What are SSL and Digital Certificates?
Secure Socket Layer (SSL) is a protocol developed by Netscape in 1996 which quickly became the method of choice for securing data transmissions across the Internet. SSL is an integral part of most web browsers and web servers and makes use of the public-and-private key encryption system developed by RSA.
Typically, digital certificates are signed by an independent and trusted third party to ensure their validity. The "signer" of a certificate is known as a Certification Authority (CA).
How SSL works
In short, this is how it works:
- A browser requests a secure page (usually https://).
- The web server sends its public key with its certificate.
- The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
- The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
- The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
- The web server sends back the requested html document and http data encrypted with the symmetric key.
- The browser decrypts the http data and html document using the symmetric key and displays the information.
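The checks in the third step above (trusted issuer, still valid, related to the site contacted) are what a browser performs on the server's certificate before it trusts the public key. The following is an added example, not code from the original page: it reproduces those three checks in Python over a constructed certificate dictionary laid out like the one `ssl.getpeercert()` returns. The certificate contents, the `Example Root CA` issuer name and the `example.test` host names are constructed sample values; real clients additionally verify the chain's signatures and revocation status, which `ssl.create_default_context()` handles and this example does not.

```python
import ssl
import time

# Constructed sample certificate, in the dict layout ssl.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("organizationName", "Example Trusted CA"),),
        (("commonName", "Example Root CA"),),
    ),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}

# Constructed trust store: the common names of root CAs the client trusts.
TRUSTED_ISSUERS = {"Example Root CA"}


def issuer_common_name(cert):
    """Pull the commonName out of the issuer's relative distinguished names."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def is_issued_by_trusted_ca(cert, trusted):
    """Check 1: was the certificate issued by a party in the trust store?"""
    return issuer_common_name(cert) in trusted


def is_currently_valid(cert, now=None):
    """Check 2: is the current time inside the notBefore..notAfter window?"""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS match allowing a single left-most wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        # The wildcard covers exactly one label, never api.example.test itself.
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def matches_hostname(cert, hostname):
    """Check 3: is the certificate related to the site that was contacted?"""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Legacy fallback: only consult the subject commonName when no SAN exists.
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    names.append(value)
    return any(_dns_name_matches(n, hostname) for n in names)


def check_certificate(cert, hostname, trusted, now=None):
    """Run all three browser checks and report each result separately."""
    return {
        "trusted_issuer": is_issued_by_trusted_ca(cert, trusted),
        "in_validity_period": is_currently_valid(cert, now),
        "hostname_matches": matches_hostname(cert, hostname),
    }


if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "www.example.test", TRUSTED_ISSUERS))
```

A connection should only proceed when every value in the returned dict is true; reporting the checks separately makes it easy to see in logs which one a rejected certificate failed.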
When should SSL be used and what can it secure?
There are two main online security problems that digital certificates solve:
- Authentication - proving a company's (or server's) identity online and, in so doing, creating a sense of trust and confidence in using a website.
- Encryption - offering protection for the data submitted to a website (or between servers) so that in the event of interception, it will be unintelligible without the unique key used for decryption.
- Spoofing - The low cost of website design and ease with which existing pages can be copied makes it all too easy to create illegitimate sites that appear to be published by established organizations. In fact, con artists have illegally obtained credit card numbers by setting up professional-looking storefronts that mimic legitimate businesses.
- Unauthorized Disclosure - information transmitted "in the clear" can be intercepted by attackers, who thereby obtain sensitive information from customers.
- Data alteration - the content of a transaction can be intercepted and altered en route, either maliciously or accidentally. User names, credit card and social security numbers as well as currency amounts, indeed any information sent "in the clear" is all vulnerable to alteration.
So what are the practical applications of digital certificates?
Firstly, looking at categories of data, the most common deployment is for securing transmission of financial information in ecommerce. However, with the incidence of identity theft on the rise, protecting the transmission of a broad range of personally identifiable information is becoming ever more important. This category of data would include identity and social security numbers, e-mail addresses and demographic information as well as registration and login processes.