
SSL


The Art of SSL


The ins and outs of SSL. And everything in between.


Whether you're new to SSL or possess years of experience with the technology, it never hurts to familiarize yourself with the security standard of the Internet. We've compiled a collection of resources, tools and useful information that will help you understand the technology — and even help you make important purchasing decisions.

What Is SSL?

Secure Sockets Layer (SSL) technology is a security protocol that is today’s de-facto standard for securing communications and transactions across the Internet. SSL has been implemented in all major browsers and Web servers, and as such, plays a major role in today’s e-commerce and e-business activities on the Web. The SSL protocol uses digital certificates to create a secure, confidential communications “pipe” between two entities. Data transmitted over an SSL connection cannot be tampered with or forged without the two parties becoming immediately aware of the tampering. The newest version of the SSL standard has been renamed TLS (Transport Layer Security). You will often see these terms used interchangeably. Since the term SSL is more commonly understood, we will continue to use it throughout this paper.


The Secure Sockets Layer (SSL) (and Transport Layer Security (TLS)) is the most widely deployed security protocol used today. It is essentially a protocol that provides a secure channel between two machines operating over the Internet or an internal network. In today’s Internet focused world, we typically see SSL in use when a web browser needs to securely connect to a web server over the insecure Internet.


Technically, SSL is a transparent protocol that requires little interaction from the end user when establishing a secure session. For example, in the case of a browser, users are alerted to the presence of SSL when the browser displays a padlock, or in the case of Extended Validation SSL the address bar displays both a padlock and a green bar. This is the key to the success of SSL – it is an incredibly simple experience for end users.

SSL - a Quick History

In the earlier days of the World Wide Web, 40-bit keys were used. Each bit could contain a one or a zero -- which meant there were 2^40 different keys available. That's a little over one trillion distinct keys.

Because of the ever-increasing speed of computers, it became apparent that a 40-bit key wasn't secure enough. Conceivably, with the high-end processors that would come available in the future, hackers could eventually try every key until they found the proper one, which would allow them to decrypt and steal private data. It would take some time, but it was possible.

The keys were lengthened to 128 bits. That's 2^128 keys, or 340,282,366,920,938,463,463,374,607,431,768,211,456 unique encryption codes. (That's 340 trillion trillion trillion, for those of you keeping track at home.) It was determined that if computers kept advancing in speed as they have in the past, these 128-bit codes would remain secure for at least another decade, if not longer. DigiCert certificates don't stop there though. DigiCert SSL Certificates are also compatible with the new standard of RSA 2048-bit encryption.


How Can an SSL Certificate Help My Online Business?

As part of the process of issuing an SSL Certificate, a Certificate Authority (CA), such as Network Solutions, authenticates the purchasing company's identity. The CA verifies the purchaser's credentials using WHOIS database information, Dun & Bradstreet data, articles of incorporation, government-issued photo IDs and/or other credible sources. This comprehensive approach to identity validation ensures that an SSL Certificate is a reliable symbol of your company's trustworthiness. In turn, your SSL certificate shows customers that your business is legitimate and that it's safe to conduct business with you online.

How does SSL work?

You've heard of SSL, but do you know how it actually works? If not, we've gathered a comprehensive primer on the history of the technology and how it's used to secure and encrypt online transactions and communication.

Some applications that are configured to run SSL include web browsers like Internet Explorer and Firefox, email programs like Outlook, Mozilla Thunderbird, Apple Mail.app, and SFTP (secure file transfer protocol) programs, etc. These programs are automatically able to receive SSL connections.

To establish a secure SSL connection, however, your application must first have an encryption key assigned to it by a Certification Authority in the form of a Certificate. Once it has a unique key of its own, you can establish a secure connection using the SSL protocol.

The Internet is your gateway to millions of potential new customers. Moving your business online provides the convenience and accessibility your customers and partners demand, helping you to stand out from the competition.

As organizations provide more services and transactions online, security becomes a necessity. Customers need to be confident that sensitive information such as a credit card number is going to a legitimate online business. Organizations need to keep customer information private and secure.

How Is SSL Encryption Strength Determined?

Although the information sent between the browser and the Web server is encrypted, it is a common misunderstanding that the certificate dictates the strength of the encryption. The strength of the SSL session is actually a function of the strength of the browser and the capabilities of the server. If the browser is limited to 128-bit encryption, then only a 128-bit session will be established, even if the Web server supports 256-bit sessions. If both the browser and server support 256-bit encryption, then a 256-bit session can be established.

Is Server-Gated Cryptography (SGC) Required?

At one time, the export of 128-bit browsers outside of North America was regulated. Prior to changes in these U.S. export regulations, the use of "step-up" encryption or Server-Gated Cryptography (“SGC”) was the only way for organizations dealing with consumers outside the U.S. and Canada to secure communications between Web browsers and Web servers using 128-bit encryption.
Because Microsoft and Netscape were restricted to only exporting 40-bit encryption browsers, enterprises with international customers were forced to purchase expensive “step-up” certificates in order to secure 128-bit encryption for their Web site users. Organizations want the highest level of security available today, but at a reasonable cost. If you are using SGC certificates, you should understand that, in the majority of cases, these certificates are no longer necessary.
Since 2000, U.S. export regulations have permitted the export of 128-bit encryption-enabled browsers and upgrades for existing browsers to all countries except those under U.S. embargo.
The primary browser version that would benefit from SGC is a non-updated installation of Internet Explorer 5.01. An update to 128-bit encryption has been available for many years on Microsoft’s Windows Update service, along with many other important security updates. Deployed browser statistics are contentious, but according to at least one source, as of April 2007, Internet Explorer 5.01 and Internet Explorer 4 have a combined total market share of .33 percent, and that does not take into account the number of IE 5.01 installations that may have updated to 128-bit encryption.
For high-traffic sites where even 0.3 percent of users represent a real concern, organizations need to consider the security ramifications of conducting secure transactions with a user who has not patched their browser or operating system for most of the 21st century.
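
The negotiation described under "How Is SSL Encryption Strength Determined?", together with the server-side decision raised at the end of the SGC section, as an added example that is not part of the original page. It is a toy model with no network I/O: the suite names are real IANA identifiers, while the browser and server profiles, the negotiate function and its min_bits floor are constructed for illustration, and the certificate is deliberately not an input.

```python
# Added example: toy model of SSL/TLS cipher-suite selection (no network I/O).
# Suite names are real IANA identifiers; all profiles below are constructed.

# Symmetric key size, in bits, of each suite used in this example.
SUITE_BITS = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 128,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 256,
}


class HandshakeFailure(Exception):
    """Raised when client and server share no acceptable suite."""


def negotiate(client_offer, server_prefs, min_bits=0):
    """Return (suite, session_bits), chosen in server preference order.

    The certificate does not appear here: it authenticates the server,
    while session strength comes from the suite both sides support.
    min_bits is a hypothetical server policy floor.
    """
    offered = set(client_offer)
    for suite in server_prefs:
        bits = SUITE_BITS[suite]
        if suite in offered and bits >= min_bits:
            return suite, bits
    raise HandshakeFailure("no shared suite at or above %d bits" % min_bits)


# Constructed profiles (hypothetical server and browsers).
SERVER = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
MODERN_BROWSER = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
BROWSER_128 = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
EXPORT_BROWSER = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5"]

if __name__ == "__main__":
    clients = [("modern", MODERN_BROWSER), ("128-bit", BROWSER_128),
               ("export", EXPORT_BROWSER)]
    for name, offer in clients:
        for floor in (0, 128):
            try:
                suite, bits = negotiate(offer, SERVER, min_bits=floor)
                print(name, "floor", floor, "->", suite, bits)
            except HandshakeFailure as exc:
                print(name, "floor", floor, "-> refused:", exc)
```

With the floor at 0 the export-only browser gets a 40-bit session; with the floor at 128 the server refuses it instead of downgrading.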

256-Bit Encryption

Encryption is the process of changing data into a form that can be read only by the intended receiver. 256-bit SSL is referred to as strong SSL security. The term 256-bit encryption tells users that the encryption key used to encrypt the data being passed between a Web browser and Web server is 256 bits in size. Because a 256-bit key is so large, it is computationally infeasible to crack, and hence it is known as strong SSL security.

Certification Authority

Certification Authorities (CAs) are third-party verifiers that authorize and endorse the legitimacy of websites. Browsers inherently trust an SSL Certificate if it is current and is issued by a reputable CA, since trusted CAs will only issue Certificates to websites after validating the legitimacy of that site.

Data Encryption

Encryption is the process of changing data into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key. In traditional encryption schemes, the sender and the receiver use the same key to encrypt and decrypt data. Public-key encryption schemes use two keys: a public key, which anyone may use, and a corresponding private key, which is possessed only by the person who created it. With this method, anyone may send a message encrypted with the owner's public key, but only the owner has the private key necessary to decrypt it. The term 256-bit tells users that the encryption key used to encrypt the data being passed between a Web browser and Web server is 256 bits in size. Because a 256-bit key is so large, it is computationally infeasible to crack, and hence it is known as strong SSL security.