Network Security

Why is an SSL Certificate required?

An SSL certificate is needed for two main reasons: 1. to prove the identity of a website or portal to whoever connects to it, by means of a digital certificate vouched for by a trusted authority; 2. to encrypt the communication between server and browser, or between two systems, so that it cannot be read or altered in transit. SSL stands for Secure Sockets Layer. The protocol itself has been superseded by TLS (Transport Layer Security), and what is sold as an "SSL certificate" today is an X.509 certificate used with TLS, but the old name has stuck. Read on to find out the applications of SSL certificates, the encryption methods used in SSL, how to tell whether a website has an SSL certificate, and how to purchase one.

Applications/ Advantages of SSL Certificates:

  • Securing website communications (between the server and browser).
  • Securing e-commerce transactions – payment gateway, order processing, etc.
  • Securing partner log-ins.
  • Increasing visitor confidence, which can result in more e-commerce transactions.
  • Helping users detect phishing/pharming and similar scams: an impostor cannot obtain a trusted certificate for a domain it does not control, so a site that merely imitates yours shows a certificate error or no HTTPS at all. (A certificate does not stop phishing on a look-alike domain the attacker does own; users still have to read the name in the address bar.)
  • Securing communications within the Intranet for employee portals.
  • Securing partner log-ins on Extranet portals.
  • Securing email communications (TLS between mail servers and clients, and S/MIME certificates for signing and encrypting individual messages).
  • Protecting important documents/files from being modified when they are shared, by digitally signing them. This uses a document-signing certificate from the same PKI, not the web server's SSL certificate.
  • Securing communications between multiple IT systems (servers, for example), where each side can present a certificate to the other.
  • Protecting downloadable code from being modified between the publisher and the user, again by signing it with a code-signing certificate rather than the server's SSL certificate.

Encryption Methodology used in SSL Certificates:

Before we move on to the encryption methodology, let us first understand the problem with unencrypted communications. An attacker positioned on the path between a user and a web server (on the same Wi-Fi network, at a compromised router, or anywhere else the traffic passes) can read everything that goes by. This is a Man-in-the-Middle (MITM) attack. Reading is only the start: from the same position the attacker can alter messages in transit, inject content of their own, or capture a legitimate message (a login, a payment instruction) and send it again later, which is a replay attack. MITM also gives the attacker a view of the internal network that helps in planning further attacks.

To secure the communications between web server and browser, SSL/TLS encrypts the traffic, and SSL certificates, issued within a Public Key Infrastructure (PKI), are how the server proves to the browser which public key belongs to it. Without that proof, an attacker in the middle could simply substitute their own key.

In SSL there are two types of encryption: symmetric and asymmetric. In symmetric encryption the same key is used both to encrypt and to decrypt, and SSL uses symmetric encryption (AES, for example) for the bulk data transfer. Symmetric encryption is fast and uses few resources, but on its own it has a key-distribution problem: both sides need the same secret key, and at the start of a connection they have no safe channel over which to send it.

So SSL uses asymmetric (public-key) encryption at the start of the connection, for authentication and key exchange, before any bulk data is sent. Asymmetric encryption uses two different but mathematically related keys: a public key, which anyone may hold and use to encrypt, and a private key, which only its owner holds and which is the only key that can decrypt. The certificate is what ties the server's public key to its domain name, signed by the Certificate Authority, so the browser knows whose public key it is using. In the classic RSA handshake the browser then generates a random session key, encrypts it with the server's public key and sends it over; only the holder of the private key can recover it. Modern TLS agrees the session key through a Diffie-Hellman exchange instead and uses the server's private key only to sign the handshake, but the division of labour between the two kinds of encryption is the same.

Asymmetric encryption is far more computationally expensive than symmetric encryption, so it is used only for this setup step; the actual messages of the session are encrypted and decrypted with the symmetric session key.
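The following script, added here as an illustration and not taken from the original article, walks through the hybrid scheme described above with the openssl command-line tool: an RSA key pair stands in for the server's certificate key, a random 256-bit key plays the per-session symmetric key, AES does the bulk work, and RSA-OAEP carries only the session key. This mirrors the RSA key-transport handshake of SSL and TLS up to version 1.2 (TLS 1.3 uses Diffie-Hellman for the session key instead). The message is a constructed sample and all file names are local to a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original article: hybrid encryption with openssl.
# The RSA pair stands in for the server's certificate key; the random 32-byte
# key is the per-session symmetric key. Only that short key goes through the
# expensive asymmetric operation; the payload is encrypted symmetrically.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Server side: long-lived asymmetric key pair. Only the public half is shared.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"

# Client side: encrypt a message with a fresh symmetric key, then wrap that
# key with the server's public key (RSA-OAEP, SHA-256).
client_encrypt() {
    msg="$1"
    openssl rand -hex 32 > "$WORK/session.key"   # 256-bit AES key
    openssl rand -hex 16 > "$WORK/session.iv"    # 128-bit CBC IV, sent in clear
    printf '%s' "$msg" | openssl enc -aes-256-cbc \
        -K "$(cat "$WORK/session.key")" -iv "$(cat "$WORK/session.iv")" \
        -out "$WORK/bulk.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/session.key" -out "$WORK/session.key.enc"
    rm -f "$WORK/session.key"   # the client keeps nothing but the ciphertexts
}

# Server side: recover the session key with the private key, then decrypt the
# bulk data with it. Prints the plaintext.
server_decrypt() {
    openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/session.key.enc" -out "$WORK/session.key.recovered"
    openssl enc -d -aes-256-cbc \
        -K "$(cat "$WORK/session.key.recovered")" -iv "$(cat "$WORK/session.iv")" \
        -in "$WORK/bulk.enc"
}

# An eavesdropper holds the ciphertexts and the public key but not the private
# key. Unwrapping the session key with any other key must fail (OAEP detects it).
eavesdropper_attempt() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/wrong.key" 2>/dev/null
    if openssl pkeyutl -decrypt -inkey "$WORK/wrong.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$WORK/session.key.enc" -out /dev/null 2>/dev/null; then
        echo "unexpected success"
        return 1
    fi
    echo "decryption failed as expected"
}

client_encrypt "constructed sample: card=4111-1111-1111-1111 amount=42.00"
server_decrypt
echo
eavesdropper_attempt
```

The point to notice is the size of what each algorithm handles: the RSA operations touch only 64 hex characters of key material, while the payload, however large, is processed by AES. In a real TLS session the browser also checks the certificate chain before it trusts server.pub at all; that step is covered under purchasing and implementing certificates below.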

How can the presence of SSL certificates in a website be identified?

The presence of an SSL certificate on a website can be identified from visual cues in the browser: the URL begins with https instead of http, and a closed padlock is shown next to it. Clicking the padlock opens the certificate details, including which Certificate Authority issued it, which domain and (for organisation-validated certificates) which company it is registered to, and its validity period. Current browsers also mark plain-http pages as "Not secure". Two cues that older articles mention should be treated with care: the green address bar showing the company name was the Extended Validation indicator and has been removed from the major browsers, and a CA "site seal" image embedded in a page is just an image that anyone can copy, so it proves nothing on its own; only the browser's own certificate view does. The exact presentation varies slightly from browser to browser.

How can an SSL certificate be purchased / implemented?

SSL certificates are issued by Certificate Authorities (CAs). Most sell them, and some, such as Let's Encrypt, issue them free of charge through automated tooling. It is also possible for a company to create self-signed certificates, or run its own internal CA, and maintain them in-house. Browsers and operating systems do not trust such certificates by default: every client that must accept them needs the company's CA certificate installed in its trust store. That is practical for an intranet, but not for a public website, where visitors would see a certificate warning.

A Certificate Authority issues an SSL certificate only after verifying the applicant's credentials: at minimum that the applicant controls the domain, and for higher validation levels that the organisation exists. The CA's role in the PKI is to sign certificates, publish the revocation status of those it has issued, and protect its own root keys so that browsers keep trusting them. It is not involved in encrypting or decrypting website traffic; that happens entirely between server and browser, with session keys the CA never sees.

Generally, one SSL certificate is issued for a particular server hostname or website domain and is valid for a fixed period. Publicly trusted certificates may currently be issued for at most 398 days, so in practice they are renewed at least yearly, usually for a recurring fee. A certificate that is allowed to lapse produces a hard browser error for every visitor, so the expiry date needs to be tracked and renewal scheduled ahead of it.

Depending on the Certificate Authority, it is also possible to purchase special types of SSL certificate: a wildcard certificate covers all subdomains one level below a domain (*.example.com covers www.example.com and mail.example.com, but not deep.sub.example.com), and a multi-domain (SAN) certificate lists several different domains in the Subject Alternative Name field of a single certificate.
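The script below is an added example, not from the original article, that puts the last three paragraphs into practice with openssl: it sets up an in-house CA, issues a server certificate whose Subject Alternative Name covers a bare domain, a wildcard for its subdomains and a second domain, and then runs the checks a practitioner would run before deploying it: does it chain to the CA, which hostnames does it actually match, and how long before it must be renewed. example.com and example.net are constructed names; all files are created in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original article: an in-house CA and a server
# certificate covering several hostnames, plus the checks run on it.
# example.com / example.net are constructed names; everything lives in a
# temporary directory and is deleted on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. In-house root CA: a self-signed certificate marked CA:TRUE. Clients trust
#    what it signs only once ca.crt is installed in their trust store.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key and certificate signing request (CSR); the CA never sees the key.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. CA signs the CSR. The Subject Alternative Name extension lists every
#    hostname the certificate is valid for: the bare domain, a wildcard for its
#    subdomains, and a second, unrelated domain. Validity is set to 365 days.
SAN="DNS:example.com,DNS:*.example.com,DNS:example.net"
printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$SAN" > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null

# The fields a reviewer looks at first: who issued it, for which names, until when.
show_cert() {
    openssl x509 -in "$WORK/server.crt" -noout -issuer -subject -enddate -ext subjectAltName
}

# Does the certificate chain to our CA and match the given hostname?
# A wildcard matches exactly one label, so deep.sub.example.com must fail.
check_host() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1; then
        echo "OK   $1"
    else
        echo "FAIL $1"
    fi
}

# Renewal check: succeeds only if the certificate is still valid N days from now.
still_valid_for_days() {
    openssl x509 -in "$WORK/server.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

show_cert
for h in example.com www.example.com example.net deep.sub.example.com example.org; do
    check_host "$h"
done
if still_valid_for_days 30; then echo "renewal not yet due"; else echo "renew now"; fi
```

For a public website the same CSR would be submitted to a commercial or free CA instead of the in-house one, and the CA would verify control of each name in the SAN before signing. The still_valid_for_days check is the piece worth wiring into monitoring: run it with a 30-day window and alert when it fails.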
