TECHNOLOGY & SECURITY

Secure Socket Layer (SSL) Explained👨‍💻

Chaitanya (Chey) Penmetsa
Published in CodeNx
7 min read · Jan 28, 2024

Secure Sockets Layer (SSL) protects the data exchanged between a web browser and a server. By encrypting the communication link, SSL keeps everything transmitted between the web server and the browser confidential and lets either side detect tampering in transit; it does not make a site immune to attack in general, but it does defeat eavesdropping and on-path modification of the traffic. An SSL certificate is the digital credential that lets a system prove its identity to another party before the encrypted connection is established using the Secure Sockets Layer protocol. These certificates are an integral component of a cryptographic system known as a public key infrastructure (PKI). In a PKI, certificates allow one party to authenticate the identity of another party, provided both parties trust a third-party entity, commonly referred to as a certificate authority (CA). SSL certificates therefore function as digital identity credentials, securing network communications and verifying the identity of websites on the Internet as well as resources within private networks. It is worth noting that while SSL and TLS are often used interchangeably, there are distinctions between them (the SSL 2.0 and 3.0 protocols themselves are deprecated, and what browsers negotiate today is TLS, even though the certificates are still called SSL certificates); these will be discussed in a subsequent blog. The foundational concepts remain consistent across both protocols. An SSL certificate is an X.509 certificate and contains the following information.

  • Domain name (in the Subject and, for any modern certificate, the Subject Alternative Name extension, which may list several names)
  • Certificate authority (the Issuer field)
  • Certificate authority’s digital signature, together with the algorithm used to produce it
  • Issuance date (Not Before)
  • Expiration date (Not After)
  • Public key, with its algorithm (RSA or ECDSA in practice)
  • X.509 version and serial number (not the SSL/TLS protocol version, which is negotiated during the handshake and is not stored in the certificate)
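To make the list concrete, here is an added example (not part of the original post) that uses Go's standard crypto/x509 package to play the certificate authority: it creates a self-signed root, issues a leaf certificate for the hypothetical host example.com, reads back the fields listed above, and then performs the checks a browser performs before trusting the certificate. The CA name, hostnames, serial numbers and validity periods are all made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSummary maps the fields listed above onto what an X.509 certificate actually carries.
type CertSummary struct {
	DomainNames   []string // Subject Alternative Names
	Issuer        string   // the certificate authority
	SigAlgorithm  string   // algorithm of the CA's signature over the certificate
	IssuedAt      time.Time
	ExpiresAt     time.Time
	PublicKeyAlgo string
	X509Version   int // 3 for modern certificates; this is not the SSL/TLS protocol version
}

// must aborts on errors that only mean a broken environment (no entropy); demo helper only.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueChain plays the CA: it creates a self-signed root, then signs a leaf certificate for
// the hypothetical host example.com with the root's private key (both names are assumptions).
func issueChain() (*x509.Certificate, []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the server's own key pair
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "example.com"},
		DNSNames:     []string{"example.com", "www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf carries the server's public key but is signed with the CA's private key.
	return ca, must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
}

// summarize parses DER and pulls out the listed fields.
func summarize(der []byte) (CertSummary, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertSummary{}, err
	}
	return CertSummary{
		DomainNames:   c.DNSNames,
		Issuer:        c.Issuer.CommonName,
		SigAlgorithm:  c.SignatureAlgorithm.String(),
		IssuedAt:      c.NotBefore,
		ExpiresAt:     c.NotAfter,
		PublicKeyAlgo: c.PublicKeyAlgorithm.String(),
		X509Version:   c.Version,
	}, nil
}

// verifyLeaf does what a browser does: check the CA's signature and the chain to a trusted
// root, the validity period, server-auth usage, and that hostname matches a listed name.
func verifyLeaf(leafDER []byte, ca *x509.Certificate, hostname string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // stands in for the browser's trust store
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() {
	ca, leafDER := issueChain()
	s, _ := summarize(leafDER)
	fmt.Printf("%+v\nverify www.example.com: %v\n", s, verifyLeaf(leafDER, ca, "www.example.com"))
}
```

The public key inside the leaf belongs to the server's own key pair, while the signature over the leaf is made with the CA's private key; that separation is what lets a browser that trusts only the root accept the site. Flip any byte of leafDER before calling verifyLeaf and the signature check fails; pass a hostname that is not among DomainNames, or a root from a different CA, and Verify reports an error instead of a chain.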

What are the benefits of SSL

  • Safeguards sensitive information — To establish a secure connection with a website, the browser first verifies the site’s SSL certificate. SSL then encrypts all communication between your browser and the website, so passwords, session cookies and payment details cannot be read by anyone watching the network.
  • Enhances customer trust — Informed online users value privacy and want to trust the websites they visit. A website secured with SSL shows a padlock icon in the browser’s address bar (older browsers showed it in green), which reassures customers that their data is protected in transit when shared with your business. The padlock only attests that the connection is encrypted to the domain named in the certificate; it says nothing about whether the site behind it is honest.
  • Ensures regulatory compliance — Certain businesses must comply with industry regulations governing data confidentiality and security. For instance, entities in the payment card industry must adhere to the PCI DSS standard, which requires strong cryptography whenever cardholder data crosses open, public networks; since 2018 that means a current TLS version, as SSL and early TLS no longer satisfy the requirement.
  • Boosts SEO — Major search engines treat HTTPS as a ranking signal (Google announced this in 2014). Consequently, a website served over SSL/TLS is likely to rank higher than an otherwise similar website lacking a certificate, which in turn attracts more visitors from search engines.

Key concepts in SSL

  • Certificate Authority — A certificate authority (CA) is an entity that issues SSL certificates to website owners, web hosting companies, or businesses; some sell them, while others such as Let’s Encrypt issue them free of charge. The CA validates control of the domain, and for higher validation levels the owner’s organization details, before issuing the SSL certificate. To become a publicly trusted CA, an organization must meet the requirements set by the root programs of the browser and operating system vendors (Mozilla, Microsoft, Apple and Google), including the CA/Browser Forum Baseline Requirements and regular independent audits, and apply to have its root certificate included in their trust stores. This is what allows a browser to trust a certificate from a site it has never visited before.
  • Encryption — Encryption scrambles the original message so that only the intended recipient can read it. As a toy illustration, one might turn the word “apple” into “2a17a17a13a6” by replacing each letter with its position in the alphabet (a=1, p=16, l=12, e=5), adding 1 to each number, and inserting a separator letter between the numbers. The recipient, who knows the rule (the key), removes the separators, subtracts 1 from each number, and maps the numbers back to letters to recover the word. SSL builds on this idea but uses public key cryptography, with two distinct keys: one to encrypt and a different one to decrypt. PKI lets the parties verify each other’s identity if they trust a common third party, the certificate authority. The CA checks the certificate holder’s identity once, when the certificate is issued, and takes no part in individual connections; in ordinary web browsing only the server is authenticated, and client authentication is optional. Encryption and decryption are vast topics that we will cover in a separate blog; the above is just an example for understanding.
  • Keys — There are two types of keys:
    Public key — The browser and web server communicate using a public/private key pair. The public key is embedded in the SSL certificate the web server presents; anyone may use it to encrypt data that only the holder of the matching private key can read, or to verify a signature made with that private key.
    Private key — Held exclusively by the web server and never sent over the network, the private key decrypts anything encrypted with the public key and produces signatures that the public key can verify. If a signature verifies under the public key in the certificate, the browser knows it is talking to whoever holds the private key, that is, the legitimate server. Compromise of the private key allows anyone to impersonate the server, so it should be stored with tight file permissions or in an HSM.
  • Authentication — The server sends its SSL certificate, containing its public key, to the browser. The browser checks that the certificate chains to a CA in its trust store, that it is within its validity period, that it has not been revoked, and that the domain name in the certificate matches the hostname it is connecting to. Only if all of these checks pass is the web server’s claimed identity accepted.
  • Digital signature — A digital signature is a value the CA computes over the contents of the certificate with the CA’s private key. The browser does not generate a new signature; it recomputes the hash of the certificate contents and uses the CA’s public key to confirm that the signature matches that hash. Any change to the certificate, whether in transit or by an attacker, changes the hash, so verification fails.
  • Session Key — Following the initial SSL authentication and key exchange, a session key is used to protect the communication between the browser and the web server. This is a symmetric cipher key, so the same key is used for both encryption and decryption. Because asymmetric cryptography is computationally expensive, it is used only to authenticate the server and agree on the session key; the bulk of the connection then runs on symmetric cryptography, which demands far less computation, for the life of the SSL connection.

High-level flow in SSL Handshake

Browsers initiate a secure connection with the web server, using its SSL certificate, through the SSL handshake. The SSL handshake is an integral part of Hypertext Transfer Protocol Secure (HTTPS), which combines HTTP with SSL/TLS. HTTP on its own is a protocol in which browsers transmit information to a web server in plain text, so anything sent over HTTP can be intercepted, read, and even modified by third parties on the network path. To secure the communication, browsers run HTTP over SSL, commonly known as HTTPS (port 443 by default). For more understanding on HTTP please read my previous blog on HTTP with the link below.

  • The browser initiates a secure connection to an SSL-protected website, establishing a link with the web server.
  • To authenticate the web server, the browser sends a “client hello” carrying the protocol versions and cipher suites it supports and a random value, and asks the server to identify itself.
  • In response, the web server chooses a cipher suite, replies with a “server hello” and its own random value, and transmits its SSL certificate, which contains its public key (along with any intermediate CA certificates needed to build the chain).
  • The browser scrutinizes the SSL certificate: the chain must lead to a CA in its trust store, the validity period must cover the current time, and the domain name must match the site it is connecting to. Once satisfied, it generates a secret, encrypts it with the server’s public key, and sends it to the server.
  • The web server decrypts the message using its private key, extracting the secret. Both sides derive the same session keys from that secret and the two random values, and the server sends an acknowledgment (“finished”) message to the browser encrypted with the session key; only the holder of the private key could have produced it.
  • With both the browser and web server now holding the same session keys, they transition to encrypted exchange of application data. (This describes the classic RSA key exchange; TLS 1.3 instead agrees the secret through an ephemeral Diffie-Hellman exchange and uses the certificate’s key only to sign the handshake, which gives forward secrecy.)
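The following Go program is an added example, not code from the original post, that carries out the key exchange described in the steps above between an in-memory browser and server: the browser encrypts a fresh session key to the server's RSA public key, the server recovers it with its private key, and both sides switch to AES-GCM under that key for the acknowledgment. It deliberately mirrors the post's simplified flow: it skips the hello messages and the certificate checks (covered by the earlier example), sends the session key itself rather than a pre-master secret from which keys are derived, and uses the RSA key exchange that TLS 1.3 has dropped. The OAEP label, the key sizes and the message text are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel binds the ciphertext to its purpose; the value is an assumption for this demo.
var oaepLabel = []byte("client-key-exchange")

// must aborts on errors that only mean a broken environment (no entropy, bad key size); demo helper only.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Server owns the long-lived RSA key pair; only the public half ever leaves it (inside the certificate).
type Server struct {
	priv       *rsa.PrivateKey
	sessionKey []byte
}

// Browser knows only what it received from the server plus the session key it generates.
type Browser struct {
	serverPub  *rsa.PublicKey
	sessionKey []byte
}

// keyExchange: the browser picks a fresh 256-bit session key and encrypts it with the server's
// public key (RSA-OAEP), so only the holder of the private key can recover it.
func (b *Browser) keyExchange() []byte {
	b.sessionKey = make([]byte, 32)
	must(io.ReadFull(rand.Reader, b.sessionKey))
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, b.serverPub, b.sessionKey, oaepLabel))
}

// receiveKeyExchange: the server decrypts with its private key. A tampered or foreign ciphertext
// fails OAEP decoding and is rejected rather than silently yielding garbage.
func (s *Server) receiveKeyExchange(encrypted []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, encrypted, oaepLabel)
	if err != nil {
		return err
	}
	s.sessionKey = key
	return nil
}

// seal and open are the symmetric phase: AES-256-GCM under the shared session key, random nonce prefixed.
func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, msg []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Result records what each side ended up with after the exchange.
type Result struct {
	Ack                 string // the server's acknowledgment as decrypted by the browser
	KeysMatch           bool   // both sides hold the same session key
	EavesdropperBlocked bool   // a party without the private key cannot read the traffic
}

// RunHandshake walks the steps above between an in-memory browser and server.
func RunHandshake() (Result, error) {
	srv := &Server{priv: must(rsa.GenerateKey(rand.Reader, 2048))}
	brw := &Browser{serverPub: &srv.priv.PublicKey} // learned from the verified certificate
	if err := srv.receiveKeyExchange(brw.keyExchange()); err != nil {
		return Result{}, err
	}
	encAck := seal(srv.sessionKey, []byte("server finished"))
	ack, err := open(brw.sessionKey, encAck)
	if err != nil {
		return Result{}, err
	}
	// An eavesdropper saw both ciphertexts and knows the public key, but without the private
	// key a guessed session key (all zeros here) fails GCM authentication instead of decrypting.
	_, eveErr := open(make([]byte, 32), encAck)
	return Result{Ack: string(ack), KeysMatch: bytes.Equal(srv.sessionKey, brw.sessionKey), EavesdropperBlocked: eveErr != nil}, nil
}

func main() { fmt.Printf("%+v\n", must(RunHandshake())) }
```

Because the session key travels under the server's long-lived public key, anyone who later obtains the server's private key can decrypt recorded traffic; that lack of forward secrecy is the main reason modern TLS derives the session key from an ephemeral Diffie-Hellman exchange and uses the certificate key only for signing.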

Protocols in SSL

SSL is composed of several sub-protocols layered on top of the Record Protocol; let us look at each of them. Below is the image of all the protocols involved with SSL.

SSL Record Protocol

The SSL Record Protocol offers two crucial services to SSL connections:

  • Confidentiality
  • Message Integrity

Within the SSL Record Protocol, application data is first fragmented into blocks of at most 2^14 bytes. Each fragment is optionally compressed (compression is disabled in practice and was removed in TLS 1.3 because of the CRIME attack), and then a Message Authentication Code (MAC) is computed over the fragment together with a sequence number, using a keyed construction (HMAC in TLS) built from a hash function such as SHA (Secure Hash Algorithm) or MD5 (Message Digest 5). The fragment and its MAC are then encrypted together with the negotiated symmetric cipher, and finally a 5-byte record header (content type, protocol version, length) is prepended to complete the record. The receiver reverses the steps: decrypt, verify the MAC, decompress, and reassemble; a record whose MAC does not verify is rejected and the connection is closed with an alert.
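An added example (not from the original post) in Go that implements the record-layer pipeline just described in the MAC-then-encrypt form used by SSL 3.0 through TLS 1.2: fragment size check, HMAC-SHA256 over the sequence number and record header plus fragment, TLS-style padding, AES-CBC encryption with an explicit IV, and the 5-byte record header. The receiver reverses the steps and rejects tampered, truncated or replayed records. The keys are constructed constants standing in for what the handshake would produce, and the HTTP request in main is made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	typeApplicationData = 23      // record content type
	versionTLS12        = 0x0303  // record-layer version field
	maxFragment         = 1 << 14 // application data is fragmented at 2^14 bytes
)

// A single error for length, padding and MAC failures, as TLS requires, so it does not leak which check failed.
var errBadRecordMAC = errors.New("bad_record_mac")

// recordState is one direction of a connection; the sequence number is folded into every MAC,
// so a replayed, dropped or reordered record fails verification.
type recordState struct {
	macKey []byte
	block  cipher.Block
	seq    uint64
}

// newPair returns sender and receiver states sharing constructed keys (real keys come out of the handshake).
func newPair() (*recordState, *recordState) {
	mk, ek := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)
	blk, err := aes.NewCipher(ek)
	if err != nil {
		panic(err)
	}
	return &recordState{macKey: mk, block: blk}, &recordState{macKey: mk, block: blk}
}

// mac computes HMAC-SHA256 over seq_num || type || version || length || fragment.
func (s *recordState) mac(ctype byte, fragment []byte) []byte {
	m := hmac.New(sha256.New, s.macKey)
	m.Write(binary.BigEndian.AppendUint64(nil, s.seq))
	m.Write([]byte{ctype, versionTLS12 >> 8, versionTLS12 & 0xff, byte(len(fragment) >> 8), byte(len(fragment))})
	m.Write(fragment)
	return m.Sum(nil)
}

// sealRecord: fragment -> MAC -> pad -> encrypt (AES-256-CBC, explicit IV) -> prepend the 5-byte
// header. Compression is skipped; it is disabled in practice because of the CRIME attack.
func (s *recordState) sealRecord(ctype byte, fragment []byte) ([]byte, error) {
	if len(fragment) > maxFragment {
		return nil, errors.New("fragment exceeds 2^14 bytes")
	}
	body := append(append([]byte{}, fragment...), s.mac(ctype, fragment)...)
	padLen := aes.BlockSize - (len(body)+1)%aes.BlockSize // TLS padding: padLen+1 bytes, each == padLen
	body = append(body, bytes.Repeat([]byte{byte(padLen)}, padLen+1)...)
	payload := make([]byte, aes.BlockSize+len(body))
	if _, err := rand.Read(payload[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(s.block, payload[:aes.BlockSize]).CryptBlocks(payload[aes.BlockSize:], body)
	hdr := []byte{ctype, versionTLS12 >> 8, versionTLS12 & 0xff, byte(len(payload) >> 8), byte(len(payload))}
	s.seq++
	return append(hdr, payload...), nil
}

// openRecord reverses the steps and rejects the record if the length, padding or MAC is wrong.
func (s *recordState) openRecord(rec []byte) ([]byte, error) {
	n := len(rec) - 5
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 || int(binary.BigEndian.Uint16(rec[3:5])) != n {
		return nil, errBadRecordMAC
	}
	ctype, payload := rec[0], rec[5:]
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(s.block, payload[:aes.BlockSize]).CryptBlocks(pt, payload[aes.BlockSize:])
	padLen := int(pt[len(pt)-1])
	if padLen+1+sha256.Size > len(pt) || !bytes.Equal(pt[len(pt)-padLen-1:], bytes.Repeat([]byte{byte(padLen)}, padLen+1)) {
		return nil, errBadRecordMAC
	}
	body := pt[:len(pt)-padLen-1]
	fragment, tag := body[:len(body)-sha256.Size], body[len(body)-sha256.Size:]
	if subtle.ConstantTimeCompare(tag, s.mac(ctype, fragment)) != 1 {
		return nil, errBadRecordMAC
	}
	s.seq++
	return fragment, nil
}

func main() {
	tx, rx := newPair()
	rec, _ := tx.sealRecord(typeApplicationData, []byte("GET / HTTP/1.1\r\n"))
	pt, err := rx.openRecord(rec)
	fmt.Printf("header % x -> %q (err=%v)\n", rec[:5], pt, err)
}
```

The receiver returns the same bad_record_mac error for length, padding and MAC failures. Letting those cases be distinguished, whether by different errors or by measurably different processing time, is what enabled the padding-oracle attacks on CBC cipher suites such as Lucky 13, and it is one reason TLS 1.3 keeps only AEAD ciphers, which authenticate and encrypt in a single pass.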

Handshake Protocol

The Handshake Protocol is used to establish a session. Through a series of exchanged messages the client authenticates the server (and the server may optionally authenticate the client, when client certificates are used), the two sides agree on the protocol version, cipher suite and compression method, and they establish the shared secret from which the session keys are derived. The handshake progresses through four phases: establishing security capabilities, server authentication and key exchange, client authentication and key exchange, and finish. This is the protocol behind the flow we discussed in the sections above.

Change-cipher Protocol

Operating in conjunction with the SSL Record Protocol, this protocol handles the switch to the newly negotiated keys. While the Handshake Protocol is running, the agreed cipher parameters are held in a pending state and the record layer keeps using the current state (initially no encryption at all). The Change Cipher Spec protocol consists of a single message of 1 byte with only one possible value (1). Sending it tells the peer that every subsequent record from the sender will be protected under the pending state, which at that moment becomes the current state. (TLS 1.3 no longer needs this message and only emits a dummy copy for compatibility with middleboxes.)

Alert Protocol

Designed to communicate SSL-related alerts to the peer, each message within this protocol consists of 2 bytes: the first gives the level (warning or fatal) and the second the description, for example bad_certificate, handshake_failure or close_notify. A fatal alert terminates the connection immediately, while close_notify is the warning-level alert used for an orderly shutdown.

SSL/TLS certificates vary by validation level and by the domains they cover. All of them provide the same encryption; the validation level only describes how much identity checking the CA performed before issuing. Certificates with distinct validation levels include:

  • Extended validation (EV) certificates, for which the CA verifies the legal identity, physical existence and authorization of the requesting organization against a strict vetting standard
  • Organization-validated (OV) certificates, for which the CA verifies that the organization named in the certificate exists and controls the domain
  • Domain-validated (DV) certificates, for which the CA verifies only control of the domain (for example through a DNS record or a file served over HTTP); this is what automated issuers such as Let’s Encrypt provide

SSL/TLS certificates designed to accommodate different domain types consist of:

  • Single-domain certificates, which cover one hostname (typically the bare domain and its www variant)
  • Wildcard certificates, which cover every hostname one label deep under a domain (*.example.com matches api.example.com but neither example.com nor a.b.example.com); since one private key serves all of those hosts, compromising it exposes every one of them
  • Multi-domain certificates, which list several, possibly unrelated, hostnames in the Subject Alternative Name extension

I hope this blog clarified what SSL is and delved into its inner workings. In the next blog, we will explore some of the perplexing terms such as SSL Offloading/Termination, SSL Passthrough, and SSL Bridging within the load balancer context.

🙏Thanks for taking the time to read the article. If you found it helpful and would like to show support, please consider:

  1. 👏👏👏👏👏👏Clap for the story and bookmark for future reference
  2. Follow me on Chaitanya (Chey) Penmetsa for more content
  3. Stay connected on LinkedIn.

Wishing you a happy learning journey 📈, and I look forward to sharing new articles with you soon.

Chaitanya (Chey) Penmetsa · Editor for CodeNx

👨🏽‍💻Experienced and passionate software enterprise architect helping solve real-life business problems with innovative, futuristic, and economical solutions.