What is an SSL Certificate?


An SSL certificate (or TLS certificate) is a digital certificate that binds a cryptographic key to your organization’s details. Secure Sockets Layer (SSL) is a cryptographic protocol designed to encrypt communication between a server and a web browser.

While SSL certificates are installed server-side, there are visual cues in the browser that show SSL protection. If SSL is present, you may see https:// in the address bar, a padlock, a green address bar, or a combination of the three. SSL secures your connection to a web server and encrypts any transferred data. Encrypting data reduces the risk of man-in-the-middle attacks and many other cyber attacks. SSL has traditionally been used to secure credit card information on e-commerce sites, personal data transfers, and social media sites.

Today, search engines like Google have called for HTTPS everywhere, even if websites don’t handle sensitive data or information like personally identifiable information (PII). HTTPS not only provides critical information security and data integrity but is a requirement for many new web browser features like progressive web apps (PWAs).

What is Transport Layer Security (TLS)?

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). Think of it as a more secure version of SSL. Despite new certificates using TLS (RSA or ECC), it remains common for security certificates to be referred to as SSL certificates.

TLS, like SSL, provides privacy and data integrity between two or more communicating applications. When secured by TLS, connections between your browser and a server must have one or more of the following properties:

The connection is secured by symmetric cryptography. The keys for symmetric encryption are unique to each connection, based on a shared secret negotiated at the start of a session through a TLS handshake. The server and your browser negotiate the details of which encryption algorithm and cryptographic keys are used before data is transmitted. Negotiating a shared secret is secure (preventing eavesdropping) and reliable (no attacker can modify messages without being detected, preventing man-in-the-middle attacks).

The identity of communicating parties can be authenticated using public-key cryptography. Public keys are disseminated widely, and private keys are only known to the owner. People can encrypt a message using the receiver’s public key, but only the receiver’s private key can decrypt it. Authentication can be optional but is generally required for at least one of the parties (typically the server).

The connection is reliable because each transmitted message has integrity checked using a message authentication code (MAC), preventing undetected loss or manipulation of data. A MAC is a short piece of information used to confirm the message came from the stated sender and has not been changed. This protects data integrity and authenticity.
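The integrity property above can be modeled in a few lines. This is an added example, not code from the original article, and it is a simplified model rather than the actual TLS record format: the class name `RecordMAC`, the sample payloads, and the use of HMAC-SHA256 over a sequence number plus payload are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


class RecordMAC:
    """One direction of a connection: a session MAC key plus a record counter."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0  # implicit sequence number, never sent on the wire

    def _tag(self, payload: bytes) -> bytes:
        # Covering the counter makes dropped or reordered records fail too.
        data = struct.pack(">Q", self.seq) + payload
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()

    def protect(self, payload: bytes) -> bytes:
        record = payload + self._tag(payload)
        self.seq += 1
        return record

    def accepts(self, record: bytes) -> bool:
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        # Constant-time comparison: do not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, self._tag(payload)):
            return False  # a real TLS endpoint would abort the connection here
        self.seq += 1
        return True


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed stand-in for the negotiated secret
    sender, receiver = RecordMAC(key), RecordMAC(key)
    r0, r1, r2 = (sender.protect(m) for m in (b"GET /account", b"amount=10", b"logout"))
    other_session = RecordMAC(secrets.token_bytes(32))
    return {
        "intact_accepted": receiver.accepts(r0),
        "tampered_accepted": receiver.accepts(b"amount=99" + r1[-TAG_LEN:]),
        "after_drop_accepted": receiver.accepts(r2),  # r1 never arrived
        "other_session_accepted": other_session.accepts(r0),
    }
```

Only the untouched, in-order record from the same session is accepted; the modified record, the record that follows a lost one, and a record replayed into a session with a different key all fail the check.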

In addition, the configuration of TLS can provide additional privacy-related benefits like forward secrecy. Forward secrecy ensures future disclosure of session keys only compromises a particular session. This is achieved by generating a unique key for each session, so the compromise of a single session key cannot affect the data exchanged in any other session.

What is Hypertext Transfer Protocol Secure (HTTPS)?

Hypertext Transfer Protocol Secure (HTTPS) is an extension of Hypertext Transfer Protocol (HTTP). It is used to securely transfer data over a network. In HTTPS, the communication is encrypted using TLS.

HTTPS provides authentication of the accessed website, protecting the privacy and integrity of exchanged data. It also protects against man-in-the-middle attacks such as eavesdropping and tampering with transmitted data. Because HTTPS piggybacks HTTP on top of TLS, the entire HTTP protocol is encrypted, including the requested URL (the specific page requested), query parameters, headers, and cookies (which often contain identifying information about the user).

The one thing that eavesdroppers can see is the website address and port numbers which are part of TCP/IP protocols and not protected by HTTPS. This means an eavesdropper can infer the IP address and port number of a web server (the domain name but not the specific page) that you are communicating with, as well as the amount of data transferred and session time.

Modern web browsers know which HTTPS websites to trust based on pre-installed certificate authorities. Certificate authorities like Let’s Encrypt are trusted to provide valid certificates. This means HTTPS connections are only trusted if all the following are true:

You trust your web browser correctly implements HTTPS with valid certificate authorities.

You trust the certificate authority will only vouch for legitimate websites.

The website you visit provides a valid certificate signed by a trusted certificate authority.

The SSL certificate correctly identifies the website and not another entity.

You trust SSL/TLS is sufficient to protect against eavesdroppers.
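The check that a certificate identifies the requested website and is inside its validity period looks roughly like this. It is an added example, not code from the original article: the function names and `SAMPLE_CERT` are constructed for illustration, the certificate is in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and verifying the signature chain up to a trusted certificate authority is left to the TLS library.

```python
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one DNS name from a certificate with the requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    # A wildcard is honoured only as the whole leftmost label, and never
    # directly under a top-level domain (for example "*.com").
    if p_labels[0] == "*" and len(p_labels) > 2 and h_labels[0]:
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    return p_labels == h_labels


def certificate_problems(cert: dict, hostname: str, now: float) -> list:
    """Return reasons to distrust `cert` for `hostname`; empty means it fits."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(name, hostname) for name in names):
        problems.append("certificate identifies another entity")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not valid yet")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems


# Constructed sample, not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Apr 09 23:59:59 2024 GMT",
}
```

A hostname such as `example.com.login.test` merely contains the certified name and is rejected, as is `a.b.example.com`, because the wildcard covers exactly one label.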
