Welcome back to our blog. Today we are going to find out why we actually need SSL and what the benefit of having it enabled is.
There are two protocol groups that provide secure communication over the Internet: SSL and TLS. For the sake of simplicity we are going to call them “SSL” as a group, but we actually mean both, so read it as “SSL/TLS”. SSL is sometimes also called HTTPS, which is strictly a different thing (HTTP carried over SSL/TLS), but for our discussion the distinction does not matter much.
In essence SSL provides just these three things:
- Two-way data encryption, so that no one can read your communication with the website you’re viewing
- Data integrity, so that no one can change what you send and what you receive from the website
- Server authentication, to ensure you’re talking to the genuine website and not to a website that merely pretends to be it.
The following table gives a short summary of the state of communication security with SSL enabled and without it.
| Without SSL, HTTP | With SSL, HTTPS |
|---|---|
| Communication is not encrypted and can be intercepted and read. This is tolerable if no sensitive user input is required (such as an email address or credit card details). | Communication between the client browser and the website is encrypted. Even if the data is intercepted, it cannot be read, because it is encrypted. |
| Communication can be intercepted and changed on the fly, which may result in impersonation, or in tricking the user into believing they are on some other page that they trust. | Even if the communication is intercepted, it cannot be changed: it is practically unreadable in the first place, and the data-integrity guarantee exposes any tampering. |
| Due to the wide variety of Man-in-the-middle attacks, the server’s response can be altered so that the end user believes they are being served genuine information while looking at a falsified copy. | SSL defeats Man-in-the-middle attacks because it is based on the PKI (Public Key Infrastructure) framework and its asymmetric cryptography, which let the browser authenticate the server. |
What is needed to make SSL work?
In order to establish a secure connection between a web server and a browser, these three things are required on the server side:
- Private key
- Public key
- SSL certificate
The private and public keys on the web server are used to initiate the secure connection session (the TLS handshake). Those keys are not used to encrypt the data itself; that is done with session keys.
Session keys are temporary keys used only once (for the duration of the session) to encrypt and decrypt data; future conversations between the same two parties are encrypted with different session keys. A session key can be compared to a password that someone resets every time they log in.
What is an SSL certificate?
An SSL certificate is simply a digital means of confirming that there is a genuine relationship between the server’s public key and its domain name. This ensures that when you establish a secure connection with a given website, it is the same website it claims to be.
An SSL certificate is usually digitally signed by a certificate authority (CA). Such certificate authorities are known to all modern browsers, which is why browsers trust the certificates they have signed.
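The two ideas above, the three pieces of server-side material (private key, public key, certificate) with per-session keys negotiated in the handshake, and the certificate binding a public key to a domain name, can be seen in one place with Go’s standard library. The following is an added example written for this post, not code from the original article or any project it mentions. It assumes a self-signed certificate standing in for a CA-issued one so that it runs offline, the constructed host names shop.example and other.example, and function names chosen here (GenerateServerMaterial, VerifyBinding, RunHandshake).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"strings"
	"time"
)

// ServerMaterial holds the three things the post lists for the server side:
// the private key, the public key (inside the certificate) and the certificate.
type ServerMaterial struct {
	PrivateKey *ecdsa.PrivateKey
	CertDER    []byte
	Cert       *x509.Certificate
}

// GenerateServerMaterial makes a fresh P-256 private key and a self-signed
// certificate binding its public key to hostname. Self-signing stands in for a
// CA here so the example runs offline; a real server would have a CA sign it.
func GenerateServerMaterial(hostname string) (*ServerMaterial, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // the domain this public key is vouched for
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ServerMaterial{PrivateKey: priv, CertDER: der, Cert: cert}, nil
}

// VerifyBinding is the check a browser makes before trusting a site: the
// certificate must chain to a trusted root and must name the host we meant to
// reach. Trust is anchored on the self-signed certificate itself.
func VerifyBinding(m *ServerMaterial, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(m.Cert)
	_, err := m.Cert.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots})
	return err
}

// RunHandshake performs one TLS 1.3 handshake over an in-memory pipe; the
// client trusts only m.Cert and insists on serverName. KeyLogWriter (the NSS
// key-log hook browsers also expose) captures this connection's session secret,
// so two calls show session keys changing while the server key stays the same.
func RunHandshake(m *ServerMaterial, serverName string) (secret string, st tls.ConnectionState, err error) {
	cRaw, sRaw := net.Pipe()
	defer cRaw.Close()
	defer sRaw.Close()
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{m.CertDER}, PrivateKey: m.PrivateKey}},
		MinVersion:   tls.VersionTLS13,
		// net.Pipe has no buffering, so the server's last message must be its
		// Finished, not a session ticket the client would never read.
		SessionTicketsDisabled: true,
	}
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(sRaw, serverCfg).Handshake() }()

	var keyLog bytes.Buffer
	roots := x509.NewCertPool()
	roots.AddCert(m.Cert)
	client := tls.Client(cRaw, &tls.Config{
		RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS13, KeyLogWriter: &keyLog,
	})
	if err = client.Handshake(); err != nil {
		return "", st, err
	}
	if err = <-serverErr; err != nil {
		return "", st, err
	}
	// Key-log lines look like "CLIENT_TRAFFIC_SECRET_0 <client_random> <secret>".
	for _, line := range strings.Split(keyLog.String(), "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[0] == "CLIENT_TRAFFIC_SECRET_0" {
			return f[2], client.ConnectionState(), nil
		}
	}
	return "", st, errors.New("no CLIENT_TRAFFIC_SECRET_0 line in key log")
}
```

Call GenerateServerMaterial once and RunHandshake twice with the same material: the private key and certificate never change, yet each handshake yields a different traffic secret, which is the “password reset on every login” picture from the post. VerifyBinding with a name the certificate does not list fails with a hostname error, which is exactly what a browser reports when a site presents a certificate issued for some other domain.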