Ivo Petkov

How SSL works

July 14, 2015
SSL stands for Secure Sockets Layer. Its successor is Transport Layer Security (TLS), and what browsers actually use today is TLS, but the old name stuck and people say "SSL" for both. This is the technology used to provide security on the web. Today we will learn how SSL makes the communication between a web browser and a website secure, so that no one can read our passwords or other personal data while they are traveling through the Internet, and so that we know we are really talking to the website we meant.

Terms we need to know before we start

Key
A secret value used by a cipher. It works like a password, but it is generated randomly rather than chosen by a person and is long enough that guessing it is practically impossible.

Encryption
The process of scrambling information with a key so that it can only be turned back into readable form by someone who holds the right key.

Decryption
The reverse process: turning encrypted information back into its readable form using the right key.

Private key
One half of a key pair. It decrypts what was encrypted with its public key and creates signatures that the public key can check. As the name implies, it must be kept secret; for a website it lives only on the web server.

Public key
The other half of the pair. It encrypts information that only the private key can decrypt and verifies signatures made with the private key. It can be shared with anyone, and for a website it is published in the certificate.

Certificate
A file that contains a public key together with the name of the website it belongs to, the period it is valid for, and the signature of the certificate authority that issued it.

Certificate authority
An organization that checks who controls a domain, issues a certificate for it, and signs that certificate so your browser can verify it.

Certificate authority root certificates
The certificate authorities' own certificates, shipped with your operating system or browser in a trust store. They let your browser check the signature on any certificate an authority has issued. Your OS or browser vendor takes care of updating them.

The secure connection requires two keys to be created, one public and one private. Through the magic of mathematics they are generated together as a pair: information encrypted with the public key can be decrypted only with its private key, and a signature created with the private key can be checked by anyone who has the public key. Knowing the public key does not let you work out the private key.

How secure communication is established

These are our main players:
- A browser that has access to the root certificates
- A web server that hosts the website. It stores a private key securely and has a valid certificate issued by a Certificate Authority.
The browser requests a secure connection from the web server
The web server responds with its certificate
The browser verifies the certificate: the chain of signatures on it must lead to one of the root certificates, the certificate must be within its validity period, and the name in it must match the website the browser asked for. Only then is it sure it's communicating with the right web server.
Now the two sides have what they need. Using the public key from the certificate (and the server's matching private key), they agree on a fresh session key that only the two of them know; the server can complete this step only because it holds the private key, so an impostor with a copy of the certificate cannot. From then on every request and response is encrypted with that shared session key using a fast symmetric cipher. The public and private keys are used only during this handshake, never to encrypt the traffic itself: a response encrypted with the private key could be read by anyone holding the public key, which is everyone.
That's it.
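The handshake above, run for real with Go's crypto/tls, as an added example (this is not code from the original post): a made-up root CA issues a certificate for example.test, the client is configured like a browser with that root in its trust store, and the two sides talk over an in-memory pipe. The CA name, the host names example.test and evil.test, and the request text are invented for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue makes a key pair and a certificate for name: self-signed (a root) when
// parent is nil, otherwise signed with the parent's private key, which is all
// "issued by a Certificate Authority" means. Panics only if the RNG fails.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the name the browser will compare against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// buildPKI sets up the post's players: a root the browser trusts (as a cert
// pool) plus the web server's CA-issued certificate and its private key.
func buildPKI(host string) (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	caCert, caKey := issue("Example Root CA", true, nil, nil)
	cert, key := issue(host, false, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, cert, key
}

// verifyChain is the browser's check on a received certificate: the signature
// chain must end at a trusted root AND the certificate must be for the host
// the browser asked for. nil means "this is the right web server".
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// tlsExchange runs the handshake for real with crypto/tls over an in-memory
// pipe: the client is configured like a browser (trusted roots, expected host
// name), only the server holds the private key. It returns the server's reply
// and the symmetric cipher suite that actually protects the application data.
func tlsExchange(roots *x509.CertPool, cert *x509.Certificate, key *ecdsa.PrivateKey, serverName, request string) (reply, suite string, err error) {
	clientConn, serverConn := net.Pipe()
	clientConn.SetDeadline(time.Now().Add(3 * time.Second)) // a rejected handshake must not hang the demo
	server := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		SessionTicketsDisabled: true, // a post-handshake ticket would deadlock the synchronous pipe
	})
	client := tls.Client(clientConn, &tls.Config{RootCAs: roots, ServerName: serverName})
	srvErr := make(chan error, 1)
	go func() {
		defer serverConn.Close()
		buf := make([]byte, 1024)
		n, err := server.Read(buf) // Read runs the server side of the handshake first
		if err == nil {
			_, err = server.Write([]byte("server saw: " + string(buf[:n])))
		}
		srvErr <- err
	}()
	// Write runs the client side of the handshake first: an untrusted chain or a
	// certificate for another host name fails right here, before any data is sent.
	if _, err = client.Write([]byte(request)); err == nil {
		suite = tls.CipherSuiteName(client.ConnectionState().CipherSuite)
		buf := make([]byte, 1024)
		n, rerr := client.Read(buf)
		reply, err = string(buf[:n]), rerr
	}
	clientConn.Close()
	if serr := <-srvErr; err == nil {
		err = serr
	}
	return reply, suite, err
}

func main() {
	roots, cert, key := buildPKI("example.test")
	fmt.Println("wrong host name:", verifyChain(cert, roots, "evil.test"))
	fmt.Println(tlsExchange(roots, cert, key, "example.test", "GET / HTTP/1.1"))
}
```

verifyChain returns nil for example.test, a hostname error for evil.test, and an unknown-authority error when the root is missing from the pool; tlsExchange with ServerName evil.test fails inside the handshake with the same hostname error, before any request is sent. The cipher suite reported for a successful handshake is a symmetric AEAD suite (AES-GCM or ChaCha20-Poly1305): the certificate's public key authenticates the server and protects the key agreement, and the session key that comes out of that agreement is what encrypts the traffic.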

Please use the comment box below if you like this post or need more information.