SSL (Secure Sockets Layer) is a method, or protocol, for securing connections between computers. If the connection between two computers is not secured, then cyber attackers can intercept these communications and steal data, including credit card numbers and personal information. If you have any kind of online business, then these attacks (eavesdropping, phishing or man-in-the-middle attacks) are a threat to you.
SSL is the industry standard for securing data, and is used by millions of websites to protect their online communications with their users. For any online store, SSL is obviously a necessity, but many social and messaging sites are moving toward using SSL for all user sessions.
SSL makes connections safe by encrypting them. Now we'll take a look at how it does that.
How Does SSL Work?
Let’s first take a look at two important concepts – symmetric and asymmetric encryption. Don’t worry – this is actually pretty simple.
- Symmetric encryption: both computers use the same key (a long random value generated by one of them) to lock and unlock the data they send.
- Asymmetric encryption: Instead of using one key, there are two. The public key is used to lock the data, and the private key is used to unlock it.
Think of it like this – symmetric encryption functions like a code that you agree on beforehand. So if we’re trying to write secret messages and use the simple code that a=1, b=2, and so on, then the message 8, 5, 12, 12, 15 says “hello”. This code works if both of us know it. You use the same code to encrypt and decrypt the message.
Asymmetric encryption is like a key and a padlock – anyone can lock the padlock, but you need the key to open it. You use different codes to encrypt and decrypt the message. The public key (the padlock, in this analogy) is available to everyone, but the private key is secret and stored on the site's server.
SSL Encryption Methods
SSL uses a sophisticated combination of both of these methods to communicate in four steps.
- The first part is identification, or the SSL Handshake. In this step, when you connect to a site with an https (secure) address, your browser asks that the server identify itself.
- The server then sends its SSL Certificate back (more on SSL Certificates later), which includes the public key. This is the first part of the asymmetric encryption.
- The browser then makes sure that the SSL Certificate is genuine and valid for the website you’re connecting to. Major browsers ship with a built-in list of trusted certificate authorities (like Crazy Domains). If the certificate checks out, another key is made, called a session key. This is the symmetric encryption part. The session key is encrypted using the public key in the SSL Certificate (remember, only the server holds the private key that can decrypt it), and the browser sends the encrypted session key back.
- The server then decrypts the session key using its private key (that only it has) and then sends back a prompt that everything went fine and that the secure connection can start.
That's how the server can use asymmetric encryption once to set up symmetric encryption securely (asymmetric encryption uses a lot of computing resources, so it makes connections slower). If only symmetric encryption were used and the key were simply sent across, then anyone listening in would also have the key. With SSL, the session key only ever travels locked with the server's public key, so an eavesdropper cannot recover it and cannot break the encryption.
As we saw in the example above, the SSL Certificate is very important in creating secure connections. It contains the public key that the browser uses to encrypt the session key; the matching private key stays on the server and is never sent.
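The four steps above, played out end to end in Go as an added example (this is not code from the original article and not how any particular browser or server is implemented): the server's RSA key pair stands in for the certificate's public and private keys, the browser wraps a random session key with the public key (RSA-OAEP), the server unwraps it with the private key, and both sides then use that same session key with AES-GCM, which is the symmetric part from the earlier section. The sample message and the "guessed" key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// wrapSessionKey (browser, step 3): a random session key locked with the server's public key via RSA-OAEP.
func wrapSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // 256-bit AES key
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// unwrapSessionKey (server, step 4): only the private key, which never left the server, can unlock it.
func unwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, serverPriv, wrapped, nil)
}

// newGCM sets up AES-256-GCM, the symmetric cipher both sides use from here on.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage encrypts with the session key; the random nonce is prepended.
func sealMessage(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openMessage decrypts with the same session key; a wrong key or any tampering
// fails GCM's integrity check instead of yielding garbage.
func openMessage(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

type Exchange struct {
	KeysMatch    bool   // browser and server hold the same session key
	Received     string // the message as the server decrypted it
	WrongKeyFail bool   // a key other than the real one is rejected
}

// RunExchange plays both sides: the server's key pair stands in for the
// certificate, the browser wraps a session key, and the two then talk over AES.
func RunExchange(message string) (Exchange, error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // server's long-term key pair
	if err != nil {
		return Exchange{}, err
	}
	browserKey, wrapped, err := wrapSessionKey(&serverPriv.PublicKey) // wrapped goes over the wire
	if err != nil {
		return Exchange{}, err
	}
	serverKey, err := unwrapSessionKey(serverPriv, wrapped)
	if err != nil {
		return Exchange{}, err
	}
	ct, err := sealMessage(browserKey, []byte(message)) // browser encrypts with its copy
	if err != nil {
		return Exchange{}, err
	}
	pt, err := openMessage(serverKey, ct) // server decrypts with its copy
	if err != nil {
		return Exchange{}, err
	}
	// An eavesdropper sees wrapped and ct but not the private key, so holds no
	// session key; any other key (constructed here) fails to decrypt.
	guess := bytes.Repeat([]byte{0x42}, 32)
	_, guessErr := openMessage(guess, ct)
	return Exchange{bytes.Equal(browserKey, serverKey), string(pt), guessErr != nil}, nil
}
```

This is the RSA key-transport exchange the article describes, as used by TLS 1.2 and earlier. TLS 1.3 replaced it with an ephemeral Diffie-Hellman exchange so that a server private key disclosed later cannot be used to unwrap recorded sessions; the split between one expensive asymmetric step and a fast symmetric session is unchanged.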
It also contains the identity of the site that uses the certificate. This is very important as well, as sites that attempt to steal user information often use forged SSL certificates. Luckily, modern browsers do not trust these sites and give prominent warnings when people try to access them.
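The certificate check from step 3 of the handshake, as an added Go example that is not part of the original article: a constructed root CA issues a certificate for the made-up host shop.example, and that certificate is then checked the way a browser would under four conditions. All names, dates and keys are generated inside the example, and the browser's list of trusted authorities is modelled as an x509.CertPool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for tmpl signed by parent; with parent == nil it signs itself (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verdict turns the verifier's error into the kind of message a browser shows.
func verdict(err error) string {
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "untrusted issuer" // forged or home-made: issuer not in the browser's list
	case errors.As(err, &hostname):
		return "name mismatch" // genuine certificate, but issued for another site
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	default:
		return "invalid: " + err.Error()
	}
}

// checkCertificate is the browser's check: signed by a trusted authority, issued for this host, still within its dates?
func checkCertificate(site *x509.Certificate, trusted *x509.CertPool, host string, now time.Time) string {
	_, err := site.Verify(x509.VerifyOptions{
		Roots:       trusted,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return verdict(err)
}

type Scenario struct{ Name, Verdict string }

// RunScenarios builds a constructed CA and site certificate, then checks the certificate under four conditions.
func RunScenarios() ([]Scenario, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	site, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "shop.example"},
		DNSNames:     []string{"shop.example"}, // the identity the certificate vouches for
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	browserList := x509.NewCertPool() // the browser's built-in list of trusted authorities
	browserList.AddCert(ca)
	return []Scenario{
		{"genuine certificate from a trusted CA", checkCertificate(site, browserList, "shop.example", now)},
		{"same certificate, CA not in the browser's list", checkCertificate(site, x509.NewCertPool(), "shop.example", now)},
		{"genuine certificate presented by a different site", checkCertificate(site, browserList, "login.example", now)},
		{"certificate used after its expiry date", checkCertificate(site, browserList, "shop.example", now.AddDate(0, 0, 91))},
	}, nil
}
```

The second and third cases are the situations the paragraph describes: an issuer the browser has never heard of (a self-made or forged certificate) and a genuine certificate presented for a site it was not issued to. Both fail before any session key is exchanged, which is why the browser shows a warning instead of the page.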
To create an SSL Certificate you will need to generate a CSR (Certificate Signing Request). See our article called What is a CSR? for more details.
Do I Need an SSL Certificate?
If you have an online business and you want your customers to know that they are secure, then SSL is the industry-standard way to go. All banks use SSL certificates, as do PayPal and eBay. They are vital for any ecommerce site. They secure data and let your customers know that they are in good hands. We recommend SSL for any serious online business.
In addition, Google gives extra weight to sites that have SSL in place. If you want your site to get found in search engines, then an SSL Certificate can only help you.
If that's what you want, get your SSL Certificate and let your customers know they’re safe. They are available within your Account Manager.