Secure Socket Layers! What are they? Why are they in place?

What are Secure Socket Layers?
Secure Socket Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet.

The SSL Security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

SSL is built into all major browsers and web servers.

Both Netscape Navigator and Internet Explorer support SSL, and many websites use the protocol to obtain confidential user information, such as credit card numbers.

The primary goal of SSL is to provide privacy and reliability between two communicating applications.

SSL Protocol Stack

The SSL Protocol Stack is composed of two layers.

The first layer is the higher layer which is composed of SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol, and HTTP, which are used in the management of SSL exchanges.

The second layer is the lower layer composed of the SSL Record Protocol, TCP, and IP.

Why SSL?
As a web developer, I have come across many customers who ask “Why do I need SSL? What will it do for me?” This is an important question for anyone involved in the web to understand. SSL is the backbone of our secure Internet and it protects your sensitive information as it travels across the world. It keeps the Internet from being ruled by anarchists and criminals and provides many direct benefits to you and your customers.

Benefits of SSL
  • To Encrypt Sensitive Information
  • Authentication
  • To Gain Your Customers’ Trust
  • PCI Compliance
Disadvantages of SSL

Cost

Cost is an obvious disadvantage. SSL providers need to set up a trusted infrastructure and validate your identity so there is a cost involved. Because some providers are so well known, their prices can be overwhelmingly high.

Performance

Performance is another disadvantage to SSL. Because the information that you send has to be encrypted by the server, it takes more server resources than if the information weren’t encrypted. The performance difference is only noticeable for web sites with very large numbers of visitors and can be minimized with special hardware.

Replies

  • PraveenKumar Purushothaman
    Secure Sockets Layer (SSL): How It Works

    What Happens When a Browser Encounters SSL?
    1. A browser attempts to connect to a website secured with SSL.
    2. The browser requests that the web server identify itself.
    3. The server sends the browser a copy of its SSL Certificate.
    4. The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
    5. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
    6. Encrypted data is shared between the browser and the server.
    How SSL works Tutorial - with HTTPS example
  • durga ch
    Good information, Praveen. I was wondering what type of encryption and authentication is done. Any info about the same?
  • PraveenKumar Purushothaman
    SSL uses the famous public-key encryption. The key in public-key encryption is based on a hash value. This is a value that is computed from a base input number using a hashing algorithm. Essentially, the hash value is a summary of the original value.

    The important thing about a hash value is that it is nearly impossible to derive the original input number without knowing the data used to create the hash value. Here's a simple example:
    +--------------+-------------------+------------+
    | Input number | Hashing algorithm | Hash value |
    +--------------+-------------------+------------+
    | 10,667       | Input # x 143     | 1,525,381  |
    +--------------+-------------------+------------+
    You can see how hard it would be to determine that the value 1,525,381 came from the multiplication of 10,667 and 143. But if you knew that the multiplier was 143, then it would be very easy to calculate the value 10,667. Public-key encryption is actually much more complex than this example, but that's the basic idea.

    AES, the Advanced Encryption Standard, is a relatively new encryption technique/cipher that is the successor of DES. AES was standardized in 2001 after a 5 year review, and is currently one of the most popular algorithms used in symmetric key cryptography (which, for example, is used for the actual data transmission in SSL and TLS).

    It is also the “gold standard” encryption technique; many security-conscious organizations actually require that their employees use AES-256 (256-bit AES) for all communications.

    AES has been available in most cryptographic libraries for a long time. It was available in “OpenSSL” starting in 2002 with v0.9.7. OpenSSL is the foundation of most SSL services in UNIX and Linux environments, such as that used by LuxSci. GPG, the open source implementation of PGP, also includes an AES 256 option.
  • PraveenKumar Purushothaman
    How is the cipher chosen in an SSL or TLS session?

    In general, when an SSL client, such as an email program or web browser, connects to a server and wishes to use SSL or TLS, the client sends the server a list of encryption ciphers that it supports. The server then goes through the list, in order, and chooses the first match that it also supports. Usually, the client orders the list with the most secure methods first, so that the most secure method supported by both the client and server is selected. Sometimes, the client orders the list based on other criteria to make a compromise between security and speed; this can result in a sub-optimal cipher being chosen.

    Most modern web and email servers that support SSL encryption, like google.com’s servers, support many different strong encryption techniques all the way up to 128-bit RC4 and 256-bit AES. They provide a variety, instead of just a single really good method, so that users who have old or broken software can still take advantage of encryption, even if it is weaker than it should be. Additionally, most companies that provide security services do not permit use of techniques that are deemed “too weak” and which can be broken very easily (like the old “export grade ciphers” that used to be in prevalent use). So, if you are connecting to a reputable service provided over SSL or TLS, the type of encryption that will be used is almost certainly determined by your client program (i.e. email program or web browser).
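
The cipher selection described in the reply above, as an added example that is not part of the original thread. It models the first-match rule over the client's list and goes one step further by also showing a server that applies its own order and refuses weak suites; the suite names follow OpenSSL's naming, and the client offers and server list are constructed for illustration.

```python
# Added example: models the cipher selection described above.
# Suite names use OpenSSL's naming; the sample offers are constructed.

def negotiate(client_offer, server_suites, server_preference=False, banned=()):
    """Return the suite both sides agree on, or None if the handshake fails.

    client_offer      -- suites in the client's preference order
    server_suites     -- suites in the server's preference order
    server_preference -- False: first client suite the server supports
                         (the behaviour the post describes);
                         True: first server suite the client offered
    banned            -- suites the server refuses to negotiate at all
    """
    allowed = [s for s in server_suites if s not in banned]
    if server_preference:
        walk, other = allowed, set(client_offer)
    else:
        walk, other = client_offer, set(allowed)
    for suite in walk:
        if suite in other:
            return suite
    return None


# Constructed server configuration, strongest first.
SERVER = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "EXP-RC4-MD5"]

# Constructed client offers.
SPEED_FIRST_CLIENT = ["RC4-SHA", "AES128-SHA", "AES256-SHA"]
EXPORT_ONLY_CLIENT = ["EXP-RC4-MD5"]
WEAK = {"RC4-SHA", "EXP-RC4-MD5"}


def scenarios():
    """Run the cases and return {description: selected suite or None}."""
    return {
        "client order": negotiate(SPEED_FIRST_CLIENT, SERVER),
        "server order": negotiate(SPEED_FIRST_CLIENT, SERVER, server_preference=True),
        "client order, weak suites banned": negotiate(SPEED_FIRST_CLIENT, SERVER, banned=WEAK),
        "export-only client, permissive server": negotiate(EXPORT_ONLY_CLIENT, SERVER),
        "export-only client, weak suites banned": negotiate(EXPORT_ONLY_CLIENT, SERVER, banned=WEAK),
    }


if __name__ == "__main__":
    for name, suite in scenarios().items():
        print(f"{name:40} -> {suite or 'handshake failure'}")
```

A speed-first client pulls the session down to RC4 under the first-match rule, while the same client gets AES once the server applies its own order or drops the weak suites; an export-only client then fails the handshake instead of connecting weakly.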
