{"id":2046,"date":"2016-07-13T05:43:24","date_gmt":"2016-07-13T05:43:24","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=2046"},"modified":"2023-05-24T12:39:25","modified_gmt":"2023-05-24T16:39:25","slug":"ssltls-certificate-its-architecture-process-interactions","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/ssltls-certificate-its-architecture-process-interactions\/","title":{"rendered":"SSL\/TLS Certificates &#8211; Their Architecture, Process &#038; Interactions"},"content":{"rendered":"<h2>Taking a closer look at SSL\/TLS Certificates and how SSL\/TLS works<\/h2>\n<p>You may have heard of SSL, your website may even employ SSL encryption\u2014but do you know how it works? Do you care? Of course you do. You have an inquisitive mind; that\u2019s why you clicked this link!<\/p>\n<p>In this article we\u2019ll take a look at the inner workings of SSL, including SSL architecture, digital signatures, PKI and SSL\u2019s interactions and processes.<\/p>\n<h2><strong>SSL Certificates<\/strong><\/h2>\n<p>SSL, which is short for Secure Sockets Layer (today we actually use its successor, Transport Layer Security (TLS), but still colloquially refer to it as SSL), is really two things. It\u2019s a certificate and a protocol.<\/p>\n<p>Think of the certificate as a driver\u2019s license of sorts. It both verifies the identity of its holder and grants certain permissions. The SSL protocol handles the actual encryption and decryption \u2013 in this car metaphor, the protocol is like the engine \u2013 we\u2019ll talk about how it works later.<\/p>\n<p>SSL Certificates are issued by <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Certificate_authority\" target=\"_blank\" rel=\"noopener noreferrer\">Certificate Authorities<\/a><\/strong>. Certificate Authorities are trusted third parties that authenticate websites and issue SSL certificates. 
When we say trusted, what we mean is that they are considered trusted by web browsers and operating systems, and are essentially vouching for the authenticity of the websites they\u2019re issuing SSL Certificates to.<\/p>\n<p>As far as a web browser is concerned, there are two tiers of vouching. There\u2019s Domain Validation and Organization Validation, which grant one level of authentication. The second tier is Extended Validation, which grants the highest level of authentication.<\/p>\n<p>When a company or person wants an <strong><a href=\"https:\/\/www.thesslstore.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">SSL certificate<\/a><\/strong>, they first fill out a certificate signing request, or CSR. That is then submitted to the CA, which goes through the necessary steps to vet the requester. The certificate is then created, signed and delivered for installation.<\/p>\n<h2><strong>Digital Signatures<\/strong><\/h2>\n<p>In order to grant the certificates, the CAs must digitally sign them. 
A digital signature is a lot like a traditional signature, but more secure, and it offers additional benefits.<\/p>\n<p><strong>When a document is digitally signed, it:<\/strong><\/p>\n<div class=\"imgesulis\">\n<ul>\n<li>Confirms that the CA signed the document<\/li>\n<li>Ensures the integrity of the document\u2019s contents<\/li>\n<li>Binds itself to the signing activity, meaning only the CA could have signed the certificate<\/li>\n<\/ul>\n<\/div>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-2073\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/Certificate-Blog-Image.png\" alt=\"SSL Certificate Verification\" width=\"700\" height=\"490\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/Certificate-Blog-Image.png 700w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/Certificate-Blog-Image-300x210.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/Certificate-Blog-Image-429x300.png 429w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n<p>In order to sign a certificate, a <a href=\"https:\/\/www.thesslstore.com\/blog\/difference-encryption-hashing-salting\/\">hash<\/a> of the data to be signed must be produced. The result is then encrypted with the sender\u2019s public key and appended to the data. This is what protects the integrity of the hash result.<\/p>\n<p>The recipient of the data then uses the corresponding private key (don\u2019t worry, we\u2019ll explain public and private keys in a bit) to decrypt the hash.<\/p>\n<p>A new hash result is then created and matched up against the original signed hash result; if the two codes are the same, it indicates that the data hasn\u2019t been altered. 
This means the recipient can verify the sender, because only the entity with the private key could have signed it.<\/p>\n<h2><strong>PKI (Public Key Infrastructure)<\/strong><\/h2>\n<p>You may be wondering what we meant back there when we referred to public and private keys. That all relates to PKI, or Public Key Infrastructure. PKI is the underlying framework for SSL and many other kinds of encryption. Public Key Infrastructure implements encryption using a process called asymmetric cryptography.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-2075\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/PKI.png\" alt=\"SSL PKI\" width=\"700\" height=\"330\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/PKI.png 700w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/PKI-300x141.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/PKI-500x236.png 500w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n<p>Asymmetric cryptography involves two keys, one of which performs the encryption and the other of which performs the decryption. The keys are created by the website owner (when they create a certificate signing request, or CSR) and are used in pairs \u2013 there is a private key and a public key. The public key is available to anyone who wants it, but the private key is kept by its owner and should never be handed out.<\/p>\n<p>When someone wants to send information, they use the recipient\u2019s public key to encrypt the information they are sending. The SSL protocol takes care of all of these steps invisibly in the background. The recipient, as the only holder of the private key, is then the only person (or website) who can decrypt it.<\/p>\n<h2><strong>SSL Interactions<\/strong><\/h2>\n<p>So how does SSL work? 
You now understand how a certificate is issued, how it\u2019s signed and what PKI is, but how does it all fit together?<\/p>\n<p>When you visit a site, the first thing your computer does is look for the site\u2019s SSL certificate (well, maybe not the first thing\u2014but one of them). This lets your computer know if the site has been verified and if encryption will be used during communication.<\/p>\n<p>If an SSL certificate is present, the computer and the website perform something called the SSL handshake, wherein they trade information and capabilities so they can decide exactly how they will be encrypting information.<\/p>\n<p>If the handshake is successful, encrypted communication begins. The \u201cclient\u201d \u2013 the computer connecting to the website \u2013 uses the website\u2019s public key to encrypt any information it\u2019s sending \u2013 this can be anything from credit card info to the request for which page to access \u2013 while the website uses the private key to decrypt the information once it\u2019s reached its server.<\/p>\n<p>This keeps the information safe from malicious third parties who may want to steal it.<\/p>\n<h2><strong>How SSL\/TLS Works<\/strong><\/h2>\n<p>While there are plenty of more in-depth topics when it comes to SSL\/TLS, that\u2019s a basic overview of how SSL\/TLS works.<\/p>\n<p><strong>In summation:<\/strong><\/p>\n<div class=\"imgesulis\">\n<ul>\n<li>The certificate request is made to the CA via a CSR; the CA then vets the requester and issues the certificate.<\/li>\n<li>During issuance, the certificate is signed by the CA using a complex hashing algorithm to ensure its contents are not altered.<\/li>\n<li>The certificate vouches for the requester\u2019s identity and allows them to use PKI.<\/li>\n<li>Once the certificate is installed on the requester\u2019s website, it begins to encrypt the data of the site\u2019s visitors by creating secure and encrypted connections via the SSL handshake.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-2076\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/HowSSLWorks-1.png\" alt=\"How SSL Works\" width=\"700\" height=\"200\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/HowSSLWorks-1.png 700w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/HowSSLWorks-1-300x86.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/02\/HowSSLWorks-1-500x143.png 500w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n<\/div>\n<p>We could go into more detail about root certificates, cross-signing, <strong><a href=\"https:\/\/www.thesslstore.com\/sha\/sha-2-google-next-steps.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">SHA1 and SHA2<\/a><\/strong>, <a href=\"https:\/\/www.thesslstore.com\/symantec\/ecc-algorithm.aspx\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>ECC Algorithm<\/strong><\/a>, etc., and we will at a later date. 
But for now, this should serve as a nice entry point into how SSL\/TLS works, its architecture, its processes and its interactions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Taking a closer look at SSL\/TLS Certificates and how SSL\/TLS works You may have heard of SSL, your website may even employ SSL encryption\u2014but do you know how it works?&#8230;<\/p>\n","protected":false},"author":2,"featured_media":2836,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[],"class_list":["post-2046","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","post-without-tags"],"views":26470,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/08\/Electric_Lock_Photo.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/2046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=2046"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/2046\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-
json\/wp\/v2\/media\/2836"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=2046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=2046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=2046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}