How are SSL certificates used?
Let’s start with the obligatory question,
‘What is SSL?’
Going by the simplest definition,
SSL (Secure Sockets Layer) is a standard technology for establishing an encrypted link between the web server and the browser.
This link makes sure that the data passed between the web server and the browser remains private and intact.
Before we dive directly into the know-how of the communication between the browser and the web server using SSL certificates, here are a few terms that one must know:
· Certificate: An electronic document that identifies a particular digital entity
· CA (Certificate Authority): An administrative authority that issues the above-mentioned certificates to an entity after validation
· CSR (Certificate Signing Request): It contains the organization/business details and is the first step towards creating a certificate
· Public key and private key: Cryptographic keys generated when a CSR is created. The public key doesn’t have to be kept secret and is included in the CSR itself. The private key is matched with the issued SSL certificate by the server and should be kept secret.
Point to remember: Anything encrypted with a public key can be decrypted only by the matching private key.
So how does the communication between the client’s browser and the web server go down once our web server has the certificate?
*Browser connects to the web server*
Browser: ‘Can you please identify yourself?’
Web Server: ‘I most certainly will’
The web server sends back the certificate issued by the CA, which also contains the web server’s public key.
Browser: ‘Alright, let me check if you’re on the list.’
The browser then checks whether the CA is one of its trusted CAs and then checks the validity of the certificate.
Browser: ‘Oh, there it is. Alright, let me create a pass (session key) for you. And what did you say your validation code (public key) was, please?’
The browser creates the pass (session key), encrypts it using the validation code (public key) and hands it over to the web server.
Web Server: ‘Hmm.’
The server then decrypts the symmetric session key using its private key (Remember? Things encrypted with a public key can only be decrypted with a private key.) and sends back the acknowledgement, encrypted with the session key, to start the session.
From now on they use the session key to encrypt all the messages they exchange.
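The exchange above, sketched as an added example (not code from the original post): textbook RSA with toy-sized constructed keys wraps the session key, and an HMAC stands in for the encrypted acknowledgement because the Python standard library has no block cipher. All function names are hypothetical; the last lines also show that a server holding a copy of the certificate but not the matching private key fails the exchange.

```python
import hashlib
import hmac
import secrets

# Illustration only: unpadded RSA and toy key sizes are not safe for real use,
# and TLS 1.3 no longer transports the session key this way (it uses Diffie-Hellman).
E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Return ((n, e), (n, d)) for primes p and q (textbook RSA, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def browser_wrap_session_key(public_key):
    """Browser: create a random 128-bit session key and encrypt it to the server."""
    n, e = public_key
    session_key = secrets.token_bytes(16)
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)

def server_unwrap_session_key(private_key, wrapped):
    """Server: recover the session key with its private key."""
    n, d = private_key
    recovered = pow(wrapped, d, n)
    return recovered.to_bytes((n.bit_length() + 7) // 8, "big")[-16:]

def acknowledgement(session_key):
    """Acknowledgement keyed with the session key (HMAC stands in for encryption)."""
    return hmac.new(session_key, b"session start", hashlib.sha256).digest()

def handshake(certificate_public_key, server_private_key):
    """True only if the server proves it holds the matching private key."""
    session_key, wrapped = browser_wrap_session_key(certificate_public_key)
    server_key = server_unwrap_session_key(server_private_key, wrapped)
    return hmac.compare_digest(acknowledgement(server_key),
                               acknowledgement(session_key))

# Constructed toy keys built from known Mersenne primes; real keys are 2048 bits or more.
REAL_PUBLIC, REAL_PRIVATE = make_keypair(2**127 - 1, 2**89 - 1)
_, IMPOSTOR_PRIVATE = make_keypair(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    print("genuine server accepted:", handshake(REAL_PUBLIC, REAL_PRIVATE))
    print("copied certificate, wrong private key accepted:",
          handshake(REAL_PUBLIC, IMPOSTOR_PRIVATE))
```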
A noteworthy thing I found out was that these certificates can be issued even to malware distribution websites, because all that is done now is that the connection between the browser and the web server is secured, ignoring the fact that the web server is a threat in itself!