Web Security - Secure Sockets Layer (SSL)

If you send your credit card details to a web server over the internet without Secure Sockets Layer (SSL), any computer on the path between you and the server can read them with an ordinary packet-capture tool. With SSL the data is encrypted before it leaves your browser, so it reaches the web server without being readable, or silently altered, along the way. Note that the SSL protocol versions themselves have been retired in favour of their successor, Transport Layer Security (TLS); the name "SSL" survives in certificates and product names, and everything described below applies to TLS as used today.


SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and unaltered. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.

To create an SSL connection a web server needs an SSL certificate. When you set up SSL on your web server you are asked a number of questions about the identity of your website and your organisation. Your web server (or the key-management tool used with it) then generates a pair of cryptographic keys: a Private Key, which must never leave the server, and a matching Public Key.

The Public Key does not need to be secret. It is placed into a Certificate Signing Request (CSR), a data file that also contains your details and that is signed with your Private Key, which lets the Certification Authority (CA) confirm that whoever submitted the request actually holds that key. You then submit the CSR to the CA. During the application process the CA validates your details (at minimum, that you control the domain name in the request) and issues an SSL certificate containing those details and your Public Key, signed by the CA. Your web server pairs the issued certificate with your Private Key, and from then on it can establish an encrypted link between the website and your customer's web browser.

Typically an SSL certificate contains the domain name (or names) it covers, and, for certificates where the CA has validated the organisation, your company name, address, city, state and country. It also contains the validity period (a not-before and an expiry date), the identity of the Certification Authority that issued it, and the CA's signature over all of the above. When a browser connects to a secure site it retrieves the site's certificate and checks that it is within its validity period, that it chains (through any intermediate certificates) to a Certification Authority the browser trusts and each signature in that chain verifies, and that it was issued for the host name the browser is actually connecting to. If any one of these checks fails the browser displays a warning telling the user that the connection cannot be trusted. Note the distinction: a failed check does not mean the traffic is unencrypted, it means the browser cannot tell who is on the other end, so an attacker could be in the middle.

Let us understand how Secure Sockets Layer (SSL) works using the diagram above.

1. The web browser (client) requests a protected resource on the web server using the HTTPS protocol.
2. The server presents its certificate (together with any intermediate CA certificates) to the client.
3. The client checks the certificate against its list of trusted CAs: it builds a chain to a trusted root, verifies each signature in the chain, checks the validity period, and confirms that the certificate was issued for the host name it asked for. If any of these checks fails the client aborts the handshake or warns the user.
4. Only if the server has asked for client authentication (mutual TLS, used by some corporate and API deployments but not by ordinary public websites) does the client send its own certificate to the server. A normal web browser skips this step.
5. In that case the server verifies the client's certificate in the same way.
6. The handshake ends with both sides deriving a shared session key, and the server grants access to the requested resource over the now-encrypted connection.

From now on, all traffic between the client and the web server is encrypted and decrypted with that shared symmetric session key, which is derived during the handshake and used only for this session. The certificate's public key is used only during the handshake, to authenticate the server and protect the key exchange; it never encrypts the application data itself.
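The CSR and issuance steps described above and the client-side checks in the handshake, as one runnable example added here (it is not the page's own code and is not tied to any particular web server). It uses only Go's standard library: it creates a made-up root CA, has the "web server" generate a key pair and a CSR for the assumed host name www.example.test, has the CA check the CSR's signature and issue a certificate, then runs real TLS handshakes over the loopback interface and reports which of the browser's three checks fails when the CA is untrusted, the host name is wrong, or the certificate has expired. The names Example Root CA, Example Corp, www.example.test and shop.example.test are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error, which is acceptable for a loopback demonstration.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed root: the "Certification Authority" of the text ("Example Root CA" is a made-up name).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// makeCSR is the web-server side: generate a key pair, keep the private key, and put the public key plus the site's identity into a CSR.
func makeCSR(host string) ([]byte, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host, Organization: []string{"Example Corp"}},
		DNSNames: []string{host}, // browsers match the host name against SAN entries, not the CN
	}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, key)), key
}

// issue is the CA side: check the CSR's own signature (proof the requester holds the private key), then sign a certificate carrying the CSR's identity and public key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, notAfter time.Time) []byte {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature())
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // real CAs use large random serials
		Subject: csr.Subject, DNSNames: csr.DNSNames, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
}

// connect runs one TLS handshake over loopback: a server presenting srv, and a client that trusts only roots and expects serverName. The verdict names the browser check that failed, if any.
func connect(srv tls.Certificate, roots *x509.CertPool, serverName string) string {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}}))
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // returns an error when the client rejects the certificate
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	var unknown, name, invalid = x509.UnknownAuthorityError{}, x509.HostnameError{}, x509.CertificateInvalidError{}
	switch {
	case err == nil: // every check passed; from here on the record layer encrypts both directions
		defer conn.Close()
		return "trusted, issued by " + conn.ConnectionState().PeerCertificates[0].Issuer.CommonName
	case errors.As(err, &unknown):
		return "untrusted CA"
	case errors.As(err, &name):
		return "name mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

// runScenarios plays out what a browser can conclude: a good certificate, a CA it does not trust, a certificate used for the wrong host name, and an expired certificate.
func runScenarios() map[string]string {
	const host = "www.example.test" // assumed host name for this demo
	ca, caKey := newCA()
	csrDER, key := makeCSR(host)
	leaf := func(notAfter time.Time) tls.Certificate { return tls.Certificate{Certificate: [][]byte{issue(ca, caKey, csrDER, notAfter)}, PrivateKey: key} }
	good, expired := leaf(time.Now().Add(24*time.Hour)), leaf(time.Now().Add(-time.Hour))
	trusted := x509.NewCertPool() // stands in for the browser's list of trusted CAs
	trusted.AddCert(ca)
	return map[string]string{
		"valid cert":   connect(good, trusted, host),
		"unknown CA":   connect(good, x509.NewCertPool(), host),
		"wrong host":   connect(good, trusted, "shop.example.test"),
		"expired cert": connect(expired, trusted, host),
	}
}

func main() { fmt.Println(runScenarios()) }
```

Run it with go run and it prints one verdict per scenario. Two things worth noticing: the client never sees the server's private key, it trusts the CA's signature on the certificate and the handshake itself proves the server holds the matching key; and in the three failing scenarios the TCP connection and the key exchange still happen, the client simply refuses to continue, which is exactly the "cannot be trusted" warning a browser shows.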

Thus, Secure Sockets Layer (SSL) exists mainly for the following reasons:

1. Encryption – hiding what is sent from one computer to another from anyone who can see the traffic in between.
2. Identification – making sure the computer you are speaking to is the one you intend to trust, which is what the certificate checks above establish.
3. Integrity – making sure that what arrives is what was sent, so that data cannot be altered in transit without detection.