Whilst many owners of websites that handle e-commerce transactions and sensitive information realise they need an SSL Certificate, there remains much confusion about what these certificates actually do and how they work. It’s pretty common knowledge that an SSL Certificate adds a trust-emitting green padlock symbol and green ‘https’ in a web browser address bar, but how does SSL secure the connection between a visitor’s browser and the website’s host server?
Why is SSL needed?
Much the same as a telephone conversation can be tapped into, so can communications over the Internet. Without SSL, information sent between a browser and a web server is sent in plain text - if an eavesdropper intercepts this communication they can read everything as clear as daylight. Another issue with telephone communication which applies equally to Internet communication is: how do you know that you’re speaking with the real person? The potential issues now become clear when doing your banking online, buying a pair of shoes from an e-tailer or simply filling in a form with details such as your password on a website.
What does an SSL Certificate do?
An SSL Certificate does two main things:
- Verification and Authentication: An SSL Certificate contains identification details about the person, business or website in question, proving they are legitimate. Upon application for an SSL Certificate (Certificate Signing Request), a Certificate Authority will check everything from whether a person has authoritative control of a domain, the geographical location of a business and whether a company is legally registered, depending on the level of verification required by the particular Certificate. You can read information about a website with an SSL Certificate by clicking the green padlock, ‘https,’ or bar in your browser address bar.
- Encryption: An SSL Certificate enables encryption, transforming text into scrambled code or ciphertext which is completely meaningless to an interceptor. Using 256-bit encryption, as the SSL Certificates we offer are capable of, it would take literally trillions and trillions of years for a modern computer to crack the ciphertext with brute force. SSL uses asymmetric cryptography, in which the website’s server has a public key for encryption (which - as its name suggests - is publicly viewable) and a private key for decryption (which only the server should know); the two keys are mathematically linked.
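To make the encryption bullet concrete, here is an added example written for this page (it is not code from the original post or from any certificate vendor). It uses only the Go standard library and plays both sides: the browser draws a random 256-bit session key and wraps it with the server’s public key (RSA-OAEP), the server unwraps it with its private key, and from then on both sides encrypt records with AES-256-GCM under that shared key. The function names Exchange, newSession, seal and open, the 2048-bit key size and the sample request "password=hunter2" are assumptions of the example, not anything from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newSession builds the symmetric side: AES-256-GCM keyed with a 32-byte (256-bit) key.
func newSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one record, placing a fresh random nonce in front of the ciphertext.
func seal(s cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. GCM's authentication tag makes it fail on a wrong key or on a
// record altered in transit, so an interceptor can neither read nor silently edit traffic.
func open(s cipher.AEAD, record []byte) ([]byte, error) {
	n := s.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return s.Open(nil, record[:n], record[n:], nil)
}

// Exchange plays both roles (hypothetical helper for this example). The browser draws a
// random 256-bit session key and wraps it with the server's public key (RSA-OAEP); the
// server unwraps it with its private key; the browser then sends request under the
// session key and the server reads it back. It returns what the server recovered and
// the bytes that actually crossed the wire.
func Exchange(serverKey *rsa.PrivateKey, request []byte) (recovered, wire []byte, err error) {
	// Browser side: the key is random, so the public key alone reveals nothing about it.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	// Server side: the only operation in the whole exchange that needs the private key.
	serverCopy, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
	if err != nil {
		return nil, nil, err
	}
	// From here both sides use symmetric encryption under their own copy of the key.
	browser, err := newSession(sessionKey)
	if err != nil {
		return nil, nil, err
	}
	server, err := newSession(serverCopy)
	if err != nil {
		return nil, nil, err
	}
	if wire, err = seal(browser, request); err != nil {
		return nil, nil, err
	}
	recovered, err = open(server, wire)
	return recovered, wire, err
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the server's long-lived key pair
	if err != nil {
		panic(err)
	}
	got, wire, err := Exchange(key, []byte("password=hunter2")) // constructed sample request
	fmt.Printf("server read %q from %d wire bytes, err=%v\n", got, len(wire), err)
}
```

The public key is used once, to wrap the session key; everything after that is symmetric, which is why the slow asymmetric operation does not cost anything per byte of page data. Anyone who captures the wrapped key and the records but lacks the private key holds only random-looking bytes, and a record opened with the wrong key fails the GCM tag check instead of yielding garbage.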
How does SSL work in action?
Put simply, when you connect to a website with an SSL Certificate, an ‘SSL Handshake’ takes place between your browser and the website’s server, which establishes a secure connection.
During this ‘handshake’ process:
- The server sends a copy of the signed SSL Certificate (including its public key) to the browser for identity review and authentication.
- Once the certificate is approved, the browser generates a random symmetric session key and encrypts it with the server’s public key (a ‘middle-man’ who intercepts it cannot decrypt it with the public key, as the public key only encrypts).
- The server uses its private key to decrypt the random symmetric session key and sends the browser an acknowledgement encrypted with the session key, initiating the encrypted session.
- The server and browser use the session key to encrypt all transferred information.
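The handshake steps above, as an added example written for this page (not code from the original post or from any certificate vendor), in Go using only the standard library. It first builds a stand-in root CA and a certificate for the site signed by that CA, then runs step 1 (the browser checks that the certificate chains to a CA in its trust store and names the host it asked for), step 2 (the browser wraps a random 256-bit session key with the certificate’s public key) and step 3 (the server unwraps it with its private key); it returns both copies of the key so the caller can see that both sides hold the same key, which step 4 then uses for symmetric encryption. The names Handshake and makeCert, the CA name "Example Root CA", the host shop.example and the 2048-bit key size are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for pub, signed by issuerKey. A nil issuer makes the
// certificate self-signed, which is how the stand-in root CA is created.
func makeCert(name string, pub *rsa.PublicKey, issuer *x509.Certificate, issuerKey *rsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA's key signs other certificates
	} else {
		tmpl.DNSNames = []string{name} // the host name the browser will check against
	}
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Handshake walks the article's steps with an RSA key exchange. The certificate is issued
// for certHost, the browser asks for wantHost, and trustCA says whether the issuing CA is
// in the browser's trust store; a host mismatch or an untrusted CA fails step 1 the way a
// browser warns on a bad certificate. It returns the browser's and the server's copies of
// the session key so the caller can see that step 3 leaves both sides with the same key.
func Handshake(certHost, wantHost string, trustCA bool) (browserKey, serverKey []byte, err error) {
	// Done once, when the certificate is issued: a root CA, then the site's own key pair
	// and a certificate for certHost signed by that CA.
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	root, err := makeCert("Example Root CA", &caKey.PublicKey, nil, caKey, true)
	if err != nil {
		return nil, nil, err
	}
	siteKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	site, err := makeCert(certHost, &siteKey.PublicKey, root, caKey, false)
	if err != nil {
		return nil, nil, err
	}
	// Step 1: the server presents its certificate; the browser checks that it chains to
	// a CA in its trust store, is within its validity period and names the host asked for.
	roots := x509.NewCertPool()
	if trustCA {
		roots.AddCert(root)
	}
	if _, err := site.Verify(x509.VerifyOptions{Roots: roots, DNSName: wantHost}); err != nil {
		return nil, nil, fmt.Errorf("certificate rejected: %w", err)
	}
	// Step 2: the browser draws a random 256-bit session key and encrypts it with the
	// public key taken from the certificate; only the matching private key can recover it.
	browserKey = make([]byte, 32)
	if _, err := rand.Read(browserKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, site.PublicKey.(*rsa.PublicKey), browserKey, nil)
	if err != nil {
		return nil, nil, err
	}
	// Step 3: the server decrypts with its private key. Step 4 then uses this shared key
	// for symmetric encryption of every record in both directions.
	serverKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, siteKey, wrapped, nil)
	return browserKey, serverKey, err
}

func main() {
	b, s, err := Handshake("shop.example", "shop.example", true)
	fmt.Printf("keys agree: %v, err: %v\n", bytes.Equal(b, s), err)
	_, _, err = Handshake("shop.example", "shop.example", false)
	fmt.Println("CA not in trust store:", err)
}
```

Running it with trustCA set to false, or asking for a host the certificate was not issued for, makes Verify return an error before any key is exchanged, which is exactly the point of step 1: the browser will not hand a session key to a server whose identity it could not confirm. This is the RSA key exchange the article describes; current TLS versions agree the session key with ephemeral Diffie-Hellman instead and use the certificate’s key only to sign the handshake, but the certificate check in step 1 works the same way.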