What is SSL/TLS Certificate?
SSL or TLS (Transport Layer Security) certificates are data files that bind a cryptographic key to the details of an organization. When SSL/TLS certificate is installed on a web server, it enables a secure connection between the web server and the browser that connects to it. The website’s URL is prefixed with “https” instead of “http” and a padlock is shown on the address bar. If the website uses an extended validation (EV) certificate, then the browser may also show a green address bar.
What is SSL used for?
The SSL protocol is used by millions of online business to protect their customers, ensuring their online transactions remain confidential. A web page should use encryption when it expects users to submit confidential data, including personal information, passwords, or credit card details. All web browsers have the ability to interact with secured sites so long as the site’s certificate is issued by a trusted CA.
Why do I need SSL certificate?
The internet has spawned new global business opportunities for enterprises conducting online commerce. However, that growth has also attracted fraudsters and cyber criminals who are ready to exploit any opportunity to steal consumer bank account numbers and card details. Any moderately skilled hacker can easily intercept and read the traffic unless the connection between a client (e.g. internet browser) and a web server is encrypted.
How Does SSL Work?
The following graphic explains how SSL Certificate works on a website. The process of how an ‘SSL handshake’ takes place is explained below:
An end-user asks their browser to make a secure connection to a website (e.g.https://www.example.com)
The browser obtains the IP address of the site from a DNS server then requests a secure connection to the website.
To initiate this secure connection, the browser requests that the server identifies itself by sending a copy of its SSL certificate to the browser.
The browser checks the certificate to ensure:
That it is signed by a trusted CA
That it is valid – that it has not expired or been revoked
That it confirms to required security standards on key lengths and other items.
That the domain listed on the certificate matches the domain that was requested by the user.
When the browser confirms that the website can be trusted, it creates a symmetric session key which it encrypts with the public key in the website’s certificate. The session key is then sent to the web server.
The web server uses its private key to decrypt the symmetric session key.
The server sends back an acknowledgement that is encrypted with the session key.
From now on, all data transmitted between the server and the browser is encrypted and secure.