
The Mega Guide on SSL Certificates for Best Encryption Knowledge


Need help with encryption? Here is a guide on everything you need to know about SSL, encryption, and HTTPS.


Everything You Need to Know About SSL, Encryption, and HTTPS

So, a while back, I’m sitting at my desk, and I get an email from this fellow on our Search Engine Optimization team. Sometimes, the SEO team sends me suggestions on what to write. This particular piece of electronic mail suggested I work on: “The Mega Guide on SSL Certificates for Best Encryption Knowledge.”

"Now, fellas," I said, "that sounds like kind of a mouthful, why not call it 'Everything you need to know about SSL?' Or 'Encryption for Dummies?' Something a little more natural."

But, they were very insistent — it must be called, “The Mega Guide on SSL Certificates for Best Encryption Knowledge.” So, I guess that’s what we’ll go with. Look, I really don’t understand Search Engine Optimization (or SEO as these kids call it). I’m not even 100 percent sure that’s what it stands for. I asked a couple of the guys on the SEO team about it once and the answer was long and very involved, and they started talking about penguins and pandas. It got weird, fast.

And, frankly, I’m okay with not knowing. I feel like SEO is a wormhole that you dive down — one that starts with landing pages and brand authority, and, before you know it, Alvin and the Chipmunks’ “Witch Doctor” is playing on loop while long-tail keywords swirl around your head in various non-supported fonts, and you can’t tell if you’re having some sort of organic search fever dream, or you’ve accidentally ingested LSD while the TV was tuned to Alice in Wonderland, again.

Ahem, or so I’ve heard.

Anyway, you’re here to read The Mega Guide on SSL Certificates for Best Encryption Knowledge, so let’s get started…

The Mega Guide on SSL Certificates for Best Encryption Knowledge

SSL stands for “Secure Sockets Layer.” The original version was developed by Netscape back in 1995, shortly after Al Gore finished arranging the series of tubes that would later be dubbed the “Internet.” The original version, 1.0, was never even publicly released, because it was riddled with security vulnerabilities. Also, syphilis, which is a little-known fact, but mostly security vulnerabilities.

In fact, security vulnerabilities were a hereditary issue that ultimately ended the life of SSL 2.0 and SSL 3.0, too. It’s the hardest a single family has been hit by a tech bug since the entire Johnny 5 line was disassembled by digital dysentery back in the late 1980s.

Anyway, SSL was replaced by TLS or Transport Layer Security, which is technically different, but doesn’t suffer from the same health problems and is still colloquially known as SSL. Confused? Don’t be. It’s kind of like what happened to Steve Perry and the band Journey. The band replaced him with a younger, healthier version that can do all the same things, and they’re still known as Journey, even though they technically aren’t anymore.

Anyway, TLS 1.3 is just being released; today, most security implementations use TLS 1.1 or 1.2. And, that’s a brief history of SSL. Now, let’s address a few other questions:

Then, we’ll finish by talking a little bit about brands. Well, I say we – I’ll finish – you may not be reading by then. Who knows. The night is young!

What Is an SSL Certificate?

An SSL certificate is a digital certificate that allows for the validation of a web server and the encryption of all communication between that server and its visitors. Or, put another way, an SSL certificate is what facilitates encrypted connections.

Think of it like a driver’s license. When you get one, the Certificate Authority that’s issuing the certificate – which stands in for the DMV in this metaphor – verifies the identity of the applicant before issuing a document that gives the holder specific privileges. That means driving in the case of a driver’s license, or using Public Key Infrastructure to encrypt communication in the case of an SSL Certificate. Fortunately, validation doesn’t require sitting in a stuffy waiting room next to the dregs of society for two hours while a disinterested clerk uses a ’90s-era computer to inch through the line. You pull a number; it says D6; and they’re on A15.

An SSL certificate serves two basic functions, though only one of them really gets any attention. The first and most celebrated function is encryption. An SSL certificate will let you encrypt all communication to and from your website. But, depending on the type of validation you choose, an SSL certificate can also authenticate your identity.

We’ll get into that a little more in-depth when we talk about certificate types later, but for now, just remember that an SSL certificate is kind of like a digital driver’s license. It identifies its owner and grants certain permissions.

Now, let’s define a few key terms. You’ll need to know these before we go any further.

  • HTTPS – This is the secure version of the HTTP protocol that the Internet is based on. You redirect your website to HTTPS URLs after installing SSL.
  • Client – This refers to the user, typically visiting on a web browser like Google Chrome or Mozilla Firefox.
  • Server – Websites are hosted on servers. When communication takes place with a client, it occurs with the server, not the site itself.

That should pretty much cover it. Let’s move on.

How Does an SSL Certificate Work?

There are two ways I could explain this, one is exceptionally technical and would require a lot of research on my part. The other is to explain it in layman’s terms and try not to alienate my readers. I’m going to go with the second route. It’s not that I don’t want to do a bunch of research, actually, yes it is. That’s exactly why. I’m not going to lie to you.

Ok, so when a client’s browser reaches a website’s server and notices it has SSL, it begins a process called “The SSL Handshake.” This is where the client and the server decide on the means of encryption they will use (which algorithms and ciphers – basically the directions for encrypting), authenticate the server, and then exchange symmetric session keys.

Once the session keys are exchanged, the two begin encoding communication in a way that only the other party can read it. This prevents eavesdropping from third parties, content injection, and a litany of other potential issues.

Now, a quick word on keys. There are two kinds of encryption at play during an SSL connection. The first is asymmetric encryption, which uses a key pair: a private key and a public key. For an in-depth explanation of asymmetric encryption, click here.

The other kind of encryption, symmetric encryption, uses the session keys. With asymmetric encryption, the public key encrypts and the private key decrypts. Symmetric encryption, by contrast, lets the session keys both encrypt and decrypt, which is what two-sided communication needs.

A session key, as the name suggests, is good for one session, after which the keys are discarded and new keys are exchanged upon the next visit. An asymmetric private key is usually 2048-bit. Session keys, which need to be faster, are 256-bit. Don’t worry about the drop in size though; it would take a supercomputer 10,000 years to break 256-bit encryption.

Why Would You Use SSL?

Hackers. Let’s move on.

Ok, ok. There are some very specific threats that exist on websites without encryption — specifically eavesdropping. Eavesdropping can occur anytime there is an unencrypted connection between a client and a server. It basically means a third party can “listen in” and see every last piece of data being transferred between the two parties. This includes sensitive information like names, addresses, credit card numbers, social security numbers, etc. It’s kind of like having a Peeping Tom, only instead of a stranger in your bushes, he (or she — it could be a she, it’s 2017, get over it) is spying on your financial data.

Obviously, this is a problem, especially for websites that collect personal information. This is the biggest reason for encryption. Websites need to protect the information being transmitted to and from their visitors — especially e-commerce sites, banks, medical organizations, and a range of other industries.

Beyond stealing sensitive information, eavesdroppers can also manipulate information. Meaning, they can impersonate the client or the server and cause chaos. This is called a man-in-the-middle attack. Your client thinks it’s connected to the server; your server thinks it’s connected to the client; but, there’s an intermediary there. The client sends info to the attacker, who then sends it to the server. Obviously, you can see how this can create problems. SSL solves those problems by preventing MITM attacks and eavesdropping.

It also prevents content injection. This is typically done by ISPs when they’re injecting unwanted ads into websites, but it can also be done by malicious third parties, which is way more dangerous.

What Are the Types of SSL Certificate?

For the sake of ease, we’re going to divide SSL types into two categories:

  • Validation Level
  • Functionality

There are three validation levels and four functionalities. Let’s start with validation types. Validation type refers to how much the Certificate Authority is going to vet your company or organization.

  • Domain Validation — Only requires domain control validation (meaning that you prove you own your website). DV can be used by anyone.
  • Organization Validation — Light business authentication needs to be performed before issuance. This can be done in a few days.
  • Extended Validation — This requires full business authentication, which can take up to a week. EV displays your business name in the address bar.
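To make the server-authentication step of the handshake and the three validation levels concrete, here is an added Python example (not from the original post) that reads a certificate in the layout Python’s ssl `getpeercert()` returns. The sample certificate is constructed, the DV/OV/EV guess from subject fields is a heuristic (the authoritative EV marker is a policy OID that `getpeercert()` does not expose), and `fetch_cert` performs a real handshake only if you call it.

```python
import socket
import ssl
import time

# Constructed sample in the getpeercert() layout: subject/issuer are tuples of
# RDNs, each a tuple of (attribute, value) pairs. Not a real certificate.
SAMPLE_OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example OV Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

def attr(rdns, name):
    """First value of attribute `name` in a subject/issuer tuple, or None."""
    return next((v for rdn in rdns for a, v in rdn if a == name), None)

def describe_cert(cert, now=None):
    """Summarise identity claims and guess DV/OV/EV from subject fields.
    The guess is a heuristic: the authoritative EV marker is the policy OID in
    certificatePolicies, which getpeercert() does not expose."""
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
    org = attr(subject, "organizationName")
    if org is None:
        level = "DV"   # domain control only, no vetted organisation
    elif attr(subject, "businessCategory") is None:
        level = "OV"   # organisation vetted, no EV jurisdiction fields
    else:
        level = "EV"   # EV subjects also carry businessCategory etc.
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # parsed as UTC
    return {"common_name": attr(subject, "commonName"), "organization": org,
            "issuer": attr(issuer, "commonName"), "validation_level": level,
            "dns_names": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
            "days_until_expiry": int((expires - now) // 86400),
            "expired": now >= expires}

def fetch_cert(host, port=443, timeout=5.0):
    """Live handshake: returns (TLS version, cipher suite name, peer cert dict)."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()
```

Pass the dict from `fetch_cert(...)[2]` into `describe_cert` to see what a live site’s certificate asserts and how many days it has left.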

Next, let’s look at the different functionalities.

Should I Get a Free SSL Certificate?

For many websites, especially ones that aren’t associated with a business, free SSL is a great option. It’s easy to acquire, easy to install, and it’s going to provide industry-standard encryption. I’m not going to lie to you, sometimes FREE is the way to go.

But, if you’re running a business, don’t go the free route. At the scale a business operates, certificate management and support will be thoroughly lacking. Through no fault of their own, free CAs can’t provide the kind of support paid CAs do. If you run into an error, you’ll be left to sort through old forum posts for an answer.

Not to mention these certificates expire every three months and only come in single domain and wildcard.

Paid CAs provide better options, better scalability, and better support. If that’s important to you, we recommend staying away from free certificates.


Published at DZone with permission of
