Written by Robert Robert
Wednesday, 30 December 2009 17:00

SSL And You
by Robert Clowser and David Smith

What is SSL?

SSL, Secure Sockets Layer (its successor is TLS), is the most common way of encrypting and authenticating traffic on the internet. SSL can be used to secure websites (HTTPS), email (SMTP), chat (XMPP), and other protocols. In this post we will try to explain SSL, both pros and cons, in an attempt to help people understand one of the mysteries of the internet.

The most important thing to know about SSL is that SSL is based on trust. The user must trust that the Certificate Authority (the company that issues the certificate) is legitimate and responsible. Anyone can create a certificate authority (CA); there is nothing special about it. Modern browsers, however, are set to trust only certain CAs by default, including Verisign, Thawte and others.

What happens?

When you browse to a website that uses an SSL certificate, the most obvious change is that the protocol changes from HTTP to HTTPS and you see a yellow padlock somewhere in the browser. What goes on behind the scenes is slightly more complex. First, your browser requests an encrypted connection. The server responds with the highest protocol version and cipher that both sides support (think "we can both speak this language"). The server then transmits its digital certificate to the client (think "this is who I am"). The client checks that the certificate was signed by a CA it trusts, that it has not expired, that it names the site being visited, and, by asking the CA through a revocation list or OCSP, that the CA has not revoked it (think "is this still valid?"). If these checks succeed, the client and server use the public key in the certificate to agree on a random session key, and that key encrypts the rest of the traffic.

What's bad about it?

As stated, SSL is about trusting the Certificate Authority (CA). If the CA is not trustworthy, you can end up with an encrypted connection to a malicious computer without knowing it.

With that said, even having trustworthy Certificate Authorities doesn't solve all the problems with SSL. Certificates with short encryption keys are susceptible to brute-force attacks (think "short passwords are bad"), and certificates signed with outdated hash algorithms (MD2/MD5) can be forged by an attacker who finds a collision, so a browser that still accepts them can be fooled by a certificate the CA never issued.
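The checks a browser makes after the server hands over its certificate (trusted issuer, validity period, hostname, revocation) are easy to describe and easy to get wrong, so here is an added example of them in code. This is not code from the original post or from any browser; it is a small verifier modelled on the dictionary that Python's ssl.SSLSocket.getpeercert() returns. The certificate, the issuer name "Example Root CA", the trust store and the revoked-serial list are all constructed sample data standing in for a real CA bundle and a real CRL or OCSP answer.

```python
"""Added example: what a TLS client checks on the server's certificate.
Works offline on a constructed certificate in getpeercert() dict form."""
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, for a
# certificate a hypothetical "Example Root CA" issued to www.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA Inc"),),
               (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.static.example.com")),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Dec 31 23:59:59 2010 GMT",
    "serialNumber": "0A1B2C",
}

# Stand-in for the CA list a browser ships with: the "trust" in the post.
TRUSTED_ISSUERS = {"Example Root CA"}
# Stand-in for a CRL / OCSP answer: serial numbers the CA has revoked.
REVOKED_SERIALS = {"DEADBEEF"}


def when(cert_time):
    """Turn an OpenSSL-style timestamp into epoch seconds (for tests and callers)."""
    return ssl.cert_time_to_seconds(cert_time)


def _names(rdn_sequence):
    """Flatten the getpeercert() tuple-of-tuples RDN form into a dict."""
    out = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            out[key] = value
    return out


def hostname_matches(cert, hostname):
    """Is hostname named by the cert? Uses subjectAltName DNS entries, falling
    back to the subject CN only when there is no SAN, and allows a wildcard to
    match exactly one label (RFC 6125 style), so *.static.example.com matches
    cdn.static.example.com but not a.b.static.example.com."""
    hostname = hostname.lower().rstrip(".")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _names(cert["subject"]).get("commonName")
        names = [cn] if cn else []
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            label, _, rest = hostname.partition(".")
            if label and rest and "." + rest == name[1:]:
                return True
        elif name == hostname:
            return True
    return False


def verify_server_cert(cert, hostname, now=None,
                       trusted=TRUSTED_ISSUERS, revoked=REVOKED_SERIALS):
    """Return the list of reasons a client would reject the certificate;
    an empty list means the handshake may proceed."""
    now = time.time() if now is None else now
    problems = []
    issuer_cn = _names(cert["issuer"]).get("commonName")
    if issuer_cn not in trusted:                       # "do I trust who vouched for this?"
        problems.append(f"issuer {issuer_cn!r} not in trust store")
    if cert.get("serialNumber") in revoked:            # "is this still valid?"
        problems.append("certificate revoked")
    if not (when(cert["notBefore"]) <= now <= when(cert["notAfter"])):
        problems.append("outside validity period")
    if not hostname_matches(cert, hostname):           # "is this who I asked for?"
        problems.append(f"hostname {hostname!r} not in certificate")
    return problems


def strict_client_context():
    """How a real client asks Python's ssl module to enforce the same checks:
    the system CA store, CERT_REQUIRED, hostname checking, no old protocols.
    Revocation checking (ssl.VERIFY_CRL_CHECK_LEAF) additionally needs a CRL
    loaded with load_verify_locations, so it is not switched on here."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    mid_2010 = when("Jun  1 00:00:00 2010 GMT")
    print("good cert:", verify_server_cert(SAMPLE_CERT, "www.example.com", now=mid_2010))
    print("wrong host:", verify_server_cert(SAMPLE_CERT, "evil.example.com", now=mid_2010))
    print("unknown CA:", verify_server_cert(SAMPLE_CERT, "www.example.com",
                                            now=mid_2010, trusted=set()))
```

The order of the checks mirrors the post: a certificate whose issuer is outside the trust store fails before anything else is looked at, which is exactly why a rogue or careless CA in the browser's list undermines the rest. Note that the wildcard rule is deliberately strict; a matcher that accepts `*.example.com` for `a.b.example.com`, or accepts a wildcard in the middle of a name, is a common source of hostname-validation bugs.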