How SSL Works
The Secure Sockets Layer (SSL) is a protocol that provides secure communication between a client and a server. Here the client is your browser and the server is the web site you’re communicating with. Secure communication tries to accomplish three main goals: privacy, message integrity, and authentication.
An Example Scenario
A wants to buy a book from B’s online store. In order to complete the process he’ll need to transmit sensitive personal information like his credit card number. A wants to make sure that the data he sends to B is kept confidential (privacy), and cannot be altered along the way (message integrity). He also wants to make sure that he’s really sending the information to B and not an imposter (authentication).
The sensitive information A sends to B is kept private by a method called cryptography. A plaintext message is encrypted into ciphertext. It’s estimated that trying to crack the ciphertext by brute force alone (trying every possible combination) would take millions of years even if all the computers in the world were linked together to decrypt it.
Public Key Cryptography
The information that turns a plaintext message into an encrypted ciphertext message is called a key. Public key cryptography makes use of a pair of keys: one is public, and the other is private. A wants to send B private information, so B says, “Hello A, use this public key to encrypt your message before sending it to me. When I receive your encrypted message I will use my private key to decrypt your message.” It’s okay for anyone to have a copy of the public key, but only B should have a copy of his private key. A plaintext message encrypted with the public key can only be decrypted with the private key.
When A sends a message to B, someone could intercept that message, alter it, and send it on its way. A could end up buying the wrong book or more copies than he really wanted. Message integrity is achieved by sending a message digest along with the encrypted message. A message digest is a fixed-length representation of a message. A says to B, “I’m going to send you an encrypted message. So that you know my message to you hasn’t been intercepted and altered along the way, I’m also sending a fingerprint of my original message. Please check the fingerprint to see if it matches when you receive my message.”
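The fingerprint check described above, as an added example that is not part of the original article. It goes one step further than the text: it also shows why SSL keys its fingerprint with a secret shared by both sides (a MAC) instead of sending a plain digest. The order string, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data (assumptions, not values from the article).
ORDER = b"item=book;copies=1"
SHARED_KEY = b"constructed-session-secret"  # known only to A and B


def fingerprint(message: bytes) -> str:
    """Plain message digest: fixed-length SHA-256 fingerprint."""
    return hashlib.sha256(message).hexdigest()


def keyed_fingerprint(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: a fingerprint that requires the shared key to compute."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def b_checks(message: bytes, tag: str, key: Optional[bytes] = None) -> bool:
    """B recomputes the fingerprint and compares it in constant time."""
    expected = keyed_fingerprint(key, message) if key else fingerprint(message)
    return hmac.compare_digest(expected, tag)


def run_checks() -> dict:
    altered = ORDER.replace(b"copies=1", b"copies=9")  # changed in transit
    return {
        # Message arrives untouched: fingerprint matches.
        "intact": b_checks(ORDER, fingerprint(ORDER)),
        # Message altered, original fingerprint kept: mismatch is detected.
        "altered": b_checks(altered, fingerprint(ORDER)),
        # Limitation of an unkeyed digest: whoever can alter the message can
        # also recompute the fingerprint, and B's check still passes.
        "altered_refingerprinted": b_checks(altered, fingerprint(altered)),
        # Keyed fingerprint: a tag made without the shared key is rejected.
        "altered_wrong_key": b_checks(
            altered, keyed_fingerprint(b"not-the-key", altered), SHARED_KEY),
        "intact_keyed": b_checks(
            ORDER, keyed_fingerprint(SHARED_KEY, ORDER), SHARED_KEY),
    }


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print(f"{name:26} accepted={accepted}")
```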
A’s message to B is encrypted for privacy, and fingerprinted for message integrity, but how does A know that he is really sending the message to B? A needs to authenticate B, to make sure he’s really B and not someone else. Authentication is achieved by digital certificates.
Digital SSL Certificates
When A and B first negotiate their SSL session, B sends A a copy of his digital certificate. A digital certificate is an electronic document. Inside that certificate is a copy of B’s public key and information about its owner (domain name, organization name, location).
SSL Certificate – Why Should A Trust the Information?
Because the SSL certificate is verified or “signed” by a trusted third party Certificate Authority, such as Comodo. The trusted Certificate Authority’s job is to verify B’s application for a digital SSL certificate. The authentication process can range from verifying that B has authoritative control of his domain, to requiring B to submit legal documents that verify B’s business or organization. Once B’s identity has been verified, he will be issued a digital SSL certificate.