What Is SSL?

Article by Lee Clemmer, published Jun 9, 2009

We all have heard about the need for security while browsing the Web. We've been told that we need to "use SSL" to be sure that our purchases online or our personal information are protected. But what exactly is SSL? This article explains it in terms anyone can understand.

Secure Our Internet Connections? How?

We secure network connections between computers using encryption. If you're not sure what that means, check out my article: What Is Encryption. It's not as hard to understand as it might seem. SSL can be used for much more than just Web browsing: it works with almost any kind of TCP connection, including e-mail, other messaging, and file and data transfer. The latest incarnation of SSL has changed names--it's now called TLS. TLS has a few new features to make it more secure. SSL version 3 is what's used by most SSL-enabled applications now, because the older version, SSL v2, was found to have some problems. You generally won't need to know these details or which version you're using, but it is important to know that older browsers and older programs may not support the newest and most secure version of SSL.

SSL: Secure Sockets Layer

SSL uses PKI (Public Key Infrastructure) to provide security by verifying the identity of the server you're connecting to. PKI may sound like another confusing acronym to you, but it's the core of what makes SSL work to secure network connections, so bear with me. As we mentioned already, when we're connecting with SSL, we're using encryption. Once our session is encrypted, the data we send and receive during that session is secure. If someone eavesdrops electronically, they won't be able to see what data we're sending and receiving because it's encrypted. It's possible to crack this encryption, but it's difficult.

The second thing that SSL provides in this connection is authenticity. Authenticity in this case means that we have assurance that the server we're connecting to is who it says it is. This assurance is something that's not immediately obvious as a benefit, but it's important. The web server's certificate includes public keys verifiable by a certificate authority (CA) server (or servers) that are listed in our browser's configuration. The server encrypts information using its private key. We can decrypt the information using its public key. When we encrypt information using its public key, however, it can't be decrypted by just anyone else with that public key. That wouldn't be secure, since anyone could get the public key from the key server. The server uses its private key to decrypt the encrypted information. The actual math used is complex, so we won't go into that here. The important thing is that this information is then used to continue the encrypted communication.
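
The public/private key relationship and the CA check described above, worked through with toy numbers. This is an added example, not part of the original article: the tiny primes, the key values and every function name are constructed for illustration (the name my.bank.com is borrowed from the article's URL example), and it uses textbook RSA with no padding, which is far too small and simple for real use.

```python
import hashlib

def make_keypair(p, q, e=17):
    """Toy RSA key pair from two small primes (constructed values, insecure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)        # (public, private)

def apply_key(key, value):
    """The single RSA operation: value ** exponent mod n."""
    exponent, n = key
    return pow(value, exponent, n)

def fingerprint(name, public_key, modulus):
    """Reduce a server name plus its public key to a number below modulus."""
    data = f"{name}|{public_key[0]}|{public_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_certificate(ca_private, name, server_public):
    """CA side: vouch for (name, public key) using the CA's private key."""
    signature = apply_key(ca_private, fingerprint(name, server_public, ca_private[1]))
    return {"name": name, "public_key": server_public, "signature": signature}

def verify_certificate(cert, ca_public, expected_name):
    """Browser side: check the name, then the CA's signature with the CA's public key."""
    if cert["name"] != expected_name:
        return False
    expected = fingerprint(cert["name"], cert["public_key"], ca_public[1])
    return apply_key(ca_public, cert["signature"]) == expected

# Constructed sample keys; real keys are hundreds of digits long.
CA_PUBLIC, CA_PRIVATE = make_keypair(1009, 1013)   # CA_PUBLIC sits in the browser's CA list
SERVER_PUBLIC, SERVER_PRIVATE = make_keypair(61, 53)
CERT = issue_certificate(CA_PRIVATE, "my.bank.com", SERVER_PUBLIC)

def connect(cert, expected_name, secret=1234, challenge=99):
    """Walk through one connection; returns what each party ends up seeing."""
    if not verify_certificate(cert, CA_PUBLIC, expected_name):
        return {"trusted": False}
    sent = apply_key(cert["public_key"], secret)        # browser encrypts with public key
    proof = apply_key(SERVER_PRIVATE, challenge)        # server answers with private key
    return {
        "trusted": True,
        "on_the_wire": sent,
        "eavesdropper_sees": apply_key(cert["public_key"], sent),  # public key can't undo it
        "server_recovers": apply_key(SERVER_PRIVATE, sent),
        "server_proved_identity": apply_key(cert["public_key"], proof) == challenge,
    }

if __name__ == "__main__":
    print(connect(CERT, "my.bank.com"))
```

Only the holder of the private key gets the secret back, and a certificate whose name or signature does not check out against the CA's public key is rejected before any secret is sent.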

How Do I Know I'm Using It?

In most browsers there will be an icon present that looks like a closed lock when you're connected via SSL. The other big clue is that your URL (what you typed in or clicked on to get to the web site) in your web browser should start with https. For example, the URL should say something like: https://my.bank.com, not http://my.bank.com. If you don't see that lock icon in Internet Explorer or Firefox, and you don't see https in the URL, you can be sure that you're not using SSL. It can become a habit to assume that you've got a secure connection, but don't assume--check when you connect with a site or server that you want to communicate securely with.

 