SSL is the generic term for a series of protocols used to secure online communications by encrypting information passed between a client and a server. Its use is important for websites accepting online payments in particular, and for maintaining browsing and email privacy in general. There has, in recent years, been a push to begin securing all online communications. Google, for example, is now including website security as part of its search ranking algorithm, meaning that those websites using SSL receive a ranking boost compared to those that don’t.
“SSL” stands for Secure Sockets Layer and was first developed by Netscape in the early 90s. There have been a number of versions released in the years since, each improving on the security of its predecessor. The current version is TLS 1.2, with 1.3 being drafted at the time of this writing. “TLS” stands for Transport Layer Security, but “SSL” remains the umbrella term for these protocols within the web hosting industry.
The purpose of SSL is twofold. First, it is meant to ensure that the server that you (or your browser, or your email client) are communicating with is who it says it is. Second, by encrypting all information passed between you and the server, it ensures that a third party who might be eavesdropping in the middle (known as a man-in-the-middle attack) can’t make sense of communications being passed back and forth. It is worth discussing each of these purposes in turn.
In any cryptographic context, trust between communicants is necessary. Trust here only means that the identity of the server you are communicating with is authentic — that it’s not some other server pretending to be a server it’s not. The way that trust, or authenticity, is established is by way of an already-trusted third party known as a Certificate Authority. Certificate Authorities (CAs) are organizations that sign and issue SSL certificates (or SSLs, for short) to, for example, website owners. CAs themselves undergo yearly security audits to ensure that their trust is not compromised.
In order for a website owner to acquire a certificate, something called a key pair must be generated on the web server. This key pair consists of a private key, which is always kept secret, and a public key, which can be given out. Any message that is encrypted using the public key can only be decrypted using the private key. The website owner then gives this public key to the CA, who in turn validates that the owner, in fact, owns the domain name in question either by sending a verification email to the owner’s email address or by having the owner create a special DNS record. Upon ownership validation, a certificate that is cryptographically signed by the CA is issued.
Most web hosts provide a tool to automate much of this process.
Certificates themselves contain certain crucial information that is necessary for the establishment of trust, including the dates of the certificate’s issuance and expiration, the domain name it is to be used for, the organization that owns the domain, and the public key generated on the web server.
Once a certificate is installed and configured on a website, that site will present its certificate to any browser visiting the site. The browser will then check a list of trusted CAs that either comes shipped with your operating system (such as OS X or Windows) or else is shipped with the browser itself. (You can find the list of CAs used by Firefox, for example, here.) If the website’s SSL certificate was signed by a CA in the list, then the browser trusts that the identity of the website is authentic. A padlock (typically green) will be displayed in the browser’s address bar.
With trust now established, the server and browser negotiate an encryption method to use and then exchange messages that each in turn verify can be correctly decrypted. Communication can then proceed securely.
Secure communication between browser and server ensures that information being passed back and forth — like credit card information or Social Security numbers — is indecipherable by a third party who might be listening on the line. Any e-commerce business accepting card payments must use an SSL certificate in order to be PCI compliant.
Even if you aren’t accepting payments through your website, using an SSL is a good security policy in general because it helps maintain browsing privacy, and protects account login information as it is transmitted to your server. Compromised login credentials can compromise websites in part or in whole. Given that many people tend to use the same credentials everywhere, including email, Facebook, and even online banking, the possible impact of compromised accounts is quite high.
Internet users have become much more security conscious within the last several years. Installing an SSL certificate on your site is a good way of establishing a reputation of trust with your visitors. And now you’ll even receive a bump in search engine results, too.