What Is SSL? A Beginner's Guide

Published by Adrian in Guides


Most internet users don't want to visit a website that lacks an SSL certificate, including the many who have no idea what SSL means. Imagine seeing a red triangle with an exclamation mark and a "Not Secure" message the moment you open a website. Would you keep browsing it?

Chances are you've seen at least one of those messages by now. It is the not-so-pretty visual cue that Google Chrome has begun attaching to plain HTTP websites, and it is taking a toll on many online businesses that ignored the importance of the little "S" missing from their websites' "HTTP".

Statistically, around 60% of internet users rely on Google Chrome, and every one of them is told whether a website is secure when they open it. For now, the difference between Secure and Not Secure comes down to the presence or absence of a valid SSL certificate.

To stick to the visual cues, it's the difference between the address bar:

  • Showing a padlock icon (and, in older Chrome versions, a green "Secure" label) in front of an address that starts with https://
  • Showing a grey or red "Not Secure" label in front of an address that starts with http://

Now…

Are you an everyday internet user who wants to know what SSL is and how HTTP and HTTPS websites differ?

Are you running a business, have heard that your website needs a certificate, and have no idea what an SSL certificate is or how to get one?

This beginner's guide walks you through the basics: what the term means, how the technology works, and what kinds of certificates are out there. You're guaranteed to come away with a lot of useful information.

What does SSL stand for and what does it mean?

SSL stands for Secure Sockets Layer. It names a protocol designed to keep private and secure whatever data two systems exchange over the internet; it is, to be more specific, an encryption technology. Strictly speaking, SSL itself is obsolete: every version of it (SSL 2.0 and 3.0) has known weaknesses and has been retired, and what websites actually run today is its successor, TLS (Transport Layer Security). The old name stuck, though, so when this guide, or a certificate vendor, says "SSL certificate" or "SSL connection", it means the certificate and the TLS connection that browsers use now.

It works by encrypting the information before it is transferred, so that only the intended recipient can decrypt it, and by authenticating the server first, so that the browser knows the data really is going to the site named in the address bar and not to an impostor.

Most commonly, the SSL connection is set up between a client and a server, but it can also be set up between two servers or two clients. The classic client-server example is your web browser visiting a shopping website.

As a client, you use their website to log in with your username and password. If you like what you find, you may go on to share your credit card or PayPal details with the site, because you want to pay for your order and have it delivered to your front door.

What if that shopping website has no SSL in place?

All the personal details you type on the website can be read, and altered, by... anyone. Anyone means any computer sitting between your web browser and the server where the shopping website is hosted.

The internet is a worldwide network of an enormous number of computers (the "web" is the part of it you reach through a browser). When you access the shopping website, the information you type doesn't flow straight to the destination server: before it gets to the computer where the website is hosted, it passes through other intermediary computers, such as your home router, your internet provider's equipment and the transit networks in between.

And what if there is an SSL connection in place?

Then those intermediary computers still receive and forward the information, but it is unintelligible to them, and any attempt to tamper with it on the way is detected by the receiving end.

What is an SSL connection?

So far we have talked about what the SSL technology does and what purpose it serves. That doesn't yet cover the technical side: what the connection itself consists of.

In practice, the SSL connection is established through public key cryptography, a process that rests on serious math, not the kind you learned in high school and hated...

Coming up next, we will skip the math and stick to the essentials.

Public key cryptography uses two cryptographic keys (very long numbers): one is public, and can be handed to anyone; the other is private, and known only to its owner. The two are mathematically related in such a way that whatever is encrypted with the public key can only be decrypted with the matching private key, and a signature made with the private key can be checked by anyone holding the public key. Knowing the public key does not let you work out the private one.

In our example, it is the server (where the website is hosted) that owns a public/private key pair; the public half travels inside its certificate. Your browser normally has no certificate or key pair of its own. When the browser needs to send the server a secret, it encrypts that secret with the server's public key, knowing that the server is the only party able to decrypt it, with its private key.

Data flowing the other way, from the server back to your computer, is not encrypted with a public key of yours (client certificates exist, but websites rarely use them). Instead, both directions are protected by a symmetric key that the two sides share, as explained below.

Anyone who intercepts the traffic between the two ends cannot decrypt it, because they lack the recipient's private key.

As you can imagine, encrypting and decrypting with public and private keys takes a significant amount of processing power, and public key encryption can only handle small messages anyway. Consequently, it is only used when the SSL connection is first created. The two sides then agree on a symmetric key and use that to encrypt all the web page data, so the expensive step is not repeated for every request.
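As an added example (not code from the original guide), here is the division of labour just described, in Go using only the standard library: the browser side generates a fresh AES session key, wraps it with the server's RSA public key (RSA-OAEP), and encrypts the bulk data with AES-GCM; the server side unwraps the key with its private key and decrypts. The key pair, the sample form data and the names Encrypt, Decrypt and GenerateServerKey are constructed for the example. This mirrors the RSA key transport the guide describes; TLS 1.3 derives the session key through a Diffie-Hellman exchange instead, but the roles of the two kinds of keys are the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"log"
)

// Envelope is everything an intermediary on the path gets to see. Neither
// part is useful without the server's private key.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key, RSA-OAEP encrypted to the server's public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // data encrypted and integrity-protected with AES-GCM
}

// oaepLabel binds the wrapped key to its purpose; both sides must use the same one.
var oaepLabel = []byte("session-key")

// GenerateServerKey creates the server's key pair. A real server loads this
// from disk and publishes the public half inside its certificate.
func GenerateServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt plays the browser: pick a fresh session key, wrap it with the
// server's public key (the expensive, one-time step), then encrypt the bulk
// data symmetrically with AES-GCM (the cheap step used for everything else).
func Encrypt(serverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt plays the server: unwrap the session key with the private key, then
// decrypt and authenticate the data. The wrong private key, or a single
// modified byte of ciphertext, yields an error rather than garbage.
func Decrypt(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the matching private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext rejected: tampered with or wrong key")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	serverKey, err := GenerateServerKey()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample form data for the demo.
	env, err := Encrypt(&serverKey.PublicKey, []byte("user=alice&pass=hunter2"))
	if err != nil {
		log.Fatal(err)
	}
	got, err := Decrypt(serverKey, env)
	fmt.Printf("server decrypts: %q (err=%v)\n", got, err)
	intruderKey, _ := GenerateServerKey() // an intermediary with its own key pair
	_, err = Decrypt(intruderKey, env)
	fmt.Println("intruder decrypts:", err)
	env.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Decrypt(serverKey, env)
	fmt.Println("tampered message:", err)
}
```

Note that the symmetric layer is AES-GCM, an authenticated cipher: it is what turns "unintelligible to intermediaries" into "and any tampering is detected", which plain encryption alone would not give you.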

The 7 steps of setting up an SSL connection

Whenever you use your web browser to open a website, there is a back-and-forth exchange between your browser and the web server that hosts the page you asked for. Reduced to its essence, that exchange consists of the following 7 steps, which together answer the question of how SSL works:

  1. The web browser requests a secure page (one with an https:// URL);
  2. The web server hosting that page sends the browser its certificate, which carries two essential pieces of information:
    • the server's identity (the hostnames it is valid for, and which authority issued it)
    • the server's public key
  3. The web browser checks the certificate it received, making sure that:
    • it has not expired (and its start date is not in the future)
    • it has not been revoked (checked through the CA's CRL or OCSP service)
    • it was, indeed, issued by a certificate authority the browser trusts, through an unbroken chain of signatures
    • and, equally important, it lists the hostname the browser connected to among its Subject Alternative Names (browsers no longer rely on the certificate's common name for this)
  4. If every check passes, the web browser generates a symmetric key, encrypts it with the server's public key and sends it to the web server;
  5. The web server uses its private key to decrypt the symmetric key it received from the browser;
  6. The web server then uses the symmetric key to encrypt the page and send it back to the browser;
  7. Finally, the web browser uses the symmetric key to decrypt the page it received and displays it to you.

Steps 4 and 5 describe the RSA key exchange used by older TLS versions. TLS 1.3, and most TLS 1.2 servers today, instead have both sides contribute to an ephemeral Diffie-Hellman exchange: each side derives the same symmetric key and it is never sent over the wire. That gives forward secrecy, meaning a later theft of the server's private key does not expose traffic recorded earlier. The division of labour is unchanged: the certificate and its public key authenticate the server, the symmetric key protects the bulk data.

The different types of SSL certificates available out there

Just to recap, SSL is an encryption technology. To use it, an SSL connection must be set up, and besides generating the encryption keys, the server must hold an SSL certificate. It is the responsibility of well-established Certificate Authorities (CAs) to vet the server's owner and issue that certificate.

What are CAs and how do they work?

A CA is an organization specialized in issuing digital certificates to organizations and people. Its activity is heavily regulated, given the responsibility it takes on: to have its root certificate included in browser and operating system trust stores, a CA must follow the CA/Browser Forum's Baseline Requirements and pass regular independent audits, and browsers have removed CAs that failed to meet them.

That is why each CA must publish a Certification Practice Statement (CPS), the document spelling out the rules it follows when verifying applications. After all, all sorts of entities come to a CA asking for a certificate that will vouch for their identity online.

Among the many Certificate Authorities out there, there are:

  • Private companies that put quite hefty price tags on their services;
  • CAs owned by governments;
  • But also free Certificate Authorities, Let's Encrypt being the best known.

Each one comes with its own products, prices and certificate features. But in every case, the CA will:

  • Check the details of the applicant, which depending on the certificate type cover:
    • Its web server (that the applicant really controls the domain name)
    • What the company is
    • Where it is located, etc.
  • Verify that data against public records, making sure that it is true and current

Only after that validation will it create a certificate for that organization and sign it with its own private key, in a way that cannot be forged: any later alteration of the certificate's contents invalidates the signature.

What does such a certificate contain? Is there more than one type of SSL certificate?

The certificate (an X.509 certificate, to give it its technical name) includes fields such as:

  • Version (virtually always version 3)
  • Serial Number (unique within the CA, and what a revocation entry refers to)
  • Signature Algorithm ID
  • Issuer (the CA that signed it)
  • Validity (not-before and not-after dates)
  • Subject (the company details: common name, organization, country)
  • Subject Public Key Info (algorithm and key)
  • Issuer Unique Identifier and Subject Unique Identifier (optional, and rarely used)
  • Extensions, the most important being the Subject Alternative Names (the hostnames the certificate is valid for), key usage, and the addresses of the CA's revocation services
  • Signature algorithm, followed by the CA's digital signature over everything above

Simply put, the SSL certificates that identify a person or an organization fall under the following main categories (the first three describe how much vetting the CA did, the next two describe which names the certificate covers, and the last two are special cases):

  • Domain validated (DV) certificates – issued automatically, within minutes, once you prove control of the domain (by answering a challenge over HTTP, DNS or email); they say nothing about who is behind the domain;
  • Organization validated (OV) certificates – issued after the CA has also checked that the organization named in the certificate exists and really applied for it;
  • Extended validation (EV) certificates – issued after a detailed, standardized vetting of the organization's legal identity, usually much more expensive to obtain (see the EV SSL certificates);
  • Wildcard certificates – certificates for a name such as *.example.com that cover one level of subdomains (www.example.com, shop.example.com) but not deeper names such as a.b.example.com, and not example.com itself unless it is listed as well;
  • SAN (multi-domain) certificates – certificates that list an explicit set of hostnames, which may belong to different domains; since browsers require every hostname to appear in the Subject Alternative Name extension, nearly every certificate issued today is technically a SAN certificate;
  • Code signing certificates – not SSL certificates at all, but a related product: they sign applications or executable files, giving users confidence that the code comes from a known organization and has not been tampered with since it was signed;
  • Self-signed certificates – certificates you create yourself, signed with your own key instead of a CA's; the connection is still encrypted, but because no trusted CA vouches for the name, the browser warns users that the certificate is untrusted, and it has to: an attacker impersonating your site could produce one just as easily.
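To make the certificate checks concrete, here is an added Go example (not from the original guide) that plays the CA from the previous section, issuing a certificate for shop.example with a wildcard SAN from a throwaway root, and then runs the checks a browser performs in step 3 of the handshake above against the fields just listed: trusted issuer chain, validity period, key usage and hostname match, including the wildcard depth rule and the untrusted self-signed case. The CA name, the hostnames and the function names BuildChain, CheckHostname and SelfSigned are constructed for the example; only revocation checking (CRL/OCSP) is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tpl on behalf of parent; when parent is tpl itself the result is self-signed.
func issue(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// serverTemplate describes a certificate for shop.example and one level of subdomains
// (the wildcard SAN), valid for validDays from now; a negative value gives an expired one.
func serverTemplate(serial int64, validDays int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "shop.example", Organization: []string{"Example Shop Ltd"}},
		DNSNames:     []string{"shop.example", "*.shop.example"},
		NotBefore:    time.Now().Add(-25 * time.Hour),
		NotAfter:     time.Now().Add(time.Duration(validDays) * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildChain acts as the CA: it creates its own root and signs the server's certificate with
// the root's private key. It returns that certificate plus the trust store holding only the root.
func BuildChain(validDays int) (*x509.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Trust Services"}},
		NotBefore:             time.Now().Add(-25 * time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err := issue(rootTpl, rootTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := issue(serverTemplate(2, validDays), root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return leaf, pool, nil
}

// CheckHostname is the browser's step 3: the certificate must chain to a root in the trust
// store, be within its validity period, be permitted for server authentication, and list
// host among its Subject Alternative Names. Revocation is the one check left out here.
func CheckHostname(cert *x509.Certificate, host string, trusted *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// SelfSigned builds a certificate with the right names but signed by its own key, not a CA's.
func SelfSigned() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tpl := serverTemplate(3, 90)
	return issue(tpl, tpl, &key.PublicKey, key)
}

func main() {
	leaf, trusted, err := BuildChain(90)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer=%q subject=%q serial=%s sans=%v notAfter=%s sigalg=%s\n", leaf.Issuer.CommonName,
		leaf.Subject.CommonName, leaf.SerialNumber, leaf.DNSNames, leaf.NotAfter.Format("2006-01-02"), leaf.SignatureAlgorithm)
	for _, host := range []string{"shop.example", "www.shop.example", "a.b.shop.example", "evil.example"} {
		fmt.Printf("%-18s -> %v\n", host, CheckHostname(leaf, host, trusted))
	}
	expired, ownRoot, _ := BuildChain(-1)
	fmt.Println("expired           ->", CheckHostname(expired, "shop.example", ownRoot))
	selfSigned, _ := SelfSigned()
	fmt.Println("self-signed       ->", CheckHostname(selfSigned, "shop.example", trusted))
}
```

The two rejected hostnames show the wildcard rule in action: *.shop.example covers www.shop.example but not a.b.shop.example, and evil.example is not listed at all. The self-signed certificate fails for a different reason, "signed by unknown authority", which is exactly the warning a browser shows for it.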

Knowing how SSL works, who needs it and why?

On top of keeping your private data private, an SSL connection also provides authentication: it lets your browser confirm that it has reached the server it meant to reach. How else could you be sure?

How can you tell that you are encrypting that sensitive data for the right server? Because yes, attackers can try to intercept your connection (a man-in-the-middle attack) and trick you into believing you have reached the destination and it is safe to send your data, when in fact it is going to them.

That's where the authentication provided by the SSL certificate comes in. It is also one of the big reasons why getting an SSL certificate from a reputable, trustworthy CA matters.

In a nutshell, if you have a website where users just come to "look" at what you publish, whether reading blog posts, watching videos, or both, and they never have to give you any information, an SSL certificate may feel less crucial to your business. It still matters: without HTTPS, anyone on the path between you and your visitors can alter your pages in transit, injecting ads, tracking scripts or malware, and can see exactly what each visitor reads.

But if you do ask for any kind of personal information from your website visitors, even if it is just a username and a password to log in and get access to more content, then you have the responsibility to protect that information.

Furthermore, if you are selling things to them, regardless of whether you ask them to enter credit card information directly or you use a third-party payment processor like Payoneer or PayPal, then having an SSL certificate in place is mandatory! The payment card industry's PCI DSS rules require cardholder data to be encrypted in transit, and even with an external processor, a checkout page served over plain HTTP can be altered on its way to the visitor so that the payment button leads somewhere else entirely.

Still not convinced that you could use one of these?

As a side note, HTTPS is a factor in Google's search ranking algorithm. Google takes it into account, among many other things, when deciding where to place your website in the results for a query related to your content. If you don't want to miss out on that, you have yet another reason to go for it.

Last but not least, it is also a matter of confidence. If users see the Not Secure message next to your website's URL in the address bar, they may leave, even if they never need to type any data on your site. (They are not entirely without risk either: over plain HTTP, the pages they read can be altered in transit.)

So, if you want to be seen and trusted, you want to be seen as a secure place to go, and SSL does that for your online presence. And if you are on the other side, as a visitor, keep everything above in mind before you run away from a Not Secure website.