How Internet Security and SSL Works to Secure the Internet
A look at how Internet Security and SSL certificates work to secure the internet and how the public/private key exchange system works.

Privacy issues have forced many bloggers, businesses, and even search engines to encrypt all communication over the Internet. Newbie site owners might be overwhelmed with the technical information needed to understand SSL, so I put together this SSL for Newbies guide.
The internet security techniques described here are greatly simplified but serve to illustrate how the system works on the basic level.
UPDATED: 10/10/2014 - SSL is now slowly becoming a requirement for websites, and Google have announced that SSL is now, unfortunately, an SEO ranking factor.
What is SSL / Secure Certificate?
Secure Socket Layers (SSL) provide security for your website by encrypting communications between the server and the person visiting the website. This helps prevent eavesdroppers from listening in on your communication. To use SSL, you must have an SSL certificate (also known as a Secure Certificate) installed on your server and a dedicated IP address.
Basic encryption for data transmission, as we have seen, is fairly easy to implement and also easy to hack. If you haven't read the earlier article in this series, it involves one or many methods for encrypting data, and a password is required to decrypt it on the other end. A basic encryption algorithm is ROT13, where each letter of the alphabet is rotated by 13 places (Hello becomes Uryyb). A more advanced system uses passphrase substitution, which can only be cracked when you know (or defeat) the password.
SSL uses a far more complicated encryption protocol, and there are various levels of encryption. The higher the number of bits, the more secure it is. The number of bits is the key length and is analogous to a password. A 128-bit key is analogous to a 128-letter password. There are also 256-bit, 512-bit, 1024-bit and 2048-bit certificates on offer. The number of possible key combinations for a 256-bit key is 2²⁵⁵ (lots) and would take the current world's fastest supercomputer (Tianhe-2 at the time of writing) 5.4 × 10⁵² years to crack. That's a lot longer than the age of the universe (1.38 × 10¹² years).
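To make the "easy to hack" claim concrete, here is an added example (not code from the original article) that implements the ROT13 shift cipher described above and then recovers a message by simply trying every one of the 26 possible shifts. The message, the shift and the crib word are constructed for the demonstration. It also returns the key-space size for a given key length so the 26 keys of a shift cipher can be set beside the 2¹²⁸ keys of a 128-bit key.

```python
import string

def shift_cipher(text: str, shift: int) -> str:
    """Rotate each letter `shift` places round the alphabet; ROT13 is shift=13.
    Non-letters (spaces, digits, punctuation) pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha() and ch in string.ascii_letters:
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)

def rot13(text: str) -> str:
    """ROT13 is its own inverse: applying it twice returns the plaintext."""
    return shift_cipher(text, 13)

def brute_force_shift(ciphertext: str, crib: str) -> list[tuple[int, str]]:
    """Try all 26 shifts (the entire key space of a shift cipher) and return
    every (shift, candidate plaintext) pair whose plaintext contains the crib."""
    hits = []
    for shift in range(26):
        candidate = shift_cipher(ciphertext, -shift)
        if crib in candidate:
            hits.append((shift, candidate))
    return hits

def key_space(bits: int) -> int:
    """Number of distinct keys for a key of `bits` bits: 2**bits."""
    return 2 ** bits

if __name__ == "__main__":
    # Constructed sample message and secret shift for the demonstration.
    secret_shift = 7
    ciphertext = shift_cipher("attack at dawn", secret_shift)
    print("ciphertext:", ciphertext)
    print("ROT13 of Hello:", rot13("Hello"))
    print("brute force:", brute_force_shift(ciphertext, "dawn"))
    print("shift-cipher keys: 26, 128-bit keys:", key_space(128))
```

The brute-force loop finishes in microseconds because there are only 26 keys to try; the same loop over a 128-bit key space would need 2¹²⁸ iterations, which is the whole point of the key-length comparison in the text.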
You can tell if a site is secure and running with an SSL certificate or not because there will be a padlock icon or a green highlight on or near the address bar in your browser. Clicking on this padlock will usually give you information about who issued the certificate and to whom it was issued.
What is SSL Used For?
The primary purpose of SSL is to encrypt the information transmitted between the website visitor and the server. This encryption makes it difficult to intercept and alter the request or response. It should be understood that SSL does not verify or guarantee the identity of the remote server, only that the data transmitted between the two is encrypted and relatively secure from eavesdropping. The higher the key length, the more secure it is.
Do I Need SSL On My Website for Internet Security?
✔ If you are accepting credit card payments online via a merchant account, the credit card associations and networks require that you use SSL whenever you transmit credit card information, such as the card number, cardholder's name, expiration date, CVV code, etc. Without SSL, these companies will not allow you to process transactions. If you use a payment processor such as PayPal, Google Checkout or Amazon Payments, you do not need an SSL certificate since you are not transmitting or storing credit card information yourself.
✔ SSL should also be used when transmitting personal information, such as names, addresses, account details, and passwords. So login forms, account settings, and user management forms should also use SSL.
✔ Non-transactional websites, listings sites, sites with no user information and personal blogs do not currently require SSL. HOWEVER, there is a movement to phase out non-secure communications entirely, forcing the entire web to become encrypted. The likes of Google and Mozilla support this movement, so there is a high chance of this happening.
Should this transpire, every website must use SSL for a web browser to show the site without warnings. SSL may also become an important SEO ranking factor (Update: It has now become an important factor).
SSL Performance Degradation
You may have already noticed that when clicking through to a login page, that page takes a little longer to load than the rest of the site. Adding a secure certificate and SSL to your website adds an extra layer of security, but it is also an extra layer which needs to be processed at all levels. Initially, the client and the server must establish a "handshake" to identify each other and exchange keys (we'll see this later). The browser then needs to be able to decrypt and display the encrypted content; the server needs to encrypt and decrypt. These all have performance ramifications.
What Are the Different Types of SSL?
SSL certificates have several different flavours, each varying in cost, support and features.
- Self-Signed Certificates - The least secure and should not be used in production environments. You can generate your own SSL certificate to use for development and testing. Most Internet Browsers will give warnings about self-signed certificates.
- Shared Certificates - Often installed on shared servers, you share a certificate with other users on the same server. Less secure.
- Domain Validated Certificates - Secure for websites, this certificate is tied to your domain name and can only be used on that one domain.
- Company Validated Certificates - Similar to domain validation, except that the issuing authority verifies the company requesting the SSL.
- Extended Validation Certificates - EV certificates provide secure connections, verify the business's identity, and help prevent fraud through thorough checks and validations. EVs are the most secure and expensive.
- Wildcard Certificates - A Wildcard SSL Certificate enables SSL encryption using a single certificate on unlimited subdomains.
- Multi-Domain Certificates - Multi-domain certificates make it possible to secure up to 210 domains with a single certificate.
How Do I Obtain an SSL Certificate?
SSL certificates can usually be supplied through your hosting provider, or you can purchase directly from an issuing authority such as Comodo or Verisign. There may be additional installation costs if you need your host to install the certificate.
How SSL Key Exchange Works
The problem with using this kind of single-key encryption over the Internet is that you have to transmit both the encrypted data and the key so that the person at the destination can decrypt the data. This is open to hacking, as the encrypted data and the key are sent together. A secure way of doing this would be to send the encrypted data over the Internet and send the key separately by a different route, such as in person on a USB stick or CD.
This wouldn't work for everyday use of the Internet such as online banking or shopping: every time you logged on, you would have to wait for a USB stick to arrive in the post.
The solution is to use public and private keys and have these exchanged securely.
An Example of Internet Security - Key Exchange
Let's look at how we secure the keys between two computers without eavesdropping or anyone stealing the secure key. This is a very simplified version of internet security.

In this example, we are trying to convey to the receiver a copy of the blue key, which is our secure private key that nobody else must know about. We will do this by using two public locks, green and red. First, the blue secure key is placed inside a container and then locked with the sender's red padlock. Only the red key can open this padlock.
The locked container is then sent to the receiver, who, at this stage, cannot open the container.

The receiver then puts their padlock (green) on the container and returns the doubly locked container to the sender.
When the sender gets the container back, they remove the red padlock using their red key and return the container to the receiver.

Now, the receiver has a container that only has the green padlock on, which can be opened using the green key. Thus, the receiver now has access to the blue secure key. From now on, all communication between the sender and receiver can be securely sent and received by locking it with a blue padlock.

As I said, this greatly oversimplified example of internet security illustrates how the system works. The real systems use complex mathematical calculations and long encryption keys to secure data transmission. The simplified technique illustrates how secure keys can be transmitted over insecure lines without the risk of eavesdropping, snooping or hacking.
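The red/green padlock exchange above can be run in code, and doing so shows both why it works and the condition it depends on. The example below is added here and is not code from the original article; it is a toy implementation of a three-pass exchange (often called the Shamir three-pass protocol) in which "locking" is modular exponentiation and each padlock's key is the inverse exponent. The prime P, the padlock exponents and the blue key value are all constructed for the demonstration and are far too small for real use. A second function shows the caveat a practitioner should know: if the "padlock" were a simple XOR, an eavesdropper who sees the three containers on the wire could combine them and recover the blue key, so the analogy only holds when a locked container cannot be undone without the key.

```python
import secrets
from math import gcd

# Constructed demo prime (2^31 - 1). A real deployment would use a prime of
# thousands of bits; this one is chosen only so the numbers stay readable.
P = 2_147_483_647

def make_padlock(p: int = P) -> tuple[int, int]:
    """Return (lock, key): a random exponent and its inverse modulo p-1, so that
    (m**lock)**key == m (mod p) for any 1 <= m < p by Fermat's little theorem."""
    while True:
        lock = secrets.randbelow(p - 3) + 2        # 2 .. p-2
        if gcd(lock, p - 1) == 1:                  # inverse exists only if coprime
            return lock, pow(lock, -1, p - 1)

def apply_padlock(value: int, exponent: int, p: int = P) -> int:
    """Lock (or unlock) a value: modular exponentiation by the padlock exponent."""
    return pow(value, exponent, p)

def three_pass_exchange(blue_key: int, red=None, green=None, p: int = P):
    """Run the article's exchange. `red` is the sender's padlock (lock, key),
    `green` the receiver's; both are generated if not supplied.
    Returns (key the receiver ends up with, the three containers seen on the wire)."""
    if not 1 <= blue_key < p:
        raise ValueError("blue key must be in 1 .. p-1 for this toy construction")
    red = red or make_padlock(p)
    green = green or make_padlock(p)
    red_lock, red_key = red
    green_lock, green_key = green
    wire = []
    # 1. Sender locks the blue key with the red padlock and sends the container.
    c1 = apply_padlock(blue_key, red_lock, p); wire.append(c1)
    # 2. Receiver cannot open it, adds the green padlock and sends it back.
    c2 = apply_padlock(c1, green_lock, p); wire.append(c2)
    # 3. Sender removes the red padlock (the locks commute) and sends it again.
    c3 = apply_padlock(c2, red_key, p); wire.append(c3)
    # 4. Receiver removes the green padlock and holds the blue key.
    received = apply_padlock(c3, green_key, p)
    return received, wire

def xor_three_pass_leak(blue_key: int, red: int, green: int) -> int:
    """The same three passes with XOR as the 'padlock'. Returns what an
    eavesdropper computes from the three wire values alone: XORing them
    cancels both locks and yields the blue key, so XOR is not a usable padlock."""
    c1 = blue_key ^ red
    c2 = c1 ^ green
    c3 = c2 ^ red
    return c1 ^ c2 ^ c3

if __name__ == "__main__":
    blue = 0xCAFE  # constructed sample "blue key"
    received, wire = three_pass_exchange(blue)
    print("receiver got blue key back:", received == blue)
    print("values visible on the wire:", wire)
    print("XOR padlock leaks blue key:", xor_three_pass_leak(blue, 0x1234, 0xABCD) == blue)
```

Step 3 only works because the locks commute: raising to red_lock, then green_lock, then red_key leaves just the green lock in place. What keeps the exchange safe is that an eavesdropper cannot strip a lock from a container without its key (here, that would mean solving a discrete logarithm), which the XOR variant shows is not true of every commutative operation.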
Internet Security Conclusion
Now that you've read this SSL for Newbies guide, I hope you understand the importance and benefits of a secure connection. Whether you are the website owner, a marketer, or a developer, I wouldn't rush out to buy certificates if they are not essential for your site. I'll be waiting to see how the phasing out of HTTP and non-secure sites goes if anything happens. Is the cost of an SSL certificate on a personal blog worth the expense? Will companies start offering low-cost certificates?