SSL tunnel is compromised, then in theory, so is the symmetric key that is sent from the server to do the symmetric encryption during the session.

Can anyone offer any different viewpoints on this situation? I'm sure that if there was a shared secret established beforehand (like a one-time password), that this would make things more secure, but since the secret is being passed across the session over SSL, I don't see how it's buying us any extra security.

What are your thoughts, and have you had any similar experience?

Thank you

Answer 1:

Sounds like the "next great idea" of customers who think reading "My first Crypto" empowers them to reinvent the wheel in some fiendishly clever way :)

Such a thing is usually nonsense, even more so because, as you say, the symmetric key is sent along.

However, I can think of one scenario where this might make sense - a lot of large companies or institutions have policies that forbid end-to-end SSL/TLS connections. They terminate incoming TLS at some point in order to be able to scan the plain text data for viruses etc. In such a case it might make sense to additionally encrypt the data on the application level to prevent internal eavesdropping.

But then again you're likely to break internal regulations...
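
An added example, not part of the original question or answer: a standard-library Python model of the two key-delivery options discussed above (session key sent through the tunnel versus a secret established beforehand), as seen by a hop that terminates TLS. The HMAC-SHA256 keystream cipher is a stand-in for a real AEAD such as AES-GCM, and all function names are hypothetical.

```python
# Added illustration; all names are hypothetical, the cipher is a stand-in for AES-GCM.
import hashlib
import hmac
import secrets

def _h(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Keystream from HMAC-SHA256 in counter mode, XORed over the data.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_h(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    # Encrypt-then-MAC with separate derived keys; output = nonce || ct || tag.
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_h(key, b"enc"), nonce, plaintext)
    return nonce + ct + _h(_h(key, b"mac"), nonce + ct)

def unseal(key, blob):
    # Returns the plaintext, or None if the tag does not verify under this key.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _h(_h(key, b"mac"), nonce + ct)):
        return None
    return _xor_stream(_h(key, b"enc"), nonce, ct)

def in_band_session(message):
    # The design in the question: the session key crosses the same tunnel as the data.
    key = secrets.token_bytes(32)
    return [key, seal(key, message)]

def pre_shared_session(psk, message):
    # Only a salt is sent; the key is derived from a secret set up beforehand.
    salt = secrets.token_bytes(16)
    return [salt, seal(_h(psk, salt), message)]

def tls_terminator_view(records):
    # A TLS-terminating hop reads every record, so any record may be the key for another.
    for blob in records:
        for candidate in records:
            plaintext = unseal(candidate, blob)
            if plaintext is not None:
                return plaintext
    return None

def endpoint_with_psk(psk, records):
    return unseal(_h(psk, records[0]), records[1])
```

With the in-band key, the inner layer opens for anything that can read the tunnel; it only holds against a terminating hop when the key never travels through that hop.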