SSL Part 2
This is a continuation of SSL Part 1. You can find it here.
3. How does SSL(TLS) really work?
When you type a website address (yourdomain.com) into a browser, one of the first things the browser does is check for some form of security; SSL (TLS) is one such check. When it sees that the website (web server) uses https, it tries to verify that the server's digital certificate is genuine. The web server sends a copy of its digital certificate to the browser. Once your web browser has confirmed that the copy is genuine and up to date, it sends an acknowledgment to the website (web server), and the end-to-end encrypted session begins. This means that any data the web browser sends to the website is encrypted until it reaches the web server; the web server can decrypt (open) the data because it has the key that decrypts the encrypted (locked) data. The same thing happens when the web server serves the browser some data.
You may be wondering how a simple web browser on your device knows that a certificate from a web server is genuine.
Well, that is an interesting question. It is also very deep, so I'll try to keep it sane and simple. Here we go! Before a digital certificate is assigned to a web server, it is usually issued by a Certificate Authority (CA) and signed either by a Trusted Authority or by a private entity. When a CA issues a digital certificate that is privately signed, it is referred to as 'self-signed'. What that simply means is that you generated your private key and sent it to the CA, who approved it. When a CA signs your certificate it carries more 'trust', since the CA is known by more people and more devices 'trust' it. This doesn't mean your self-signed certificate doesn't work. No, they both work the same way. A simple analogy is this: a privately brewed wine may be of the same quality as those brewed by internationally recognized brands, but the difference is that no one knows you, and trying to market your private brand may be a hill too steep to climb.
Your devices and their browsers always have a list of trusted CAs embedded in firmware and browsers. Hence, when a certificate is signed/issued by an unknown entity, your browser/app (especially email clients) may flag the URL as unsafe. You can add to that list or remove certain CAs from the list if you so wish.
When your digital certificate is self-signed, it usually doesn't cost you anything except technical skills, and some browsers/devices may not recognize your certificate. One browser notorious for this is Comodo's Dragon.
Does this mean that all CAs are trustworthy and without issues? Well, history shows some can't be trusted. You may want to read more from here.
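To make the checks from sections 3 and the trust-list discussion above concrete, here is an added example (my own illustration, not code from the article): a toy model of what a browser does before it accepts a certificate as genuine. It assumes certificates are plain dicts, the browser's trust store is a dict of CA name to CA public key, and signatures are textbook RSA over two constructed Mersenne primes, all far smaller than real keys. It runs the cases the text mentions: a CA-signed certificate, a self-signed one that is rejected until you add it to the trust list, an out-of-date one, one issued for a different name, and one whose fields were edited after signing.

```python
"""Added example (not from the article): a toy model of the checks a browser
runs before it accepts a server's certificate as 'genuine'.

Assumptions: certificates are plain dicts, the trust store is a dict of
CA name -> CA public key, and signatures use textbook RSA over two constructed
Mersenne primes. Real browsers do the same steps on X.509 certificates with
2048-bit or larger keys and a much longer list of checks."""
import hashlib
from datetime import date

FIELDS = ("subject", "issuer", "pub", "not_before", "not_after")


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes (constructed, far too small)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": e}, {"n": n, "d": d}


def digest(cert):
    """Hash of the fields the signature covers, as an integer."""
    data = "|".join(repr(cert[k]) for k in FIELDS).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(cert, priv):
    return pow(digest(cert) % priv["n"], priv["d"], priv["n"])


def verify_sig(cert, pub):
    return pow(cert["sig"], pub["e"], pub["n"]) == digest(cert) % pub["n"]


def issue(subject, pub, issuer_name, issuer_priv, not_before, not_after):
    """The issuer (a CA, or the site itself when self-signed) signs the fields."""
    cert = {"subject": subject, "issuer": issuer_name, "pub": pub,
            "not_before": not_before, "not_after": not_after}
    cert["sig"] = sign(cert, issuer_priv)
    return cert


def validate(cert, hostname, trust_store, today):
    """Return (accepted, reason), in the order a browser would fail a cert."""
    if not cert["not_before"] <= today <= cert["not_after"]:
        return False, "not within its validity period"
    if cert["subject"] != hostname:
        return False, "issued for a different name"
    issuer_pub = trust_store.get(cert["issuer"])
    if issuer_pub is None:
        return False, "issuer %r is not in the trust store" % cert["issuer"]
    if not verify_sig(cert, issuer_pub):
        return False, "signature does not verify under the issuer's key"
    return True, "accepted"


def demo():
    """Run the cases the article discusses; returns {case: (accepted, reason)}."""
    today = date(2024, 6, 1)
    ca_pub, ca_priv = make_keypair(2**61 - 1, 2**89 - 1)        # toy root CA
    site_pub, site_priv = make_keypair(2**107 - 1, 2**127 - 1)  # site's own key
    trust_store = {"Toy Root CA": ca_pub}   # the list shipped with the browser
    valid = (date(2024, 1, 1), date(2025, 1, 1))
    out = {}

    ca_signed = issue("yourdomain.com", site_pub, "Toy Root CA", ca_priv, *valid)
    out["ca_signed"] = validate(ca_signed, "yourdomain.com", trust_store, today)

    # Self-signed: issuer == subject, signed with the site's own private key.
    self_signed = issue("yourdomain.com", site_pub, "yourdomain.com", site_priv, *valid)
    out["self_signed"] = validate(self_signed, "yourdomain.com", trust_store, today)

    # The user adds the site's key to the trust list; the same cert now passes.
    extended = dict(trust_store, **{"yourdomain.com": site_pub})
    out["self_signed_trusted"] = validate(self_signed, "yourdomain.com", extended, today)

    expired = issue("yourdomain.com", site_pub, "Toy Root CA", ca_priv,
                    date(2023, 1, 1), date(2024, 1, 1))
    out["expired"] = validate(expired, "yourdomain.com", trust_store, today)

    out["wrong_name"] = validate(ca_signed, "other.example", trust_store, today)

    # A field edited after signing no longer matches the signature.
    tampered = dict(ca_signed, subject="other.example")
    out["tampered"] = validate(tampered, "other.example", trust_store, today)
    return out


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print("%-20s %s  (%s)" % (case, "OK" if ok else "REJECTED", why))
```

Running it prints one line per case. The self-signed certificate is exactly as well formed as the CA-signed one; the only thing that changes its outcome is whether the name it claims as issuer has a key in the trust store, which is the point of the wine analogy above.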
4. Why do people use SSL/TLS?
The following are the major reasons SSL/TLS is deployed.
- Encryption of data in transit (browser to web server and vice versa, application to server and vice versa).
- Authentication - this ensures that the server your browser/app is connecting to is the correct one and trustworthy.
- Data integrity - ensures that whatever data is exchanged is correct and has not been tampered with.
- Better Google ranking.
5. Difference between Free and Paid SSL/TLS
Both use the same encryption technology. Their differences lie mainly in two areas:
- Duration of validity. Free SSL usually has a short validity period, typically between 30 and 90 days, while paid certificates can be valid for up to a year and beyond.
- Extended Validation. When the SSL is referred to as Extended Validation (EV), that means your domain has been properly verified by the CA, and the SSL comes with a green-coloured https, a padlock and the name of the company whose website is protected. You can have a look at paypal.com: look at the left side of the address bar and you will see the name of the company.
6. How do I see details of an SSL/TLS certificate?
There is actually a technical way to do so via a web browser, but I won't bother you with that. Follow this link, enter the website you wish to check in the 'server hostname' form field and click 'check ssl'. Some details you will see include duration, issuer, serial number, signature algorithm and more.
These articles (SSL Part 1 & 2) are simply based on personal research, and the contents can be verified independently. While the contents are true as at the time of writing, a change in technology may mean some parts will require updates. I will always try to keep my articles up to date.
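For readers who do want the technical route, here is an added example (my own, not from the article or the online checker it links to) that pulls the same details out of a certificate with Python's standard library. `fetch_cert()` needs network access; `summarize()` only needs the dict that `ssl.SSLSocket.getpeercert()` returns, so it is also exercised on a constructed sample in that format with placeholder values. The sample's 90-day window matches the free-certificate validity mentioned in section 5.

```python
"""Added example (not from the article): read the main details of a server's
certificate with Python's standard library rather than a web form.

fetch_cert() needs network access; summarize_on() only needs the dict that
ssl.SSLSocket.getpeercert() returns, so it is shown here on a constructed
sample in that same format (all values are placeholders)."""
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(hostname, port=443, timeout=5):
    """TLS-connect and return the server's validated leaf certificate."""
    ctx = ssl.create_default_context()  # system CA list, hostname check on
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _attr(rdns, key):
    """Pick one attribute (e.g. 'commonName') from a getpeercert() name."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _utc(cert_time):
    """Convert a 'Mar  1 00:00:00 2024 GMT' string to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def summarize(cert, now):
    """Duration, issuer, serial and names, as the online checker shows them."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    return {
        "subject": _attr(cert["subject"], "commonName"),
        "issuer": _attr(cert["issuer"], "organizationName"),
        "serial": cert.get("serialNumber"),
        "names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "valid_days": (not_after - not_before).days,
        "days_left": (not_after - now).days,
        "expired": now > not_after,
    }


def summarize_on(cert, iso_day):
    """summarize() as seen on a given day, e.g. '2024-05-01' (for offline runs)."""
    now = datetime.strptime(iso_day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return summarize(cert, now)


# Constructed sample mimicking getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "yourdomain.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA Ltd"),),
               (("commonName", "Example Root"),)),
    "version": 3,
    "serialNumber": "0A1B2C3D",
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "www.yourdomain.com")),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                         # python cert_info.py example.com
        print(summarize(fetch_cert(sys.argv[1]), datetime.now(timezone.utc)))
    else:
        print(summarize_on(SAMPLE_CERT, "2024-05-01"))
```

Because `create_default_context()` verifies the chain and the hostname during the handshake, `fetch_cert()` raises an `ssl.SSLCertVerificationError` for an untrusted or mismatched certificate instead of returning it, which is the same decision the browser makes in section 3. One gap compared with the online checker: `getpeercert()` does not report the signature algorithm; `openssl x509 -text` does.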
If you have questions, please don't hesitate to stop by.
Good one, my question will come to you soon after taking my time to learn from this, okay.