SSL Basics


What is SSL?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are industry-standard protocols used to protect communication over the Internet. TLS and SSL make use of public-key and symmetric cryptography to allow end users to be sure of a web server’s identity, and to keep private all interactions between the end user and the web server. These protocols are most commonly used to provide privacy for sensitive information that end users send to web servers, like passwords or credit card numbers.

TLS and SSL require the web server to have a digital certificate (most often obtained from a Certificate Authority) assigned to it. The initial communication between an end user and a web server is referred to as the “SSL handshake.” In that handshake, the web server sends its certificate to the browser. The browser verifies the validity of the certificate and the legitimacy of the web server. If all is valid, a secure connection is established between the parties. The presence of “https://” in a link or a browser’s address bar means that TLS or SSL is being used. The terms TLS and SSL are often used interchangeably.

What do Certificate Authorities do and why does it matter to me?

A Certificate Authority is a trusted third party whose role is to validate information about a web server, including the server’s domain name, its public key, and optionally the name of the company that runs it. Once this and other information is validated, the CA creates a TLS or SSL certificate with the information and digitally signs it using the CA’s private key. The public keys of many CAs (known as “root certificates”) are embedded in user agent software like browsers, enabling the browser to trust any TLS or SSL certificate that cryptographically chains up to one of those trusted roots.

After web server certificates are issued, CAs provide up-to-date status of those certificates so that if one needs to be revoked for whatever reason, browsers can be alerted to the change. Certificate status information is provided either via Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP).

CAs are an integral part of the trust model used by browsers and web servers, performing validation of web server details on behalf of end users. This model has permitted secure, authenticated Internet communication between billions of users and millions of web sites.

What’s behind the padlock?

When you see the padlock in or next to the browser’s address bar, you can be sure that a comprehensive set of security operations has been successfully performed:

  • The web server sent its TLS or SSL certificate to the browser
  • The browser and web server exchanged information to cryptographically prove that the web server is in fact the one named in the SSL certificate
  • The browser cryptographically verified that the web server’s certificate was indirectly signed by a CA whose root certificate is trusted by the browser
  • The browser verified that the web server’s certificate is valid and unexpired
  • The browser and web server agreed on a cryptographic algorithm and key to use to protect all communication between the parties

You’ll also see “https://” at the beginning of the address in the browser’s address bar. Some browsers display additional information about the organization that owns the web server and the CA that issued its certificate. And if the web server’s certificate is a special Extended Validation (EV) certificate, the browser will usually indicate that by displaying green in the address bar or through other visual cues. That’s your assurance that the owner of the web server has undergone much more extensive validation checks.

If any of these security checks fail, the browser will warn the user, but may allow the user to proceed to the web site.
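The certificate checks in the list above can be reproduced offline with the OpenSSL command line. This is an added example, not part of the original page: it generates a throwaway root CA and server certificate locally, and every name in it (www.example.test, the file names, the helper functions) is constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and hostname here is generated locally.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_root() {            # $1 = file prefix, $2 = subject CN; self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_server_cert() {    # $1 = DNS name; signed by root "ca", valid 7 days
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -days 7 -extfile "$WORK/san.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv.crt" 2>/dev/null
}

# Certificate chains to the given trusted root AND names the requested host.
chain_ok() {             # $1 = trusted root prefix, $2 = expected hostname
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
    "$WORK/srv.crt" >/dev/null 2>&1
}

# Certificate is still within its validity period $1 seconds from now.
unexpired_in() {
  openssl x509 -in "$WORK/srv.crt" -noout -checkend "$1" >/dev/null 2>&1
}

# Public key in the certificate matches the private key in $1.key.
key_matches() {
  [ "$(openssl x509 -in "$WORK/srv.crt" -pubkey -noout)" = \
    "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

report() { if "$@"; then echo "PASS  $*"; else echo "FAIL  $*"; fi; }

make_root ca    "Constructed Test Root"
make_root other "Unrelated Constructed Root"
issue_server_cert www.example.test

report chain_ok ca    www.example.test    # trusted root, correct name
report chain_ok other www.example.test    # root the client does not trust
report chain_ok ca    login.example.test  # trusted root, wrong name
report unexpired_in 0                     # valid right now
report unexpired_in 2592000               # 30 days ahead: 7-day cert has expired
report key_matches srv                    # server holds the matching key
report key_matches other                  # someone else's key does not match
```

The key agreement step and revocation status (CRL or OCSP) are outside what this sketch covers.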

Note that if you see a padlock somewhere in the web page itself, you can’t be sure that your connection is protected by TLS or SSL. Many sites add such graphics to appear more trustworthy, but that graphic (like all other graphics in the web page) is not based on the security of your connection.