What is SSL?


Secure Sockets Layer (SSL) is an internet security protocol, establishing encrypted connections between computers on a network, such as the internet.

For example, logging into your online banking without the encrypted connections provided by SSL means anyone monitoring your connection could see your passwords and other sensitive financial data.

Alice, Bob, and Eve 

Computer security specialists often refer to two parties trying to securely exchange information like this as ‘Alice’ and ‘Bob’. There is also ‘Eve’ who is intent on eavesdropping on their connection. 

If Alice wants to communicate with Bob securely, they need to encrypt their data. But what is encryption? In the early days of the internet, all encryption was symmetric: the key used to encrypt data was the same key used to decode it.

In order to encrypt data safely and exchange messages, Alice and Bob needed to agree on a shared key. This was usually done via Data Encryption Standard (DES). 

DES keys were relatively weak (56 bits) and vulnerable to brute-force attacks, in which a powerful computer tries every possible key until it hits on the right one. There was also the problem of key distribution: once your data is encrypted, how do you send the symmetric key needed to decode it to someone who might be on the other side of the world?

SSL: Public and private keys 

SSL, developed by Netscape in 1995, was designed to solve Alice and Bob’s problem. 

At its core, SSL (now known as Transport Layer Security, or TLS) uses asymmetric encryption, also called public key cryptography. The public key used to encrypt data is not the same as the secret private key used to decrypt it.

The keys are mathematically related, the relationship resting on the difficulty of factoring a number that is the product of two extremely large primes. It’s not important to understand this in depth, except to say that knowing someone’s public key only lets you encrypt data for them to decode: it cannot be used the other way round.

How SSL works 

So, how does SSL work? The answer lies in a combination of traditional symmetric encryption and public key cryptography.

When Alice wants to securely communicate with Bob without Eve listening in, they first perform a virtual handshake. Traditionally, this let them establish which SSL protocol versions and encryption algorithms each side supported.

Alice’s device uses Bob’s public key to generate a shared secret symmetric encryption key for this particular connection. Bob’s device then uses Alice’s public key to securely confirm that this is the key to use. Having established a common symmetric encryption key, communications are now secure.

Using both public key and regular symmetric encryption may sound over-elaborate, but it has a big advantage. Symmetric encryption is much faster than asymmetric, so it makes much more sense to use the public keys as little as possible.

This set-up is a nightmare for bad actors like Eve. She may well be able to monitor the data passing between Alice and Bob’s devices, but she is unable to make sense of it. Knowing the public keys isn’t helpful for decrypting the data, and once the data is encrypted with the symmetric key it’s equally meaningless to her.

SSL certificates 

There is a flaw in the SSL security model as described so far: what if a bad actor intercepts Alice and Bob’s connection and impersonates Bob? In that case they could supply their own public key to Alice and read all her sensitive personal data.

This is where Certificate Authorities come in. Certificate Authorities (CAs) are publicly trusted organisations that issue digital SSL certificates, binding a public key to a person or website. They also use their own private key to digitally sign these certificates, so that others can check a certificate is valid.

Almost all modern browsers come preloaded with details of trusted certificate authorities and their public keys, so it’s easy to check that the SSL certificate for a particular site is valid. To find out whether a website is secured by SSL, check for a padlock icon in the address bar and click it for more information.

Each time your device connects to a website using SSL (indicated by a web address that starts “https://”), the site sends its SSL certificate, including its public key. Your web browser then validates the certificate, and alerts you if the site appears to lack security.

In practice there are several different types of certificate, but in the original days of SSL a certificate was simply used to establish that this is the valid public key for that particular domain.
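The handshake described under “How SSL works” and the certificate check described in this section, as one added worked example written for this article (it is not code from the article or from any TLS implementation). It uses textbook RSA over small Mersenne primes, an HMAC-based stream cipher standing in for the real symmetric cipher, and constructed names (bob.example, the CA, Alice, Bob and Eve). Real TLS uses far larger keys, padding schemes, AES and X.509 certificates, and its modern versions derive the session key differently from the RSA key transport shown here; the point is only to make the mechanism visible.

```python
"""Toy model of the SSL handshake and certificate check described in the article.

Added illustration, not the article's own code and not a real TLS library.
Textbook RSA over small Mersenne primes and an HMAC keystream stand in for
real TLS key sizes, padding, AES and X.509; every name below is constructed.
"""
import hashlib
import hmac
import secrets
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA: return ((n, e), (n, d)) from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_apply(key, m):
    """m ** exponent mod n: public key encrypts/verifies, private key decrypts/signs."""
    n, exponent = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, exponent, n)


def symmetric_xor(key, data):
    """Toy symmetric cipher: XOR with an HMAC-SHA256 keystream; the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def _digest(domain, public_key):
    """Hash of the 'to be signed' binding domain -> key (truncated to fit the toy CA modulus)."""
    n, e = public_key
    return int.from_bytes(hashlib.sha256(f"{domain}|{n}|{e}".encode()).digest()[:28], "big")


def issue_certificate(ca_private, domain, subject_public):
    """The CA signs the binding between a domain and its public key."""
    return {"domain": domain, "public_key": subject_public,
            "signature": rsa_apply(ca_private, _digest(domain, subject_public))}


def verify_certificate(cert, ca_public, expected_domain):
    """What a browser does with the CA public key it ships with."""
    if cert["domain"] != expected_domain:
        return False
    return rsa_apply(ca_public, cert["signature"]) == _digest(cert["domain"], cert["public_key"])


def client_handshake(server_cert, ca_public, domain):
    """Alice: check Bob's certificate, then wrap a fresh session key under his public key."""
    if not verify_certificate(server_cert, ca_public, domain):
        raise ValueError("certificate does not verify: refuse to connect")
    session_key = secrets.token_bytes(16)
    wrapped = rsa_apply(server_cert["public_key"], int.from_bytes(session_key, "big"))
    return session_key, wrapped


def server_handshake(server_private, wrapped):
    """Bob: recover the session key with his private key."""
    return rsa_apply(server_private, wrapped).to_bytes(16, "big")


# Constructed keys: 2**61-1, 2**89-1, 2**107-1 and 2**127-1 are all Mersenne primes.
BOB_PUB, BOB_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)
CA_PUB, CA_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)
BOB_CERT = issue_certificate(CA_PRIV, "bob.example", BOB_PUB)


def run_session(message=b"transfer 100 to account 42"):
    """Full exchange: handshake, then a message Eve can observe but not read."""
    alice_key, wrapped = client_handshake(BOB_CERT, CA_PUB, "bob.example")
    bob_key = server_handshake(BOB_PRIV, wrapped)
    ciphertext = symmetric_xor(alice_key, message)   # this, plus `wrapped`, is all Eve sees
    return bob_key == alice_key, symmetric_xor(bob_key, ciphertext)


def impostor_certificate():
    """Eve swaps her own public key into Bob's certificate; the CA signature no longer matches."""
    eve_pub, _ = make_keypair((1 << 31) - 1, (1 << 61) - 1)
    return dict(BOB_CERT, public_key=eve_pub)


if __name__ == "__main__":
    print(run_session())
    print(verify_certificate(impostor_certificate(), CA_PUB, "bob.example"))
```

The design mirrors the article’s two ideas: the expensive public key operation happens once, to move a 16-byte session key, and everything after that is fast symmetric encryption; and the certificate is only useful because the browser already holds the CA’s public key, which is why Eve’s key swap in `impostor_certificate` fails verification before any session key is ever sent to her.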

SSL today 

SSL itself hasn’t seen an update since SSL 3.0 in 1996. Today the more secure TLS is its successor, and it has become the most widely used protocol for securing website traffic.

Given the popularity of SSL, many web users still refer to web traffic encryption as SSL or SSL/TLS. Although Certificate Authorities now only offer TLS certificates, these are still commonly referred to as SSL certificates.

While no form of security is entirely perfect, using SSL/TLS hugely reduces the risk of data passing between your device and websites being abused by bad actors. The trick to avoiding SSL issues is making sure your set-up is correct.
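What “making sure your set-up is correct” looks like in code, as an added example written for this article rather than anything from it: a short audit of a Python TLS client configuration using only the standard-library ssl module, with no network connection made. The “broken” context reproduces the common copy-paste mistake of switching verification off to silence certificate errors, which throws away exactly the CA and domain checks described above; the function names are assumptions of this example.

```python
"""Audit a Python TLS client configuration against the checks the article describes.

Added example, not from the article; it uses only the standard-library ssl
module, opens no network connection, and the 'broken' settings are the common
copy-paste mistake of disabling verification to silence certificate errors.
"""
import ssl


def hardened_client_context():
    """A correctly set up client: trusted CA store, chain and hostname checks, no SSL 3.0."""
    ctx = ssl.create_default_context()            # preloads the platform's trusted CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0 and early TLS versions
    return ctx


def broken_client_context():
    """The misconfiguration to flag in code review: any certificate, for any name, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # stops matching the certificate to the requested domain
    ctx.verify_mode = ssl.CERT_NONE   # stops checking the CA signature at all
    return ctx


def audit_context(ctx):
    """Return {setting: problem}; an empty dict means the context matches the article's model."""
    findings = {}
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings["verify_mode"] = "server certificate is not checked against trusted CAs"
    if not ctx.check_hostname:
        findings["check_hostname"] = "certificate is not matched to the requested domain"
    if not (ctx.options & ssl.OP_NO_SSLv3):
        findings["sslv3"] = "SSL 3.0 (1996) would still be negotiated"
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings["minimum_version"] = "TLS versions older than 1.2 are still accepted"
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("broken:  ", audit_context(broken_client_context()))
```

Note the order in `broken_client_context`: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, so code that disables verification always has to disable the hostname check first, which makes the pair an easy pattern to search for in a code base.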

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.