What is SSL?
Disclaimer: We think it highly unlikely that most visitors to our website will need the information below. Come on, you all know what an SSL certificate is all about or you wouldn't be coming to buy one. However, just in case you are mentoring some poor new soul OR if you want to impress your boss with your ability to communicate complex technical items in language that bosses will understand, we have you covered.
SSL and its cousin TLS are two similar tools (actually, the formal term is "protocol", but remember that we want this to be simple) used to protect all of us from the dangers inherent in the structure of the Internet.
SSL stands for Secure Sockets Layer, while TLS stands for Transport Layer Security. You may see the two terms used interchangeably or even together (i.e. TLS/SSL).
The Internet Engineering Task Force ("IETF") used SSL 3.0 as the foundation for developing TLS v1.0, so the two have many commonalities. The main difference between the two is that SSL assumes a secure starting point on the website's server, while TLS assumes that everything is insecure until something called a "handshake" has been completed. For purposes of this discussion, we are focusing on SSL, but both approaches provide equal levels of security.
So how does the SSL protocol protect us?
Essentially, using SSL ensures the following two things:
- That the website you are connecting to is the one that you think it is/want it to be (i.e. your bank and not a fake site set up by those people who never seem to be able to spell things correctly); and
- That whatever you are sending to or receiving from that website is protected while in transit (i.e. nobody can see the credit card information you have entered to pay for that Maserati).
Having those two levels of assurance provides benefits from two different perspectives:
- Companies that want to have an online presence can do so in a way that protects their brand while also providing their end customers with a secure communication pipe between the customer's browser and the company's website.
- End customers benefit because they know that the information they are sharing with an SSL-protected website is contained within the secure pipe, safe from the random hackers or other nasty elements that could view or steal that data if the end customer was not interacting with an SSL-protected site.
How do you know that SSL is being used to protect you while you are online?
The full answer depends on your browser and on the type of SSL certificate being used, but two things are constant:
- The URL will always begin with https:// rather than http://; and
- You will always see a happy little lock at the far right of the address window on the top of your browser.
While secure communication channels are not something that is necessary if one is just viewing a website, when financial or personal information is being exchanged, it is better for both the company and its end customers to protect the information being exchanged. SSL makes that happen.
So how does SSL work? How do SSL certificates fit into the picture?
To understand SSL, we have to start with a quick snapshot of a secret sauce used to protect lots of things: cryptography.
Everyone is familiar with cryptography (you had a magic decoder ring when you were a kid, didn't you?), though maybe not in the way that it is used for securing communications on the Internet.
Essentially, cryptography is the science of scrambling things or locking them so that only the intended recipient of a message or data can unscramble or unlock them.
Cryptography has been around for centuries, using different ciphers ranging from simple things like substituting a number for a letter to the more complex forms of ciphers that are used today.
The initial scrambling or locking of the message or data is called "encrypting", while the unscrambling or unlocking is called "decrypting". The item used to encrypt or decrypt the message or data is a "key".
The types of keys used vary, as do the algorithms used to scramble the data. The most important thing to remember, however, is that SSL is based on the use of Public Key Cryptography.
This means that every entity that is going to be identified in the SSL space will be given two keys: a) one that is Public and that will be shared, well, publicly; and b) one that is Private and that will only be known by the identified entity. This is where the SSL Certificate comes into the picture.
Any website that wants to be able to provide proof that it is indeed who it purports to be and that wants to provide its end users with surety that their information will be safe during transit, will need an SSL Certificate.
The website will establish what it wants its URL to be and then, as a next step, typically go to an external provider of SSL Certificates, known as a Certification Authority ("CA").
The website will generate a Key Pair consisting of a Private and Public Key and submit the Public Key for certification to a CA.
The CA will verify the internet location (a.k.a. Domain Name) and its control by the Company submitting the Public Key for certification.
Upon verification, the CA will issue the associated SSL Certificate that will bind the Public Key for the website (or one of the servers associated with the website) to the website Domain Name.
That SSL Certificate is then used to establish the secure communication pipe between the browser on an end user's computer and the website.
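The issuance steps above, reproduced with the OpenSSL command line as an added example (not part of the original page): a throwaway local CA stands in for a commercial one, and `www.example.test`, `Demo CA` and the function names are constructed for illustration. It then confirms that the issued certificate carries the site's public key and is accepted only for the certified Domain Name.

```shell
#!/usr/bin/env bash
# Added example: the issuance steps with a throwaway local CA (OpenSSL CLI).
# "www.example.test" and "Demo CA" are constructed values.

issue_demo_cert() {   # $1 = working directory, $2 = domain name to certify
    local dir="$1" domain="$2"
    # Minimal request config so the run does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$dir/req.cnf"
    # 1. The website generates its key pair; site.key never leaves the server.
    openssl genrsa -out "$dir/site.key" 2048 2>/dev/null
    # 2. It submits a signing request carrying the public key and the name.
    openssl req -new -config "$dir/req.cnf" -key "$dir/site.key" \
        -subj "/CN=$domain" -out "$dir/site.csr"
    # Stand-in for the CA: a self-signed root created just for this demo.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 3. After verifying control of the domain (not modelled here), the CA
    #    signs a certificate binding the public key to the domain name.
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$dir/san.ext"
    openssl x509 -req -in "$dir/site.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/site.crt" 2>/dev/null
}

# Fingerprint of the public key inside the certificate ...
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
# ... and of the public half derived from the private key.
key_pubkey_hash()  { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }

# Succeeds only if the certificate chains to the CA and names the domain.
cert_is_valid_for() {  # $1 = certificate, $2 = CA certificate, $3 = domain
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match'
}

work=$(mktemp -d)
issue_demo_cert "$work" www.example.test
[ "$(cert_pubkey_hash "$work/site.crt")" = "$(key_pubkey_hash "$work/site.key")" ] \
    && echo "certificate carries the site's public key"
cert_is_valid_for "$work/site.crt" "$work/ca.crt" www.example.test \
    && echo "valid for www.example.test"
cert_is_valid_for "$work/site.crt" "$work/ca.crt" bank.example.test \
    || echo "rejected for bank.example.test"
```

The two checks mirror the two assurances described earlier: the chain check ties the certificate to a CA the client trusts, and the hostname check ties it to the site the user meant to reach.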
The diagram below provides a high level view of how the communication pipe, or SSL session, is established.
The SSL Certificate is what makes all of this possible. So buy one, buy two, buy three, and make your website more secure, more credible, and generally a better place to be.