Secure sockets layer (SSL) is a networking protocol designed for securing connections between web clients and web servers over an insecure network, such as the internet. Netscape formally introduced the SSL protocol in 1995, making it the first widely used protocol for securing online transactions between consumers and businesses. It eventually came to be used to secure authentication and encryption for other applications at the network transport layer.
Numerous issues with SSL caused the Internet Engineering Task Force (IETF) to stop advising its use in 2015. The Transport Layer Security (TLS) protocol took its place. While TLS has replaced SSL as the standard for safeguarding internet connections, SSL is still in use today, mostly in legacy systems.
SSL was used at the network transport layer to authenticate and encrypt other applications in addition to protecting internet connections. In most cases, SSL was used to protect communications between a web browser (client) and a website (server). It made it easier for customers and businesses to transact safely, laying the groundwork for e-commerce. Without SSL, a threat actor could intercept data being sent to and from a website.
SSL uses public key and private key encryption and other cryptographic functions to secure connections between devices communicating over a TCP/IP network. SSL can scramble clear text entered on a website using asymmetric cryptography and public key encryption. It is just one of the ways in which public key infrastructure (PKI) is used by modern businesses.
How the SSL certificate is obtained
The SSL protocol process starts with a company acquiring a valid SSL certificate from a trusted certificate authority (CA). The purpose of the SSL certificate is to confirm to the user and the web browser they’re using that they are interacting with the desired web server and not an imposter.
Let’s imagine that Brand A, a business, wants to build a safe website where customers can order its goods without having to worry about their personal information being stolen. Company A chooses to use SSL on their website. To obtain an SSL certificate for its website, company works with a reliable CA like Comodo SSL or DigiCert.
The digital certificate includes the following:
- the person, organization or device to which the certificate was issued;
- the certificate thumbprint — a hash of all the certificate data and its signature;
- the SSL or TLS version being used;
- the domain name it was issued under;
- any associated subdomains
- the name of the CA issuing it;
- the CA’s digital signature;
- the certificate’s issue and expiration dates;
- the public key; and
- an associated private key that is kept secret.
Steps involved in the secure sockets layer process
There are several steps involved in the SSL process, including the following:
- Initial connection. When a user — say a customer — logs onto Brand A’s website, the web browser indicates to Brand A’s server that a user wants to establish a private connection. After receiving this notification, the Brand A server sends over its SSL certificate, which includes its public key.
- Certificate authentication. Brand A’s server presents its SSL certificate as part of the initial handshake procedure to authenticate itself to the client. That would be the customer’s web browser in this instance. Server certificates adhere to the Public Key Cryptography Standards’ 509 certificate format. In order to confirm that the user is communicating with the intended server, the web browser examines the certificate. To validate a digital certificate and ensure that a server is who it says it is, public key encryption is utilized. In order to speed up the process, the majority of web browsers will implicitly trust SSL certificates that have been issued by a CA.
- Once the browser, or client, has authenticated the web server and its certificate, it encrypts the user’s message using Brand A’s public key. The message is then sent to Brand A’s server.
- Brand A’s server decrypts the message using its own private key. The message includes a symmetric session key to establish a two-way handshake between the two entities.
- Cipher settings and shared encryption key. Once the server has been authenticated, the client and server establish cipher settings and a shared key to encrypt the information they exchange during the remainder of the session. This provides data confidentiality and integrity. This process is invisible to the customer. For example, if a webpage requires an SSL connection, the URL will change from HTTP to HTTPS, and a padlock icon will appear in the browser once the server has been authenticated.
- Client authentication. The handshake also allows the client to authenticate itself to the server. In this case, after server authentication is complete, the client must present its certificate to the server to authenticate the client’s identity before the encrypted SSL session can be established.
Types of SSL certificates
The three types of SSL certificates that can be obtained are: Extended Validation (EV SSL), Organization Validated (OV SSL) and Domain Validated (DV SSL). Their encryption levels are the same, but the processes used to verify applicants for the certificates differs. Some of the differences include the following:
- EV SSL verifies the existence and identity of the entity making the application and its right to use the domain it is applying under. A range of supplemental documents are required to get one, as well as background checks. It can take five or more business days to get this certificate.
- OV SSL validates right of the applicant to use the domain and does some vetting of the organization. It can take two to five days to obtain.
- DM SSL verifies the person submitting the request. Company information is not checked. It requires only email or internet confirmation of the request. It can be obtained in a few hours.
Secure Socket Layer Protocols:
- SSL record protocol
- Handshake protocol
- Change-cipher spec protocol
- Alert protocol
SSL Protocol Stack:
SSL Record Protocol:
SSL Record provides two services to SSL connection.
- Message Integrity
The SSL Record Protocol application divides data into smaller pieces. The fragment is compressed before having a MAC (Message Authentication Code) that has been encrypted and created using the Secure Hash Protocol (SHA) and the Message Digest (MD5) algorithms attached. After that, the data is encrypted, and at the conclusion, an SSL header is inserted to the data.
Handshake Protocol is used to establish sessions. This protocol allows the client and server to authenticate each other by sending a series of messages to each other. Handshake protocol uses four phases to complete its cycle.
- Phase-1: In Phase-1 both Client and Server send hello-packets to each other. In this IP session, cipher suite and protocol version are exchanged for security purposes.
- Phase-2: Server sends his certificate and Server-key-exchange. The server end phase-2 by sending the Server-hello-end packet.
- Phase-3: In this phase, Client replies to the server by sending his certificate and Client-exchange-key.
- Phase-4: In Phase-4 Change-cipher suite occurred and after this Handshake Protocol ends.
This protocol uses the SSL record protocol. Unless Handshake Protocol is completed, the SSL record Output will be in a pending state. After the handshake protocol, the Pending state is converted into the current state.
Change-cipher protocol consists of a single message which is 1 byte in length and can have only one value. This protocol’s purpose is to cause the pending state to be copied into the current state.
This protocol is used to convey SSL-related alerts to the peer entity. Each message in this protocol contains 2 bytes.
The level is further classified into two parts:
Warning (level = 1):
This Alert has no impact on the connection between sender and receiver. Some of them are:
Bad certificate: When the received certificate is corrupt.
No certificate: When an appropriate certificate is not available.
Certificate expired: When a certificate has expired.
Certificate unknown: When some other unspecified issue arose in processing the certificate, rendering it unacceptable.
Close notify: It notifies that the sender will no longer send any messages in the connection.
Fatal Error (level = 2):
This Alert breaks the connection between sender and receiver. The connection will be stopped, cannot be resumed but can be restarted. Some of them are :
Handshake failure: When the sender is unable to negotiate an acceptable set of security parameters given the options available.
Decompression failure: When the decompression function receives improper input.
Illegal parameters: When a field is out of range or inconsistent with other fields.
Bad record MAC: When an incorrect MAC was received.
Unexpected message: When an inappropriate message is received.
The second byte in the Alert protocol describes the error.
Silent Features of Secure Socket Layer:
- The advantage of this approach is that the service can be tailored to the specific needs of the given application.
- Secure Socket Layer was originated by Netscape.
- SSL is designed to make use of TCP to provide reliable end-to-end secure service.
- This is a two-layered protocol.