Every single day 100s of terabytes of data is being transferred across the internet. In fact, based on Intel’s 2012 report, nearly 640K Gb of data is transferred every single minute. That’s more than 204 million Emails, 47,000 app downloads, 1.3 million YouTube videos watched and 6 million Facebook views.
We’re talking about a seriously massive amount of data here. So how do we know if that data is being transferred securely? Enter the SSL/TLS protocols.
What is SSL/TLS?
Most commonly used for website security SSL is a technology that allows transferring data in an secure manner. SSL stands for Secure Sockets Layer and is a technology developed in the early ’90s by Netscape. The original goal for creation of SSL was to provide an API that closely resembled the the socket protocols of the time and transfer the data securely.
Since the first stable release in 1996 the SSL standard has undergone many changes and improvements. As time passed security issues were found and patched causing the protocol to evolve over time.
While still commonly referred to as SSL the replacement is not actually compatible with the SSL protocols. The proper name for the replacement is Transport Layer Security, or TLS. The differences between TLS v1.0 and SSL v3.0 were minimal, however the subtle changes were enough to prevent interchangeability. The essential goals essentially remained the same; transfer data from a server to your browser in a secure and encrypted manner.
Why do I need SSL?
So far we’ve covered the very basics of what SSL/TLS is, but you may be asking yourself: ‘Why do I care and what do I need this for?’
That’s an excellent question! Why go through all the trouble and why do you care if your websites content is transferred securely. The most important (and perhaps most simple) reasons is that it protects your users. No matter where you or your users are located it’s always important to keep them in mind.
After all we don’t usually just make a website for ourselves. When you make a website you want people to see it and you want them to be engaged. By providing SSL support for your website you are signaling to your that your care. It says that you care about keeping their data and information safe from prying eyes.
This idea is especially important when your pages accept (or provide) sensitive information from your users. In this case sensitive information can be login/account credentials, personal information, or even financial information. These are all critical pieces of user data and they must be kept secure at all cost.
So how does SSL/TLS work then?
We have covered: what SSL and TLS are; the basics of what they do; and why you might want to use them. For some this may be more than enough information on SSL/TLS.
For the more curious, or the skeptical, you may want a better idea of how this protection works. While the actual process is quite technical, we can provide a fairly simplified detailing exactly how a connection over SSL/TLS is initiated.
To illustrate this concept we’ll use Google as an example. So you’re in your browser and type in: https://www.google.com/. We know this is going to be using SSL/TLS since in the URL we see https and not http. We hit enter and then what?
- Your browser establishes an initial connection to the Google servers. (Connection Established)
- Your browser and the server negotiate connection options & details. (Begin Negotiation Phase)
- At this point the browser and server compare their supported ciphers to find which they share in common.
- The server will respond, telling the browser the most secure cipher that they both support.
- The server sends the browser its SSL Certificate for verification with the browser. (Server Certificate Negotiation)
- The server will send both the public SSL certificate and the severs key exchange to the browser.
- This step in the process may vary slightly depending on the cipher chosen in the previous step.
- The client verifies the server Certificate and then sends a client key to the server. (Client Certificate Negotiation)
- Similar to step 3 this will vary depending on the cipher chosen in step 2.
- This step requires a bit of two-way communication as the Client (browser) and Server negotiate the keys exchanged.
- The client sends a “Looks good, everything from here out will be authenticated and encrypted” message to the server. (Connection Secured!)
- After the certificates have been properly negotiated a ChangeCipherSpec message is sent to the server.
- The client now sends an encrypted “Finished” message telling the server that the process is complete.
Once completed the messages (data) exchanged between your server and end users will be encrypted and secured.
After enabling SSL/TLS support on your server it will no longer be possible for prying eyes to see the information being exchanged. The only requirement for providing this extra security to your users is to install an SSL Certificate on your server.