Before diving into the many benefits and uses of SSL Certificates, it may be helpful to understand the underpinning technology. This article provides a brief history lesson on how Secure Socket Layer (SSL) has evolved into Transport Layer Security (TLS) and a simple explanation of how the protocol works.
What is SSL?
SSL is the original name of the cryptographic protocol for authenticating and encrypting communications over a network. Officially, SSL was replaced by an updated protocol called TLS some time ago.
SSL to TLS Timeline
The following is a timeline of how SSL has changed over time:
- SSL is a security protocol developed by Netscape in the 90s for encrypting and securing communications over the internet. SSL v1.0 was never released due to security issues.
- In 1995, Netscape released SSL v2.0, but it still had many flaws.
- SSL v3.0 released in 1996 and addressed the problems of SSL v2.0. This version offered incredible improvements and forever changed the way the internet works. However, as of 2015, SSL 3.0 and prior versions have been deprecated.
- TLS was developed by the Internet Engineering Task Force (IETF) as an improvement on SSL; TLS v1.0 released in 1999 and based on SSL v3.0, with minor security improvements still significant enough that SSL v3.0 and TLS v1.0 did not interoperate.
- TLS v1.1 came out seven years later in 2006 and was replaced by TLS v1.2 shortly afterward, in 2008. That hurt TLS v1.1 adoption as many websites upgraded from TLS v1.0 directly to TLS v1.2. 11 years later, we are now at TLS v1.3.
- TLS v1.3 finalized in 2018 and after nearly 30 IETF drafts. TLS v1.3 makes significant improvements over its predecessors. Microsoft, Apple, Google, Mozilla, Cloudflare, and Cisco all have deprecated TLS v1.0 and TLS v1.1 as of March 2020. TLS v1.2 and TLS v1.3 are now the only SSL protocols still available.
So, in reality, TLS is simply a newer version of SSL. However, most people still say SSL instead of TLS. SSL and TLS serve the same purpose, protecting sensitive information during transmission, but under the hood, the cryptography has changed a lot from the original SSL to the latest TLS v1.3.
How does it Work?
The primary purpose of SSL is to provide a secure transport-layer connection between two endpoints, the server and the client. This connection is typically between a website server and the client's browser, or a mail server and the client's email application, such as Outlook.
SSL comprises two separate protocols:
- The Handshake protocol authenticates the server(and optionally the client), negotiates crypto suites, and generates the shared key.
- The Record protocol isolates each connection and uses the shared key to secure communications for the remainder of the session.
The Handshake Protocol
The SSL handshake is an asymmetric cryptography process for establishing a secure channel for server and client to communicate — HTTPS connections always begins with the SSL handshake.
A successful handshake takes place behind the client's browser or application, instantly and automatically — without disturbing the client user experience. However, A failed handshake triggers the termination of the connection, usually preceded by an alert message in the client's browser.
Provided the SSL is valid and correct, the handshake offers the following security benefits:
- Authentication: The server is always authenticated for as long as the connection is valid.
- Confidentiality: Data sent via SSL is encrypted and only visible to the server and client.
- Integrity: Digital Certificate Signatures ensure the data has not been modified during the transfer.
In particular, the client needs to verify that the SSL certificate is genuine and issued by a trusted party, and issued to the hostname it intended to contact. The server application and client browser usually handle this. The process can be simply explained in three steps:
- The client sends an initial message to the server, telling the server the supported TLS versions, cipher algorithms, compression methods. The server replies to the client with its public certificate and establishes the cipher suite algorithms to use. There are four algorithms in a cipher suite:
- Key Exchange Algorithm
- Digital Signature Algorithm
- Message Authentication Algorithm
- Hashing Algorithm
- If SSL client authentication is enabled, the server requests the client certificate and any intermediate certificates in the client's certificate chain. In any case, the client then verifies the server certificate, then ciphers and sends a new key to the server. The public/private key pair will not be used anymore after this step.
- After the end of the handshake, the client and the server now hold the same shared session key at both ends. As long as the session remains valid, data-in-transit will be encrypted using symmetric cryptography, as it's a more efficient method than asymmetric cryptography.
In summary, SSL certificates fundamentally work using a blend of asymmetric cryptography and symmetric cryptography for communications over the internet. There are also other infrastructures involved in achieving SSL communication in enterprises, known as Public Key Infrastructures.
Now you know the history of SSL and how it works, in general. The next step is to learn about SSL Certificates and how they are used to secure connections on the internet and in Public Key Infrastructures (PKI).