How Internet Security and SSL Works to Secure the Internet

A look at how Internet Security and SSL certificates work to secure the internet and how the public/private key exchange system works.

By Tim Trott | Privacy & Security | October 11, 2009

Privacy issues have forced many bloggers, businesses, and even search engines to encrypt all communication over the Internet. Newbie site owners might be overwhelmed by the amount of technical information needed to understand what SSL is, so I put together this SSL for Newbies guide. The internet security techniques described here are greatly simplified, but serve to illustrate how the system works at a basic level.

UPDATED: 10/10/2014 - SSL is now slowly becoming a requirement for websites, and Google have announced that SSL is now, unfortunately, an SEO ranking factor.

What is SSL / Secure Certificate?

Secure Sockets Layer (SSL) provides security for your website by encrypting communications between the server and the person visiting the website. This helps prevent eavesdroppers from listening in on your communication. To use SSL, you need to have an SSL certificate (also known as a Secure Certificate) installed on your server and a dedicated IP address.

Basic encryption for data transmission, as we have seen, is fairly easy to implement and also easy to hack. If you haven't read the article, it involves one or many methods for encrypting data and a password required to decrypt the data at the other end. A basic encryption algorithm is ROT13, where each letter of the alphabet is rotated 13 places (Hello becomes Uryyb). A more advanced system uses passphrase substitution, and this can only be cracked when you know (or defeat) the password.

SSL uses a far more complicated encryption protocol, and there are various levels of encryption. The higher the number of bits, the more secure it is. The number of bits is the key length and is analogous to passwords. A 128-bit key is analogous to a 128-letter password. There are also 256-bit, 512-bit, 1024-bit and 2048-bit certificates on offer. The number of possible key combinations for a 256-bit key is 2^255 (lots) and would take the current world's fastest supercomputer (Tianhe-2 at the time of writing) 5.452 years to crack. That's a lot longer than the age of the universe (1.3812 years).

You can usually tell whether a site is secure and running with an SSL certificate because there will be a padlock icon or a green highlight on or near the address bar in your browser. Clicking on this padlock will usually give you information about who issued the certificate and who it was issued to.

Spotify Secure SSL in IE
Secure EV in Google Chrome
Spotify SSL in Google Chrome
Spotify Secure SSL in Firefox

What is SSL Used For?

The primary purpose of SSL is to encrypt the information transmitted between the website visitor and the server. This encryption makes it difficult to intercept and alter the request or response. It should be understood that SSL does not verify or guarantee the identity of the remote server, only that the data transmitted between the two is encrypted and relatively secure from eavesdropping. The higher the key length the more secure it is.

Do I Need SSL On My Website for Internet Security?

If you are accepting credit card payments online via a merchant account, the credit card associations and networks require that you use SSL whenever you transmit credit card information, such as the card number, cardholder's name, expiration date, CVV code, etc. Without SSL these companies will not allow you to process transactions. If you are using a payment processor such as PayPal, Google Checkout or Amazon Payments, you do not need an SSL certificate, since you are not transmitting or storing credit card information.

SSL should also be used when transmitting personal information, such as names, addresses, account details, and passwords. So login forms, account settings, and user management forms should also use SSL.

Non-transactional websites, listings sites, sites with no user information and personal blogs do not currently require SSL. However, there is a movement to phase out non-secure communications entirely, forcing the entire web to become encrypted. This movement is supported by the likes of Google and Mozilla, so there is a high chance of this happening.

Should this transpire, it is conceivable that every website will be required to use SSL for a web browser to show the site without warnings. SSL may also become an important SEO ranking factor (Update: It has now become an important factor).

SSL Performance Degradation

You may have already noticed that when clicking through to a login page, that page takes a little longer to load than the rest of the site. Adding a secure certificate and SSL to your website is adding an extra layer of security, but it is also an extra layer which needs to be processed at all levels. Initially, the client and the server will need to establish a "handshake" to identify each other and exchange keys (we'll see this later). The browser then needs to be able to decrypt and display the encrypted content, the server needs to encrypt and decrypt as well. These all have performance ramifications.

What Are the Different Types of SSL?

There are several different flavours of SSL certificates, each varying in cost, support and features.

  • Self-Signed Certificates - The least secure, and should not be used in production environments. You can generate your own SSL certificate to use for development and testing. Most Internet Browsers will give warnings about self-signed certificates.
  • Shared Certificates - Often installed on shared servers, you share a certificate with other users on the same server. Less secure.
  • Domain Validated Certificates - Secure for websites, this certificate is tied to your domain name and can only be used on that one domain.
  • Company Validated Certificates - Similar to domain validation, except that the issuing authority verifies the company requesting the SSL.
  • Extended Validation Certificates - EV certificates provide secure connections, verify the business's identity, and help to prevent fraud through a thorough set of checks and validations. EV is the most secure, and also the most expensive.
  • Wildcard Certificates - A Wildcard SSL Certificate enables SSL encryption on unlimited subdomains using a single certificate.
  • Multi-Domain Certificates - Multi-domain certificates make it possible to secure up to 210 domains with a single certificate.

How Do I Obtain an SSL Certificate?

SSL certificates can usually be supplied through your hosting provider, or you can purchase directly from an issuing authority such as Comodo or Verisign. There may be additional installation costs if you need your host to install the certificate for you.

How SSL Key Exchange Works

The problem with using basic encryption over the internet is that you have to transmit the encrypted data and the key so that the person at the destination can decrypt the data. This is open to hacking as both encrypted data and the key are sent together. A secure way of doing this would be to send the encrypted data over the internet and send the key separately in a different format, such as in person on a USB stick or CD.

This wouldn't really work on the Internet for browsing your online banking or doing your shopping, would it? Every time you go to log on, you have to wait for a USB stick to arrive in the post.

The solution here is to use a set of public and private keys and have these exchanged securely.

An Example of Internet Security - Key Exchange

Let's have a look at how we might be able to send a secure key between two computers without eavesdropping or anyone stealing the secure key. This is a very simplified version of internet security.

Public/Private Key Exchange Demonstration

In this example, we are trying to convey a copy of the blue key, which is our secure private key that nobody else must know about, to the receiver. We will do this by using two public locks, green and red. First, the blue secure key is placed inside a container which is then locked with the sender's red padlock. Only the red key can open this padlock.

The locked container is then sent to the receiver, who at this stage cannot open the container.

Public/Private Key Exchange Demonstration

The receiver then puts their padlock (green) on the container, and sends the doubly locked container back to the sender.

When the sender gets the container back, they then remove the red padlock using their red key and send the container back to the receiver again.

Public/Private Key Exchange Demonstration

Now the receiver has a container which only has the green padlock on, which can be opened using the green key and thus the receiver now has access to the blue secure key. From now on all communication between the sender and receiver can be securely sent and received by locking with a blue padlock.

Public/Private Key Exchange Demonstration

As I said, this is a greatly oversimplified example of internet security to illustrate how the system works. In reality, the systems use complex mathematical calculations and long encryption keys to secure data transmission. The simplified technique illustrates how secure keys can be transmitted over insecure lines without eavesdropping, snooping or hacking.
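The padlock exchange above can be carried out with numbers instead of boxes. This added example (not part of the original article, and not how SSL itself negotiates keys) uses a Shamir-style three-pass exchange, where each padlock is a modular exponentiation; the prime P and the function names are assumptions chosen for the illustration.

```python
import math
import secrets

# Public prime modulus known to both parties (2**127 - 1 is a Mersenne prime).
# Constructed for this example; real systems use vetted parameters.
P = 2**127 - 1


def make_padlock():
    """Return (lock, unlock) exponents with lock * unlock == 1 mod (P - 1)."""
    while True:
        lock = secrets.randbelow(P - 3) + 2
        if math.gcd(lock, P - 1) == 1:
            return lock, pow(lock, -1, P - 1)


def turn_lock(exponent, box):
    """Put a padlock on, or take it off, by raising the box to an exponent."""
    return pow(box, exponent, P)


def three_pass(blue_key):
    """Run the exchange; return the receiver's key and what crossed the wire."""
    if not 1 < blue_key < P:
        raise ValueError("blue key must be between 2 and P - 1")
    red_lock, red_unlock = make_padlock()      # sender's padlock and key
    green_lock, green_unlock = make_padlock()  # receiver's padlock and key

    pass1 = turn_lock(red_lock, blue_key)   # sender -> receiver: red only
    pass2 = turn_lock(green_lock, pass1)    # receiver -> sender: red + green
    pass3 = turn_lock(red_unlock, pass2)    # sender -> receiver: green only
    received = turn_lock(green_unlock, pass3)
    return received, (pass1, pass2, pass3)


if __name__ == "__main__":
    blue = secrets.randbelow(P - 3) + 2  # the secret "blue key"
    got, wire = three_pass(blue)
    print("receiver recovered the blue key:", got == blue)
    print("values seen on the wire:", [hex(v)[:14] + "..." for v in wire])
```

The padlocks can be removed in a different order from the one they were applied in because exponentiation modulo P commutes. The exchange does not by itself tell either side who attached the other padlock, so it has to be combined with some way of authenticating the other party.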

Internet Security Conclusion

Now that you've read this SSL for Newbies guide, I hope you understand the importance and benefits of a secure connection. Whether you are the owner of a website, a marketer, or a developer, I wouldn't go rushing out to buy certificates if it is not essential for your site. I'll be waiting to see how the phasing out of HTTP and non-secure sites goes, if anything happens at all. Is the cost of an SSL certificate on a personal blog worth the expense? Will companies start offering low-cost certificates?
