SSL stands for Secure Sockets Layer, a method to secure the information sent between a web browser and a server so that third parties cannot access it. Browsing web sites gives the user very little privacy: many people can monitor what you reveal to, or request from, a site. Personal data, credit card numbers, or controversial information are open to the technologically sophisticated eavesdropper. SSL was designed to defeat the snoops.
An SSL-enhanced browser such as Netscape uses encryption to scramble the data it sends to a web site into an unintelligible string of seemingly random characters. Consider a typical transaction, such as sending the contents of an HTML form to the server. Let's say the form has a field named "cc" to hold the credit card number, and look at the difference between an unsecure and a secure transaction:
Unsecure transaction:
The browser knows it is using a normal, unsecure connection. It sends "cc=2783-2734-8372-8737" to the server. The server receives "cc=2783-2734-8372-8737" and gives it to the CGI script that handles this form.
Secure (SSL) Transaction:
The browser knows it is using a secure connection for this form. It takes "cc=2783-2734-8372-8737" and turns it into "e$$%0lj*&*(#foij" and sends it to the server. The server receives "e$$%0lj*&*(#foij" and converts it back into "cc=2783-2734-8372-8737" and hands it to the CGI script that handles this form.
The important idea to point out is that neither the user nor the CGI script ever sees the encrypted form of the credit card number. You can use the same CGI script and the same HTML form in both secure and unsecure transactions.
One might wonder how the browser knows how to encrypt the data. SSL uses a patented algorithm involving "public" and "private" digital keys. The server gives the browser its public key, which the browser uses to encrypt all transmissions; although the public key encrypts a transmission, it cannot be used to decrypt it. Only the private key will work, and this is the element that makes the system work so well. The server, in turn, uses the private key, which was never given out, to decrypt the transmissions. Likewise, the browser creates its own public/private key pair for data going in the opposite direction, so that even if a transmission is intercepted, no sense can be made of it even by someone who holds the public key.
In addition to providing privacy, SSL was designed to address a closely related need: certainty that you are really communicating with the web site you intended. Replies can be faked, and, after all, someone might intercept all transmissions and provide a false public key for which they hold the corresponding private key.
That question is answered with "certificates" of identity, which authenticate web sites and users. These certificates are "digitally signed" and issued by a trusted third party such as Thawte or VeriSign, also known as "Certification Authorities" or CAs. Once a web site has registered with a CA, the browser can ask the CA whether the public key in question is the correct one for the corresponding company. Alas, as with everything else in this capitalist-driven society, these certificates are not free.