The Secure Socket Layer

    August 12, 2003

What is SSL?

SSL, or Secure Socket Layer, is an Internet Engineering Task Force (IETF) approved protocol designed by Netscape to facilitate the secure transfer of information over the World Wide Web. SSL works by authenticating the server’s identity, along with the user’s identity, and sending encrypted information through the channel, protected from prying packet sniffers.

You can recognize a secure communication channel on the Internet by the https instead of http in your browser’s address bar. SSL is most often used when transferring credit card and other personal information over the Internet to e-commerce web sites. SSL pages usually take slightly longer to load because the data needs to be encrypted and decrypted between the server and the user.

This article is divided into three sections, What is SSL?, How does SSL work? and Who are the certificate authorities?

How does SSL work?

Okay, we know what SSL is and what it does, but how does it actually work? Although the process may seem complicated at first, these steps take place in a split second, involving no human interaction whatsoever.

Before we go forward, understand what an SSL enabled web server is. An SSL web server is one that has had its identity confirmed: a certificate authority provides that web server with identification (like a driver’s license). You, the client, ask for that identification before sending any data, making sure the channel is secure and that you are doing business with a properly authenticated web site (and company).

This is analogous to your driver’s license. The DMV issues you a driver’s license which you use for identification. When a hotel clerk asks for your driver’s license, he or she is demanding proper identification before the transaction. This is exactly what takes place between you, the user, and the SSL enabled web server. You are demanding identification from the web server before you do business with it.

The process is detailed below.

  • Before any SSL data can be sent, the user must first contact an SSL enabled web site (remember, https).

  • Next, the web server that you just surfed to will send your browser a ‘digital certificate’, which ensures that the server that you are contacting is the server which it says it is. The digital certificate contains the certificate information (like the name and expiration date) and the name of the certificate issuer (or certificate authority). It also contains an encrypted version of the digital certificate. This certificate is encrypted with the certificate authority’s private key. The server will also generate a unique private and public key combination which will be used for encryption after a secure connection is made.

  • The browser will then decrypt the encrypted digital certificate (by using the certificate authority’s public key) and will compare it with the certificate information. If it matches, a connection can be made; otherwise (which indicates that packets have been tampered with during transmission), no secure connection can be made.

  • Next, the user’s browser will generate a secret code (known as a “session key”) that both your browser and the web server will use to encrypt data throughout the secure session. This code is kept strictly confidential between both parties, and is only used for this particular secure session between you and the SSL enabled web site. The secret code is encrypted with the public key that the SSL enabled web server sent along with the digital certificate. The server can now decrypt the secret code by using the corresponding private key. The server will then use the secret code to decrypt all encrypted data sent by the user’s browser.
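As an added illustration of the four steps above (example code written for this page, not anything from the original article), here is a Go program that uses only the standard library and plays both sides. It constructs its own certificate authority and a server certificate issued by it (both constructed for the example; the host name shop.example and the order text are made up), performs the browser’s check of the certificate against the CA’s public key and the visited host name, and then carries out the session-key exchange: the browser picks a random session key, encrypts it with the server’s public key, the server recovers it with its private key, and application data then flows under that key with AES-GCM. The “encrypted version of the digital certificate” that the article describes is, in X.509 terms, the CA’s signature over the certificate, and that is what cert.Verify checks here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA creates a self-signed certificate authority (the DMV in the analogy).
// Constructed for this example; real browsers ship a list of trusted CAs.
func makeCA() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueServerCert is the CA signing the server's identity with the CA private key.
// The returned DER bytes are the "digital certificate" the server presents (step 2).
func issueServerCert(caKey *rsa.PrivateKey, ca *x509.Certificate, host string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the server's own key pair
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return key, der, err
}

// clientVerify is the browser's step 3: check the CA signature with the CA public
// key, the validity period, and that the certificate was issued for this host.
func clientVerify(der []byte, ca *x509.Certificate, host string) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return nil, err // tampered, forged, expired or wrong host: no secure connection
	}
	return cert, nil
}

// aesGCM builds the symmetric cipher both sides use under the session key.
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Handshake runs the four steps end to end and returns the text the server decrypted.
func Handshake(host, message string) (string, error) {
	caKey, ca, err := makeCA()
	if err != nil { return "", err }
	serverKey, serverDER, err := issueServerCert(caKey, ca, host)
	if err != nil { return "", err }
	serverCert, err := clientVerify(serverDER, ca, host) // browser checks before sending anything
	if err != nil { return "", err }
	// Step 4: browser makes a session key and encrypts it with the server's public key.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil { return "", err }
	serverPub := serverCert.PublicKey.(*rsa.PublicKey)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	if err != nil { return "", err }
	recovered, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil) // server side
	if err != nil { return "", err }
	// Application data now travels under the session key; a sniffer sees only sealed bytes.
	gcm, err := aesGCM(sessionKey)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	sealed := gcm.Seal(nil, nonce, []byte(message), nil)
	srvGCM, err := aesGCM(recovered)
	if err != nil { return "", err }
	plain, err := srvGCM.Open(nil, nonce, sealed, nil)
	return string(plain), err
}

func main() {
	fmt.Println(Handshake("shop.example", "order 42: two widgets"))
}
```

The checks in clientVerify are what a browser does before the session key is ever sent: flipping a byte of the certificate, presenting it for a different host name, or presenting a certificate issued by a CA the client does not trust all stop the handshake at step three, and no session key or application data leaves the client.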

Now that a secure connection is made and data is encrypted (using the session key), any packet can still be intercepted by a hacker. But, unless the hacker knows the session key that was established between the user’s browser and web server, he or she cannot read any data.

That, in a nutshell, is how SSL works. Now you may think of your transactions through an SSL enabled web server in a whole new way.

Who are the certificate authorities?

There are a number of certificate authorities, but the two most popular are Verisign and Thawte.