Know More About Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is the most widely used technology for providing secure communication between the web client and the web server. Most of us are familiar with sites such as Gmail, Yahoo etc. using the HTTPS protocol on their login pages. When we see this, we may wonder what the difference between HTTP and HTTPS is.
In simple words, the HTTP protocol is used for standard communication between the web server and the client. HTTPS is used for SECURE communication.
What exactly is a Secure Communication?
Suppose there exist two communicating parties: say A (client) and B (server).
Working of HTTP:
One of the most commonly used services on the Internet is the World Wide Web (WWW). The application protocol that makes the web work is the Hypertext Transfer Protocol, or HTTP. Do not confuse this with the Hypertext Markup Language (HTML). HTML is the language used to write web pages. HTTP is the protocol that web browsers and web servers use to communicate with each other over the Internet. It is an application-level protocol because it sits on top of the TCP layer in the protocol stack and is used by specific applications to talk to one another. In this case the applications are web browsers and web servers.
HTTP is a connectionless, text-based protocol. Clients (web browsers) send requests to web servers for web elements such as web pages and images. After the request is serviced by a server, the connection between client and server across the Internet is closed. A new connection must be made for each request. Most protocols are connection-oriented, meaning that the two computers communicating with each other keep the connection open over the Internet. HTTP, however, does not. Before an HTTP request can be made by a client, a new connection must be made to the server.
When you type a URL into a web browser, this is what happens:
- If the URL contains a domain name, the browser first connects to a domain name server and retrieves the corresponding IP address for the web server.
- The web browser connects to the web server and sends an HTTP request (via the protocol stack) for the desired web page.
- The web server receives the request and checks for the desired page. If the page exists, the web server sends it. If the server cannot find the requested page, it will send an HTTP 404 error message. (404 means 'Page Not Found' as anyone who has surfed the web probably knows.)
- The web browser receives the page back and the connection is closed.
- The browser then parses through the page and looks for other page elements it needs to complete the web page. These usually include images, applets, etc.
- For each element needed, the browser makes additional connections and HTTP requests to the server for each element.
- When the browser has finished loading all images, applets, etc. the page will be completely loaded in the browser window.
When A sends a message to B, the message is sent as plain text, in an unencrypted manner. This is acceptable in normal situations where the messages exchanged are not confidential. But imagine a situation where A sends a PASSWORD to B. In this case, the password is also sent as plain text. This is a serious security problem because, if an intruder (hacker) can gain unauthorised access to the ongoing communication between A and B, he can easily obtain the PASSWORDS, since they remain unencrypted. This scenario is illustrated in the following diagram:
Now let us see the working of HTTPS:
When A sends a PASSWORD (say “mypass”) to B, the message is sent in an encrypted format. The encrypted message is decrypted on B's side. So, even if the hacker manages to gain unauthorised access to the ongoing communication between A and B, he gets only the encrypted password (“xz54p6kd”) and not the original password. This is shown below:
How is HTTPS implemented?
HTTPS is implemented using Secure Sockets Layer (SSL). A website can implement HTTPS by purchasing an SSL Certificate. Secure Sockets Layer (SSL) technology protects a web site and makes it easy for the site visitors to trust it. It has the following uses:
1. An SSL Certificate enables encryption of sensitive information during online transactions.
2. Each SSL Certificate contains unique and authenticated information about the certificate owner.
3. A Certificate Authority verifies the identity of the certificate owner when the certificate is issued.
How Does Encryption Work?
Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt the information and the private key is used to decrypt it. When your browser connects to a secure domain, the server sends its public key to the browser to perform the encryption. The public key is made available to everyone, but the private key (used for decryption) is kept secret. So, during a secure communication, the browser encrypts the message using the public key and sends it to the server. This message is decrypted on the server side using the private key (secret key).
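To make the public-key / private-key split concrete, here is an added toy example in Python (not code from the article): the browser side encrypts the password “mypass” with the public key, an eavesdropper on the wire sees only the ciphertext, and only the holder of the private key gets “mypass” back. It assumes two small constructed primes and Python 3.8+ for pow(e, -1, phi); real certificates carry keys of 2048 bits or more with padding, and real SSL/TLS uses the public key only to set up a per-session symmetric key that then encrypts the traffic.

```python
from math import gcd

# Constructed toy primes (the classic textbook pair); real keys are far larger.
P, Q = 61, 53


def make_keypair(p=P, q=Q, e=17):
    """Return ((e, n), (d, n)): the public key is handed out, the private key stays on the server."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, message: bytes):
    """Browser side: encrypt with the server's PUBLIC key, one byte per block (toy only)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext):
    """Server side: recover the bytes with the PRIVATE key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def on_the_wire(ciphertext):
    """What an eavesdropper captures: the encrypted blocks as hex, not the password."""
    return " ".join(f"{c:04x}" for c in ciphertext)


def demo(password=b"mypass"):
    """Run the exchange once; returns (what the intruder sees, what the server recovers)."""
    public, private = make_keypair()
    ct = encrypt(public, password)
    return on_the_wire(ct), decrypt(private, ct)


if __name__ == "__main__":
    seen, recovered = demo()
    print("on the wire:", seen)
    print("server recovers:", recovered.decode())
```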
How to Identify a Secure Connection?
In Internet Explorer and most other browsers such as Firefox or Google Chrome, you will see a lock icon in the Security Status bar. The Security Status bar is located on the right side of the Address bar. You can click the lock to view the identity of the website.
In high-security browsers, the authenticated organization name is prominently displayed and the address bar turns GREEN when an Extended Validation SSL Certificate is detected. If the information does not match or the certificate has expired, the browser displays an error message or warning and the status bar may turn RED.
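The two conditions named above, the certificate's information not matching the site and the certificate having expired, are checks you can reproduce yourself; the Python below is an added example (not from the article) that runs them over a constructed peer certificate in the dict shape returned by ssl.SSLSocket.getpeercert(). It covers only the validity period and the hostname match; the CA signature chain, which a browser verifies separately, is out of scope here.

```python
import ssl
import time

# Constructed peer certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns; every value here is made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}


def name_matches(pattern, hostname):
    """Match one DNS name; '*' is accepted only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    parts = pattern.split(".")
    if parts[0] != "*" or len(parts) < 3:
        return False
    hparts = hostname.split(".")
    return len(hparts) == len(parts) and hparts[1:] == parts[1:]


def check_certificate(cert, hostname, now=None):
    """Return the problems a browser would flag; an empty list means the checks pass.

    `now` may be omitted (current time), a POSIX timestamp, or a certificate-style
    time string such as "Jun  1 00:00:00 2025 GMT".
    """
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    # Browsers match the hostname against subjectAltName; the subject CN is
    # only a legacy fallback when no SAN entries are present.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname!r} does not match {names}")
    return problems
```

Calling check_certificate(SAMPLE_CERT, "evil.com") reports the mismatch a browser would warn about, while the same certificate passes for "www.example.com" within its validity period.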
So, the bottom line is: whenever you perform an online transaction such as a credit card payment, bank login or email login, always ensure that you have a secure communication. A secure communication is a must in these situations. Otherwise there is a chance of a phishing attack using a fake login page.
I hope you like the information presented in this article. Please leave your comments.
This article gave me complete guidance about SSL and how it works in a real scenario. I really appreciate your efforts and the way you have tried to explain all the things in such a simple and easy way.