What is SSL – The Protocol and Certificate
A brief explanation of SSL Certificates and why they're no longer optional
What is SSL?
SSL – or Secure Sockets Layer – is the standard for establishing an encrypted connection between a web browser and a web server. The encrypted connection uses cryptography to obscure the data being sent between the two parties, so that the data remains private and untampered with. SSL is the only widely deployed solution for encrypting information in transit and is the result of years of collaboration between industry leaders. SSL is used by millions of people every day to secure website connections.
Why Do We Need SSL?
The importance of protecting your data is obvious once you realize the types of information we regularly send across the internet. When you make a purchase online, your credit card number, name and address are sent to a webserver, which could be anywhere across the globe. When you sign into a website, your login name and password are sent to a webserver, the same login and password that are used to access your most personal and important financial information. The list goes on and on.
How Does SSL Work?
SSL has two pieces: the protocol and the certificate. The protocol is the code and procedures which allow computers to handle the encryption. The protocol is open-source and free to use. This has allowed SSL to be widely adopted by all sorts of devices.
The second piece is the certificate, which identifies the specific webserver and works in combination with a unique code used for encryption - called the private key. Each SSL Certificate has a “Subject” which identifies who owns the certificate. This is always a domain name, and, if applicable, the company operating the website. To ensure SSL certificates are used properly, the subject listed in the certificate is always “validated.”
What is Validation?
Validation is a formal process handled by the companies who create and issue SSL certificates – known as Certificate Authorities (CAs). At ASKSSL, we offer a wide range of certificates from several of the largest trusted CAs – Symantec, GeoTrust, Thawte, RapidSSL and Comodo.
The purpose of validation is to ensure that the server is properly identifying itself. SSL validation comes in multiple varieties – but at the basic level, it ensures that the domain is owned by the party requesting the certificate. Premium certificates will validate the business that owns the domain.
This allows SSL to perform a technical function known as Server Authentication, which is the second function of SSL. Server Authentication and Encryption work together to ensure that your information is not only sent securely, but is also sent to the correct party.
To ensure security is maintained, all SSL certificates expire. When certificates expire, they must be validated again. This allows the CAs to check that the certificates are still being operated by the same people. All SSL Certificates expire within 1-3 years.
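The checks described above (the certificate's subject, matching the server's name, and the expiry window), as an added Python example that is not part of the original article. The certificate is a constructed sample in the shape returned by Python's ssl.SSLSocket.getpeercert(); the function names, and the rule that a missing organization means domain-only validation, are assumptions of this example.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names and dates are illustrative, not taken from a real certificate.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
# Constructed "current time" (epoch seconds) so the example is reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec  2 00:00:00 2030 GMT")

def name_matches(pattern, host):
    """Match one DNS name; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_certificate(cert, host, now):
    """Report the subject, name match and validity of `cert` at time `now`."""
    # Flatten the nested subject tuples into {"commonName": ..., ...}.
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "host_matches": any(name_matches(n, host) for n in dns_names),
        # Assumption of this example: no organization in the subject
        # means only the domain was validated.
        "organization": subject.get("organizationName"),
        "in_validity_period": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
    }

if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "www.example.com", SAMPLE_NOW))
```

A negative days_left means the certificate has already expired; a monitoring job would normally alert well before it reaches zero.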
When your connection to a website is secured with SSL, various UI cues are displayed. We call these “Trust Indicators.” The most common ones are “HTTPS”, the Green Padlock, and the Green Address Bar.
All certificates display “HTTPS” and the Green Padlock. SSL certificates with higher levels of validation – known as Extended Validation (EV) – also prominently display the company name in a Green Address Bar next to the URL in browsers. This allows companies who are engaging in high-value industries to display their identity and security.
The Importance of SSL
There is nothing else out there quite like SSL. Every day, more and more websites are using SSL, and one day, all communications on the internet will be encrypted. There are several industry and browser initiatives that are encouraging all sites to deploy at least basic SSL encryption.