In this blog post, you will learn what SSL encryption is and how it helps secure communication over the networks you use.
Security issues bordering on confidentiality and privacy are some of the most significant problems we face today in our world of information and communications. Hackers who get hold of the login information of individuals can use the details to access sensitive data from their victims.
Increasing cybersecurity threats, combined with the constantly evolving technology behind such threats, give rise to security-related concerns.
So, online communications, including transactions, are currently under a lot of threat as a result of security issues. When you create an online business, apart from making a profit from such a venture, you also want to create a safe, secure, and trusted environment where potential customers feel confident in making their purchases.
Generally, security challenges faced by online businesses and customers can be viewed as one or a combination of the following:
- Potential threats from people working within the company
- Security breaches from the outside
- Breaches resulting from use of the Internet
SSL Encryption and Trust
SSL stands for Secure Sockets Layer. It is popularly known as SSL for simplicity, though it has since been updated to Secure Sockets Layer/Transport Layer Security (SSL/TLS). Now, I’m going to explain what SSL encryption is and why we can trust it.
SSL is the standard security technology you can use to establish a secure and encrypted link between two points or users on the Internet, for example a web server (website) and a client (browser), or a mail server and a mail client.
SSL enables the secure forwarding of sensitive information from your customers, like their social security numbers, login details, and credit card numbers. Usually, when browsers and servers communicate without SSL, the information transmitted is sent in plain text.
In this form, the transmission is vulnerable to “eavesdropping” from potential attackers. If an attacker can intercept all the data being transmitted, they can see and make use of this information for whatever purpose they deem fit.
Browsing the Internet is an activity most of us engage in every day. Using the SSL protocol, browsers can interact with secured web servers. To establish a secure connection for this interaction, the web browser and server need an SSL certificate. An SSL certificate creates an encrypted connection, and creates confidence.
Let’s simplify this using a real-life scenario.
Assume you go to a local bank to open an account. Because the teller you approach doesn’t know you, she will be reluctant to open one for you. Before she can open an account for you, you would have to provide some form of identification. You provide your passport, which contains your details like biometrics, date of expiry, etc. Your passport serves as a document that authenticates your identity.
Because your passport is an identifying document issued by a trusted authority (the government), you can proceed to open an account and get other benefits of having an account which the bank offers.
The same scenario plays out when you attempt to access a secure website. The website will require a trusted certificate from your client (computer) to establish your identity. This usually takes the form of an SSL Handshake, which is a back-and-forth communication to establish a connection before the web browser requests the information it needs. The SSL Handshake is hidden from the user and takes place instantaneously.
SSL Certificate: Establishing a Secure Connection
The SSL certificate, crucial for SSL encryption, creates a basis for trust by establishing a secure connection. This kind of protection is one that website owners can purchase to increase the security of their site. When your site is secured using SSL, visitors can see the security measures in place through visual cues called EV indicators, like a green padlock or a branded URL bar. These features assure them that their connection is secure.
To buy a certificate, you must create a Certificate Signing Request (CSR) on your server. This creates a private key and your server’s public key. The CSR data file, which you send to the certificate issuer (called a Certificate Authority or CA), contains the public key.
The CA uses this CSR data file to create a data structure to match your private key without compromising the key itself. CAs never see the private key.
You install the SSL Certificate on your server once you receive it. The instructions to mount and check the certificate usually differ depending on your server.
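The CSR steps above can be walked through and checked with the openssl command line. This is an added example, not part of the original post; the name example.test, the file names and the self-signed stand-in CA are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example. example.test, the file names and the throwaway CA are constructed.
set -eu

# Step 1 (your server): create the private key and the CSR in one command.
make_csr() {  # $1 = working directory
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# Step 2 (the CA): sign the CSR. Only server.csr is read here, never server.key.
# A real CA is a third party; this self-signed root is a local stand-in.
sign_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 30 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
}

# The CSR and the issued certificate must carry the public half of server.key.
keys_match() {
    from_key=$(openssl pkey -in "$1/server.key" -pubout)
    from_csr=$(openssl req -in "$1/server.csr" -noout -pubkey)
    from_crt=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    [ "$from_key" = "$from_csr" ] && [ "$from_csr" = "$from_crt" ]
}

# The file sent to the CA must not contain private key material.
csr_leaks_private_key() { grep -q "PRIVATE KEY" "$1/server.csr"; }

# Step 3 (before installing): the certificate chains to the CA that issued it.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }

work=$(mktemp -d)
make_csr "$work"
sign_csr "$work"
keys_match "$work" && echo "CSR and certificate match the private key"
csr_leaks_private_key "$work" || echo "CSR contains no private key"
chain_ok "$work" && echo "certificate verifies against the CA"
```

Running the same `keys_match` comparison against the certificate your CA returns, before installing it, catches a certificate issued for the wrong key.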
The three keys used to set up the SSL connection are:
- The Public Key
- The Private Key
- Session Keys
Public-key encryption is also known as Asymmetric Encryption; it is a method of encrypting data using two different keys. The first is the public key, which is available for anyone to use. The second key is the private key. Data encrypted with the public key can be decrypted only using the private key, and data encrypted using the private key can only be decrypted with the public key.
Since decrypting with public and private keys takes a lot of processing power, these keys are only used during the SSL Handshake to create a symmetric session key.
The session key is used to encrypt all transmitted data after the connection is made.
Here is how the SSL Handshake happens:
- A browser connects to a web server via a website secured with SSL (https). The browser then requests that the server identify itself.
- The web server sends out a copy of its SSL Certificate, including the server’s public key.
- The browser checks the certificate root against a list of trusted Certificate Authorities (CAs) and ensures that the certificate is unexpired, non-revoked, and that its common name is valid for the website to which it is linked. If the browser is confident of the certificate, it creates a symmetric session key, encrypts it using the server’s public key, and returns it to the server.
- The server decrypts the symmetric session key using its private key and returns an acknowledgment encrypted with the session key to start the encrypted session.
- The session key is now used to encrypt all data transmitted by the server and browser.
This is how SSL works when deployed on websites.
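The key exchange in the handshake steps above can be carried out by hand with openssl. This is an added example that is not from the original post: the key pair, file names and sample form data are constructed, and real SSL/TLS libraries perform these steps inside the protocol rather than with files.

```sh
#!/bin/sh
# Added example. File names and the sample message are constructed.
# It follows the RSA key exchange described in the handshake steps.
set -eu

handshake_demo() {  # $1 = working directory; prints what the server decrypts
    d=$1
    # Server: key pair. The public half is what its certificate carries.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/server.key" 2>/dev/null
    openssl pkey -in "$d/server.key" -pubout -out "$d/server.pub"

    # Browser: create a random session key and encrypt it with the public key.
    openssl rand -hex 32 > "$d/browser.session"
    openssl pkeyutl -encrypt -pubin -inkey "$d/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/browser.session" -out "$d/session.enc"

    # Server: recover the session key with the private key.
    openssl pkeyutl -decrypt -inkey "$d/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/session.enc" -out "$d/server.session"

    # Both ends now share one symmetric key; bulk data uses it from here on.
    printf '%s' "card=0000-constructed-sample" |
        openssl enc -aes-256-cbc -pbkdf2 -pass "file:$d/browser.session" \
            -out "$d/wire.bin"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$d/server.session" \
        -in "$d/wire.bin"
}

# What an eavesdropper sees on the wire: no readable form data.
wire_is_unreadable() { ! grep -q "card=" "$1/wire.bin"; }

work=$(mktemp -d)
echo "server read: $(handshake_demo "$work")"
wire_is_unreadable "$work" && echo "wire data is ciphertext"
```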
If you have some wares on your website for sale, customers will be required to enter their shipping details and payment information. On your secured SSL website, all this sensitive information is encrypted, so that the plain/readable text they entered will be encrypted into ciphertext (unreadable text or gibberish). This makes their shopping safe and secure.