How Does SSL Certificate Work? Understanding HTTPS Security
Learn how SSL certificates make HTTPS websites secure through asymmetric and symmetric encryption, digital signatures, and the TLS protocol. Complete guide to web security.
We know that HTTPS in the website URL (Uniform Resource Locator) makes a website more secure. But have you ever thought about what makes an HTTPS website more secure than an HTTP website? It is the SSL certificate that makes the HTTPS website more secure.
Types of Encryption
Before understanding how it works, we need to learn the types of encryption:
1. Symmetric Encryption
In this type, a single key both encrypts and decrypts the data.
2. Asymmetric Encryption
In this type, we have two keys: public and private keys.
- The public key encrypts the data, whereas the private key decrypts the data
- The public key can be accessed by anyone, but we need to keep the private key safe and ensure it isn't shared with anyone
How SSL Certificates Work
The SSL certificate is issued by a third-party authority to ensure secure communication and authenticate the ownership of the domain. The authority can charge money for this service, but some provide it for free as well, for example Let's Encrypt.
The Certificate Issuance Process
The issuing authority creates a hash of the server's public key using a cryptographic hash function. The hash and the other information on the certificate are then encrypted using the authority's private key; the result is referred to as the digital signature on the SSL certificate.
The Handshake Process
The client initiates the handshake by sending a "Client Hello" message to the server to establish the connection between server and client. The process works as follows:
- The client produces the hash for the server's public key using the same function the issuing authority used
- It decrypts the digital signature of the SSL certificate using the issuing authority's public key
- It compares both hash values
Two outcomes are possible:
- If both values match: the response is coming from an authenticated server and was not altered by anyone in transit
- If the values don't match: the response has been tampered with in transit
Secure Communication
If the connection is established successfully, further communication uses symmetric encryption with shared secret keys that are set up during connection establishment and are possessed by both the server and the client.
Important Note: The shared secret keys aren't directly exchanged; they are generated through a process. The symmetric encryption ensures data integrity and authenticity for the messages once the connection is established.
Understanding Digital Signatures
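Now, you may be wondering: in asymmetric encryption, the public key is used to encrypt the data and the private key is used to decrypt the data. But in the case of verifying the signature, encryption of the server's public key is done using the CA's private key, and decryption happens with the CA's public key. The key pair works in both directions: a value produced with the private key can be checked by anyone holding the matching public key, and because only the CA holds the private key, a successful check shows that the signature came from the CA.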
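The issuance and handshake checks described above, and the private-key-signs, public-key-verifies direction discussed in this section, can be run end to end. This is an added example, not code from the original article: it uses textbook RSA with a constructed toy key and no padding (real certificates use padded RSA signatures or ECDSA), and the certificate strings and function names are hypothetical.

```python
import hashlib

# Constructed toy CA key (textbook RSA, no padding). The primes are the
# Mersenne primes 2**31-1 and 2**61-1: far too small for real use and chosen
# only so the arithmetic stays visible.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                            # public modulus; (N, E) is the CA public key
D = pow(E, -1, (P - 1) * (Q - 1))    # CA private exponent (Python 3.8+)

def digest(cert_body: bytes) -> int:
    """Hash the certificate data and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(cert_body).digest(), "big") % N

def ca_sign(cert_body: bytes) -> int:
    """Issuance: the CA transforms the hash with its private key."""
    return pow(digest(cert_body), D, N)

def client_verify(cert_body: bytes, signature: int) -> bool:
    """Handshake check: recover the hash with the CA public key, then
    compare it with a hash the client computes itself."""
    recovered = pow(signature, E, N)
    return recovered == digest(cert_body)

# Constructed sample certificate data (hypothetical domain and key strings).
CERT = b"subject=example.test;server_public_key=constructed-key-A"
FORGED = b"subject=example.test;server_public_key=constructed-key-B"
SIG = ca_sign(CERT)

if __name__ == "__main__":
    print("genuine certificate:", client_verify(CERT, SIG))
    print("swapped public key: ", client_verify(FORGED, SIG))
    print("altered signature:  ", client_verify(CERT, SIG ^ 1))
```

Only the holder of D can produce a value that verifies under (N, E), which is why a certificate with a swapped public key fails the comparison even though the signature itself is untouched.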
SSL vs TLS Protocols
For a deeper understanding, let's look at the SSL and TLS protocols:
SSL (Secure Sockets Layer)
SSL stands for Secure Sockets Layer, a protocol developed by Netscape to protect user privacy by encrypting data in transit so that it cannot be understood by anyone who intercepts it. It is now deprecated because of major security concerns.
TLS (Transport Layer Security)
SSL has been replaced by TLS, which stands for Transport Layer Security and was developed by the Internet Engineering Task Force. The two terms are used interchangeably by users and organizations, but the protocols differ at the protocol level.
Conclusion
I hope you understand the concept well. SSL certificates and TLS protocols are fundamental to modern web security, ensuring that our data remains private and authenticated during transmission.