Secure Socket Layer (SSL)

So we’ve mentioned SSL. Let’s take a deeper look at SSL. SSL is the protocol for encrypting web traffic. This is what gives us the green padlock on our website. We said if we generate our own certificate that’s bound to a website, our internal clients within our domain would trust it. External entities would be very unlikely to trust it. We need to use a certificate that has been issued by a trusted certificate authority. Typically the process checks that any..

so when your web browser connects to a HTTPS website, your web browser will check that the certificate has been signed by a trusted certificate authority, that the certificate is valid and has not expired or been revoked, that it matches the domain correctly. So if the certificate applies to the host www and the domain .google.com, if the host is slightly different, if the host is mail.google.com, you will see a red padlock, even if the rest of the certificate is valid. So we check that it conforms to the required security standard and that the domain listed on the certificate matches the domain requested by the user. So this is a check performed by the browser.

What you’ll notice now is if you go to google.com or a vast majority of websites, HTTPS is now the default method of access, HTTP is rapidly disappearing. This can be a problem in terms of compatibility for some embedded systems for some older devices, for some low power devices. But Google Chrome now warns you if a site is not using HTTPS. Google Chrome expects by default that HTTPS is in use.

So the Secure Sockets Layer, SSL, is a browser session, and the client creates the session key. So it will create a unique session key that it will send to the server. But before it sends it to the server, it will encrypt it with the public key of the server. And you’ll remember from the diagram that we showed, the only person that can decrypt that, if we’re using the public key of the server, the only person that can decrypt that is the server with the corresponding private key. So the server now can decrypt that message with its private key to gain access to the session key.

So the server then responds with an acknowledgment that is encrypted with the session key that the client can subsequently decrypt. So this is a very fast process. And a very robust process. And again, we’re talking about browsing to websites that potentially, that probably, we do not have an existing trust relationship with. So we are trusting the certificate authority instead. We’re trusting that the certificate authority has taken steps to appropriately verify the binding between the site and the certificate.