Isn’t the Internet great? You can send and receive emails, shop online with your credit card, exchange files, or log in and manage remote systems.
It would be not-so-great if all the confidential information in those cases were to be exposed to prying eyes, hackers, or cyber criminals.
SSL – Secure Sockets Layer – was invented to protect sensitive data in transmission. SSL is a security protocol designed to provide maximum security, while remaining simple enough for everyday use.
SSL, or the new generation version: TLS (Transport Layer Security), is responsible for keeping data private and ensuring it is transmitted between — and only between — the correct two end-points. SSL prevents the possibility that hackers positioned between the two end-points might siphon off or divert the data elsewhere.
An SSL Certificate is a small file that cryptographically binds a public key to an organization’s details. Installed on a web server, for example, it lets web browsers establish secure connections to that server. Depending on the type of SSL Certificate the organization uses, the Certificate Authority (CA) issuing it performs different levels of checks. The CA itself holds a Root Certificate.
An SSL Certificate awarded to an organization is derived from the Root Certificate. The same Root Certificate must be present on the end user’s computer in order for the issued SSL Certificate to be trusted. Browser and operating system vendors work with Certificate Authorities, so the Root Certificate is embedded in their software.
End User and Organizational Points of View
For end users, SSL could hardly be simpler. Secure web addresses start with “https://” instead of just “http://”.
Users see a padlock symbol in their browser. And that’s about it.
By comparison, for organizations running email servers, ecommerce sites or hosting system administration resources, it’s a little more involved.
To authenticate themselves to users and customers, proving that those users are dealing with the right entity, organizations need to acquire an SSL Certificate.
The Goal: Trusted Interactions Online
If the SSL Certificate presented by the remote server does not chain to a Root Certificate held in the user’s local trust store, the browser shows an untrusted-certificate warning. If it does, the user can proceed with confidence.
The two parties (the local user’s browser and the remote web server) first agree on a symmetric encryption key. “Symmetric” means the same key is used to encrypt information before transmission and to decrypt it on arrival at the other end. The “forward secrecy” built into the system ensures that this short-term symmetric key cannot be deduced from the long-term asymmetric key, so a later compromise of the long-term key does not expose earlier sessions.
Types of SSL Certificates
Three types of SSL Certificates exist.
1. Extended Validation (EV) SSL Certificates
These are issued only after the Certificate Authority has verified the exclusive right of the organization to use the domain name concerned and also a number of additional aspects:
- The legal, physical, and operational existence of the organization
- Consistency between the organization’s identity and official records
- Proper authorization by the organization of the issuance of the EV SSL Certificate
2. Organization Validation (OV) SSL Certificates
These include checking the organization’s right to use the domain name, plus some, but not all, of the remaining verification performed for the EV SSL Certificate above. End users can see additional information about the organization.
3. Domain Validation (DV) SSL Certificates
Finally, these limit verification to checking the right of the organization to use the domain name concerned. Consequently, end users will only see information about the encryption, not about the organization.
SSL certification can be doubly advantageous for an organization.
First, it protects the confidentiality of the information being transmitted. Second, it proves to others that they can trust both the security and the identity of the organization. And to keep the whole system under control, the Certificate Authority itself must be audited annually to confirm it remains fit to issue SSL Certificates.