Secure Sockets Layer (SSL) is one of the most common security protocols used on the Internet today. Most web developers have heard of the term before and know how to look for the “lock icon” or “green address bar”. Today, we’ll go over the basics of how SSL works and what your options are when securing your own web site.
How does SSL encryption work?
SSL allows you to encrypt the data, usually sensitive information like credit card numbers, sent from a visitor’s browser to your web server. This is necessary because data on the web is normally sent in clear text from computer to computer until it reaches its destination. Any computer that passes on the data can see that information. If an attacker is able to listen to the traffic on a computer between a visitor’s web browser and your web server, they can steal the sensitive information. This is called a man-in-the-middle attack.
Sending sensitive information without SSL is like writing it on the back of a postcard and letting every postman or attacker on the way to its destination make a photocopy of it.
The web browser and the web server establish the SSL connection using a fairly complex process called “public key cryptography” and a lot of math. Don’t worry; we won’t get into the math. Essentially, two pieces of data are used to set up an SSL connection: a public key and a private key. Anything encrypted with the user’s public key can only be decrypted with the private key and vice versa.
For example, if Bob sends Alice a message encrypted with Alice’s public key, then only Alice can open it, as only she has her private key. You can think of it like an envelope that anyone can seal but only Alice can open.
If Bob sends Alice a message encrypted using his private key, anyone can open it because everyone has access to Bob’s public key. Also, if you can successfully open the message, you know it came from Bob because only Bob has access to his private key. Just like an envelope that only Bob can seal, but which anyone can open.
Because encrypting and decrypting with private and public keys takes a lot of processing power, it is only used when the SSL connection is first created in order to create what is called a symmetric key. The symmetric key is then used to encrypt the web page data. This means using SSL only takes slightly more processing power than not using SSL.
This is a simplified outline of the process of establishing an SSL connection:
What is an SSL certificate?
Almost all Internet software including web browsers, web servers, email clients, VPN clients, etc. support SSL encryption out of the box. However, they require a certificate before SSL can be enabled. This is because the certificate contains the public key that identifies the server, a critical part of the process. The certificate also contains what is called the “subject”. This includes the identity of the certificate owner (organization name and location).
The most important part of an SSL certificate is that it is digitally signed by a trusted authority. Why is that? Well, anyone can create their own certificate in a matter of seconds. Just like making your own driver’s license, it doesn’t do much to prove your identity. But if you can ensure that the driver’s license you are looking at was created by your government, you can trust that is accurately identifies the person it was issued to. Your web browser contains a list of organizations called Certificate Authorities that are automatically trusted, just like your government would be trusted to create driver’s licenses. This means that a Certificate Authority can issue an SSL certificate identifying your organization and the certificate will be trusted by nearly all the computers in the world because they all
trust the certificate authority by default. It also makes it very difficult for an attacker to set up a phishing site to phish your visitors because a Certificate Authority won’t issue them a certificate for your website.
Using an SSL certificate from a trusted authority allows you to be authenticated, gain your customers’ trust and protect your site against phishing.
When do I need to use SSL?
Not all communication needs to be encrypted but you should seriously consider using SSL encryption in these situations:
- Encrypt any pages on your website that transmits financial information like credit cards
- Encrypt and pages on your website that transmits other personal or sensitive information like social security numbers or medical information
- Encrypt the login form on your website
- Encrypt your email server so that you can send messages to it securely
Different types of certificates
There are many varieties of SSL certificates and they all identify a person or organization in some way.
Domain Validated Certificates
Domain Validated Certificates are issued with very little validation (usually automated). You just have to prove that you own the domain by responding to an email or phone call using the information in the WHOIS record of your domain. This makes them cheap but less secure and not as valuable when trying assure your customers.
Extended Validation Certificates
EV SSL certificates are a newer type of certificate that provides the greatest assurance because there is a detailed validation standard that has to be followed to issue them. They are more expensive than other types of certificates, but they enable the “green address bar” in most browsers.
Most SSL certificates will only work on one specific domain name. For example, if you issue a certificate to secure.mydomain.com and then try to use it on www.mydomain.com, the web browser will complain that the name doesn’t match and will display a nasty warning. This is to prevent phishing. However, wildcard certificates can be used to secure an unlimited number of subdomains on a single domain name. For example, a certificate for *.mydomain.com will work on secure.mydomain.com, www.mydomain.com, mail.mydomain.com, etc.
SAN certificates also allow you to secure multiple hostnames but not an unlimited number. Each hostname is specified in the Subject Alternative Name section of the certificate. The hostnames can be internal and include several different domain names.
Code Signing Certificates
Code Signing Certificates are different from other types of SSL certificates. They allow you to sign an application or executable so that users know the identity of the organization that made the application and know that it wasn’t tampered with.
Self Signed Certificates
Self Signed Certificates can be created for free by yourself, but your users will receive a warning that the certificate is not trusted.
Does SSL completely secure my site?
No. It is important to remember that using SSL on your site is only one part of securing your website. You also need to make sure you implement other security measures including using proper password protection, keeping applications updated, writing secure code that isn’t vulnerable to cross site scripting and SQL injection, protecting your physical servers and the computers you use to access them, etc. Enabling SSL patches one of the security holes, but don’t let that make you overconfident and forget to take the other necessary security precautions.
How do I get an SSL certificate?
The process of ordering an SSL certificate goes something like this:
- Prepare by getting your server set up and getting your WHOIS record updated, etc.
- Generate the CSR on the server
- Find the right certificate and right SSL provider
- Submit the CSR and other info to the SSL provider so they can validate your domain and organization
- Install the issued certificate