What is an SSL Certificate?
If you can reach your website by typing https:// before the web address, your website uses SSL (Secure Sockets Layer) encryption. This encryption acts like a padlock on your website to help keep your visitors' data secure. Encryption allows your users to safely create an account, store information, and make purchases - all without having to worry about their personal information being compromised.
SSL encryption and SSL certificates have become increasingly important in recent years. You may have heard that starting in June of this year, search engines (like Google) are now displaying warning messages when visitors attempt to visit non-https websites, as well as penalizing those sites with lower search visibility. If your website does not have an SSL certificate and is not using SSL encryption, now is a great time to get started!
But what is an SSL certificate, and how does it work with SSL encryption to make your site safe? Today, we will explain what these technologies are, how they work, and why you need them. (And don’t worry, you won’t need an advanced computer or math degree to follow along.)
Why does my site need an SSL certificate?
When Al Gore first “created the internet,” not much thought was put into security. Because it was a closed network meant to connect various military and university computer networks, the need simply was not there yet.
By design, computer networks work on a broadcast model. Imagine for a moment you live in a world without SSL encryption. You sit down at a coffee shop and open your laptop to visit Amazon.com for some Prime Day shopping. Your computer broadcasts a request to Amazon's servers asking for the homepage. This request gets handed off from your computer to the coffee shop's wifi, to an ISP (Internet Service Provider), up to the ISP's ISP, back down to Amazon's ISP, until Amazon eventually receives your request and sends you their homepage. Your request takes the scenic route, but with modern technology, this all happens very quickly with little to no wait.
The downside to this broadcast model is that your request goes through a LOT of hands on its way to Amazon, and there is the potential for other people to see your request at each of those handoffs. With the right tools, someone sitting in that coffee shop could watch you searching for deals, adding things to your cart, and submitting your home address and credit card information to Amazon. Yikes!
When the internet became a part of the public sphere, and people began demanding the ability to bank and shop online, it became apparent that some security mechanism would be required to keep these sensitive transactions safe.
Enter SSL Encryption.
How does SSL Encryption work?
SSL encryption is a really big topic, with a LOT of math involved. To simplify things, I'll use a few quick examples to help explain things in layman’s terms (sorry math nerds).
Imagine a door with a deadbolt. This deadbolt has a single key, which you can use to lock or unlock it. In a broader sense, you can think about the key as your password, and the door as some piece of information that you want to keep safe or encrypt. Since you use the same key (password) to both lock and unlock the door (your data), our math friends would say this key has a type of symmetry to it (since it’s used in both states of the door), and therefore call it symmetric encryption.
Now, imagine a mail dropbox. Not your typical mailbox, but the kind used for package delivery (like a PO Box, USPS cluster mailbox, etc). This kind of box has 2 keys. You have one, which you use to open the mailbox, but the mail person has a different key, which they use to open the box. Since the 2 keys are not the same, our math friends out there would classify this as asymmetric, and they would call it asymmetric encryption.
SSL Encryption uses both asymmetric and symmetric encryption. Amazon generates a key pair (a private key that they keep to themselves, and a public key). When you go to visit Amazon.com, there is a conversation between your computer and Amazon to generate an agreed-upon symmetric key to be used in future messages. When you request the homepage from Amazon, your computer uses this new symmetric key to lock the request so no one can read it on its long journey to Amazon's servers. Amazon uses this key to unlock your request, and they use the same key to lock the response sent back to you. Your computer receives this response, unlocks it, and you can see their homepage. Amazon's keys were used to generate this new symmetric key, which means that no one listening along the way knows the password to unlock the messages except you and Amazon.
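The "agree on a symmetric key, then lock messages with it" conversation described above can be reproduced locally with the openssl command line. This is an added example, not part of the original article, and it is a simplified stand-in for the real handshake; the file names, the function name and the sample request are made up.

```shell
#!/usr/bin/env bash
# Added illustration: key agreement, then symmetric encryption with the agreed key.
# Simplified on purpose; this is not the full TLS handshake. All names are made up.
set -euo pipefail

agree_and_exchange() {
  local d who key_c key_s iv result
  d=$(mktemp -d)

  # Each side creates its own key pair. Only the .pub files cross the network.
  for who in client server eve; do
    openssl genpkey -algorithm X25519 -out "$d/$who.key" 2>/dev/null
    openssl pkey -in "$d/$who.key" -pubout -out "$d/$who.pub"
  done

  # Own private key + the other side's public key = the same shared secret.
  openssl pkeyutl -derive -inkey "$d/client.key" -peerkey "$d/server.pub" -out "$d/client.sec"
  openssl pkeyutl -derive -inkey "$d/server.key" -peerkey "$d/client.pub" -out "$d/server.sec"
  # The listener saw both public keys but holds neither private key.
  openssl pkeyutl -derive -inkey "$d/eve.key" -peerkey "$d/server.pub" -out "$d/eve.sec"

  # Hash each secret into a 256-bit symmetric key.
  key_c=$(openssl dgst -sha256 -r "$d/client.sec" | cut -d' ' -f1)
  key_s=$(openssl dgst -sha256 -r "$d/server.sec" | cut -d' ' -f1)
  iv=$(openssl rand -hex 16)

  # Client locks the request; server unlocks it with its own copy of the key.
  # (Real TLS uses authenticated ciphers such as AES-GCM; CTR keeps the demo short.)
  printf 'GET /homepage' | openssl enc -aes-256-ctr -K "$key_c" -iv "$iv" -out "$d/wire.bin"
  result=$(openssl enc -d -aes-256-ctr -K "$key_s" -iv "$iv" -in "$d/wire.bin")

  # The listener's derived value does not match, so it cannot unlock the traffic.
  if cmp -s "$d/eve.sec" "$d/client.sec"; then result="$result|listener=has-key"
  else result="$result|listener=no-key"; fi
  rm -rf "$d"
  echo "$result"
}

agree_and_exchange
```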
So… what is an SSL Certificate?
Up to this point, we have been talking back and forth with Amazon's servers, ordering shoes and kitchen gadgets we will never use, but how do we know we are actually talking to Amazon? We know that SSL encryption is important, but if there is an unknown number of people between us and Amazon, how do we know we are not just talking to an Amazon imposter? You've likely guessed SSL certificates (as that is the title of this section), and you would be correct!
When Amazon created the keys they would use to do all their SSL encryption, they used one of their keys to encrypt a special file called a Certificate Signing Request (CSR). They then handed this CSR file off to a company called a Certificate Authority. There are only a handful of these authorities in the world, and they are trusted with vouching for the identity of key holders that want to do SSL Encryption. The authority makes a new file called an SSL Certificate based on the CSR. The certificate is just a file confirming Amazon’s identity. Since Amazon's Certificate is based on the CSR they sent, and the CSR is based on one of their keys, they can prove (using complicated math) that the key used to encrypt things is indeed Amazon’s.
When you visit Amazon.com and your web browser sees that they want to do SSL Encryption, it asks for a copy of Amazon's SSL Certificate to prove they are who they say they are. Once your browser gets that Certificate, it then confirms its validity with the company that made the certificate. If it is valid and the math works out, your browser feels safe to continue talking to them, and you, the visitor to Amazon.com, can feel safe buying things from them. Your browser communicates this to you with the little padlock icon in the address bar.
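The CSR-to-certificate-to-verification flow described above, run locally with the openssl command line as an added example (not part of the original article). The CA name, the site name shop.example and the function name are made up, and the check is done against a local copy of the CA's root certificate, which is how a trust store is used.

```shell
#!/usr/bin/env bash
# Added illustration of the CSR -> certificate -> verification flow.
# "Example Demo CA" and "shop.example" are made-up names.
set -euo pipefail

issue_and_verify() {
  local d genuine imposter
  d=$(mktemp -d)

  # 1. The certificate authority: a key pair plus a self-signed root certificate.
  #    Browsers and operating systems ship with a store of such roots.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null

  # 2. The site owner: a key pair and a CSR. The CSR carries the public key and
  #    the requested name; the private key never leaves the owner's machine.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null

  # 3. The CA turns the CSR into a certificate by signing it with the CA key.
  openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/site.crt" 2>/dev/null

  # 4. The visitor checks the signature against the trusted root.
  #    (A browser also checks the hostname and the validity dates.)
  if openssl verify -CAfile "$d/ca.crt" "$d/site.crt" >/dev/null 2>&1
  then genuine=trusted; else genuine=rejected; fi

  # 5. An imposter can put the same name on a certificate it signed itself,
  #    but no trusted root vouches for it, so the check fails.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=shop.example" \
    -keyout "$d/fake.key" -out "$d/fake.crt" 2>/dev/null
  if openssl verify -CAfile "$d/ca.crt" "$d/fake.crt" >/dev/null 2>&1
  then imposter=trusted; else imposter=rejected; fi

  rm -rf "$d"
  echo "genuine=$genuine imposter=$imposter"
}

issue_and_verify
```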
And that’s it! Sure, it might still sound a little confusing, but it’s important to understand SSL Encryption and SSL Certificates both as a consumer and as a website owner. With a little bit of knowledge about the ins and outs of SSL encryption, you can ensure that the website you’re making purchases on is safe, and you can offer that safety to your potential customers as well.
Need more information on SSLs?
If you have additional questions about SSL encryption or are interested in learning more about how you can offer a more secure web experience for your customers, give us a call. Our web developers have a knack for explaining highly technical concepts in a way that is easily understood, and we would be happy to help you better understand the unique world of SSL encryption. By doing our part and taking the time to understand, we can all make the internet a safer place to do business!