What is a Secured Socket Layer (SSL)?
A Secured Socket Layer, or SSL, is the usual way that a website creates a secure connection with a web browser. Whenever a web surfer visits a secure site that uses SSL technology, it creates an encrypted link between their browser session and the web server. SSL is the industry standard for secure web communication and is used to protect millions of online transactions each day.
What Does Encryption Mean?
Encryption simply means that the information that is going back and forth between an individual's computer and the website is scrambled so that no one else can understand it. A formula on each side is used to scramble the information before sending it and unscramble it upon receipt. If a hacker happens to intercept the personal information en route, it would be worthless to them.
What is a SSL Certificate?
The web server must have an SSL certificate before it can create an SSL connection. When someone activates SSL protocols on their web server, they are asked to answer questions that will establish their identity. The questions ask for information about both the website and the company. After the SSL certificate is requested, the web server creates two cryptographic keys, one is a Private Key and the other is a Public Key. These keys are used along with the encryption formula to create the secure link between the web server and browser sessions.
Public Keys vs. Private Keys
As the name implies, the Public Key is not kept secret. It is placed into the Certificate Signing Request (CSR) which is a data file that contains the website's details. The CSR is submitted to the SSL Digital Certificate group for validation as part of the SSL certificate application process. Once the details are validated, the SSL certificate is officially issued, and the website is allowed to use SSL. Next, the web server confirms that the SSL certificate matches the Private Key. This makes sure that SSL certificate is only used by the website that originally requested it. At this point, the web server is able to create safe encrypted links, or communication paths, between its website and a customer's browser.
What's in a SSL Certificate?
Most SSL certificates include the domain name (web address), company name, company address, the certificate's expiration date, and information about the certification authority who issued the certificate. Individuals are not usually allowed to possess a SSL certificate. In virtually all cases, SSL certificates are only issued to companies.
How Does SSL Work with My Browser?
The typical web user isn't required to understand the complex process behind the SSL protocol. A key indicator is processed by the web browser to indicate that it is protected by an SSL-encrypted session, and the browser will show a small lock icon in the lower, right-hand corner of the screen. If the lock is clicked, it will display the SSL certificate and all the details.
Behind the scenes, the browser retrieves the SSL certificate whenever it connects to a secure site. The browser check to make sure that the certificate has not expired, whether or not the issuing authority is one that the browser trusts, and that the certificate is being used by the same website to which it was issued. If either safety check fails, the browser will let the user know that the site is not secured by SSL through a warning message. The user has the choice of trusting the site or leaving.
Hypertext Transfer Protocol Secure, or HTTPS, combines standard HTTP with SSL for secure identification and encrypted communication of web servers. This standard is frequently used for online payments and other transactions that involve sensitive information. One way to instantly know if a site is using the HTTPS standard is to look at the address at the top of the page. If the address starts with "https" instead of the typical "http", the site is using HTTPS security measures. It's important to keep in mind that only a portion of the website may be using HTTPS, while the vast majority might be using simple HTTP. The idea behind HTTPS is to create a secure channel over a mostly unsecure network. For example, while it is critical that online banking uses HTTPS to secure a customer's account information, they would not need to go to that extreme to protect pages that simply tell the public how to apply for a new loan or credit card.