Secure Sockets Layer (SSL) is an encryption security protocol used by most modern websites to encrypt packets sent over the internet. It is implemented on top of the HTTP protocol, so websites using this protocol have an "S" after the HTTP in their URL and a padlock beside it, which indicates that the connection with the website is encrypted end to end.
In 1995, Netscape released SSL version 2.0 after making some modifications to the theoretically flawed first version. Then in 1999, the Internet Engineering Task Force released SSL version 3.0 and termed it TLS (Transport Layer Security). After that, SSL and TLS were used synonymously to refer to SSL version 3.0.
SSL uses digital certificates that are signed using the owner's private key, which lets the protocol ensure authentication and data integrity. These certificates are used to verify that a public key belongs to the party being contacted. After the certificate is validated, this key is used to encrypt data shared with the owner of the certificate. This encrypted data can only be decrypted using the certificate owner's private key.
The protocol begins with a handshake between the client browser and the server that the browser contacts. A typical TLS handshake involves:
By the end of this handshake, both devices have derived the shared secret key, which they can use to encrypt all their communication. Unless the encryption protocol has already been broken, the only parties that can see the contents of the packets exchanged between the two devices are the devices themselves. They're the only ones who have access to the shared secret key.
Modern browsers ship with 200+ valid certificates.
The X.509 certificate is a digital certificate that defines the PKI format (Public Key Infrastructure). It specifies the information about the certificate that is required to validate it, the encryption specifications, and the information of the certificate authority that issued the certificate.
Ideally, a client (browser) should only establish a connection with a website if the browser has validated the certificate.
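The rule above can be enforced and checked in client code. The following is an added example, not code from the original page: it uses Python's standard `ssl` module to build a client context that refuses unvalidated servers, shows the weak configuration beside it, and audits either one. The function names and the TLS 1.2 floor are assumptions made for illustration.

```python
import socket
import ssl


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses any server it cannot validate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: TLS 1.2 floor
    return ctx


def lax_client_context() -> ssl.SSLContext:
    """The weak setting, shown only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # handshake succeeds with any certificate
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the validation gaps in a client context (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def connect_validated(host: str, port: int = 443) -> dict:
    """Handshake with host; raises ssl.SSLCertVerificationError on a bad cert."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "subject": cert.get("subject"),
                    "issuer": cert.get("issuer"), "expires": cert.get("notAfter")}


if __name__ == "__main__":
    print("strict:", audit_context(strict_client_context()))
    print("lax:   ", audit_context(lax_client_context()))
```

`connect_validated` needs network access and is not called by the script itself; the two audit calls run offline.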
Certificate authorities (CAs) issue certificates. Some prominent certificate authorities are Verisign, GoDaddy, GeoTrust, Comodo, DigiCert, and so on.
Given the protocol's measures, the need for additional computation power and more memory may arise. However, the most recent versions of TLS include features that speed up the handshake process to save time and computational power.
Websites that do not use secure protocols should be avoided. More people are concerned about the safety of their private information on the internet. Developers and organizations can quickly obtain certification through services that provide SSL certificates for free and others that charge a certain fee.