
SSL/TLS and HTTPS in a nutshell

When you land on a website and look at the address bar, you will most likely see https instead of http, which is hardly surprising nowadays. There are many advantages to serving a website to visitors over a secure connection (visit www.httpvshttps.com and see for yourself). You might be wondering, though, what the actual difference between the two is. HTTP is the Hypertext Transport/Transfer Protocol: the mechanism over which hypertext documents (web pages) are transferred from a host machine (where the website lives, aka the server) on the Internet to your web browser (the client). HTTPS simply indicates that the HTTP communication has been set up to be secured, and SSL/TLS is what provides that secure communication.

SSL/TLS (Secure Sockets Layer/Transport Layer Security) is an Internet protocol for encrypting data over the network. Yes, it is all about encrypting data packets. One important thing to mention is that TLS replaced SSL as the encryption protocol in 1999, so SSL is now considered deprecated.

SSL/TLS ensures that communication between server and client occurs through a “secure tunnel”, where all the data transported across that tunnel is encrypted. By default SSL/TLS runs on port 443. You don’t have to type www.google.com:443 into your browser’s address bar to tell Google’s server that you want the secure version of its search engine homepage; by default, the majority of servers on the Internet redirect all HTTP requests to be served over HTTPS.

TLS Handshake in a nutshell

Protocol-wise, several steps need to happen under the hood for the communication between the server and the client to be trusted and encrypted (the TLS handshake). In a nutshell, here’s what happens:

  1. Session establishment

    Client (web browser) sends a ClientHello message (actually a data packet) to the server using SSLv2 (SSL 2.0, typically). The server responds and sends back a ServerHello message (data packet) that contains several parameters such as: the message itself, the protocol used (typically TLS 1.0), the session ID, the session ID length, the cipher suite to be used and some other details.

  2. Certificate Ready (ServerKeyExchange)

    Now the server sends its certificate, which includes the server’s public key, to the client so that the client can verify it.

  3. Negotiation

    The ClientKeyExchange, which is conducted according to the cipher suite agreed by both parties during session establishment and is also crucial to the encryption algorithm. Then the ChangeCipherSpec (client-to-server and server-to-client), which is a sort of notification sent to each other confirming that the data will be encrypted from there on using the agreed security suite and parameters.

  4. Encryption

    Everything going forward from here will be encrypted.
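To make the Hello exchange above concrete, here is an added example (not code from the original post) that builds a constructed ClientHello and ServerHello in the TLS 1.2 record format, parses the fields the text names (protocol version, random, session ID and its length, cipher suites) and then checks that the server’s choice is consistent with what the client offered. The sample messages, the small cipher suite table and all function names are this example’s own assumptions; the byte layouts follow RFC 5246.

```python
import struct

# Constants from RFC 5246 (TLS 1.2) record and handshake layers.
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# A handful of IANA cipher suite identifiers; enough for this example.
CIPHER_SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
VERSION_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_record(hs_type, body):
    """Wrap a handshake body in its 4-byte handshake header and 5-byte record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    # The record-layer version field is the legacy 0x0301 that most clients send.
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake


def build_client_hello(version, random, session_id, suites):
    body = bytes(version) + random + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method offered: null
    return build_record(HS_CLIENT_HELLO, body)


def build_server_hello(version, random, session_id, suite):
    body = bytes(version) + random + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"  # chosen suite, null compression
    return build_record(HS_SERVER_HELLO, body)


def _unwrap(record, expected_type):
    """Validate both headers and return the handshake body; raise on malformed input."""
    content_type, _legacy_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_HANDSHAKE or rec_len != len(record) - 5:
        raise ValueError("not a well-formed handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if hs_type != expected_type or hs_len != rec_len - 4:
        raise ValueError("unexpected handshake type or length")
    return record[9:]


def _parse_hello_prefix(body):
    """Version, 32-byte random and session ID are laid out identically in both Hellos."""
    version_id = (body[0], body[1])
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    return version_id, body[2:34], session_id, 35 + sid_len


def parse_client_hello(record):
    body = _unwrap(record, HS_CLIENT_HELLO)
    version_id, random, session_id, pos = _parse_hello_prefix(body)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": VERSION_NAMES.get(version_id, "unknown"), "version_id": version_id,
            "random": random, "session_id": session_id,
            "cipher_suites": [CIPHER_SUITE_NAMES.get(s, hex(s)) for s in suites],
            "cipher_suite_ids": suites}


def parse_server_hello(record):
    body = _unwrap(record, HS_SERVER_HELLO)
    version_id, random, session_id, pos = _parse_hello_prefix(body)
    (suite,) = struct.unpack("!H", body[pos:pos + 2])
    return {"version": VERSION_NAMES.get(version_id, "unknown"), "version_id": version_id,
            "random": random, "session_id": session_id,
            "cipher_suite": CIPHER_SUITE_NAMES.get(suite, hex(suite)), "cipher_suite_id": suite}


def check_negotiation(client_record, server_record):
    """Return a list of problems; an empty list means the ServerHello matches the offer."""
    client = parse_client_hello(client_record)
    server = parse_server_hello(server_record)
    problems = []
    if server["cipher_suite_id"] not in client["cipher_suite_ids"]:
        problems.append("server chose a cipher suite the client never offered")
    if server["version_id"] > client["version_id"]:
        problems.append("server selected a version higher than the client offered")
    return problems


# Constructed sample messages (not captured from any real server).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
SAMPLE_CLIENT_HELLO = build_client_hello((3, 3), CLIENT_RANDOM, b"", [0xC02F, 0xC030, 0x002F])
SAMPLE_SERVER_HELLO = build_server_hello((3, 3), SERVER_RANDOM, b"\xde\xad\xbe\xef", 0xC02F)

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_CLIENT_HELLO))
    print(parse_server_hello(SAMPLE_SERVER_HELLO))
    print("problems:", check_negotiation(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
```

The negotiation check is the part a defender cares about: a compliant client must abort if the ServerHello names a cipher suite or version it did not offer, because that is exactly what a tampered handshake looks like. Real ClientHellos also carry extensions (SNI, supported versions, and so on) after the compression methods; this parser stops before them, which is fine for the fields the text discusses.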

Certificate Authorities (CAs) and SSL Certificates

In order to establish the identity and authenticity of a website and use an encryption mechanism to protect the data it sends, an SSL Certificate is required. This certificate is issued by a trusted authority: the Certificate Authority (CA).

When it comes to SSL Certificates, there are 3 different types:

  • Extended Validation (EV). To provide this type of SSL Certificate, the CA does a thorough vetting of the organization to validate its business. Along with the OV type, the EV Certificate shows the company information when the Secure Site Seal icon next to the address bar is clicked.
  • Organization Validation (OV). Same as the EV, the OV displays the company information when the Secure Site Seal icon is clicked; however, the CA conducts only some vetting of the organization, hence it is a less expensive type of SSL Certificate.
  • Domain Validation (DV). The least expensive type of SSL Certificate (it goes all the way down to zero dollars to get one), where the CA only checks the applicant’s right to use a given domain name. Since no company identity investigation is required to acquire this certificate, no company information is displayed when the Secure Site Seal icon is clicked.

Some of the most popular CAs on the Internet

  • GoDaddy
  • InstantSSL
  • RapidSSL
  • Let’s Encrypt

Conclusion

There’s no good reason today for any website not to use HTTPS. If you want to rank higher on Google and other search engines, build trust among your customers by protecting their confidential data, and speed up site loading, you should definitely consider acquiring an SSL Certificate for your website. Fortunately, Let’s Encrypt has made this process easier by encouraging web hosting companies to offer an AutoSSL feature. AutoSSL is a feature built into the cPanel program of many web hosts that automatically installs and renews Let’s Encrypt SSL certificates for every assigned or parked domain on their accounts. Go check out all that this great free and open-source CA has to offer.
