SSL or Secure Sockets Layer is an encryption-based security protocol for encrypting Internet traffic between websites and applications.
What is SSL?
SSL is a technology that helps protect your website and its users from being spied on. SSL stands for Secure Sockets Layer, and it's a security protocol that provides authentication and encryption of communications between a web server and a browser.
This means that the website is using a valid SSL certificate and that your communications with the website are encrypted.
If you're running a WordPress site, it's important to make sure that your hosting provider offers SSL support. Otherwise, your users' data may be at risk.
How does it work?
SSL is implemented in most modern browsers and websites. When your browser wants to communicate with a website, it tries to create a secure channel of communication.
Your browser and server have a list of algorithms they can use to encrypt information passing between them.
This usually defaults to the strongest algorithm supported by both parties but either one may choose an alternative for compatibility reasons.
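A simplified model of that negotiation, added here as an illustration (it is not code from the original article). It lists the cipher suites the local OpenSSL build would offer and picks the first suite in the server's preference order that the client also supports. The function names and the `ECDHE+AESGCM` server restriction are assumptions made for the example.

```python
import ssl

def offered_suites(role, cipher_string=None):
    """Cipher suites a context of this role would offer, in preference order."""
    ctx = ssl.SSLContext(role)
    if cipher_string:
        ctx.set_ciphers(cipher_string)  # OpenSSL cipher-list syntax
    return ctx.get_ciphers()  # list of dicts: name, protocol, strength_bits, ...

def negotiate(client_suites, server_suites):
    """Model of suite selection: first server-preferred suite the client also offers."""
    client_names = {s["name"] for s in client_suites}
    for suite in server_suites:
        if suite["name"] in client_names:
            return suite
    return None  # no overlap: a real handshake would fail at this point

def weak_offers(suites, min_bits=128):
    """Names of offered suites whose symmetric key is shorter than min_bits."""
    return [s["name"] for s in suites if s["strength_bits"] < min_bits]

if __name__ == "__main__":
    # Assumed setup: a default client and a server restricted to ECDHE + AES-GCM.
    client = offered_suites(ssl.PROTOCOL_TLS_CLIENT)
    server = offered_suites(ssl.PROTOCOL_TLS_SERVER, "ECDHE+AESGCM")
    chosen = negotiate(client, server)
    print(chosen["name"], chosen["protocol"], chosen["strength_bits"])
    print("weak client offers:", weak_offers(client))
```

The actual selection happens inside the TLS library during the handshake; this model only shows why both lists matter and how a weak entry in either list can be spotted before deployment.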
To ensure your connection is secure, your browser sends a public key to the server. The server uses its private key to send a challenge message back. To decode this, your browser uses its public key and the challenge string it received from the website's private key.
If that answer matches what is expected by the browser based on the challenge sent by the web server, then you know it's using a proper security protocol. SSL can also be used to authenticate a website or web servers by checking the site's certificate.
What is it used for?
SSL (Secure Sockets Layer) is a protocol that ensures privacy between communicating applications and their users on the Internet.
SSL uses cryptography to secure data communication over the Internet by encrypting data transmitted between computers, server computers, and browsers.
SSL certificates are files that contain keys of asymmetric ciphers used for the encryption/decryption process.
Public-key cryptography uses two keys for encrypting and decrypting information—a public key known to everyone and a secret (private) key known only to the recipient of the message.
When would I need SSL?
If you log in to your bank account or make purchases on Amazon, you're probably using SSL to create a secure channel of communication.
Why is SSL important?
Today, more than ever before, SSL is a necessary requirement for sites that handle sensitive information.
Organizations are routinely asked to provide proof of their digital certificate and of the authenticity of all secure pages on their site. The intent is to provide an added level of security for the customers or clients who connect to them online.
SSL is a protocol that was developed in 1994 by Netscape Communications Corporation. It is the successor to Netscape's Secure Sockets Layer (SSL) 3.0 and has been standardized as TLS 1.0, which itself has now evolved to become TLS (Transport Layer Security) 1.2 enhanced with features like AES-128 and SHA-256.
These security enhancements and others have made SSL one of the most important protocols for online security and authentication available today.
What is an SSL certificate?
SSL certificates provide a means to encrypt/decrypt data with a secret key known only to the SSL server and browser.
This secret key, encrypted by a public key belonging to a certificate authority or a company, provides verifiable proof that the website is who it claims to be.
SSL certificates are issued by what is known as a Certificate Authority (CA), which provides an added level of trust to secure communications using SSL technology.
Certificate Authorities must be able to validate not only their own credentials but also those of applicants before they issue certificates.
Since you're trusting the CA, they must use highly reliable methods for validation and authentication to ensure your identity is properly verified.
Who are Certificate Authorities?
There are thousands of Certificate Authorities around the world who are trusted by web browsers for the purpose of verifying the identity of an SSL website before establishing a secure connection with it.
VeriSign, Entrust, and GeoTrust are examples of popular CAs whose certificates are automatically trusted by most browsers when they encounter websites claiming to use SSL.
What makes a trusted SSL certificate?
SSL certificates generally offer the same functionality but in different scopes, which in turn requires different validation procedures based on their validity period and level of assurance. You also install an intermediate certificate that establishes the credibility of your SSL certificate. This is known as a 'certificate hierarchy' or 'certificate chain'.
Entrust offers 5 different types of SSL certificates, which are differentiated by their price, the type of website they secure, and the level of trust they provide to their customers. Sites displaying a company name in the address bar in green have an Extended Validation SSL certificate for the most secure shopping experience.
How do I know if my site is using an SSL certificate?
If you are on a website claiming to be secured by an SSL certificate, you can identify this by the prefix 'HTTPS://' instead of 'HTTP://'. The lock icon on your browser means that your connection is encrypted with SSL as well. You can verify whether or not the site is actually using a trusted SSL handshake by clicking its padlock symbol and accessing information about the multi-domain SSL certificates.
If it is using a trusted SSL certificate issuer, it will show your browser the issuer of the certificate and its details including when it expires. This information should match up with what you expect for this site.
How long does a certificate last?
Certificates for SSL-secured websites are typically issued for one to two years. However, if you run your own certificate authority, there is no limit on how many years you can issue certificates for yourself.
If you use a commercial certification authority, they typically don't provide certificates valid for longer than one or two years.
What are some common ways that hackers exploit insecure sites?
The most common way to attack an insecure website is through phishing scams. Phishing scams occur when a hacker redirects you to a website they control instead of the legitimate site you are trying to access.
This can be done by changing the link in an email, or by taking over another user's account and sending out spam emails from their address.
How does SSL prevent phishing attacks?
When you try to access a website secured by SSL, the browser checks that the domain name in the address bar matches what is shown on the site's SSL certificate.
If it does not match then an error will appear and alert you that this site has been hacked or is pretending to be something else. This check also ensures that nobody can intercept your connection to the secured site and inject forged or fake data.
Do SSL certificates offer any other security benefits?
Yes. They can be used to protect email as well as encrypt email servers utilizing the STARTTLS extension, which contains a negotiation protocol for securing communications over a TCP socket.
What are the drawbacks of SSL?
- SSL is implemented by adding an extra resource.
- SSL enhances security, but it requires half of the CPU speed to encrypt the information.
- SSL is not compatible with some devices and systems.
What are the advantages of SSL?
- It provides security for your hostname, domain name, websites, online shopping cart checkout pages, etc.
- It encrypts the information that passes from one host to another host in a network.
- SSL makes your data safe from cybercriminals.
- SSL protocol provides security for online banking and commercial transactions.
- SSL provides security for login of social media websites, email accounts, and more.
What are the main features of SSL?
Encryption, authentication, and message integrity
Encryption is the process of turning data into unreadable form. Encrypting ensures that only authorized users can read sensitive information, such as credit card numbers or personal medical information.
Data encryption helps to secure credit card transactions, ATM transactions, and other forms of communication. The asymmetric key cryptographic system uses the same key for both encryption and decryption.
There are several ways to authenticate users, the simplest of which is a shared secret, such as a password or personal identification number (PIN). When you use your ATM card, you are authenticated by proving that you know the correct PIN for that card.
Public key cryptography does not require a shared secret. Authentication with public-key cryptography is based on each party's mathematically related, but still private and confidential, key pair.
Message integrity ensures that a received message or file has not been changed in transit and that it contains the original data as sent by the sender. Message integrity can be achieved through hash algorithms such as MD5 and SHA-1.
SSL is an acronym for Secure Sockets Layer. SSL has been used on web pages since 1995 to encrypt sensitive information, such as credit card numbers and log-in details. A padlock in your browser bar indicates that at least some of the data you're transferring is encrypted.
The Internet is rife with stories about hackers stealing passwords, credit card numbers, and other personal information. After all, it's pretty easy for anyone with an Internet connection to visit a website and see what you're typing as you log in to your bank account or Facebook page.
There is a way, however, to make sure no one can listen in on private conversations between your computer and the server it is communicating with. That's what SSL/TLS is about!
If you have a web browser, it probably has a padlock next to the address bar in the top right corner of the screen. That's a sign that information passing between your browser and a website is being encrypted using Secure Sockets Layer (SSL).