What Is SSL and Why Does Your Website Need It?

Posted on: August 21, 2019

Securing your web site is the most critical element in protecting your website and its customers from hackers and other cybercriminals. Securing the connection between your site and your visitors is the best way to prevent anyone from spying on your traffic and stealing sensitive information such as usernames, passwords, and credit card numbers.

To protect websites, web engineers use what’s known as a Secure Sockets Layer, or SSL, to safeguard the information being transmitted through the connection.

Why Do We Need So Much Security?

When the World Wide Web was first conceived, it was created by academics who didn’t concern themselves too much with online security. This isn’t their fault; they simply didn’t see the need for it at the time. Nowadays, there is literally nothing more important than security for anyone who owns a website. To combat this, engineers from a wide spectrum of internet technologies have devised several methods of online security that work at different levels to minimize the exposure of servers to attack. Much of these rely on securing the transmission of information, or data, in a way that only the intended recipients can view. In order to provide the security that the modern web requires, various methods have been implemented that are centered around cryptography, which is the science of encoding, or rendering messages illegible without a key to decode, or revert the coded message back into legible content.

Since a considerable portion of the traffic is between browsers and web servers, a robust and powerful method had to be devised so that the traffic can be secured without impacting the speed at which data was sent between recipients.

Understanding Web Traffic, Simplified

Every time you click on a link or submit a form on the Web, you create what’s known as a request. This request is then sent from your computer to the Web site you’re accessing, divided up into little bits called packets. It’s divided as a method of preventing data loss, since smaller packets are more likely to arrive. Once the request packets are received by the server, they’re reassembled into the complete request, which is then fulfilled.

When the packets are traveling from your computer to the destination server, they can be read by anyone who is connected to the path between the end points while the packets are on route. If information is transmitted in plain text, also called clear text, it can be read by anyone who can see the packets.

How can people see the packets? Most commonly, an unapproved computer is connected to your wifi or wired network, and programs called packet sniffers can see all of the traffic on the network. This can take the form of a compromised computer, or a small, unobtrusive device that was smuggled into the office and hooked into the network surreptitiously. Alternately, bad actors can set up a malicious computer or router somewhere that traffic is sent through and read the packets as they’re traveling through. This is also known as a man-in-the-middle attack. Attacks using a man-in-the-middle attempt to capture the traffic and respond as the server you were expecting to reach by sending bogus responses disguised to look real.

By using SSL, your browser and the server agree to scramble the messages they send back and forth with a special type of key, known as a cryptographic key. A cryptographic key is a long string of random characters that, when used to scramble, or encrypt, a message, only a matching key can unscramble, or decrypt it.

SSL, An Overview

The inner workings of SSL are intricate and complex. That doesn’t mean you shouldn’t have at least a basic understanding of what it is and how it works. As an example of how SSL works, the following is a human-style interaction between a browser and a server:

Browser: Knock knock. Request for you. Please open the package slot.

Server: I can’t let you use the mail slot unless you have a key. The package slot only takes packages that have been packaged and locked with a key.

Browser: I don’t have a key to send messages through the package slot, can you send one to me? Also, how do I know you’re the right Server?

Server: I’m going to send you two things. The first is proof that you’re really sending the package to the right Server, and then I’m going to give you a one-time key so you can then make a new, shared key we can both use to lock and unlock packages. Passes one-time key through package slot.

Browser: Okay, I’m going to use your one-time key to lock our shared key in a package. When you unlock it, we’ll be able to use the shared key for packages. Sends shared key in a package locked with the Server key.

Server: Sounds good. I’ve unlocked the package, and now we can use the shared key to lock and unlock messages.

Browser: Okay, I’m putting the message into a box and locking it. Since the package slot is so small, I’m going to chop it up into packets and slip them through one at a time. Starts sending packets through the mail slot.

Server: Once I have all of the packets, I’ll put it back together and then unlock the whole package with my copy of the shared key. I’ll send the response to your package through the package slot, also locked with our shared key.

Cybercriminal: I can see the packets that the Browser is pushing through the package slot to the server, and I can even see what’s written in the packets, but I can’t read what they say, they’re all gibberish – I’ve been foiled again!

While the following might seem over-simplified, it’s an accurate depiction of how a browser and server negotiate a secure connection. And even though it seems long-winded, the back-and-forth takes place within fractions of a second.

The certificate that the Server sends to the Browser in the example is tied exclusively to the domain name of the server, which is independently verified by another company. For instance, you the reader couldn’t set up an SSL certificate that uses the domain name Amazon.com, because you would have no way to prove that your server is actually the Amazon server. This connection between the server and the domain name of a web site is one of methods SSL uses to ensure the security of your web site.

The Business of SSL

In the above example, the server (which is your server), uses a certificate and cryptographic key in order to encrypt and decrypt messages with the browser. You get these components from a company that verifies the existence of your company, for which you pay a fee, that, at the time of writing, was around $100.

The companies that have built up their businesses as distributors of SSL certificates have gone to great lengths to be considered reputable for providing them. The alternative had been to create your own certificate, but these “self-signed” certificates are considered less trustworthy, since the only person willing to verify that you are who you say you are, is you. The market for obtaining SSL certificates was limited to buying a commercial certificate from a trusted SSL vendor.

That is, until the Electronic Frontier Foundation stepped in.

The Electronic Frontier Foundation, or EFF, is an organization dedicated to promoting the freedom of information on the Internet. They promote the development and distribution of free, Open Source software, and assist companies who do not have the legal means to defend themselves against corporations who take advantage of smaller companies.

A few years ago, the EFF took on the responsibility of issuing valid SSL certificates to anyone who wanted one, without having to pay for it. The mechanism they use to issue SSL certificates relies on the company being able to reliably prove that they are in control of the domain name for which they want an SSL certificate. This has lowered the barrier of entry for every single domain to receive an SSL certificate that is issued for that domain name. As a result, more and more traffic on the web has become encrypted, making it harder for malicious actors to intercept and read data packets that weren’t intended for them.

Typically, the companies who issue the certificates must they themselves be recognizable and accepted as valid certificate authorities. Because of the high profile and recognition of the EFF as an honest broker, their authority to provide SSL certificates has been accepted as beyond reproach.

Security Beyond Browsers

The fact that SSL certificates are used largely for encrypting web traffic doesn’t mean that it’s limited to that use exclusively. As long as you have an SSL program to encrypt and decrypt, you can use it to protect files that you want to keep secure. Fortunately, there is a number of powerful and freely available programs that your business can use to protect its most important data assets, so even if your network is compromised, the data will be encrypted and useless to anyone who doesn’t have the password.

More and more companies are relying on cryptographic methods for securing their information. Modern cryptography programs are designed to encrypt whole directories or even entire disk drives with little effort on the part of the user. In this way, even if a computer is stolen from an office or lost in a taxi, the data that is present on the computer is safe from all but the most determined cyber thieves.

SSL Is Good for Business

Every day the news is full of reports of companies that have been compromised by malicious attacks on their networks. While many of the newsworthy ones are about large companies targeted by well-coordinated bad actors, many smaller, less notable websites are successfully penetrated.

The first place attackers are going to start looking when they have you in their crosshairs is your web site. The reason for this is because web attacks are some of the most vulnerable and common types of intrusions that attackers have available to them. Without properly securing your web site, you’re essentially giving them a means to attack it with impunity.

When new visitors come to your web site, the first thing they’ll notice is whether or not your site is secured using SSL. The convention for indicating whether or not a site is secured is by displaying a small padlock icon next to the address bar of the browser. In fact, in mid-2018, Google announced that its browser, Chrome, would by default assume that a web site is secure, and issue a warning when it wasn’t. This prompted many people to update their web sites to use the HTTPS, or secure web protocol that employs SSL encryption as a security measure.

No one is completely safe from attack online. In fact, if you ask your IT people, you’ll find that your site is more or less under constant attack, but the nature of the attacks are so rudimentary that it’s not even worth bringing to your attention. If you are a small business owner, you need to make digital security a priority for your business. Speak to your tech consultants and come up with a plan and a budget for making sure your online assets are secure from any serious attempts to compromise them.

Your customers rely on you to protect the information they give you. Often, that data is sent through your web site. Make sure your site is secured using SSL, so that the data they send you is secure from prying eyes. SSL gives them that security and peace of mind knowing that your company is treating their information properly.

BizIt