The SSL (Secure Sockets Layer) protocol was created in 1994 by Netscape (the leader in Internet browsers at the time) to respond to the growing concern about web security. The firm's objective was to create a new secure communication standard that encrypts the data passing between a site and its visitor. It was quickly adopted by e-merchants to secure online payments and quickly identified by buyers as a sign of confidence before entering their bank card numbers.
The SSL 2.0 standard was used from 1995 and was gradually replaced by SSL 3.0, used until 2015. This last version greatly inspired its successor, the TLS standard.
The new TLS standard
When the Netscape company was dissolved, the Internet Engineering Task Force (IETF), the group that created most Internet standards, took over and improved SSL, renaming it TLS (Transport Layer Security). This new version took over the characteristics of SSL 3.0 while improving the hash functions used to authenticate the electronic signature of certificates.
TLS is therefore an evolution of SSL, but because the latter is better known, the old acronym remains widely used in everyday language to designate a TLS certificate. This is not completely false in itself, TLS being an evolution of SSL.
What is the difference between HTTPS and SSL?
Do you know the OSI (Open Systems Interconnection) model? It is the global communication standard that governs communications between computer systems. The model is structured in 7 layers divided into two categories: the lower layers (hardware) and the upper layers (software). Here’s how the standard breaks down:
- Application layer: HTTP, HTTPS, SMTP, FTP…
- Presentation layer: TLS, SSL…
- User session layer: TLS, SSL, SSH…
- Transport layer: TCP, UDP…
- Network layer: IPv4, IPv6…
- Link layer: Ethernet, 802.11 WiFi…
- Physical layer: cable, optical fibre, radio waves, etc.
SSL is therefore located between the transport and application layers, i.e. it manages:
HTTPS is located at layer 7, Application. It combines the security of the SSL / TLS protocol with the well-known HTTP, which is THE communication protocol of the World Wide Web. HTTP handles, for example, web addresses (called URLs), sending and receiving data between the visitor and the site (GET and POST), and authentication by password. It returns information in HTML format, which is interpreted by the browser.
SSL / TLS certificate
To establish a secure TLS connection, the visitor must authenticate the site to which they connect. To do this, the server must host a digital certificate, which can be seen as an electronic identity card used to authenticate the site and to encrypt data exchanges.
In this case, it must meet the X.509 standard and be issued by a certification authority, which acts as a trusted third party by attesting to the identity of the site.
Certification authorities are organizations referenced by internet authorities that guarantee their reliability. These organizations issue public keys which are directly integrated into browsers.
A certificate contains two keys:
- A public key or root certificate, which authenticates the authority and validates the certificate.
- A private key which is hidden and will be used for encryption of data exchanges.
There are many types of certificates (free or paid) offering different types of services and guarantees. For more information, read our article “The different types of SSL certificates”.
To go further, let’s see concretely how it all works.
How an SSL / TLS connection works in HTTPS browsers
Here are the different stages of a secure connection in SSL / TLS between a website and a visitor:
- The browser sends the HTTPS site a request to establish a connection secured by TLS.
- The site sends its certificate back to the browser. The certificate contains the site's public key, its information (company name, address, etc.) and an encrypted electronic signature.
- The browser tries to decrypt the signature of the certificate using the public keys of the known certification authorities registered by default in the browser.
- If this works, the browser identifies the name of the corresponding certification authority, verifies that the certificate has not expired and sends a request to the authority to find out whether the certificate is still valid.
- If none of the public keys works, the browser uses the public key contained in the site certificate. This means that the site itself signs its certificate. A warning message may therefore appear to warn the user that the site identity is not certified by an authority and that they are running a potential risk.
- If the certificate is invalid, the connection cannot be established and an error message appears.
- If the connection is validated, the browser then generates a symmetric encryption key from the public key, which makes it possible to establish a session with the server.
- The server then decrypts this session key using its private key. The TLS connection is considered to be established and the encrypted data may start to pass.
- After the connection is interrupted or expired, the server revokes the session key.
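The three validation outcomes in the steps above (certificate signed by a known authority, self-signed certificate, expired certificate) can be reproduced offline with the openssl command-line tool. This is an added example, not part of the original article; the lab authority, the host names shop.example and selfsigned.example, and the `build_lab` and `verdict` helpers are assumptions made up for the illustration.

```shell
#!/bin/sh
# Constructed lab: throwaway keys and certificates in a temp directory (all names are made up).
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

build_lab() {
  # Lab "authority": its certificate plays the role of a root shipped with the browser.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Lab Root CA" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null &&
  # Site key pair and signing request for shop.example.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$LAB/site.key" -out "$LAB/site.csr" 2>/dev/null &&
  # The authority signs the request: site.pem is what the server would present.
  openssl x509 -req -in "$LAB/site.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
    -CAcreateserial -days 30 -out "$LAB/site.pem" 2>/dev/null &&
  # A second site that signs its own certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=selfsigned.example" \
    -keyout "$LAB/self.key" -out "$LAB/self.pem" 2>/dev/null
}

# verdict CERT [EPOCH]: check CERT against the lab root, optionally as if the
# clock read EPOCH. Prints "trusted" or the first openssl error code.
verdict() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$LAB/ca.pem" -attime "$2" "$LAB/$1" 2>&1)
  else
    out=$(openssl verify -CAfile "$LAB/ca.pem" "$LAB/$1" 2>&1)
  fi && echo "trusted" || echo "$out" | grep -m1 -o 'error [0-9][0-9]*'
}

build_lab || { echo "openssl could not build the lab" >&2; exit 1; }
# 90 days from now, i.e. past the 30-day lifetime given to site.pem.
LATER=$(( $(date +%s) + 90 * 86400 ))

echo "signed by the lab authority:  $(verdict site.pem)"
echo "self-signed:                  $(verdict self.pem)"
echo "signed, checked in 90 days:   $(verdict site.pem "$LATER")"
```

openssl reports the self-signed case as error 18 and the expired case as error 10; a browser turns the same conditions into its warning and error pages.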
The success of SSL lies in its ease of use for the end-user. Indeed, all browsers are compatible and communication is done without prior action by the visitor, who is simply informed by the display of a padlock (usually green) located in the address bar. This indication is a pledge of confidence long identified by visitors, who give it a lot of credit. An English study by TNS PLC found that 75% of visitors leave an online store if it is not secure.
The encryption methods used are known to be solid and provide security for data exchanges, protecting passwords, form data or bank details.
However, although SSL has existed since the beginnings of the Internet, it has too often been confined to payment platforms while a lot of personal data is now passing through websites. Giants like Google have understood this and have decided to strike hard, by warning browser users of the danger they run on a site not secured by SSL and by giving an SEO bonus to HTTPS sites. Now SSL is intended to become the main exchange standard on the web.
About the author
DMTwebhosting.com’s Editorial Team prides itself on bringing you the latest web hosting news and the best web hosting articles!