Whether we realize it or not, we all use Secure Sockets Layer (SSL) every day: Whenever we log in or simply access a secure website (indicated by a URL starting with https), we’re using SSL. But how does it work, and what exactly does it do? Here, we’ll take a quick look at SSL encryption and the TLS (Transport Layer Security) handshake.
Netscape developed the original SSL protocols in 1994 as a response to growing concerns over safety online. As it became less favorable over time, it eventually evolved into TLS (but it’s still commonly referred to as “SSL”). Now, anytime you see a padlock icon next to a web address, it means you’re visiting a secure site.
Previously, only sites that collected or stored personal information (payment details, other such personally identifiable information, etc.) were required to have an SSL certificate. Today, to tighten security across the board, all sites are moving toward having them. Whenever your browser says a site isn’t secure, you immediately question staying on it.
So, how does it work? Imagine SSL as the bodyguard who goes ahead of you to make sure the coast is clear and the people you’re about to interact with are who they say they are. But instead of a person who’s scoping out the place, there’s actually a secret handshake involved — specifically, the TLS handshake.
For example, when you visit a website, before the connection is established, your browser communicates with the web server to make sure it’s safe. What follows are several exchanges between the browser and the web server, including:
- The web server sends its public key and SSL certificate to the browser so it can verify its validity and identity
- The browser encrypts data for the web server to decrypt
- Both sides create session keys
(This is an abbreviated version of the full encryption process. To get a better understanding, head over to my new [Secure Sockets Layer (SSL) Fundamentals course].)
Once these transmissions are complete, any data exchanged between the browser and the web server is encrypted. So, if someone tried to intercept it, they would just see jumbled-up information, making it incredibly difficult to decrypt.
Want to Know More?
Encrypting data is a vital part of safety and security, so it’s a good idea to understand how it works beyond the lock icon in your browser. There’s a lot more to SSL and TLS than we’ve covered here. Check out my new [SSL Fundamentals course], which offers a high-level understanding of how to implement and maintain an environment that supports SSL and TLS. (No secret handshake needed.)
If we can help in any way during this journey, please reach out via our Community Slack (search for the #security channel), or leave a comment below!