SSL for Dummies


I don’t mean you are a dummy… It just seemed like a catchy title. Besides, most of us are dummies when it comes to SSL.

SSL is one of those words that we hear being thrown around to imply security. You can identify a site with an SSL certificate because the website address starts with https and has a green padlock.

SSL is just one of the many steps to keep a site secure, but it is a fundamental one. So what exactly is SSL?

What is SSL?

SSL is short for Secure Sockets Layer and refers to the technology that ensures that communication between a client (such as your laptop) and a server (such as where your website is hosted) is encrypted. This helps protect you from the so-called Man in the Middle (MITM) attack. In this kind of attack, the attacker (for lack of a better word) can see the communication between a client and a server and intercept it. This is definitely a big problem because the attacker can see your login details and other important information that should normally be known only to you.

SSL helps to ensure that the communication between the server and the client is understood only by the two of them. If anyone intercepts the communication, it is complete gibberish. So, imagine two people who are the only living souls that understand an ancient and complicated language talking in a crowded room. No matter how many people listen, they only hear blah blah blah.

How does SSL work?

Good question. When a browser first initiates a connection with a website that has SSL, it establishes an SSL connection using an SSL handshake. There are three keys required to set up an SSL connection – private, public and session keys.

Here is a description of what happens during the SSL handshake:

  1. The browser connects to the web server (website), asking the web server to identify itself.
  2. The web server sends a copy of its SSL Certificate and includes its public key.
  3. The browser checks the certificate root against a list of trusted Certificate Authorities (CAs) and confirms that the certificate is valid and that its common name corresponds to the hostname of the website. If all this checks out, the browser creates a session key, encrypts it with the server’s public key and sends it back.
  4. The server decrypts the session key using its private key and sends back an acknowledgment encrypted with the session key to start the encrypted session.
  5. Finally, both the server and the browser can now encrypt all transmitted data with the session key.

It takes a lot of processing power to encrypt and decrypt using public and private keys. This is why both browser and server agree on a session key that only the two of them know and use to encrypt and decrypt the communication. Note also that whatever is encrypted with the public key of the server can only be decrypted with the private key (which only the server knows). This ensures that communication remains private.
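The validity and hostname checks from step 3, sketched as an added example (not code from the original post). It works on the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`; current browsers match the hostname against the certificate's Subject Alternative Name entries, so the sketch reads those first and falls back to the common name. The names `check_certificate` and `SAMPLE_CERT` and the host `shop.example` are assumptions made for illustration, and verifying the chain up to a trusted CA is left to the TLS library (`ssl.create_default_context()` does it for real connections).

```python
import ssl
import time

def _dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the common name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly the left-most label."""
    p, h = pattern.lower().rstrip(".").split("."), hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check_certificate(cert, hostname, now=None):
    """Return a list of problems; an empty list means step 3's checks passed."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(_name_matches(n, hostname) for n in _dns_names(cert)):
        problems.append("hostname mismatch")
    return problems

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
}
FEB_2024 = ssl.cert_time_to_seconds("Feb  1 00:00:00 2024 GMT")
MAY_2024 = ssl.cert_time_to_seconds("May  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    for host, when in [("shop.example", FEB_2024), ("www.shop.example", FEB_2024),
                       ("a.b.shop.example", FEB_2024), ("shop.example.evil.test", FEB_2024),
                       ("shop.example", MAY_2024)]:
        print(host, check_certificate(SAMPLE_CERT, host, when) or "ok")
```

A lookalike such as `shop.example.evil.test` fails because names are compared label by label, and the wildcard entry covers one extra label only.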

You would notice that an important element of establishing a secured communication is point 3, where the browser verifies the identity of the web server using an SSL certificate. We will discuss this next.

What is an SSL Certificate?

To create a secure communication, however, we need to be sure that we are communicating with the right server. This is where SSL certificates come in. A valid SSL certificate is issued by a trusted Certificate Authority (CA) after the CA has verified the identity of the server and the domain that it hosts.

To get a certificate, the server generates a Certificate Signing Request (CSR) alongside a pair of public and private keys. The CSR contains the public key of the server and is sent to the CA. The CA then verifies that the domain the CSR was generated for is hosted on the server that owns the CSR, using DNS methods or by uploading a test file. When the CA verifies the server’s identity, an SSL certificate is issued and installed on the server.

In some cases, this process is completely automated. In some others however, you may need to generate the CSR manually. Contact your hosting provider to help you get started with this.

How much does an SSL certificate cost?

There are three major types of SSL certificates, and the type determines how much a certificate costs.

Domain Validated (DV) SSL

This is the basic SSL certificate and it does exactly what we expect. It helps the browser identify that the connection is with the expected server and also helps with the encryption of the communication between both devices.

Thanks to Let’s Encrypt, you can get a DV SSL certificate absolutely free. Many hosting providers already offer this at no additional charge. You can give these guys a try.

Organisational Validated (OV)

The OV SSL does everything that a DV SSL does and more. An OV SSL is only issued after the Certificate Authority (CA) has also verified that the organisation that owns the website exists. The CA performs background checks, requests company registration documents and only issues a certificate once it is confident that the organisation is real and can be reached.

This kind of certificate is ideal for bigger organisations that want to assure site visitors of their legitimacy. This kind of certificate is available at a premium and is usually issued after a couple of days.

Extended Validation (EV)

The EV SSL, popularly called the green-bar certificate, is the highest level of validation. Like the OV SSL, it requires the CA to verify the existence of the organisation before issuing the certificate. Unlike the OV SSL however, the EV SSL, once installed, visually displays the name of the organisation on the address bar of the browser.

Screenshot showing an EV SSL certificate of a website

An EV SSL helps build trust and is largely used by financial institutions and organisations that require this additional verification of their identity. As you can imagine, it is the most expensive certificate of all, but quite worth the cost, for organisations that want their users to differentiate their site from counterfeits.

You can get any of these certificate types from here.

In summary, SSL helps in keeping our communications encrypted and private. If your website does not have an SSL certificate, get one today!
