SSL stands for Secure Sockets Layer, a method to secure the information sent between a web browser and a server so that third parties cannot access it. Browsing web sites gives the user very little privacy, and many people can monitor what you reveal to, or request from, a site. Personal data, credit card numbers, or controversial information are open to the technologically sophisticated eavesdropper. SSL was designed to defeat the snoop by turning data sent to a web site into an unintelligible string of seemingly random characters.

To see how this works, consider how an SSL-enhanced browser such as Netscape would perform a typical transaction, such as sending the contents of an HTML form to the server. Let's say the form has a field named "cc" to hold the credit card number, and we'll look at the difference between unsecure and secure transactions:

Unsecure Transaction:
The browser knows it's using a normal, unsecure connection. It sends "cc=2783-2734-8372-8737" to the server. The server receives "cc=2783-2734-8372-8737" and gives it to the CGI script that handles this form.
Secure (SSL) Transaction:
The browser knows it is using a secure connection for this form. It takes "cc=2783-2734-8372-8737" and turns it into "e$$%0lj*&*(#foij" and sends it to the server. The server receives "e$$%0lj*&*(#foij" and converts it back into "cc=2783-2734-8372-8737" and hands it to the CGI script that handles this form.
The important idea to point out is that neither the user nor the CGI script ever sees the encrypted form of the credit card number. You can use the same CGI script and the same HTML form in both secure and unsecure transactions.
One might wonder how the browser knows how to encrypt the data. SSL uses a patented algorithm involving "public" and "private" digital keys. The server gives the browser its public key, which the browser uses to encrypt all transmissions. Although the public key is used to encrypt the transmission, it cannot be used to decrypt it; only the private key will work, and this is the key element that makes the system work so well. The server, in turn, uses the private key that was never given out to decrypt the transmissions. Likewise, the browser creates its own public/private key pair for data going in the opposite direction, so that even if the transmission is intercepted, no sense can be made of it even by someone who has the public key.
In addition to providing privacy, SSL was designed to address a very important related issue: certainty that you are really communicating with the web site you intended. Replies can be faked, and, after all, someone might intercept all transmissions and provide a false public key for which they hold the corresponding private key.

This question is answered using "certificates" of identity to authenticate web sites and users. These certificates are "digitally signed" and issued by a trusted third party such as the companies Thawte or VeriSign, which are also known as "Certification Authorities" or CAs. Once a web site has registered with a CA, the browser can ask the CA whether the public key in question is correct for its corresponding company. Alas, as with everything else in this capitalist-driven society, these certificates are not free.
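As an added illustration that is not part of the original page, here is a toy model in Python of the two ideas described above: the browser encrypting the "cc" field with the server's public key so that only the private key can recover it, and a CA signing a certificate that binds a site name to that public key so a swapped-in false key is rejected. The fixed Mersenne primes, the site name "www.example-shop.test" and the certificate string format are assumptions made for this demo, not anything SSL actually uses.

```python
from hashlib import sha256

# Toy textbook RSA with fixed, publicly known Mersenne primes: illustration only.
# Real SSL/TLS pads RSA and uses it (or another key exchange) to agree on a
# symmetric session key; this follows the page's simplified description instead.
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent (Python 3.8+)
    return (n, e), (n, d)            # (public key, private key)

def encrypt(pub, text):
    """What the browser does to 'cc=...' before it leaves the machine."""
    n, e = pub
    m = int.from_bytes(text.encode(), "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(key, c):
    """Recovers the text only with the private exponent; the public one yields noise."""
    n, x = key
    m = pow(c, x, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode(errors="replace")

def digest(cert):
    # 128-bit truncation of SHA-256 so the value is always below the CA modulus
    return int.from_bytes(sha256(cert.encode()).digest()[:16], "big")

def ca_sign(ca_priv, cert):
    n, d = ca_priv
    return pow(digest(cert), d, n)

def browser_verify(ca_pub, cert, sig):
    n, e = ca_pub
    return pow(sig, e, n) == digest(cert)

def demo():
    srv_pub, srv_priv = keygen(2**127 - 1, 2**89 - 1)   # ~216-bit modulus
    ca_pub, ca_priv = keygen(2**107 - 1, 2**61 - 1)     # ~168-bit modulus
    att_pub, _ = keygen(2**31 - 1, 2**19 - 1)           # eavesdropper's own pair
    # The CA binds the site name to the server's public key and signs the binding.
    cert = f"CN=www.example-shop.test;pub={srv_pub}"    # constructed sample cert
    sig = ca_sign(ca_priv, cert)
    forged = f"CN=www.example-shop.test;pub={att_pub}"  # key swapped in transit
    form = "cc=2783-2734-8372-8737"                     # the page's sample field
    c = encrypt(srv_pub, form)
    return {
        "cert_ok": browser_verify(ca_pub, cert, sig),
        "forged_ok": browser_verify(ca_pub, forged, sig),
        "cgi_sees": decrypt(srv_priv, c),
        "pubkey_cannot_decrypt": decrypt(srv_pub, c) != form,
    }
```

The CGI script receives the original "cc=..." string, while the forged certificate fails verification because the CA's signature covers the server's real public key.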