SSL, or Secure Sockets Layer, is a security technology. Today it is more properly referred to as TLS, or Transport Layer Security, the protocol that succeeded it. It provides secure communications over computer networks: SSL/TLS gives us data encryption, integrity, and authentication. To enable encrypted connections to websites and other services we need SSL certificates, digital certificates that authenticate the server to the client so that an encrypted connection can be set up.
Let’s dive in and learn more about SSL and SSL certificates: their advantages, the types of keys used, the SSL handshake, the types of certificates, and why they matter.
What is Secure Sockets Layer?
Secure Sockets Layer, or SSL, is a cryptographic protocol deployed to provide security over the internet. It provides a secure channel between two devices that communicate over a network. Its main job is to establish authenticated and encrypted links between networked computers.
One of the most common uses of SSL is a secure connection between a web browser and a web server. The easiest way to understand this secure connection is the difference between HTTP and HTTPS. The ‘S’ in HTTPS stands for secure and means that the connection to the website is encrypted. Any site implementing SSL has HTTPS in its URL. HTTP, by contrast, is an insecure protocol: the data transferred between the browser and the web server, or between any two endpoints, is plaintext, so anyone able to observe the traffic can read it. This means that vital information such as credit card numbers or account logins can be captured easily. Sites using HTTPS, on the other hand, ensure that this information is encrypted and protected against tampering in transit.
Advantages of using SSL
- First and foremost, no one other than the intended recipient can read your messages or any other personal information you send: the data is encrypted in transit.
- Secondly, no one can tamper with or edit your messages or other information in transit without the change being detected.
- The connection is made directly with the intended server, whose identity has been verified, rather than with an impostor.
Another major question that arises is how we know that no one has read or tampered with our messages. The answer is to encrypt it and to authenticate it. Encryption makes the content unreadable to anyone without the key, and a signature (or, inside a TLS session, a message authentication code) gives the recipient confidence that the claimed sender produced the message and that it has not been changed. Both processes require keys. A key is simply a large number: a symmetric key is typically 128 or 256 bits long, while an RSA public/private key pair is typically 2048 bits or more. Combined with the message in a particular algorithm, the key either encrypts or authenticates the message.
Types of Keys
Two kinds of keys are used: symmetric keys, and asymmetric public/private key pairs. TLS uses both. Asymmetric keys authenticate the server and establish a shared secret during the handshake, and symmetric keys protect the bulk of the data, because they are far faster.
- Symmetric keys: These are like a door key: the same key is used to encrypt and to decrypt the message (and to compute and to verify its authentication code). The weakness is key distribution. Both parties must already share the key, and if the key is leaked or lost then all the information protected by it is directly accessible to whoever now possesses it.
- Public and private keys: These come as a mathematically linked pair. The public key can be shared with anyone; the private key is kept secret by its owner. A message encrypted with the public key cannot be decrypted with that same key; decrypting it requires the private key. The reverse direction gives digital signatures: the private key signs, and anyone holding the public key can verify. This is what makes it possible to set up a secure connection with a server you have never shared a secret with, which is why the handshake relies on it.
SSL Handshake
Another very important aspect of SSL is the handshake. The handshake is the part of the protocol in which the two communicating parties authenticate (in the common web case, the client authenticates the server) and agree on the cryptographic algorithms and keys for the session. This ensures that the server is actually who it claims to be, so that no impostor can intercept the information.
An SSL handshake occurs when the user navigates to an HTTPS website and the browser begins talking to the origin server of that website, and in any other communication over HTTPS, such as API calls made by an application.
Steps of an SSL Handshake
One very important thing to note here is that every SSL/TLS handshake uses asymmetric (public-key) cryptography: to authenticate the server through its certificate, and to establish the shared secret, whether by RSA encryption as described below or by a Diffie-Hellman exchange.
Step 1:
The first step is the Client Hello message, where the client starts the handshake by sending a ‘hello’ to the server. The message states the highest SSL/TLS version the client supports along with the cipher suites it supports. It also includes a string of random bytes known as the Client Random.
Step 2:
The second step is the Server Hello message, the server’s reply to the client’s ‘hello’. The server sends the client its SSL certificate and the cipher suite it has chosen from the client’s list. It also generates and sends another string of random bytes, known as the Server Random.
Step 3:
The third step is authentication. The client verifies the server’s SSL certificate: it checks that the certificate chains, through any intermediates, to a certificate authority (CA) in its local trust store, that the signatures in the chain are valid, that the certificate is within its validity period, and that the name in the certificate matches the domain the client asked for. This confirms that the server’s identity is genuine and that the client is interacting with the actual owner of the domain.
Step 4:
The fourth step is the premaster secret. In the RSA key exchange described here, the premaster secret is another string of random bytes, generated by the client. It is encrypted with the server’s public key, which the client takes from the server’s SSL certificate, and can only be decrypted with the private key held by the server. (Modern TLS instead derives the premaster secret from an ephemeral Diffie-Hellman exchange, so that a later compromise of the server’s private key cannot decrypt recorded sessions; the remaining steps are the same.)
Step 5:
The fifth step is decryption of the premaster secret. The server decrypts the message, which was encrypted with its public key, using its private key. Only the holder of the private key can do this, which is what ties the session to the certificate verified in step 3.
Step 6:
The sixth step is the creation of session keys. From the Client Random, the Server Random and the premaster secret, both the client and the server independently derive the same session keys. Neither side ever sends a session key over the wire.
Step 7:
The seventh step, Client Ready, involves the client sending a ‘finished’ message, protected with the session keys and containing a hash of the whole handshake so far. This tells the server that the client is ready and that both sides saw the same handshake messages.
Step 8:
The eighth step, Server Ready, involves the server sending its own ‘finished’ message, protected with the session keys. This tells the client that the server is ready.
Step 9:
The last step, Handshake Complete, is where the handshake is finished. From now on all application data is protected with the session keys.
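Steps 4 to 8 above are just arithmetic once the premaster secret exists, and it is worth seeing that arithmetic written out. The block below is an added example, not code from the original article: it implements the TLS 1.2 key schedule from RFC 5246 (the PRF built on HMAC-SHA256, the 48-byte master secret, the key block split into per-direction keys, and the 12-byte verify_data carried in each Finished message) using only the Python standard library. The premaster secret is taken as given, whichever key exchange produced it; the randoms and transcript bytes are constructed stand-ins, and the key sizes assume an AES-128-GCM cipher suite.

```python
"""TLS 1.2 key schedule (RFC 5246 sections 5, 6.3 and 7.4.9) from hmac/hashlib.
Added example: the randoms, premaster secret and transcript below are constructed,
not captured from a real handshake."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion from RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


def derive_session_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                        key_len: int = 16, iv_len: int = 4) -> Dict[str, bytes]:
    """Steps 4 to 6: premaster secret + Client Random + Server Random
    -> 48-byte master secret -> key block split into per-direction keys.
    Default sizes are those of an AES-128-GCM suite: 16-byte keys, 4-byte implicit
    nonces, and no separate MAC keys because the AEAD cipher authenticates."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Key expansion feeds the randoms in the opposite order (server first).
    block = prf(master, b"key expansion", server_random + client_random,
                2 * key_len + 2 * iv_len)
    keys = {"master_secret": master}
    offset = 0
    for name, size in (("client_write_key", key_len), ("server_write_key", key_len),
                       ("client_write_iv", iv_len), ("server_write_iv", iv_len)):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def finished_verify_data(master_secret: bytes, handshake_transcript: bytes,
                         sender: str) -> bytes:
    """Steps 7 and 8: the 12-byte verify_data inside a Finished message,
    PRF(master_secret, "client finished" | "server finished", SHA-256(transcript)).
    Each side recomputes the peer's value and aborts the handshake on mismatch,
    which is how a tampered ClientHello or ServerHello gets detected."""
    label = b"client finished" if sender == "client" else b"server finished"
    transcript_hash = hashlib.sha256(handshake_transcript).digest()
    return prf(master_secret, label, transcript_hash, 12)


def simulate_handshake(premaster: bytes = b"") -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Both ends run the same derivation over the same three inputs and must agree.
    The premaster is whatever the key exchange produced: RSA-encrypted random bytes
    in the page's description, an (EC)DHE shared secret in modern TLS 1.2."""
    client_random = os.urandom(32)   # constructed stand-in for Client Random
    server_random = os.urandom(32)   # constructed stand-in for Server Random
    premaster = premaster or os.urandom(48)
    client_side = derive_session_keys(premaster, client_random, server_random)
    server_side = derive_session_keys(premaster, client_random, server_random)
    return client_side, server_side


if __name__ == "__main__":
    client_keys, server_keys = simulate_handshake()
    print("both sides derived identical keys:", client_keys == server_keys)
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    print("client Finished verify_data:",
          finished_verify_data(client_keys["master_secret"], transcript, "client").hex())
    print("server Finished verify_data:",
          finished_verify_data(client_keys["master_secret"], transcript, "server").hex())
```

Two details are easy to miss when reading the step list: the key block is split into separate client-write and server-write keys, so traffic in each direction is protected by a different key, and the Finished labels differ per side, so a client cannot simply reflect the server’s Finished message back.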
SSL Certificate
An SSL certificate is a small file that binds a public key to an identity (a domain name and, for some certificate types, an organization) and is signed by a certificate authority. It is what allows the browser and the web server to establish an authenticated, encrypted link, ensuring that all communication is safe and secure. It is also referred to as a digital certificate. Its two most important functions are authentication, confirming the identity of the website, and supplying the public key used to set up encryption of the transmitted data.
To get this certificate, the first thing to do is generate a key pair on your server and create a Certificate Signing Request (CSR) from it. The private key stays on the server; the CSR contains the public key and the names you want certified. The SSL certificate issuer is the CA, or certificate authority. The CA never sees the private key, but it validates your control of the domain and then signs the public key from the CSR, producing a certificate that matches your private key. That private key is what the server later uses to decrypt, or to sign, during the handshake.
After receiving the SSL certificate, you are required to install it on your server. Another certificate you need to install is the intermediate certificate, which establishes the credibility of your SSL certificate by tying it to your CA’s root certificate. Browsers trust the root; the intermediate is the link between the root and your certificate, and a server that omits it will produce chain errors for many clients.
Types of SSL Certificates
Extended Validation (EV) SSL Certificate
This certificate requires the most thorough vetting of the applicant’s legal identity. Browsers used to reward it by showing the verified business name and country in the address bar alongside the padlock; since 2019 the major browsers no longer display EV certificates differently from other certificates, although the verified organization details remain in the certificate itself for anyone who inspects it. EV SSL is the most expensive of them all but the most valuable for identity assurance, since it demonstrates that a legally registered organization controls the domain. To obtain an EV certificate, one must prove both control of the domain and the legal existence of the organization. For anyone in need of identity assurance, such as businesses handling payments, this should be a priority.
Organization Validated (OV) SSL Certificate
This certificate verifies that the applicant controls the domain and that the organization behind it is real and legally registered. The validation level does not change the strength of the encryption: an OV certificate protects the connection exactly as well as an EV or DV certificate. The difference is in what the CA checks. First, the CA verifies the owner of the domain; then it checks that the organization legally exists. Users see the usual padlock in the address bar, and the company name appears in the certificate details. This can be an alternative to the EV SSL where financial resources are limited.
Domain Validation (DV) SSL Certificate
A DV SSL certificate provides the same encryption as any other type; what is lower is the level of identity validation. With a DV SSL, only the padlock next to the URL is present, and obtaining one requires little time and no paperwork. A DV certificate covers only the names listed in it: subdomains are not secured unless they are listed or a wildcard is used. Verification is automated: the CA checks that the applicant controls the domain, typically by asking for a specific DNS (Domain Name System) record, an email to an address at the domain, or a file served from the website. The only criterion reviewed is the applicant’s control of the domain. DV does the basic work, but unlike EV it carries no verified identity data, so the user cannot find out who is legally behind the site receiving the encrypted information.
Wildcard SSL Certificates
A Wildcard SSL certificate gives you the assurance that if we buy a certificate for one domain in the form *.example.com, we can use it for all of its direct subdomains as well (for example www.example.com and mail.example.com, but not a.b.example.com, because the wildcard matches exactly one label). It is categorised by the number of domains and subdomains it covers rather than by validation level. This is a much more financially feasible option than buying multiple SSL certificates for a domain, at the cost that one leaked private key exposes every subdomain at once.
Unified Communications Certificates (UCC) SSL Certificates
UCCs, also known as Multi-domain SSL certificates, allow us to have multiple domain names in the same certificate. This can conveniently be used by an owner who has more than one domain name. The address bar displays the padlock to show that the connection is verified. A UCC can be issued at DV, OV or EV validation level; when issued at EV level it is as good as a single-name EV SSL, and the only difference is the number of domain names the certificate contains. UCC SSL certificates can contain up to about 100 domain names in one certificate, depending on the CA’s limits. The names are listed in the certificate’s Subject Alternative Name (SAN) extension; adding or removing a name means having the certificate reissued.
Single Domain SSL Certificate
The Single Domain SSL certificate protects exactly one fully qualified domain name. It cannot be used to protect subdomains (such as mail.example.com when issued for www.example.com) or another completely different domain.
How does the SSL certificate create a secure communication?
Whenever the browser accesses a website secured by SSL, the browser and server go through the SSL handshake, establishing a connection. This handshake happens almost instantly and is invisible to the user. Encryption and decryption with public and private keys requires extra processing power, so we use the asymmetric keys only during the handshake, to create a symmetric session key. Once the connection is established, the session key encrypts all the transmitted data.
First, the browser connects to the web server with HTTPS and asks the server to identify itself. The server sends a copy of its SSL certificate, which includes the server’s public key. The browser checks that the certificate chains to a root in its list of trusted CAs, that it has not expired, that it has not been revoked, and that it names the site being visited. If the browser trusts the certificate, it encrypts and sends the premaster secret from which the session key is derived. The server decrypts it with its private key and sends back an acknowledgment. From then on, all transmitted data is encrypted with the session key.
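The checks the browser makes on the certificate, and the question of which names a single-domain, wildcard or multi-domain certificate actually covers (from the Types of SSL Certificates section above), come down to a few rules that are easy to get wrong. The block below is an added example, not code from the original article: it applies the hostname-matching rules of RFC 6125 (a wildcard only as the whole leftmost label, matching exactly one label, never a bare top-level domain) and the validity-window check to certificates in the dictionary shape Python’s ssl.SSLSocket.getpeercert() returns. The certificates are constructed samples, not real issuances; the TLS library is assumed to have already verified the signature chain to a trusted root, and revocation checking is out of scope here.

```python
"""Client-side checks on a server certificate after the TLS library has verified
the signature chain: does the certificate cover the hostname we asked for, and is
it inside its validity window? Added example; the certificate dicts follow the
shape of ssl.SSLSocket.getpeercert() but are constructed, not real."""
import ssl
from typing import List, Optional


def _dns_names(cert: dict) -> List[str]:
    """DNS names the certificate asserts: the subjectAltName dNSName entries.
    Falling back to the subject commonName is the legacy rule that modern browsers
    no longer apply; it is kept only for certificates with no SAN at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125 style matching. A wildcard is honoured only as the whole leftmost
    label, matches exactly one label, and needs at least two labels after it, so
    *.example.com covers api.example.com but not example.com, a.b.example.com,
    or anything directly under a bare TLD (*.com is rejected)."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname           # exact match, case-insensitive
    suffix = cert_name[2:]                     # labels after the wildcard
    if suffix.count(".") < 1 or "*" in suffix:
        return False
    head, sep, tail = hostname.partition(".")
    return sep == "." and head != "" and "*" not in head and tail == suffix


def certificate_covers(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate matches the requested hostname."""
    return any(name_matches(name, hostname) for name in _dns_names(cert))


def validity_problem(cert: dict, now: float) -> Optional[str]:
    """None if `now` (epoch seconds, UTC) lies within notBefore..notAfter,
    otherwise the reason to reject. Revocation (CRL/OCSP) is a separate check."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "certificate not yet valid"
    if now > not_after:
        return "certificate expired"
    return None


def check_server_cert(cert: dict, hostname: str, now: float) -> List[str]:
    """Every reason a client should refuse this certificate; empty means accept."""
    problems = []
    if not certificate_covers(cert, hostname):
        problems.append("hostname %s not covered by %s" % (hostname, _dns_names(cert)))
    reason = validity_problem(cert, now)
    if reason:
        problems.append(reason)
    return problems


# Constructed sample certificates in getpeercert() shape (not real issuances).
SINGLE_DOMAIN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan 13 00:00:00 2024 GMT",
    "notAfter": "Jan 12 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
WILDCARD_CERT = dict(SINGLE_DOMAIN_CERT,
                     subjectAltName=(("DNS", "*.example.com"), ("DNS", "example.com")))
MULTI_DOMAIN_CERT = dict(SINGLE_DOMAIN_CERT,
                         subjectAltName=(("DNS", "www.example.com"), ("DNS", "example.net"),
                                         ("DNS", "mail.example.org")))
LEGACY_CN_ONLY_CERT = {k: v for k, v in SINGLE_DOMAIN_CERT.items() if k != "subjectAltName"}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jul 15 12:00:00 2024 GMT")
    for label, cert, host in (("single", SINGLE_DOMAIN_CERT, "www.example.com"),
                              ("single", SINGLE_DOMAIN_CERT, "mail.example.com"),
                              ("wildcard", WILDCARD_CERT, "api.example.com"),
                              ("wildcard", WILDCARD_CERT, "a.b.example.com"),
                              ("multi", MULTI_DOMAIN_CERT, "example.net")):
        print(label, host, check_server_cert(cert, host, now) or "OK")
```

In practice the TLS library performs these checks for you (Python’s ssl module does so whenever check_hostname is enabled on the context); the point of writing them out is to see why the wildcard certificate does not cover a.b.example.com, why the single-domain certificate does not cover mail.example.com, and that the validation level of the certificate never enters into any of it.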
Why is SSL important?
From the above, we know that SSL is very important and equally necessary. The most important reason is the protection of the user’s privacy and security. By encrypting data, SSL ensures that anything transmitted between the user and the server looks to an eavesdropper like a random string of bytes that makes no sense; only the authorized parties at either end can read the original data. By authenticating web servers, SSL also protects us from many types of cyberattack: attackers who set up fake websites to steal data can no longer impersonate a legitimate site as easily. Also, SSL ensures that our data cannot be tampered with in transit by any outsider.
Hence, Secure Sockets Layer, or Transport Layer Security, is very important.