SSL INTRODUCTION OVERVIEW
We are often asked why SSL is needed and what benefit it brings. SSL is a term used mostly in respect of secure web site access via a browser and stands for Secure Sockets Layer. SSL is also used to setup secure channels to send data over between different devices even when no human interaction takes place.
- TLS - stands for "Transport Layer Security" and is what SSL now should be called as the older versions of SSL are not secure. In many cases servers that use the older SSL will not allow a secure connection to be created unless its TLS 1.2.
- Encryption standards - there are many encryption standards used at different parts in the security processing. The three most referred to are RSA 2048 bit for SSL certificates that are used to identify devices and setup the initial secure link, and SHA256 for checking a file is valid, AES256 for encrypting the data once a secure channel is setup.
- Private/public keys - small files created on a device using an encryption standard and form part of the encryption/decryption process. The public key is usually made available on the internet for anyone to access but the private key should be tightly controlled.
- SSL Certificate - a file that is generated when a public key is sent away to a trusted third party to be checked and marked as valid.
- Chain of Trust - the internet has a series of very secure servers that check the issued certificates to make sure they are valid. When you connect to a web site with https the browser checks the target site certificate and reports back.
- Root server - around the internet are a series of servers that are the top of the chain of trust. Occasionally you may notice during a device update changes to these root certificates as they can expire from time to time.
- CA - Certificate Authority. Can refer to a specify server in an intranet or a company on the internet. Used to sign public keys which means an additional mark is applied to the file.
- IA - Intermediate Authority. A server that sits between you and the root server, usually to spread the workload.
Most web sites use a basic certificate that is tied to a FQDN (fully qualified domain name) where the signing authority checks the right of the person asking to use the domain. This is called Domain Validated. Other types include:
- Organization Validated - like Domain Validated but basic company checks are performed.
- Extended Validation - like Organization Validated but the signing authority performs a thorough vetting of the organization. You can tell a site has Extended Validation when part of the browser address at the top goes green.
- Wildcard - allows you to create a certificate based on a range of sub domain urls. For example a basic certificate could be created for www.text.org but could not be used on ftp.text.org. Whereas a wildcard certificate for *.test.org could be used on both urls.
- IP - IP address used rather than a domain name
As the checking level goes up so does the cost and the insurance coverage provided by the issuer.
One/Two Way Validation
When you use a browser to access a https site your browser checks the SSL certificate is valid. If it is valid it will carry on. If it is not valid then the browser will report this and ask you what to do. You can override the issue but is not recommended. Some organisations won't allow access to sites with expired SSL certificates. An issue can occur if the certificate has expired or if the device is using a self-signed certificate that has not be marked as secure by a trusted third party.
Two way authentication is where your browser checks that the server you want use is secure and the server checks you by checking your certificate. Most users do not have a certificate on their PC so this is not often used with browsers. Two way authentication is typically only used when two servers open a secure channel to each other. Two way authentication is not the same as two factor authentication.
Basic One Way Browser Operation
It can be useful to see some of the steps in how SSL works for a browser to a server.
- User opens browser on device and puts in the address of server starting with https.
- Browser looks up IP address of server and asks the server for a secure connection, usually on network port 443.
- If the server is using SSL and has an available licence it sends back its SSL certificate and some details on what types of encryption it can accept.
- Browser checks the SSL certificate and how it has been signed. This is the asynchronous setup using the RSA 2048 bit certificate to prove authenticity .
- If all is as it should be then the two devices setup a secure encrypted channel using a separate random encryption key and process, SHA256, or whatever the maximum standard is that both the server and browser can use. This is the synchronous part of the setup.
- Data is exchanged over the secure channel until one site breaks the connection.
Large organisations often have networks that span the internet using Virtual Private Networks (VPN's) and are called intranets - only devices or users inside the organisation can access the intranet. In this case the company ICT can create a server as their own CA and use it to sign and validate certificates it issues. Often the design will need mutiple servers to handle CA. These type of certificates will not usually work on the internet. The licensing of a CA can be expensive and requires some well trained operations staff to ensure it works at all times. No CA no network! Note that the VPN's themselves are often secured by similar technology only using full internet signed certificates.
Signing technology is also used for marking files in an number of other ways including:
- DRM - digital rights management where important or valuable files can be digitally signed so that they can only be opened by authorised users.
- Code signing - developers can mark files to prove they came from them and have not been tampered with.
- Government - some government processes require the person sending the data to sign the data to prove it came from them.
Google ranks sites higher if the site is fully https.