SSL (Secure Sockets Layer) encrypts the network traffic between the server and the client, mainly with symmetric encryption algorithms such as RC4 or IDEA, and encrypts the session key for RC4 or IDEA using the public-key encryption algorithm RSA.
What is the SSL Protocol?
Secure Socket Layer is a general protocol system designed by Netscape Communications Corporation in 1994 and is based on the joint use of symmetric cryptography, asymmetric cryptography (public key), digital certificates, and digital signatures to create secure channels over the Internet.
Symmetric cryptographic systems are used for data transmission to take advantage of their speed while protecting data privacy, and asymmetric systems are used for the secure exchange of the symmetric keys.
When connected to a secure server, SSL informs the browsers that the traffic is secure via a green padlock in the upper left and checks the information contained in the digital certificate to ensure that it is a secure server.
SSL provides a secure environment for data such as credit card information, as it transmits information sent via a secure form to the server in encrypted form.
In short, the purpose of SSL is to provide a secure connection between Internet browsers and websites and to transmit private data securely online.
SSL provides a secure layer using a negotiation protocol to establish secure communication at the socket level between the user and the server to which the user wants to connect.
The identity of the secure web server is verified by checking the validity of its Digital Certificate before privacy-sensitive data is exchanged, and the Digital Signature is used to ensure the integrity and authentication of all data sent and received.
SSL creates additional security at the protocol layer by encrypting data going out from the application layer before it is partitioned at the transport layer and encapsulated and sent by sublayers.
It can split large blocks into pieces, apply compression algorithms to the data to be sent, and reassemble the pieces at the receiver.
SSL, which is implemented in OSI and TCP/IP reference models, is located between the Application Layer and the Transport layer and acts as an additional layer by configuring the operating system sockets, often using port 443.
The most current version of SSL is 3.0. It uses symmetric DES, TRIPLE DES, RC2, RC4 and IDEA encryption algorithms, asymmetric RSA, MD5 hash function, and SHA-1 signature algorithm.
How Does It Work?
SSL uses a negotiation protocol to establish secure communication at the socket level, transparently to users and applications.
When the client requests secure communication from the secure server, the server creates an encrypted port that is managed by software called the SSL Record Protocol, located on top of TCP.
Secure communication is established between the client and the server with the SSL Handshake Protocol, which uses the SSL Record Protocol and the open port.
While the SSL Handshake Protocol is running, the client and server exchange a series of messages to negotiate security enhancements. In the first stage, the algorithms used for privacy protection and authentication are examined.
As information about the keys is exchanged, the key exchange phase begins so that both parties eventually share a master key. A key is then created to secure data transmission between client and server.
In the server verification phase, RSA is used as the key exchange algorithm to authenticate the server for the client. If authentication is required for the client, the client authentication phase is initiated, during which the server requests an X.509 certificate from the client. Finally, a secure session is established between the client and the server.
SSL Record Protocol specifies the method of encapsulation of transmitted and received data. The data portion of the protocol has three components, MAC-DATA (the authentication code of the message), ACTUAL-DATA (application data to be transmitted), and PADDING-DATA (data required to fill the message when using block encryption).
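The three-part layout described above can be shown as a short added example (not code from the original page). It builds and checks a record before encryption; the keyed-MD5 construction, the sequence number, and passing the padding length alongside the record are assumptions made for illustration, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

BLOCK = 8      # block size of DES, Triple DES and IDEA, the block ciphers the page lists
MAC_LEN = 16   # MD5 digest length in bytes

def _mac(secret, actual, padding, seq):
    # Assumed construction: hash over secret, data, padding and a sequence number.
    return hashlib.md5(secret + actual + padding + struct.pack(">I", seq)).digest()

def build_record(secret, actual, seq):
    """Return (MAC-DATA || ACTUAL-DATA || PADDING-DATA, pad_len)."""
    pad_len = -(MAC_LEN + len(actual)) % BLOCK   # fill up to a block multiple
    padding = bytes(pad_len)
    return _mac(secret, actual, padding, seq) + actual + padding, pad_len

def parse_record(secret, record, pad_len, seq):
    """Split a decrypted record into its parts and verify the MAC."""
    if len(record) % BLOCK or len(record) < MAC_LEN + pad_len:
        raise ValueError("bad record length")
    end = len(record) - pad_len
    mac, actual, padding = record[:MAC_LEN], record[MAC_LEN:end], record[end:]
    # Constant-time comparison so the check does not leak where the MAC differs.
    if not hmac.compare_digest(mac, _mac(secret, actual, padding, seq)):
        raise ValueError("MAC mismatch")
    return actual

if __name__ == "__main__":
    key = b"k" * 16                              # constructed sample key
    rec, pad = build_record(key, b"amount=100", seq=0)
    print(len(rec), pad, parse_record(key, rec, pad, seq=0))
```

Because the sequence number is part of the MAC input, a record replayed at a different position fails verification in the same way as a modified one.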
Why Is It Used?
The SSL protocol is used by millions of e-commerce websites and banking systems to protect their customers and keep their online transactions confidential.
A web page that requires confidential data such as credit card details, passwords, or personal information should use SSL encryption to maximize security.
As long as a website's certificate comes from a certificate authority recognized by web browsers, such as Comodo, Cloudflare, or Let’s Encrypt, both shopping and money transfers can be made securely on that site.
Why Is It Necessary?
The Internet has created new global business opportunities for companies doing business online, but this growth has also attracted scammers and cybercriminals who attempt all kinds of attacks, such as theft of bank account numbers and credit card information.
If the connection between a computer and a large website is not encrypted, data traffic can be easily intercepted by any moderately skilled attacker.
It is extremely necessary to use SSL in order to prevent such attacks on online platforms and to prevent the private data of users entered in online transactions from being obtained by someone else.
How to Issue Certificates to Websites?
SSL certificates are issued to websites by a CA (Certificate Authority).
A CA issues a certificate after examining and confirming the identity of the company requesting the certificate and the requesting person’s information on the certificate.
Certificates issued to a website are tied to the CA's Trusted Root certificate, and these root certificates are added to the Certificate Store in popular browsers such as Google Chrome, Mozilla Firefox, Opera, and Internet Explorer.
Any of these browsers will allow an HTTPS connection to be established when it finds that the website's certificate belongs to a root in the certificate store.
If no such certificate is found for a website, the end-user is warned that the connection is unsafe and not to enter any private information.
These certificates are issued to legally responsible companies or individuals and can often include domain name, company name, address, city, state, and country information. They may also contain information about the certificate authority that issued the certificate, as well as the issue date and expiration date.
When a browser tries to establish an HTTPS connection to a website, the browser obtains the certificate of the website and checks that it has not expired and belongs to a root in the certificate store.
If any of these checks fail during the check phase, the browser displays a warning to the end-user.
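The checks described above (validity period, name match, and a root in the trust store) can be written out as an added example that is not part of the original page. The sample certificate, host names, and the 30-day renewal threshold are constructed for illustration, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",   # 90-day lifetime
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}

def validity_status(cert, now, renew_days=30):
    """Classify the validity window at `now` (an aware datetime)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    days_left = int((end - ts) // 86400)
    if ts < start:
        return "not_yet_valid", days_left
    if ts > end:
        return "expired", days_left
    return ("renew_soon" if days_left <= renew_days else "valid"), days_left

def covers_host(cert, host):
    """True if a DNS subjectAltName matches host (exact, or '*.' for one label)."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def verifying_context():
    """Client context that enforces the trust-store and host name checks."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL 3.0 and early TLS
    return ctx

if __name__ == "__main__":
    print(validity_status(SAMPLE_CERT, datetime(2024, 3, 15, tzinfo=timezone.utc)))
```

Run on a schedule against the certificate a server actually presents, the `renew_soon` result gives advance notice before a 90-day certificate lapses.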
Differences According to the Use of Certificates
There may be major differences depending on the usage of the certificates used in online platforms. These differences are the validity period of the certificate, the creation and management of the certificate, the independent operability of the certificate, and the address names of the certificate in browsers.
Certificate Validity Period
The key difference between paid and free certificates is the validity period. Most paid certificates can be used actively for 12-24 months, while free ones usually expire after 90 days, at which point the browser alerts the user. At this expiration, the renewal of the free certificate requires manual action.
Certificate Creation and Management
If payment has been made for a certificate, the owner is entitled to access the necessary tools for creating and managing it. With free certificates, the management tools cannot be accessed, so these operations are performed manually by the user for a certain period of time.
Independent Operability of the Certificate
A free SSL/TLS certificate is created for only one domain address, but different projects can be created with a paid certificate.
Names of the Certificate at Address Location in Browsers
If web-based projects or e-commerce websites created are protected with a special and paid certificate, the company name is displayed in the address bar of the browsers. This feature cannot be obtained with a free certificate.
Differences Between Paid and Free Certificates
Free SSL Certificate | Paid SSL Certificate
They are valid for only one domain. | They can be used for different projects.
They do not apply to companies. | They apply to companies and some projects.
They offer basic security. | They offer more security.
You have to handle the certificate management yourself. | They have some tools for managing the SSL certificate.
Usually, they are only valid for three months. | They are generally valid between 12 and 24 months.
Not all browsers can recognize these certificates. | They are recognized by all browsers.
Users can see HTTPS, but the certificate is not visible to users. | Users can view both HTTPS and the certificate.
Encryption is a must for confidential and private transactions such as online e-commerce or banking. Ensuring this encryption process and security, the SSL protocol protects people’s information and initiates a secure process on online shopping platforms.
An SSL certificate gives confidence to users viewing a website and increases the company’s growth potential as online platforms can trust their customers more.
It is a great advantage that SSL works independently of computer operating systems: it does not matter what type of browser is used, and since there is no need for any additional software, anyone can establish a secure, encrypted connection to websites without any restrictions.
SSL certificates are of great importance today, but they have a small disadvantage. The loading time of a website greatly affects the user experience, and a server secured with SSL takes longer to load web pages.
If a website has heavy firewall rules or certain restrictions, it may take longer to establish an HTTPS connection with an SSL certificate, resulting in increased web page viewing time, which may be a disadvantage for some users.
Therefore, online platforms should be configured with both their security and their loading times in mind.