An SSL (or Secure Socket Layer) is the standard method for creating an encrypted link between a web browser and a web server. This secure link ensures that data passed between the browser and the web server are private.
Every single day 100s of terabytes of data are being transferred across the internet. In fact, based on Intel’s 2012 report, nearly 640K GB of data is transferred every single minute. That’s more than 204 million Emails, 47,000 app downloads, 1.3 million YouTube videos watched and 6 million Facebook views. We’re talking about a seriously massive amount of data here. So, how do we know if that data is being transferred securely? Enter the SSL/TLS protocols.
What is SSL/TLS?
This is the most commonly used method for securing traffic between a website and a browser and includes the use of the secure SSL/TLS technology. This scheme allows the transfer of data securely. The term SSL stands for Secure Sockets Layer and was developed in the early ’90s by Netscape. The original goal of an SSL was to provide an API that closely resembled the socket protocols of the time to securely transfer data.
Since its first stable release in 1996, this standard has undergone many changes and improvements. As time passed, security issues were found and patched causing the protocol to evolve over time.
While still commonly referred to as SSL, the replacement is not actually compatible with the current SSL protocols. The proper name for the SSL replacement is called the Transport Layer Security, or TLS. The differences between TLS v1.0 and SSL v3.0 were minimal, however the subtle changes were enough to prevent interchangeability. The primary goals essentially remained the same though; transfer data from a server to your browser in a secure and encrypted manner.
Why Do I Need an SSL?
This is an excellent question! Why go through all the trouble and why do you care if your websites content is transferred securely? The most important, and perhaps simplest reason is, that it protects your users. No matter where you or your users are located it’s always important to keep them in mind.
When we create a website, we want people to visit and be engaged. By providing SSL/TLS support for our website, you are signaling to our clients that we care. It says that we are concerned with keeping the data and information safe from prying eyes.
This idea is especially important when our pages accept (or provide) sensitive information from your users. In this case, sensitive information can be login or account credentials, personal information, or even financial information. These are all critical pieces of a users private data, and they must be kept secure at all costs.
So, How Does SSL/TLS Work?
While the actual process is quite technical, we can provide a fairly simplified example detailing exactly how a connection over SSL/TLS is initiated. To illustrate this concept, we’ll use Google as an example. So, if you open your browser and type in https://www.google.com/, we know this connection is going to be using SSL/TLS since we see https and not http in the URL. What happens then?
- Your browser establishes the initial connection to the Google servers. (Connection Established)
- Your browser and the server negotiate connection options & details. (Begin Negotiation Phase)
- At this point the browser and server compare their support ciphers to find which ones they share and have in common.
- The server will respond, telling the browser the most secure cipher that they both support.
- The server sends the browser its SSL Certificate for verification with the browser. (Server Certificate Negotiation)
- The server will send both the public SSL certificate and that severs key exchange to the browser.
- This step in the process may vary slightly depending on the cipher chosen in the previous step.
- The client verifies the server Certificate is valid and then sends a client key to the server. (Client Certificate Negotiation)
- Similar to step 3, this step will vary depending on the cipher chosen in step 2.
- This step requires a bit of two-way communication as the Client (browser) and Server negotiate the keys exchanged.
- The client sends a “Looks good, everything from here out will be authenticated and encrypted” message to the server. (Connection Secured!)
- After the certificates have been properly negotiated a ChangeCipherSpec message is sent to the server.
- The client now sends an encrypted “Finished” message telling the server that the process is complete.
Once completed the messages (data) exchanged between your server and end users will be encrypted and secured.
After enabling SSL/TLS support on your server it will no longer be possible for prying eyes to see the information being exchanged. The only requirement for providing this extra layer of security is for us install an SSL Certificate on our server.