What is SSL (https://) and how does it work?
Secure Sockets Layer (SSL) is a cryptographic protocol that provides security for communications over networks such as the Internet.
SSL is a technology that relies on the concept of public key cryptography to accomplish its tasks. In normal encryption, the two communicating parties share a password or key, and this is used to both encrypt and decrypt messages. While this is a very simple and efficient method, it doesn't solve the problem of giving the password to someone you have not yet met or do not yet trust.
In public key cryptography, each party has two keys, a public key and a private key. Information encrypted with a person's public key can only be decrypted with the private key and vice versa. Each user publicly tells the world what his public key is but keeps his private key for himself.
An SSL connection is denoted with https instead of http.
How SSL Works
Obtaining an SSL Certificate
XYZ Inc. intends to secure its customer checkout process, account management, and internal employee correspondence on its website, xyz.com.
Step 1: XYZ creates a Certificate Signing Request (CSR) and during this process, a private key is generated.
Step 2: XYZ goes to a trusted, third-party Certificate Authority, such as Trustwave. Trustwave takes the certificate signing request and validates XYZ in a two-step process. Trustwave validates that XYZ has control of the domain xyz.com and that XYZ Inc. is an official organization listed in public government records.
Step 3: When the validation process is complete, Trustwave gives XYZ a new public key (certificate) encrypted with Trustwave's private key.
Step 4: XYZ installs the certificate on their webserver(s).
Communication with the Server using SSL
Step 1: A customer makes a connection to xyz.com on an SSL port, typically 443. This connection is denoted with https instead of http.
Step 2: xyz.com sends back its public key to the customer. Once the customer receives it, his/her browser decides whether it is all right to proceed:
The xyz.com public key must NOT have expired
The xyz.com public key must be for xyz.com only
The client must have the public key for Trustwave installed in their browser certificate store. 99.9% of all modern browsers (1998+) include the Trustwave root certificate. If the customer has the trusted Trustwave public key, then they can trust that they are really communicating with XYZ, Inc.
Step 3: If the customer decides to trust the certificate, then the customer will send his/her public key to xyz.com.
Step 4: xyz.com will next create a unique hash and encrypt it using both the customer's public key and xyz.com's private key, and send this back to the client.
Step 5: The customer's browser will decrypt the hash. This process shows that xyz.com sent the hash and that only the customer is able to read it.
Step 6: Customer and website can now securely exchange information.
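The three checks the browser makes in Step 2 (not expired, issued for xyz.com, issued by a trusted authority), written out as an added example that is not part of the original article. The sample certificate, the trusted root name and the function names are constructed for illustration, and the issuer check is simplified to a name comparison.

```python
import ssl

# Constructed sample, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "xyz.com"),),),
    "issuer": ((("commonName", "Example Trusted Root"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "xyz.com"), ("DNS", "www.xyz.com")),
}
# Hypothetical stand-in for the root certificates shipped with the browser.
TRUSTED_ROOTS = {"Example Trusted Root"}


def hostname_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def check_certificate(cert, hostname, now, trusted_roots=TRUSTED_ROOTS):
    """Return the list of failed checks (an empty list means proceed)."""
    failures = []
    # Check 1: the certificate must be inside its validity window.
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        failures.append("expired or not yet valid")
    # Check 2: the certificate must name the host the customer asked for.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(n, hostname) for n in names):
        failures.append("hostname mismatch")
    # Check 3 (simplified): the issuer must be a root the client already trusts.
    # A real client verifies the CA's signature over the certificate instead
    # of comparing names.
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName")
    if issuer not in trusted_roots:
        failures.append("untrusted issuer")
    return failures


def strict_context():
    """The standard library's default client context enforces all three checks."""
    return ssl.create_default_context()
```

In application code, use the context from `strict_context()` to wrap the socket and let the library perform the checks; the manual version above only shows what is being decided.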