Secure Sockets Layer (SSL): SSL is the standard technology for creating an encrypted link between a web server and a browser, ensuring that data passed between them remains private and protected. It was developed and released by Netscape in 1996 as a technology for security management. It is a commonly used protocol for managing the security of message transmission on the internet. It is a transparent protocol that requires little interaction from the end user when creating a secure session. It is included in both Microsoft and Netscape browsers as well as in most other browsers. The “Sockets” part of SSL (Secure Sockets Layer) refers to the sockets method of passing data between the server and the browser, or between program layers on the same computer. To create an SSL connection, a web server needs an SSL certificate.
What is an SSL Certificate?
An SSL certificate is the means by which web servers prove their identity to web browsers, allowing a secure site to communicate privately with browsers through the HTTP protocol. It is digitally signed by a certificate authority that most web browsers trust; there are many certificate authorities, including government agencies. A company can purchase an SSL certificate for its web server from a certificate authority, which verifies the company’s identity. It inspires trust, as each certificate contains identification details, and details shared through the browser stay private and secure. It is also a bit of code on the web server that provides security for online communication.
Why is it essential and important?
Most people wonder why SSL is needed. For people who own sites, or for customers who want to do banking or any other private transaction, it is very important. If you are not using SSL, the data transmitted or submitted is not encrypted, and if that data reaches the wrong hands it will create a problem. With SSL the data is encrypted, so the information is safe.
How can you get an SSL Certificate?
For an SSL certificate, you first need to create a Certificate Signing Request (CSR) on your server, which also creates a private key. The CSR is then sent to the SSL certificate issuer, also called the Certificate Authority or CA. The CA uses the CSR data to create a public key that pairs with your private key; the CA never sees the private key. After receiving the certificate, install it on your server. Also install the intermediate certificates, which establish the credibility of your SSL certificate by tying it to the CA’s root certificate. Instructions for installing and testing your certificate differ depending on your server. The certificate contains the organization’s identity details, the certificate’s validity period and the name of the CA that issued it.
A browser comes with a list of reputable CAs whose certificates it trusts. The certificate issued by the CA verifies that the organization’s identity is genuine. As the browser trusts the CA and the CA certifies your organization, the browser automatically trusts the organization. The browser then lets the user know that the website is secure, so the user is safe and can share personal details.
How does it work?
When a user requests a website through a browser, the browser and the server create a connection through a process called the “SSL Handshake”. This is not visible to the user and happens instantly. Three keys are involved in setting up an SSL connection: a private key, a public key and a session key. Data encrypted with the public key is decrypted with the private key and vice versa.
Because encrypting and decrypting data with the public and private keys takes a lot of processing power and time, these keys are used only during the SSL Handshake, to set up the SSL connection and create a session key. Once the session key is created, all transmitted data is encrypted using this session key.
The process goes in five simple steps:
- A browser connects to a web server and requests that the web server identify itself.
- The server sends a copy of its SSL certificate to the browser.
- The browser checks the certificate: it looks for the CA that issued the certificate in its existing list of trusted CAs, and also checks that the certificate is unexpired, unrevoked and has the common name that was asked for. If all the details are valid, it creates a session key, encrypts it with the server’s public key and sends it back to the server.
- The server decrypts the session key using its private key and sends back an acknowledgment encrypted with the session key to start the encrypted session.
- Now both the server and the browser transmit the encrypted data using the symmetric session key.
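The checks in step three are what a TLS client library performs, or skips, depending on how it is configured. The following added example (not part of the original article) uses Python's standard `ssl` module to report which of those checks a client context enforces, comparing the default context with a weakened one; the function names are hypothetical.

```python
import ssl


def checks_enforced(ctx: ssl.SSLContext) -> dict:
    """Report which of the step-three certificate checks this context performs."""
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    return {
        # Chain must lead to a trusted CA; expiry is tested during chain validation.
        "trusted_ca_and_expiry": verifies_chain,
        # The name in the certificate must match the host that was requested.
        "hostname": verifies_chain and ctx.check_hostname,
        # CRL lookups happen only when the flag is set explicitly on the context.
        "revocation": verifies_chain
        and bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def default_client() -> ssl.SSLContext:
    """Client context with the library's recommended settings."""
    return ssl.create_default_context()


def weakened_client() -> ssl.SSLContext:
    """Client context as often seen in 'make the certificate error go away' code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def gaps(ctx: ssl.SSLContext) -> list:
    """Names of the step-three checks that this context does NOT perform."""
    return sorted(name for name, on in checks_enforced(ctx).items() if not on)


if __name__ == "__main__":
    for label, ctx in (("default", default_client()),
                       ("weakened", weakened_client())):
        print(f"{label:9s} missing checks: {gaps(ctx)}")
```

Even the default context leaves revocation unchecked, so a client that needs the "unrevoked" check has to load CRLs and set the flag itself.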
Types of SSL Certificates
There are many types of SSL certificates. You need to know the features of each type before purchasing one. The different types of certificates are:
Extended Validation (EV) SSL Certificate: This type of certificate is designed to prevent phishing attacks. It takes a few days to a few weeks to receive this certificate, but it provides very high assurance. Before issuing this certificate, the CA checks the applicant’s right to use the domain and also conducts thorough vetting of the organization. It verifies the legal, physical and operational existence of the organization or the domain. It also checks that the identity matches the organization’s official records. If all of these are satisfied, the EV certificate is issued.
EV SSL certificates are available for all kinds of businesses, whether government or non-government organizations. A set of guidelines called the EV Audit Guidelines must be followed before EV SSL certificates are issued. The audits are repeated yearly.
Organization Validation (OV) SSL Certificate: Before issuing this kind of certificate, the CA checks the applicant’s right to use the domain and also vets the organization. This certificate displays the owner of the domain, its validation and the name of the CA that issued the certificate. This provides good assurance to browsers.
Domain Validation (DV) SSL Certificates: This is a low-assurance SSL certificate. It displays only the domain name, not the owner or the organization details. However, authorities can easily find out to whom the domain belongs using “WHOIS”. These certificates are issued instantly and are cheaper than the others, but they provide low assurance to customers.
Wildcard Certificate: This certificate can secure all the sub-domains under a domain name. For example, if you have a wildcard certificate for *.domain.com, then it secures www.domain.com, mail.domain.com, etc. It secures all the sub-domains covered by the wildcard symbol (*).
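How far the wildcard reaches is decided by the client's name-matching rules. The following added example (not part of the original article; function names are hypothetical) implements the conservative matching that current TLS clients apply, where `*` is accepted only as the whole left-most label and stands for exactly one label, and runs it over the article's domain.com names plus a few constructed ones.

```python
import ipaddress


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring one trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from a certificate against the requested host name."""
    try:
        ipaddress.ip_address(host)
        return False  # DNS names and wildcards never match an IP literal
    except ValueError:
        pass
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False  # '*' stands for exactly one non-empty label
    if any("*" in label for label in p[1:]):
        return False  # wildcard is only allowed in the left-most label
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "w*.domain.com" are rejected
    return p == h


def coverage(cert_names: list, hosts: list) -> dict:
    """For each host, say whether any name in the certificate covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hosts}


if __name__ == "__main__":
    # Constructed sample: names a wildcard certificate might carry, and hosts to test.
    cert_names = ["*.domain.com"]
    hosts = ["www.domain.com", "mail.domain.com", "domain.com",
             "a.b.domain.com", "WWW.Domain.com."]
    for host, ok in coverage(cert_names, hosts).items():
        print(f"{host:18s} {'covered' if ok else 'NOT covered'}")
```

The bare domain and names more than one level below it are not covered, which is why wildcard certificates are usually issued with the bare domain listed as an additional name.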
SGC SSL Certificate: These certificates enable old browsers to connect to a site using 128-bit encryption even when the browsers normally have 40-bit encryption. They cost significantly more and are issued by only a few vendors, as there are strong arguments against SGC SSL certificates.
Root Certificate and Chain or Intermediate Certificate: A CA issues certificates in the form of a tree structure. At the top is the root certificate, which is the most trusted certificate. A certificate signed by the trusted root certificate is trusted. All the certificates below the root certificate inherit trustworthiness from the root.
The certificate that links your organization’s certificate with the root certificate is called a chain certificate or intermediate certificate. These certificates must be installed on your server so that browsers can link your certificate to a trusted authority.
Scalable SSL Certificate: Most certificate authorities now issue this certificate. Here the encryption strength can vary from the lowest, 40-bit, to higher levels depending on what the browsers and servers support.
There are many advantages of using an SSL certificate:
- Server Authentication: The certificates protect your website. All of your site’s information is stored on a server; with SSL digital certificates, all of your information and your customers’ information is protected.
- Private Communication: Your transaction conversations will be private, and the SSL certificates encrypt any data that is transmitted, so customers feel safe and secure about their data.
- Customer Confidence: The main reason to opt for an SSL certificate is customer confidence. As the data is encrypted, customers will feel that their information is safe, will have confidence and faith in your site, and will feel free to share information.
Alongside these advantages, SSL also has disadvantages. They are:
- Cost: This is the main disadvantage, as the cost of a certificate is really high.
- Performance: As the transmitted data is encrypted, more time is consumed, and hence the performance of the site decreases.
With so many benefits, the disadvantages can be overlooked. It is very much necessary to use SSL certificates, especially if personal information is shared on your site. If your site uses an SSL certificate, customers will trust your site and can share personal information.