The Crazy Easy Guide to SSL

By Anand D | Wednesday, 24 February 2016

We've talked before about how SSL can boost your rankings in Google

…but what else is it good for?

More than that, what on earth is it and how does it work?

That's what we'll be looking at here, so keep reading to find out.

What is SSL?

SSL is a protocol. That means it's the way that two computers send information to each other over the internet.

SSL stands for Secure Sockets Layer, but that's actually the old protocol. Nowadays we use TLS, or Transport Layer Security, but still call it SSL because it sounds better.

Basically, it encrypts the information that the computers send to each other. Later on we'll look at how it does that, but first let's examine why SSL became necessary.

Why use SSL?

When the internet was first created, there wasn't very much sensitive information floating around on it. The connections weren't powerful enough to support serious web-based applications, there was very little in the way of online buying, and most people didn't put a lot of private stuff online.

Because of that, we used HTTP – the Hypertext Transfer Protocol. HTTP is fast and efficient because it sends all its messages in plain text.

That's fine if there's nothing sensitive – yeah, someone can listen in on the traffic if they know what they're doing, but there was no harm in it.

All that has changed.

It's rare that one of us goes a day without sending some sort of private information over the internet, and SSL is largely the reason that we can without worrying too much about it being intercepted and misused.

So now that we know why SSL (rather, HTTPS) is necessary, let's go on to how it works.

How SSL Works

Warning – nerd stuff ahead. If you're only interested in how the various types of SSL certificates are different and not in various methods of online encryption, then maybe skip ahead.

In encryption, there are two methods that we need to look at.

Symmetric Encryption

This is when you use one code for a message: the same code both encrypts and decrypts it.

Let's say we're using a code where a=1, b=2, c=3 and so on.

I want to write "hello, world!" using this code.

I use this code to encrypt the message and get the following:

8 5 12 12 15, 23 15 18 12 4!

Now, to decrypt the message you need to use the same code. You run it backwards and get the original message. Simple, right?

The trouble with this type of code is that you can only use it if both parties know it already. And the problem with using it online is that you need to send the code (which is also the key) over an unencrypted connection, which defeats the whole purpose of the exercise. Anyone who has this code can read the message.

That's why we have…

Asymmetric Encryption

This is a considerably more complicated method, and can be best explained using an analogy.

Think of a padlock. Anyone can close it, but you need a key to get it open.

In asymmetric encryption, there's a public key. That key functions like the padlock – it can be used to "lock" any message, and its function is to be publicly accessible. The difference here is that you use different codes to encrypt and decrypt the message.

There's another key, though – the private key. This is the one that can figuratively unlock the message.

But hang on – can't any piece of maths just be run backwards to get the original message? How does asymmetric encryption actually work?

In order to get into that, we'll need to look at a concept called modular arithmetic.

Modular arithmetic is a mathematical system that limits how many numbers it uses by making them "wrap around" another number.

Think of a regular 12-hour clock.

It's eight o'clock now. In six hours, it will be 2 o'clock. This is because the clock functions like a modulo, where the numbers wrap around at 12. Mathematically, this is expressed like this:

8+6=2 mod 12

So I can have a result (2) with many different beginning values – keeping the example of the clock, it can be 1+1, 3+11, or any number of different initial values that give me my final value.

This lets me encrypt something while keeping my modulo secret – from the output you get, there's almost no way of knowing how I encrypted it unless you know the modulo I'm using.

Using my previous message (hello, world!) and the same numerical code, we can put a twist on it so that it can't be decoded by reversing the original code. Please note that this is not the actual way that this encryption works – it's simply a very primitive example of one concept that allows it to work.

We take the numbers:

8 5 12 12 15, 23 15 18 12 4!

And now we run them through the following formula:

X * 3 mod 10

We get the output:

4 5 6 6 5, 9 5 4 6 2!

This is an awful code because it creates output that can't even be decoded if you know the modulo, but it's just an example. The really amazing part of the mathematics behind this sort of encryption is choosing the numbers so that it's possible to encrypt the message, but not decrypt it.
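The toy code above, worked through in Python as an added example (not part of the original article): it reproduces the output shown and lists the letters that collide, which is why the result can't be decoded. It then goes one step further than the article by swapping in a modulus of 29, a value assumed here because it is larger than the alphabet, so the same multiplication can be run backwards; neither version is a real cipher.

```python
import string

ALPHABET = string.ascii_lowercase  # a=1 ... z=26, as in the article

def encode(text):
    """Letters -> numbers; punctuation and spaces are dropped."""
    return [ALPHABET.index(ch) + 1 for ch in text.lower() if ch in ALPHABET]

def decode(numbers):
    """Numbers -> letters, the reverse of encode()."""
    return "".join(ALPHABET[n - 1] for n in numbers)

def scramble(numbers, multiplier=3, modulus=10):
    """The article's formula: X * 3 mod 10 (defaults)."""
    return [(n * multiplier) % modulus for n in numbers]

def collisions(multiplier=3, modulus=10):
    """Letters that share an output value and so cannot be told apart."""
    groups = {}
    for n, ch in enumerate(ALPHABET, start=1):
        groups.setdefault((n * multiplier) % modulus, []).append(ch)
    return {out: chars for out, chars in groups.items() if len(chars) > 1}

def unscramble(numbers, multiplier, modulus):
    """Undo the multiplication with the modular inverse of the multiplier.

    Only meaningful when the modulus is larger than every input value
    and shares no factor with the multiplier.
    """
    inverse = pow(multiplier, -1, modulus)  # ValueError if no inverse exists
    return [(n * inverse) % modulus for n in numbers]

if __name__ == "__main__":
    msg = encode("hello, world!")
    print("mod 10 output:", scramble(msg))
    print("letters that all become 5:", collisions()[5])
    # Assumed modulus 29: no two letters collide, so the step is reversible.
    wide = scramble(msg, 3, 29)
    print("mod 29 round trip:", decode(unscramble(wide, 3, 29)))
```
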

For a real in-depth analysis of how this encryption works, see this link.

SSL: A mix of symmetry and asymmetry

SSL uses both of these methods to ensure that connections are secure and fast.

You see, asymmetrical encryption takes a lot more computing resources than symmetrical encryption does. To make the connection faster, SSL uses asymmetric encryption to secure not the message that you're sending, but the key for a symmetrically encrypted secure session. Now that the key isn't being sent over an insecure connection, you can send anything you want, knowing that it's safe.
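The mix described above, sketched in Python as an added example (not code from the original article): the client locks a random session key with the server's public key, and the message itself travels under the fast symmetric key. The tiny RSA numbers and the hash-based XOR cipher are constructed for illustration and are trivially breakable; the sketch models the key-wrapping idea in the paragraph, while current TLS versions agree the session key with a Diffie-Hellman exchange instead.

```python
import hashlib
import secrets

# Textbook RSA with tiny constructed primes: illustration only.
P, Q = 61, 53
N = P * Q                           # public modulus (3233)
E = 17                              # public exponent: the "padlock"
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: the "key"

def keystream(key, length):
    """Stretch the session key into `length` bytes (SHA-256, counter mode)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def symmetric(key, data):
    """Toy symmetric cipher: XOR with the keystream.
    The same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def client_wrap_key(session_key):
    """Client side: lock each key byte with the public key (N, E)."""
    return [pow(b, E, N) for b in session_key]

def server_unwrap_key(wrapped):
    """Server side: only the private exponent D opens the wrapped key."""
    return bytes(pow(c, D, N) for c in wrapped)

def demo(message=b"hello, world!"):
    session_key = secrets.token_bytes(16)       # fresh symmetric key
    wrapped = client_wrap_key(session_key)      # crosses the network
    ciphertext = symmetric(session_key, message)  # crosses the network
    server_key = server_unwrap_key(wrapped)
    return server_key == session_key, symmetric(server_key, ciphertext)

if __name__ == "__main__":
    keys_match, plaintext = demo()
    print("keys match:", keys_match)
    print("server read:", plaintext)
```
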

Different SSL Certificates: The Differences

All SSL certificates use the technology that we outlined above. So what makes the types of certificates different?

Most of the time, a site uses SSL for the reasons above – encryption and security.

There are also certificates that verify information about the organization that the certificate has been issued to, though. These are used to enhance trust in the organization.

Domain Validation

These certificates show that you have the right to your domain and encrypt your traffic using HTTPS. The domain is validated by email, and the certificate usually includes little information about you and your business.

Extended Validation

EV SSL certificates have much more information in them about the site and the organisation associated with it. These make it much more difficult to mount phishing or man-in-the-middle attacks and provide the green address bar that is commonly associated with SSL.

Wildcard Certificates

Wildcard SSL certificates have the advantage of being able to secure subdomains as well as your main domain. If you have many subdomains that all have sensitive transactions or information going on in them, then this is the type of certificate you'd need.

Certificates also differ in the size of the warranty they offer. This warranty covers possible fraudulent transactions on the site that the certificate covers, giving people more protection for the business they conduct online.

So that's it – a basic overview of what SSL and HTTPS are, the ways that they encrypt our data and help keep us safe.

There's more to it than ecommerce, though. SSL is also used by those interested in combating surveillance and spying.

If you're interested in securing your site, then we have a great selection of SSL certificates available for you to choose from.