Freelance IT Solutions, Orlando, FL
SSL/TLS Explained
The Basics

Normally, data sent between your browser (e.g., Firefox, Google Chrome, Safari, Edge) and the web server is plain text. This leaves it vulnerable – if the data is intercepted by an attacker, it can be easily read and used.

When you are viewing a normal page on a website, this is not a big deal. The data being sent between the server and browser does not contain information that is sensitive. But there are times when this data does include something you don’t want others to be able to easily read. For example, passwords, credit card information, social security numbers, maybe even your address and phone number are data you don’t want others to easily read. (Although your address and phone number are normally public information, you may not want them associated with other data being transmitted between the browser and server.)

SSL (Secure Sockets Layer) is a standard security technology that encrypts what is being sent between the server and the browser, protecting your data from would-be attackers.

There are many times when an SSL Certificate is required. Credit card companies like VISA, MasterCard, and American Express require some type of encryption when transmitting card information. In some states, collecting information about children – names, ages, social security numbers, etc. – requires an encrypted connection. But acquiring the certificate is always the responsibility of the website owner. So sometimes it’s not taken care of, maybe because the laws/requirements are not known, maybe because the owner wants to avoid the added expense.

All browsers have the capability to communicate with the server using the SSL protocol. The SSL Certificate is needed to establish the secure connection between the server and the browser.

SSL or TLS?
The SSL Protocol has always been used to encrypt transmitted data. When a more secure version was released, the version number was changed – until version 4.0. The new and more secure version of the SSL Protocol that would have been v4.0 was instead renamed TLSv1.0 – Transport Layer Security version 1.0. (The most recent version of TLS is 1.2.)

Because the term “SSL” is so well known when referring to secure data transmission, certificate providers, web hosting companies and the general digital community still use it even though the new certificates are actually using the TLS Protocol.

A Little More Technical – How it Works

SSL Certificates have a key pair – a public key and a private key. The keys work together to establish an encrypted connection. Additionally, the certificate has a “subject,” which identifies the owner. The owner of the certificate is also the owner of the website (or sometimes the representative of the owner). The owner/representative applies for a certificate with the provider of their choice. Criteria have to be met before the certificate process begins. After the website’s owner and other criteria have been verified, the process of creating the certificate begins.

A Certificate Signing Request (CSR) is created on the server. This creates a private and a public key on the server. The CSR data file, which contains the public key, is sent to the SSL Certificate issuer (a.k.a. Certificate Authority or CA). The issuer uses the CSR data file to create a data structure to match your private key without exposing the key itself. The CA never sees the private key.

The SSL Certificate is then installed on the web server. Also installed is an intermediate certificate that establishes the credentials of the SSL Certificate by tying it to your CA’s ‘root’ certificate.

Although anyone can create a certificate, browsers have a list of trusted Certificate Authorities – companies that comply with and are audited against authentication standards. An SSL Certificate issued by a CA to an organization and its domain/website verifies that a trusted third party has authenticated that organization’s identity. The browser knows the trusted Certificate Authorities and so lets the user know that the site is trusted.
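
The issuance steps above, as an added example that is not part of the original page: it creates a server key pair and CSR, signs it through a constructed root and intermediate CA, and shows that the server certificate only validates when the intermediate is supplied. The subjects (www.example.test, Demo Root CA, Demo Intermediate CA) and file names are assumptions, and it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example. Subjects and file names are constructed placeholders.

# new_csr NAME CN: create NAME.key (private, stays on this machine) and
# NAME.csr (carries only the subject and the public key).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# make_chain DIR: build root -> intermediate -> server certificate in DIR.
make_chain() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.crt 2>/dev/null &&
  new_csr int "Demo Intermediate CA" &&
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 30 -out int.crt 2>/dev/null &&
  new_csr server "www.example.test" &&
  openssl x509 -req -in server.csr -CA int.crt -CAkey int.key \
    -CAcreateserial -days 30 -out server.crt 2>/dev/null
)

# True when the public key inside the CSR is the one derived from server.key.
csr_matches_key() {
  [ "$(openssl req -in "$1/server.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

# Validate server.crt against the trusted root, with the intermediate ...
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    "$1/server.crt" >/dev/null 2>&1
}
# ... and without it, as when a server is configured with the leaf only.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

d=$(mktemp -d) && make_chain "$d" || exit 1
csr_matches_key "$d" && echo "CSR carries the public half of server.key"
grep -q "PRIVATE KEY" "$d/server.csr" || echo "CSR contains no private key"
verify_with_intermediate "$d" && echo "chain validates with intermediate"
verify_leaf_only "$d" || echo "rejected without intermediate"
```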

The Process
  1. The browser connects with the web server and requests the website data. It knows this should be a secure connection through the https protocol instead of the usual http. The browser requests that the server identify itself.
  2. The server sends a copy of the SSL Certificate, which includes the public key.
  3. The browser checks the certificate root against the list of trusted CAs. It also makes sure the certificate is not expired or revoked. If everything checks out, the browser creates and encrypts a session key and sends it back to the server using the server’s public key.
  4. The server decrypts the session key using its private key and sends back encrypted acknowledgment using the session key to start the encryption session.
  5. Now the browser and server share encrypted communications using the session key.
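
Steps 3 to 5 modelled with the openssl command line tool, as an added example that is not part of the original page and not a real TLS handshake: the browser wraps a random session key with the server's public key, the server unwraps it, and both sides then encrypt with the shared key. All keys, file names and the message are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: simplified model of steps 3-5 above, not a real TLS handshake.
# Keys and messages are constructed; AES-CBC is used only because the
# openssl enc command offers it (real TLS also authenticates each record).

# Server side, before any connection: private key plus the public key
# that the certificate carries in step 2.
new_keypair() {  # new_keypair PRIVATE_OUT PUBLIC_OUT
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1" 2>/dev/null &&
  openssl pkey -in "$1" -pubout -out "$2"
}

# Step 3 (browser): create a random session key and encrypt it so that
# only the holder of the matching private key can read it.
wrap_session_key() {  # wrap_session_key PUBLIC SESSION_OUT WIRE_OUT
  openssl rand -hex 32 > "$2" &&
  openssl pkeyutl -encrypt -pubin -inkey "$1" \
    -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3"
}

# Step 4 (server): recover the session key with the private key.
unwrap_session_key() {  # unwrap_session_key PRIVATE WIRE_IN SESSION_OUT
  openssl pkeyutl -decrypt -inkey "$1" \
    -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3" 2>/dev/null
}

# Step 5: either side encrypts with the shared session key.
seal() {  # seal SESSION_FILE (plaintext on stdin) -> "iv:base64"
  iv=$(openssl rand -hex 16)
  printf '%s:' "$iv"
  openssl enc -aes-256-cbc -K "$(cat "$1")" -iv "$iv" -a -A
}
unseal() {  # unseal SESSION_FILE MESSAGE -> plaintext
  printf '%s' "${2#*:}" |
    openssl enc -d -aes-256-cbc -K "$(cat "$1")" -iv "${2%%:*}" -a -A
}

d=$(mktemp -d)
new_keypair "$d/server.key" "$d/server.pub"
new_keypair "$d/other.key" "$d/other.pub"   # an eavesdropper's unrelated key
wrap_session_key "$d/server.pub" "$d/browser.session" "$d/wire.bin"
unwrap_session_key "$d/server.key" "$d/wire.bin" "$d/server.session"
msg=$(printf 'constructed form data' | seal "$d/browser.session")
echo "server reads: $(unseal "$d/server.session" "$msg")"
unwrap_session_key "$d/other.key" "$d/wire.bin" "$d/stolen" ||
  echo "eavesdropper cannot recover the session key"
```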

Should Your Site Have an SSL Certificate?

If you collect or include any sensitive information through your website, you should have an SSL Certificate. ‘Sensitive information’ includes credit/debit card information (numbers, expiration dates, CVV numbers, etc.), Social Security Numbers, any information that might be collected about children (for example, information collected by daycare and school organizations), driver’s license information, and private organization information. If your site keeps track of purchases made by visitors, even if it does not collect payment information, it should use SSL to protect the end user.

Also, if your site has a membership section where a profile is used to identify the visitor, you should have an SSL Certificate to protect the members’ information and their identity.

One final note: Google has announced that they will start giving priority to sites that use SSL. Why? It is important to Google that sites provide or represent what they claim to provide or represent. Fraudulent sites will often ‘spoof’ or pretend to be other sites to get you to provide information or purchase products that are not the real thing. In the process of getting an SSL Certificate, the site owner must prove their identity. This helps to ensure the website’s authenticity.

If you host your website with us, we do offer SSL Certificates. Please contact us to discuss what type of certificate your site needs.