Secure Sockets Layer (SSL) definition & meaning
SSL stands for “Secure Sockets Layer”, a protocol that secures communication between a client and a server over a computer network. It was developed by Netscape in the mid-1990s and uses cryptography to protect data in transit in three ways: encryption keeps the data confidential, integrity checks detect tampering, and certificate-based authentication lets the client confirm it is talking to the real server rather than to an attacker who has inserted himself into the path (a man-in-the-middle, or MITM, attack). An eavesdropper who captures the traffic sees only ciphertext, which is why SSL, and its successor TLS, is one of the most essential components of online security for confidential information, banking details, and login credentials. Note that it protects data only while it travels between the two ends; data stored on the server or on the user’s device is outside its scope.
A brief history of SSL
The first version of SSL (1.0) was never released publicly because of security flaws. SSL 2.0 was released in 1995, but it too had serious weaknesses. SSL 3.0, the third and final version, was released by Netscape engineers in 1996 as a complete redesign, and every later version of the protocol descends from it. The name “TLS” (Transport Layer Security) first appeared in January 1999, when the IETF published TLS 1.0 as RFC 2246, an upgrade of SSL 3.0 whose editors, Tim Dierks and Christopher Allen, had worked on SSL at Consensus Development. The new name marked the protocol’s move from a single vendor to an open standards body.
TLS 1.1 followed seven years later, in April 2006 (RFC 4346), with better protection against attacks on cipher-block chaining (CBC) mode: it introduced explicit per-record initialization vectors and changed how padding errors are handled. TLS 1.2 came in August 2008 (RFC 5246). It replaced the fixed MD5/SHA-1 combination used for key derivation and signatures with SHA-256 and the other members of the SHA-2 (Secure Hash Algorithm 2) family, which were designed by the United States National Security Agency (NSA), and it added authenticated-encryption cipher suites such as AES-GCM. The latest version, TLS 1.3 (RFC 8446), was released in August 2018 and is a substantial redesign. One of the most important differences is that the key agreement and authentication algorithms were separated from the cipher suites, which now name only the AEAD cipher and the hash. RSA key transport and static Diffie-Hellman were removed, so every TLS 1.3 connection has forward secrecy; legacy algorithms such as RC4, 3DES, CBC-mode suites and MD5 or SHA-1 signatures were dropped; and the handshake completes in one round trip instead of two, with an optional zero-round-trip resumption mode that trades some replay protection for speed.
Why is SSL important for your website?
The primary purpose of both SSL and TLS is the same: securing data in transit between the client and the server with cryptography. The differences are in the details. TLS is an open IETF standard, so new cipher suites are defined through the standardization process rather than by one vendor; TLS dropped the Fortezza cipher suites that SSL 3.0 carried; and the two use different key-derivation and message-authentication constructions, so they are not interoperable. Today TLS 1.3 is the latest version and the one most browsers and servers prefer, while SSL 2.0 and SSL 3.0 are formally prohibited (RFC 6176 and RFC 7568, the latter prompted by the POODLE attack on SSL 3.0) and TLS 1.0 and 1.1 are deprecated (RFC 8996). Even so, “SSL” stuck as the everyday name over the last couple of decades and is widely used to mean TLS, as in “SSL certificate”.
A URL beginning with “https://” means the website serves HTTP over TLS and presents an SSL/TLS certificate. The certificate is an X.509 document that binds a public key to a name. It contains the domain names it is valid for (in the Subject Alternative Name extension), a validity period, the issuing Certificate Authority (CA), the public key and its algorithm, the signature algorithm and the CA’s signature, and a serial number. The thumbprint (fingerprint) that browsers display is not stored in the certificate; it is computed by hashing the certificate, usually with SHA-256 (older tools used SHA-1). A certificate does not record an SSL/TLS version, because the protocol version is negotiated in the handshake. Organization-validated and extended-validation certificates additionally carry the legal name of the organization that owns the website and its address. HTTPS therefore means the traffic between the browser and the server is encrypted and the server’s identity has been checked against its certificate; it says nothing about whether the site itself is honest, since anyone who controls a domain can obtain a certificate for it.
How does SSL work?
SSL/TLS combines two kinds of cryptography. Asymmetric (public-key) cryptography uses a key pair: the public key, which is published in the website’s certificate, and the private key, which only the server holds. Whatever is encrypted with the public key can be decrypted only with the matching private key, and a signature made with the private key can be checked by anyone who has the public key. That is what lets the client confirm it is talking to the holder of the private key. Public-key operations are slow, so the data itself is not encrypted with the public key; instead the handshake uses it to agree on a fresh session key, and the application data is then protected with a fast symmetric cipher such as AES under that key. The technique of using a key pair is called asymmetric encryption. The surrounding system of CAs, certificates and revocation that makes a public key trustworthy is the Public Key Infrastructure (PKI).
Establishing the secure connection is called the SSL/TLS handshake, and it starts with “hello” messages from both sides, just like a regular handshake. The ClientHello lists the protocol versions and cipher suites the client supports, a random value and, in TLS 1.3, the client’s key share for key agreement; it carries no certificate information. The server answers with a ServerHello that picks the version and cipher suite, followed by its certificate and, in TLS 1.3, a signature over the handshake so far that proves it holds the private key. The client then validates the certificate locally: it checks that the chain leads to a CA in its own trust store, that the certificate is within its validity period and matches the host name, and optionally that it has not been revoked (via a CRL or OCSP). Only after that are keys derived. With the RSA key exchange of TLS 1.2 and earlier, the client generates a random pre-master secret, encrypts it with the server’s public key and sends it, and the server decrypts it with its private key. With ephemeral Diffie-Hellman, the only option in TLS 1.3, each side contributes a fresh key share and both compute the same shared secret, so no secret is ever transmitted and past sessions stay secure even if the private key later leaks (forward secrecy). From the shared secret and the two random values both sides derive the master secret and the symmetric session keys, exchange Finished messages that authenticate the whole handshake, and switch to encrypting application data.
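The certificate fields listed in the HTTPS paragraph above and the handshake just described, as an added example that is not part of the original article: a Go program that generates a self-signed certificate for a hypothetical host example.test (a stand-in for what a CA would issue; the host name, organization name and 90-day lifetime are assumptions), prints the fields a browser’s certificate viewer shows, and then runs a real TLS handshake between an in-process client and server over loopback TCP, once with the certificate in the client’s trust store and once with an empty store, so the client rejects it the way a browser rejects an unknown CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Host is the hypothetical site name used throughout the example.
const Host = "example.test"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewSelfSignedCert makes a throw-away P-256 key pair and signs a 90-day certificate
// for Host with it. A CA would normally sign; here the certificate is its own root.
func NewSelfSignedCert() (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: Host, Organization: []string{"Example Org"}},
		DNSNames:              []string{Host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// Inspect returns the fields a browser's certificate viewer shows. There is no "TLS version"
// inside a certificate, and the fingerprint is computed over the DER bytes, not stored.
func Inspect(c *x509.Certificate) map[string]string {
	sum := sha256.Sum256(c.Raw)
	return map[string]string{
		"subject": c.Subject.String(), "issuer": c.Issuer.String(),
		"dnsNames": strings.Join(c.DNSNames, ","), "serial": c.SerialNumber.String(),
		"notBefore": c.NotBefore.Format(time.RFC3339), "notAfter": c.NotAfter.Format(time.RFC3339),
		"publicKeyAlgorithm": c.PublicKeyAlgorithm.String(), "signatureAlgorithm": c.SignatureAlgorithm.String(),
		"sha256Fingerprint": hex.EncodeToString(sum[:]),
	}
}

// Handshake runs one TLS handshake over a loopback TCP socket. The client accepts the
// server only if the certificate chains to a root in roots and is valid for Host.
func Handshake(cert tls.Certificate, roots *x509.CertPool) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() { // server side: accept, present the certificate, finish or fail
		conn, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer conn.Close()
		srvDone <- tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{ServerName: Host, RootCAs: roots, MinVersion: tls.VersionTLS12})
	err = cli.Handshake()
	<-srvDone // wait for the server to finish, or to read the client's alert
	return cli.ConnectionState(), err
}

func main() {
	cert, leaf := NewSelfSignedCert()
	fmt.Println(Inspect(leaf))
	trusted := x509.NewCertPool() // stand-in for the browser's root store
	trusted.AddCert(leaf)
	st, err := Handshake(cert, trusted)
	check(err)
	fmt.Printf("trusted root: version=%#x suite=%#x peer=%s\n", st.Version, st.CipherSuite, st.PeerCertificates[0].Subject)
	_, err = Handshake(cert, x509.NewCertPool())
	fmt.Printf("unknown CA:   %v\n", err) // the client must refuse to continue
}
```

The first handshake negotiates TLS 1.3 (version 0x0304) and the client sees the server’s certificate in the connection state; the second ends with a “certificate signed by unknown authority” error from the client. What decides whether the server is believed is the client’s local trust store, not a query to the CA. Setting InsecureSkipVerify to make that error go away is the configuration mistake that turns TLS back into unauthenticated encryption, exactly what a man-in-the-middle needs.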
What are the types of SSL?
There are three validation levels for SSL/TLS certificates. Domain Validation (DV) is the most common, especially among smaller organizations: proving control of the domain (for example by answering an HTTP or DNS challenge from the CA) is enough for the CA to issue. Organization Validation (OV) requires the CA to verify both domain control and the legal existence of the business, which it records in the certificate’s Organization field; it is mostly chosen by medium-sized organizations. Extended Validation (EV) involves the strictest identity vetting and is preferred by e-commerce companies, social networks, and other online operations that want the strongest identity claim. Browsers used to highlight EV certificates in the address bar with the organization’s name, but the major browsers removed that treatment around 2019, so an EV certificate is now visible only in the certificate details. All three levels provide the same encryption; they differ only in how much the CA has checked about who is behind the site.
As mentioned above, SSL certificates are crucial components of present-day internet security, but some website owners are reluctant to install one because of the additional cost. Let’s Encrypt, a non-profit organization, made certificates more accessible by creating a free certificate authority that issues DV certificates through an automated protocol (ACME, RFC 8555), so a certificate can be obtained and renewed by software without manual paperwork. Because installing a certificate by hand still takes some technical skill, most WordPress hosting companies now include a free SSL certificate with their hosting plans, which makes HTTPS straightforward even for entry-level enterprises.
Differences between free SSL and paid SSL certificate
Free SSL certificates improve a website’s security just as much as paid ones, since the encryption is identical, but they do not offer every feature of paid services. The most important difference is validation level: free CAs issue Domain Validation only, so a site that wants its business information verified and recorded in the certificate needs an Organization Validation or Extended Validation certificate, which is not available for free.
Another major difference is lifetime. Paid certificates have traditionally been issued for one to two years (public CAs have capped new certificates at 398 days since 2020), while the most popular free certificates last 90 days and must be renewed, a process that is meant to be automated. Paid SSL certificates also usually come with a support system via email, phone call or live chat; OV and EV certificates include the verified business name in the certificate information; and paid CAs offer a warranty that pays compensation if a mis-issued certificate causes a loss, which free certificates do not.
It is safe to say that your data is only as secure as the cryptography protecting it. The “128-bit” or “256-bit” advertised for SSL encryption is the length of the symmetric session key (for example AES-128 or AES-256), and the cost of a brute-force attack doubles with every extra bit, so a 256-bit key has 2^128 times as many possibilities as a 128-bit one. In practice both are far beyond exhaustive search with any foreseeable computer; 256-bit keys mainly add margin against future advances, including quantum attacks, which roughly halve the effective strength of symmetric keys. The certificate’s own RSA or ECDSA key is a separate quantity (2048-bit RSA or 256-bit ECDSA are the common minimums), and the weakest link is usually not the key length but an outdated protocol version, a weak cipher suite, or a private key that has been mishandled.