What is SSL?
SSL is an acronym for Secure Sockets Layer, a global standard security technology adopted by Netscape in 1994. SSL is designed to establish encryption and identity assurance. It enables encrypted communication between a web server and a web browser. SSL ensures that all data passed between the web server and browser remains private and secure.
How SSL works
Processing transactions securely on the web means that we need to be able to transmit information between the web site and the customer in a manner that makes it difficult for other people to intercept and read. SSL works through a combination of programs and encryption/decryption routines that exist on the web server computer and in the web browsers (like Netscape/Firefox and Internet Explorer) used by the Internet public.
What is an SSL Certificate?
An SSL certificate is the "passport", the digital document that verifies the security and authenticity of the interaction.
The SSL certificate is installed on a web server to identify the business using it to encrypt sensitive data such as credit card information. SSL Certificates give a website the ability to communicate securely with its web customers. Without a certificate, any information sent from a user’s computer to a website can be intercepted and viewed by hackers and fraudsters. It is similar to the difference between sending a postcard and a tamper-proof sealed envelope.
SSL Certificate interaction with the Browser and the Server
(see diagram below)
- The browser checks the certificate to make sure that the site you are connecting to is the real site and not someone intercepting.
- The browser and server determine the encryption types that both can use to understand each other.
- The browser and server send each other unique codes to use when scrambling (or encrypting) the information that will be sent.
- The browser and server start talking using the encryption, the web browser shows the encrypting icon, and web pages are processed securely.
(Diagram: Interaction Between Web Server and Web Browser)
How SSL Works to Secure Privacy
SSL protects confidential information using cryptography. Sensitive data is encrypted across public networks to achieve a high level of confidentiality. Primarily, PKI utilizes asymmetric cryptography that is considered more secure than symmetric cryptography.
Simply, asymmetric algorithms use one key for encryption of data, and then a separate key for decryption. Asymmetric algorithms are stronger than symmetric algorithms because even if the encryption key is learned in one direction, the third party still needs to know the other key in order to decrypt the message in the other direction.
The primary benefit of asymmetric encryption (also referred to as PKI) is that both sides can spontaneously initiate a transaction without ever having met. This is achieved by the use of a public and private key pair. The public key of the entity is public knowledge and is used for encryption, whereas the private key of the entity remains secret and is used for decryption.
Although PKI is more secure, it is also more expensive in terms of processing speed: encryption/decryption in PKI can take up to 1000 times the processing of symmetric cryptography.
Public and Private Keys
SSL, generally speaking, takes advantage of the strengths of both public-key and symmetric-key encryption technologies. Public-key technologies both securely authenticate clients and servers and exchange the secret symmetric keys used in the encryption sessions. SSL certificates in particular have a public key and a private key: a public key to encrypt information and a private key to decipher it. When a browser points to a secured domain, a secure sockets layer handshake authenticates the server and the client and establishes an encryption method and a unique session key. The two sides can then begin a secure session that guarantees message privacy and message integrity.
SSL Certificates help prevent someone from impersonating the server with a false key
In particular, SSL uses digital certificates that act as digital documents that will attest to the binding of a public key to an individual or other entity. They provide verification of the claim that a specific public key does, in fact, belong to the specified entity.
These certificates use X.509 standards to validate identities. X.509 certificates contain information about the entity, including public key and name. The role of the certificate authority then is to validate this certificate.