Secure Sockets Layer, otherwise known as SSL, is an encryption protocol that creates an authenticated channel between devices on the internet, so that information can be shared securely. Essentially, SSL puts the “s” in URLs that start with “https://” which means that the connection between you and the server is secure.
SSL was the security standard for websites until 1999, when it was succeeded by the updated protocol, Transport Layer Security (TLS). Although modern websites actually use TLS, SSL is still a widely used term, and it’s also common to see the technology referred to as SSL/TLS.
Much like a VPN encrypts your online activity, SSL/TLS is another critical part of keeping your data secure on the internet. Use this quick guide to learn more about what SSL is, how it works, why it’s important, and how to get an SSL certificate for your website.
How Does SSL Work?
SSL provides the elements that are necessary to encrypt both the channel and the data being transmitted online. The protocol establishes a private connection between the browser and web server through a process known as an “SSL Handshake.”
The SSL Handshake uses three keys to establish a private connection: the private, public, and session keys. If data is encrypted with the private key, only the public key can decrypt it. On the other hand, the private key is the only thing that can decrypt information that is encrypted with the public key.
Both the private and public keys are used during the SSL Handshake to create a secure session key that will encrypt all transmitted data. For a step-by-step breakdown, check out the process below.
6 Steps of the SSL Handshake:
- The web browser (i.e., the client) connects with a website secured by SSL (i.e., SSL server) and requests that the website identify itself. This is known as the “client hello.”
- To identify itself, the website sends a copy of its SSL certificate and the website’s public key. This response is called the “server hello.”
- Then the client checks the certificate against a list of certificate authorities (CA) and makes sure the certificate hasn’t expired or been revoked.
- If the certificate is authentic, the client will trust it, create a symmetric session key, and encrypt that key using the website’s public key.
- The SSL server then decrypts the session key with the private key and sends an encrypted acknowledgement to start the session.
- All data transmitted between the website and browser is encrypted with the session key.
Despite all the various steps, the SSL Handshake actually occurs instantaneously and the process isn’t noticeable to website visitors.
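Steps 4 to 6 above can be reproduced offline with the openssl command line. This is an added illustration, not part of the original guide; the file names, the `session_demo` and `hex` helpers and the sample message are constructed for it.

```bash
#!/usr/bin/env bash
# Added illustration of handshake steps 4-6 as described above.
# File names and the sample message are constructed.
set -eu

# Hex-encode a binary file so it can be passed to `openssl enc -K`.
hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

session_demo() {
  local d iv plain
  d=$(mktemp -d)

  # Server: RSA key pair. The public half is what the certificate delivers in step 2.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/server.key" 2>/dev/null
  openssl pkey -in "$d/server.key" -pubout -out "$d/server.pub"

  # Step 4 (client): random 256-bit session key, encrypted to the server's public key.
  openssl rand -out "$d/session.client" 32
  openssl pkeyutl -encrypt -pubin -inkey "$d/server.pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$d/session.client" -out "$d/session.enc"

  # Step 5 (server): only the private key can recover the session key.
  openssl pkeyutl -decrypt -inkey "$d/server.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$d/session.enc" -out "$d/session.server"

  # Step 6: the client encrypts with its copy, the server decrypts with the recovered copy.
  # (AES-CBC via `openssl enc` for brevity; real TLS records are also integrity-protected.)
  iv=$(openssl rand -hex 16)
  printf '%s' "$1" | openssl enc -aes-256-cbc -K "$(hex "$d/session.client")" -iv "$iv" -out "$d/record.enc"
  plain=$(openssl enc -d -aes-256-cbc -K "$(hex "$d/session.server")" -iv "$iv" -in "$d/record.enc")

  rm -rf "$d"
  printf '%s\n' "$plain"
}

session_demo "GET /account HTTP/1.1"
```

TLS 1.3 no longer offers this RSA key transport: it agrees the session key with an ephemeral Diffie-Hellman exchange and uses the certificate's key only to sign the handshake.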
Why is SSL Important?
Without SSL, if you share confidential information like your Social Security number online, that information is exchanged using plain text. Because plain text is not secure, your information is vulnerable to hackers and cybercriminals who may be trying to intercept and use your data.
Anytime you make a payment online or share personal information like your credit card number, SSL ensures that your data is kept private. As such, it’s a critical part of establishing trust between a website and its visitors.
It also helps websites abide by the following information security standards:
- Authentication: verifies that the website server is the correct server
- Encryption: keeps data transmissions private and protected
- Integrity: confirms that the data that is requested or transmitted is actually delivered
What is an SSL Certificate?
Similar to a passport or ID card, an SSL/TLS certificate verifies that a website or application is actually who it says it is, and it is stored on the website’s server.
The SSL certificate also contains the private and public keys that are used during the SSL Handshake to create a secure connection. Without an SSL certificate, there is no way for your website to enable the SSL protocol.
How To Get an SSL Certificate
Follow the steps outlined below to learn how to get an SSL/TLS certificate for your website.
1. Create Keys and a Certificate Signing Request (CSR)
The first step to obtaining an SSL/TLS certificate is to generate a pair of private and public keys on your server. Then, you’ll create a certificate signing request on your website’s server.
A CSR is an encoded data file that functions as a standardized method of sharing your public key and any identifying company information with a certificate authority.
Common Information on a CSR:
- Name of company and common name
- Company location
- Key type and size
2. Send the CSR Data File to the Certificate Authority (CA)
Once you have a CSR, you’ll need to submit the encrypted data file to a CA to get your certificate. To do this, you’ll need to pick a CA, like DigiCert or SSL.com, that is publicly trusted by web browsers.
Also, you’ll need to determine if you can use a standard free certificate or if you need to pay for a custom certificate. Regulated industries like insurance or finance have specific requirements for SSL certificates that may need customization.
After deciding on a trusted CA and the type of certificate you need, you can send out your CSR file. The CA will then send you your SSL/TLS certificate.
3. Install the SSL Certificate on Your Server
Now that you have your SSL/TLS certificate, you need to install it on your web server. You’ll also have an intermediate certificate to install, which confirms the authenticity of your certificate by linking it to your CA’s root certificate.
Follow the instructions from your server to install and test your certificate. Once installed, any browsers your website connects with will let users know that your site is secure and trustworthy.
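The three steps above, run end to end offline with the openssl command line. This is an added example, not part of the original guide: the subject values, file names and the `issue_and_check` function are constructed, and a throwaway local "Demo CA" stands in for the public CA in step 2. It signs directly from its root, so there is no intermediate certificate as there would be from a public CA.

```bash
#!/usr/bin/env bash
# Added example: steps 1-3 run offline. Every name, subject value and the
# throwaway "Demo CA" are constructed; a public CA performs step 2 in practice.
set -eu

issue_and_check() {
  local d csr_subject chain=fail match=fail fresh=fail
  d=$(mktemp -d)

  # Step 1: private key + CSR. The subject carries the company name, location
  # and common name; the key type and size are set by -newkey.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/site.key" -out "$d/site.csr" \
    -subj "/C=US/ST=Example State/L=Example City/O=Example Co/CN=www.example.test" 2>/dev/null
  # The CSR is signed with the private key; -verify checks that signature.
  openssl req -in "$d/site.csr" -noout -verify >/dev/null 2>&1
  csr_subject=$(openssl req -in "$d/site.csr" -noout -subject -nameopt RFC2253)

  # Step 2 (stand-in): a local CA signs the CSR. Only the CSR, never site.key, is handed over.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -days 30 -subj "/O=Demo CA/CN=Demo Root" 2>/dev/null
  openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/site.crt" 2>/dev/null

  # Step 3: checks worth running before installing the certificate:
  # it chains to the CA, it matches the private key, and it is valid for 7+ days.
  openssl verify -CAfile "$d/ca.crt" "$d/site.crt" >/dev/null 2>&1 && chain=ok
  [ "$(openssl x509 -in "$d/site.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$d/site.key" -pubout | openssl sha256)" ] && match=ok
  openssl x509 -in "$d/site.crt" -noout -checkend 604800 >/dev/null && fresh=ok

  rm -rf "$d"
  printf 'csr=%s\nchain=%s key_match=%s valid_7_days=%s\n' "$csr_subject" "$chain" "$match" "$fresh"
}

issue_and_check
```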
How To Tell if a Website is Secure With SSL
There are a few ways to tell if a website you’re using is secured by SSL. All you need to do is take a quick glance at the URL bar to learn what you need to know. Below we detail the two signs that indicate a website is secure.
- The URL begins with “https://” instead of “http://”: The “s” in “https://” stands for a secure connection and confirms that the website is SSL-encrypted.
- There’s a padlock icon next to the secure URL: Depending on your browser, a padlock icon will appear either to the left or right of your URL. For example, if you use Google Chrome, the padlock should be on the left.
- Bonus: Verify that the website’s SSL certificate is valid. A website with an expired SSL certificate won’t actually have a secure connection, but it may still have a URL that starts with “https://” and may also show a padlock. Check that the certificate is still valid and that your connection is secure by clicking on the padlock in the URL bar for more information. If a website doesn’t put its identity on its certificate, this is a red flag that you shouldn’t share your personal information with it.
TLS vs. SSL: What’s the Difference?
As the successor to SSL, TLS was created as an update of SSL technology that was given a different name. They’re essentially similar protocols that both use encryption to keep users’ data private online.
With this being said, SSL is antiquated in comparison to the latest TLS version (TLS 1.3) and is considered insecure by modern web browsers. Although TLS is the most updated technology that is used to secure websites today, the term SSL is still widely known and used.
SSL vs. TLS: The Same But Different
| | Secure Sockets Layer (SSL) | Transport Layer Security (TLS) |
|---|---|---|
| Versions and dates released | SSL 1.0 (never publicly released); SSL 2.0 (1995); SSL 3.0 (1996) | TLS 1.0 (1999); TLS 1.1 (2006); TLS 1.2 (2008); TLS 1.3 (2018) |
| Major cryptographic difference | Uses a port to make connections (i.e., an explicit connection) | Uses a protocol to make connections (i.e., an implicit connection) |
SSL/TLS is an important line of defense when it comes to protecting your data online. It creates secure connections between websites and servers, and keeps all transmitted information encrypted and private.