Secure Socket Layer (SSL)

Updated: Wed, 20 May 2015 by Rad

Secure Socket Layer standard security technology for establishing encrypted connection between web server and browser. Industry standard, protects online e-commerce transactions, communication and prevents eavesdropping. Requires private and public key and SSL certificate - authenticated confirmation of server identity by issuing authority.

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. 

SSL is a security protocol. Protocols describe how algorithms should be used; in this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

Internet users have come to associate their online security with the lock icon that comes with an SSL-secured website or green address bar that comes with an extended validation SSL-secured website. SSL-secured websites also begin with https rather than http.

Digital Certificates are verifiable small data files that contain identity credentials to help websites, people, and devices represent their authentic online identity.

Netscape was first to implement SSL

The Secure Sockets Layer Protocol was adopted by Netscape in 1994 as a response to the growing concern over Internet security. Netscape's goal was to create an encrypted data path between a client and a server that was platform or OS agnostic.

Netscape also embraced to take advantage of new encryption schemes such as the recent adoption of the Advanced Encryption Standard (AES), considered more secure than Data Encryption Standard (DES).

Certification authority is very important

Certification authorities play a key role in establishing trust in online identities. Since a digital certificate is a statement of the identity of the entity or individual who wishes to be authenticated, a trusted third party is needed to validate the identity attached to the certificate. This third party is the certificate authority whose responsibility it is to deliver authenticated identity trust assurance for online entities.

Certificate authorities (CAs) sit at the apex of the root of trust that allows the secure web, email, and other connections that underlie commerce, government, online communities, and everything else to function without effective interception by outside parties.

There are three types of files associated with an SSL certificate key pair:

Private key file (.key) - The private key should never be distributed to anyone. It is used to decrypt the session that is encrypted by the public key.
Certificate request file (.csr) - Each time you create a certificatea certificate request file is also created. This file can be signed by the intermediate certificate authority such as GeoTrust, Verisign, or Thawte for signing.
Certificate file (.crt) - issued and signed by trusted Certificate Authority

The key to understanding how SSL works is to understand the elements that take part in the process. A key element of SSL is the SSL certificate. A public-key certificate, usually just called a certificate, is a digitally signed document that ties the value of the public-key to the identity of the Server service that holds the corresponding private key.

Typically, a certificate contains the following information:

Servers public key value, which the clients use to encrypt a session key. This public-key does not exist as a file, but rather is produced when a certificate and private key are created.
Server's identifier information, such as the name, e-mail address, common domain name, and other details.
Validity period (the length of time that the certificate is considered valid)
Issuer or signer identifier information
Digital signature of the issuer, which attests to the validity

There are many certificate types or standards, e.g. X.509, PKIX Certificate and various encodings, e.g DER, EPM, CRT, CER.

Some popular Certificate Authorities

Main browsers recognized Certificate Authorities (CAs) list * CA in Firefox * CA in Chrome * CA in Opera * CA in Microsoft * CA in iOS

SSL handshake process

The most important and complicated part of SSL is the SSL handshake protocol. This protocol allows both ends to connect each other, authenticating each other, negotiating encryption and exchanging packets. It contains a series of messages transferred between a server and client.

client sends hello
server sends hello
authentication and pre-master secret
decryption and master secret
generate session keys
encryption with session key

< back to glossary

Secure Socket Layer - from around the web

SSL Server Test - powered by Qualys
How the N.S.A. Cracked the Web - Times and the Guardian write that the N.S.A. and the G.C.H.Q. have "cracked much of the encryption" on the Web.
History of SSL certificate
SSL Certificate Reviews - SSL Certificate Reviews can help you choose one SSL certificate provider over another. Each SSL certificate provider has different products, prices, certificate features, and levels of customer satisfaction
How does SSL work? What is an SSL handshake?