The primary reason for using Secure Sockets Layer (SSL) on a website is to make information travelling to and from the server as difficult as possible for malicious third parties to intercept or read. The role of an SSL certificate is to indicate to the visitor’s browser that the site they have connected to is the real site, and not that of an interceptor.
When a secure connection is requested, it is set up in several steps:
1) A request is received by the outer layer of the server. If a secure connection is required, the request is passed to the SSL layer (whereas non-secure requests are typically passed to a TCP/IP layer).
2) The SSL layer initiates a ‘handshake’ between itself and the browser – detecting and deciding which encryption type to use.
3) The server and the visitor’s browser pass each other necessary information – the server also sending the browser its SSL certificate and a public key.
4) The visitor’s browser checks the certificate it receives, and if it doesn’t match the intended domain name, notifies the visitor that there is a problem.
5) If the certificate is valid, the browser creates a ‘pre-secret key’, which is encrypted using the agreed-upon encryption type and combined with the server’s public key.
6) Together, the browser and server then turn the ‘pre-secret key’ into a ‘secret key’, which is used as the key for the encryption of any data passed between them for the rest of the session.
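Step 4 above, as an added example (not code from the original page): a simplified version of the comparison a client makes between the names in a certificate and the domain the visitor asked for. The certificate dictionary is constructed sample data in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function names are hypothetical.

```python
# Added example. CERT is constructed sample data, not taken from a real site.
CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS name from a certificate with the requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard never covers more than one label
    if any("*" in label for label in p[1:]):
        return False  # wildcard characters are only accepted in the leftmost label
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "w*" are refused here
    return p == h


def certificate_matches(cert: dict, hostname: str) -> bool:
    """True if any DNS entry in the certificate covers the hostname."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(name, hostname) for name in names)


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com", "example.org"):
        verdict = "match" if certificate_matches(CERT, host) else "MISMATCH: warn the visitor"
        print(f"{host:18} {verdict}")
```

A real client also verifies the certificate's signature chain and validity dates before trusting the name; this block covers the name comparison only.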
In order to use an SSL connection, ‘Hypertext Transfer Protocol with Secure Sockets Layer’ (HTTPS) must be used in the URL instead of the standard ‘Hypertext Transfer Protocol’ (HTTP), to tell the server that a secure connection is required. Depending on the browser being used, various icons are displayed to inform the user that the secure connection is in place.
Various companies on the web provide SSL certificates, ‘VeriSign’ being one of the largest. For a fee they will provide the necessary certificate, after which it is a case of configuring the server to use it properly.
As well as the security and confidentiality benefits brought by SSL, as described above, there are other reasons for wanting an SSL certificate. For some companies, having an SSL certificate is a way of showing visitors that they are a legitimate organisation, and a way of enhancing the brand by telling visitors that they can be trusted. It is a way of showing your professionalism to visitors.
SWS has vast experience in setting up and using SSL certificates at both ends of the scale. Our recent project with one of the top energy providers in the UK required strict SSL to be in place, for which we used 256-bit encryption. On the other hand, many of our previous projects have also stated SSL as a requirement, for which we have been happy to include the more appropriate 128-bit encryption.