What is SSL and why you need it now?

Data transferred in plain-text form or in non-encrypted format can be intercepted, eavesdropped, compromised and stolen. Transactions performed online may involve submitting personal information such as credit card information, social security numbers, usernames and passwords. Cybercriminals who intercept unencrypted communications will gain full access to this data and can use it for fraudulent purchases and activities.

Trust and security are what make individuals sufficiently certain to give private, sensitive data on the web. SSL authentications are what make a site trusted. SSL stands for Secure Sockets Layer, the protocol which provides encrypted communications between a website and an internet browser. SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details and are typically installed on pages which ensure that any data transferred between users and sites, or between two systems remain impossible to read. It safeguards sensitive data being sent between two systems like credit card details or passwords, exchanged during each visit, which is called a session, from being intercepted from non-authorized parties. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information).

HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.

How it works:

The Secure Socket Layer protocol was originally created by Netscape. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. Let see how it works:

  • A browser requests a secure page (usually https://).
  • The web server sends its public key with its certificate.
  • The browser verifies that the certificate was issued by a trusted party (more often a trusted root CA), that the certificate is as yet legitimate and that the certificate is identified with the site reached.
  • The browser at that point utilizes public key, to scramble a random symmetric encryption key and sends it to the server with the encoded URL required and additionally other encoded http data.
  • The web server decodes the symmetric encryption key utilizing its private key and uses the symmetric key to unscramble the URL and http data.
  • The web server sends back the asked for html archive and http information scrambled with the symmetric key.
  • The program decodes the http information and html report utilizing the symmetric key and shows the data.

Thus the encryption using a private key/public key pair ensures that the data can be encrypted by one key but can only be decrypted by the other key pair. The keys are comparative in nature and can be utilized on the other hand: what one key encode, the other key pair can decode. The key pair depends on prime numbers and their length as far as bits guarantees the trouble of having the capacity to unscramble the message without the key sets. The trick in a key pair is to keep one key mystery (the private key) and to circulate the other key (the public key) to everyone. Anyone can send you a scrambled message, that lone you will have the capacity to decode.

Type of Certificates:

There are three basic sorts of certificates. Picking the correct one will be based on the level of security your site needs, for example domain-validated (low in security), organization-validated (medium), extended validation (high); property types you wish to protect (domain, sub-domain) and number of properties for which you need protection (wildcard or multiple domain).

  • Standard SSL & Extended Validation (EV) SSL – Standard SSL and EV SSL are both single-domain SSL (Secure Sockets Layer) certificate but the later ensures highest degree of authentication and requires more evaluation and documentation checks for applicant websites than the other.
  • Multi-Domain SSL – It offers the highest degree of authentication and protection using one certificate for many domains and sub domains.
  • Wildcard SSL – a Subject Alternative Names (SANs) secured Wildcard is a top choice for organizations managing multiple sites hosted across numerous sub domains.

Google’s disciplinary measures for non SSL websites:

For a considerable length of time, Google has been actively looking for approaches to urge site proprietors to actualize SSL certificates. Earlier Google follows a reward scheme in which it began ranking websites higher in search results if they had an SSL Certificate installed. At that time, SSL certificate was mandatory for web based business sites that acknowledged online buys and took users credit card details.

Recently, Google has moved from a reward system to a punitive one. Few months back, Google was blacklisting non-HTTPS websites that allowed password fields and credit card forms to be filled. From October, 2017 onwards Google Chrome browser began showing a “not secure” message on all websites that were running without an SSL certificate. In any case, with site security more essential than any time in recent memory, Google has chosen to “drive” all website owners to include this additional level of security, or pay the cost.

We’re here to help

If you’d like to talk further about your website’s security and how this might impact your business, we’re always available to help. Contact our office and speak to one of our friendly consultants should you have any questions.

References:

  1. http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
  2. https://www.instantssl.com/ssl-certificate.html

 

 

Share This: