This is the first in our series of insights which seek to explore and simplify the topic of SSL (and TLS) in the context of web application hosting.
What is SSL?
In the simplest terms, SSL and TLS protect communication between web browsers and web applications so third parties cannot view them.
To many, SSL can be further simplified as showing a padlock icon next to a website address in their web browser to know you have a secure communication.
Security through Privacy
The principle of using privacy to achieve security is wide-reaching, but in the context of SSL, the concepts align to focus on the following:
The information we exchange between our devices, such as web browsers, websites and web applications, is constantly increasing, and the sensitivity of that data is now all-encompassing. Encrypting the data during exchange between parties prevents malicious actors from reading and abusing it during transmission.
Protecting data transmission between devices and websites through encryption is fine, but how do you know the website you think you are talking to is really who they claim to be? By authenticating the other party’s identity using SSL certificates, we can reduce the risk of malicious actors masquerading as the intended recipient and abusing your data.
SSL ensures that the data sent between the server and the client is not altered or corrupted during transfer. This maintains the confidentiality and integrity of the information.
ELI5 SSL/TLS, Keys and Certificate Authorities
Imagine you’re in a classroom and want to exchange notes with your friend on the other side of the school without anyone else knowing what you’re sending.
The Special Lockbox (SSL/TLS Encryption)
We first create a special lockbox with two keys: a public key, which you distribute to all your friends, and a private key, which you keep secret. This mirrors the SSL/TLS online encryption system, where public key encryption ensures secure communication.
Receiving a Secure Note from a Friend (Decryption Process)
When one of your friends wants to send you a secret note, they write their message, place it in the special lockbox, and lock it using your public key. Since you’re the only one with the corresponding private key, only you can open this lockbox and read the note. This is similar to your friend encrypting their message with your public key and you decrypting it with your private key.
Replying Securely to Your Friend (Encryption Process)
To reply, you write your note, put it in the special lockbox, and lock it using your friend’s public key. Now, only your friend can open it with their private key.
Verifying Authenticity (Certificate Authority)
When your friend first receives the special lockbox, they check with the lockbox manufacturer (akin to a certificate authority in digital security) to verify it’s genuinely from you and not a fake. This step is crucial in SSL/TLS for confirming the identity of websites and ensuring secure connections.
Communicating with Different Friends (Separate Secure Channels)
Using the same system, you can have separate, private conversations with different friends. Each friend uses a unique lockbox for which only they have the key, ensuring confidential communication.
Limitations (Physical Security)
This system doesn’t prevent someone from physically confronting your friend and taking the note after the lockbox has been opened. This highlights a limitation of SSL/TLS: it secures data during transmission between endpoints but doesn’t protect against other forms of attack or theft post-reception on the endpoint itself.
General SSL Terminology
SSL vs TLS
In website security, we simplify be using the term “SSL” when discussing certificates and “TLS” when talking about communication.
The files and databases that make up your website are placed on an Internet-connected computer where web server software (Apache and Nginx being the most popular) listens for requests from other computers and sends the correct contents/files to the web browser.
When you request a website, you do so using web browser software (Chrome and Firefox being the most popular); it takes the files sent by the web server and displays them on your screen.
HTTP and HTTPS
HTTP is the protocol used for transmitting web pages on the internet, but it’s not secure. HTTPS is the secure version of HTTP, where ‘S’ stands for ‘secure’. HTTPS encrypts the transmitted data, making it more difficult for unauthorised people to intercept and read the information.
SSL Certificates are digital certificates that authenticate the identity of a website and enable an encrypted connection; they are typically installed on the web server.
A secret cryptographic key is used in conjunction with a public key to encrypt and decrypt data, ensuring secure communication and authentication in various internet protocols.
A session key is a temporary secret key used to encrypt data securely during a single communication session.
Certificate Authorities (CAs) are trusted entities that issue SSL certificates; they are typically installed into the Web Browser and used to verify the identity of an issued SSL certificate.
Server headers are informational lines a web server sends in its responses, containing details about the server, the requested resource, and how to handle it.
Web Browser <> Web Server Communication
Again, in simplified terms, when a user requests an HTTPS website in their web browser, the following process takes place:
- User: Asks the Web Browser for a https://URL.
- Web Browser: Asks the Web Server for a secure connection.
- Web Server: Responds with its SSL Certificate and Public Key.
- Web Browser: Checks if the SSL Certificate is valid (not expired and generated by a Certificate Authority it trusts).
- Web Browser: Creates a Session Key.
- Web Browser: Encrypts Session Key with the Web Server Public Key and sends it to Web Server.
- Web Server: Decrypts the Session Key using its Private Key.
The Web Browser and Web Server now have the same symmetric Session Key. The Web Server uses this key to encrypt the webpage content and sends it to the Web Browser. The Web Browser decrypts the content using the same key, allowing the user to see the information.
More in the Simplifying SSL/TLS series
- SSL Basics – What is SSL?
- SSL Certificate Terminology
- EV vs DV vs OV vs FREE SSL Certificates
- Certificate Authorities and The Signing Process
- TLS and Versions
- Web Server Headers
- Mixed Content Warning
- Testing & Tools
Pipe Ten Hosting Ltd is A leading web hosting company within the UK that has provided a wide range of web hosting and online infrastructure management services to its members since 2002. They are ISO/IEC 27001 certified, having achieved the internationally recognised accreditation for Information Security Management.