Everything you need to know about SSL but were afraid to ask
Domain Security Value
You have probably noticed the shift of many website URLs from HTTP to HTTPS over the past decade, particularly over the last half-dozen years. There’s an interesting wiki article on the timeline if you’re keen on more specifics.
So what is it that makes HTTPS so good?
A WordPress HTTPS site makes your online business more trustworthy to visitors. From the moment your site loads in their browser, they see a visual cue that their personal information will be highly guarded in your corner of the world (wide web).
You’ll also get an SEO boost, as search engines favor HTTPS websites. According to Google Webmaster Trends Analysts, SSL is part of Google’s search ranking algorithm.
Being rewarded with improved page load times is another awesome part of the package. Who doesn’t want performance gains?
HTTPS, aka end-to-end encryption, can help prevent all types of online attacks, including the big baddies known as APTs and MitM attacks. Here’s a quick rundown on these:
- APTs (Advanced Persistent Threats) are attack campaigns in which intruders use continuous, clandestine, and sophisticated techniques to gain access to a system, and remain inside for a prolonged period of time. These have potentially destructive consequences.
- MitM (Man in the Middle) attacks are when a cybercriminal gains access to an unsecured or poorly secured Wi-Fi network to intercept and read transmitted data, capturing login credentials, banking information, and other personal information. The attacker might also impersonate the person or entity you think you’re talking to, in order to steal information.
Sadly, these cyber attacks don’t seem to be slowing down.
While not completely foolproof, having HTTPS on your website will greatly improve your defenses against APTs, MitM attacks, malware, direct hacker attacks, and a host of other vulnerabilities.
Next, let’s look at how encryption actually works.
HTTP (Hypertext Transfer Protocol) allows communication between different systems―like your browser and a web server―so you can view web pages or transfer data. HTTP moves data in plain text, so it is unsecured and readily available for anyone to read.
HTTPS (Hypertext Transfer Protocol Secure) is HTTP with an added layer of security. It uses SSL (Secure Sockets Layer) certificates to encrypt the information flowing between your browser and the server, protecting sensitive information from being stolen.
When a website is secured with an SSL certificate, HTTPS appears in the URL, and the browser shows a lock symbol in the address bar.
You can click on that little lock to see the certificate information, which provides more details, including who the cert is issued to (website owner), who it’s issued by (the certificate authority), and the valid from/to dates.
The extra layer of security in HTTPS comes from TLS (Transport Layer Security) protocol. TLS is just an updated, more secure version of SSL. Nine times out of ten you will hear security certificates referred to as SSL, mostly because it’s the term people are used to.
In a nutshell… a browser reaches out to a server, and a “handshake” connection is made. During the handshake, the server sends the client an SSL certificate containing its asymmetric public key; the matching private key stays stored on the web server itself. This ensures that all data in the stream is encrypted.
HTTPS uses two types of end-to-end encryption, which we’ll now examine in finer detail.
Asymmetric encryption is known as public-key cryptography. A public key is used to encrypt the data, while a private key is used to decrypt it. The two keys are connected and are actually very large numbers with certain mathematical properties. If you encode a message using a person’s public key, they can decode it using their matching private key.
Symmetric encryption is when only one key is being used to encrypt and decrypt the data. The entities will share the same key during communication for encrypting and decrypting the data.
Both TLS and SSL use an asymmetric PKI system. Data encrypted with the public key can only be decrypted with the private key, and vice versa.
Private keys should be kept very securely and never distributed or made accessible to anyone other than the website owner.
Public keys can be distributed to anyone who needs to decrypt information that was encrypted with the private key.
The client generates a session key. This session key is encrypted using the server’s public key and then sent to the server.
The server will use the asymmetric private key to decrypt the encrypted session key and will get the session key. The browser will use the session key for encrypting and decrypting the data for the session.
Now the data is secured, as the session key is known by both the client and the server. Once the session has expired, the process is repeated, since the old session key is no longer valid.
Today we use the AES encryption algorithm, which was adopted and published as the federal standard by The National Institute of Standards and Technology (NIST).
Advanced Encryption Standard (AES) uses a single key as part of the encryption process. The key can be 128 bits (16 bytes), 192 bits (24 bytes), or 256 bits (32 bytes) in length. Given that even the fastest computer would take billions of years to try every possible 256-bit key, and that a session key is only valid for a short time, hijacking the session key is extremely difficult. That’s why AES is considered an extremely secure encryption standard.
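The session-key exchange described above (the client wrapping a fresh AES session key with the server’s public key, the server unwrapping it with its private key, and both sides then using AES for the actual data) as an added Go example; this is not code from the original article. It uses only Go’s standard library: the server identity is a freshly generated RSA key standing in for a real certificate, the bulk cipher is AES-256-GCM, and the payload is a constructed sample. This RSA key-transport form is the one the article describes; current TLS 1.3 derives the session key with an ephemeral Diffie-Hellman exchange instead, but the asymmetric-then-symmetric shape is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ServerKeyPair is the server's long-lived asymmetric pair: the public half
// travels in the certificate, the private half never leaves the server.
func ServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientMakeSessionKey is the client's step: draw a random 256-bit AES session
// key and wrap it with the server's public key (RSA-OAEP). Only the wrapped
// copy goes over the wire, and only the private-key holder can unwrap it.
func ClientMakeSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // 32 bytes = AES-256
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// ServerUnwrapSessionKey is the server's step: recover the session key with
// the private key.
func ServerUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// newGCM turns the raw session key into an AES-GCM cipher. Both ends build the
// same cipher from the same 32 bytes: that is the symmetric half.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record under the session key. A fresh random nonce is
// prepended so the receiver can find it; GCM appends an authentication tag, so
// tampering in transit is detected instead of decrypting into garbage.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts one record; it fails if the key is wrong or any byte changed.
func Open(sessionKey, record []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// RunSession performs the whole exchange in one process: asymmetric key
// transport, then one record under the symmetric session key. It returns what
// the server decrypted so the round trip can be checked.
func RunSession(msg []byte) ([]byte, error) {
	priv, err := ServerKeyPair()
	if err != nil {
		return nil, err
	}
	clientKey, wrapped, err := ClientMakeSessionKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	serverKey, err := ServerUnwrapSessionKey(priv, wrapped) // same 32 bytes as clientKey
	if err != nil {
		return nil, err
	}
	record, err := Seal(clientKey, msg) // client encrypts with its copy...
	if err != nil {
		return nil, err
	}
	return Open(serverKey, record) // ...server decrypts with its copy
}

func main() {
	// Constructed sample payload standing in for a login form submission.
	out, err := RunSession([]byte("user=alice&password=correct-horse-battery"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("server recovered: %s\n", out)
}
```

The point to notice is that the RSA pair is used exactly once per session, to move 32 bytes; everything after that is the much faster symmetric AES cipher, and a record whose bytes were altered in transit fails in `Open` rather than decrypting to garbage.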
SSL stands for Secure Sockets Layer, and is the standard technology for keeping an internet connection secure. It safeguards any sensitive data that is being sent between two systems, thus preventing data in the stream from being intercepted by unintended recipients who may have criminal intent.
This is done by making sure that any data transferred between users and sites, or between two systems, remains impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it’s sent over the connection.
This includes anything sensitive or personal, such as names and addresses, logins, emails, credit card numbers, and other financial information. And it extends over FTP, web apps, cloud-based computers, hosting panels (e.g., cPanel), VPNs, intranets, extranets, and DB connections.
To quickly clarify a point: Although the terminology is used interchangeably, and they are intrinsically connected, HTTPS is not SSL. HTTPS is a combination of HTTP and either SSL or TLS. So more accurately, HTTPS is one common instance of SSL.
With that said, let’s move on to SSL certificates.
An SSL certificate encrypts the information that users supply to a site, which basically translates the data into complex code. Even if someone managed to steal the data being communicated between the client and the server, it would be a mess of gibberish impossible to decipher.
SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When one is installed on a web server, it activates the HTTPS protocol (over port 443), allowing secure connections from the web server to a browser.
SSL Certificates bind together:
- a domain name, server name, or hostname
- an organizational identity (i.e., company name) and location
An organization needs to install the SSL Certificate onto its web server to initiate secure sessions with browsers. Depending on the type of SSL Certificate applied for, the organization will be vetted at the appropriate level.
Once HTTPS is installed, all traffic and communication between the web server and the web browser will be encrypted and secure.
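As an added example (not code from the original article), the following Go program builds a certificate that binds a hostname and an organizational identity to a key pair, runs a real TLS handshake against it over loopback, and reads back the fields a browser shows behind the padlock: issued to, issued by, and the valid from/to dates. It also shows what happens when the browser's expected hostname does not match the certificate. The hostname `shop.example`, the organization name and the 90-day validity are constructed values; the certificate is self-signed, so the issuer equals the subject, whereas a public site's issuer would be its certificate authority. Standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PadlockInfo is what the browser shows behind the lock icon, plus the negotiated TLS version.
type PadlockInfo struct {
	IssuedTo, Org, IssuedBy string
	NotBefore, NotAfter     time.Time
	TLSVersion              uint16
}

// MakeSelfSignedCert binds a hostname and an organization name to a fresh key pair.
// Self-signed means issuer == subject; a public CA would sign it instead.
func MakeSelfSignedCert(host, org string, validFor time.Duration) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host, Organization: []string{org}},
		DNSNames:     []string{host}, // the name a browser actually checks
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Handshake runs a TLS server on loopback with cert, connects a client that trusts only leaf
// (standing in for the browser's trust store) and expects the name expectName, and returns
// what the client learned. A name mismatch makes the client abort, as a browser would.
func Handshake(cert tls.Certificate, leaf *x509.Certificate, expectName string) (PadlockInfo, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return PadlockInfo{}, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: accept one connection and complete the handshake
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
		}
		srvErr <- err
	}()
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return PadlockInfo{}, err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, &tls.Config{ServerName: expectName, RootCAs: roots})
	if err := cli.Handshake(); err != nil {
		return PadlockInfo{}, err // e.g. "certificate is valid for shop.example, not other.example"
	}
	if err := <-srvErr; err != nil {
		return PadlockInfo{}, err
	}
	st := cli.ConnectionState()
	peer := st.PeerCertificates[0]
	return PadlockInfo{IssuedTo: peer.Subject.CommonName, Org: peer.Subject.Organization[0],
		IssuedBy: peer.Issuer.CommonName, NotBefore: peer.NotBefore, NotAfter: peer.NotAfter,
		TLSVersion: st.Version}, nil
}

func main() {
	// Constructed sample identity; a real site would use its own domain and company name.
	cert, leaf, err := MakeSelfSignedCert("shop.example", "Example Shop Ltd", 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	info, err := Handshake(cert, leaf, "shop.example")
	fmt.Printf("%+v (err=%v)\n", info, err)
	_, err = Handshake(cert, leaf, "other.example")
	fmt.Println("wrong hostname rejected:", err) // the error a browser turns into a warning page
}
```

Two things worth noticing: the client never sees the private key, it only receives the certificate and checks that the name inside it matches the site it meant to reach, and with both ends on current Go defaults the negotiated version is TLS 1.3 even though everyone still calls the certificate an “SSL certificate”.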