What is SSL and why is it important?
In a previous blog post, I explained how we can install SSL on to any site for free using a cool tool we built. This is all well and good, but it missed out a few crucial elements and assumed a lot of knowledge on the part of the reader.
- What is SSL?
- What is encryption?
- Why is it important?
- How does it work?
- Why should you bother?
In this blog post I’ll try to answer the above questions without using phrases such as symmetric key encryption, cipher suite or Diffie-Hellman key exchange.
What is SSL?
SSL stands for Secure Sockets Layer and is actually now outdated. It’s successor Transport Layer Security (TLS) is often also referred to as SSL because developers are lazy despite being a different protocol (although it admittedly achieves the same thing). In this article, when I’m referring to SSL, I’m actually referring to TLS.
At the very simplest level, when you visit a website with a padlock, it places a lock around any data sent between your computer and the website so that anybody who’s managed to gain access to that data cannot read it. This makes it safe enough to do banking, shopping and any other sensitive transactions.
SSL provides two functions:
Encryption to make sure the data is encrypted between you and the intended recipient.
Identification to make sure that the intended recipient is who they say they are. It’s no good sending encrypted data to a trusted party who is actually an imposter!
What is encryption?
Encryption is a very broad term. Generally speaking, when you encrypt something (data or otherwise), you make the data impossible to read by anybody but the intended recipients. SSL allows us to encrypt data sent between a website and your computer meaning that even if someone is snooping, they can’t see what’s being sent!
If you’re a massive nerd like me, I highly recommend reading this book on the subject. It’s a great toilet book.
Why is it important?
Believe it or not, the default online is that nothing is encrypted. Data sent between your browser and the company you’re dealing with is totally open to anybody who cares to look. “Who would want to look? Who cares?” you ask. Well I’ll tell you.
- The government.
- Identity thieves.
It’s not even that hard to snoop on unencrypted web traffic. With the proliferation of unprotected and poorly managed public wi-fi, it’s shockingly simple. The stuff you do online is valuable to a whole host of people for a whole host of reasons. It’s basically Google’s entire business model.
Oh, also, it’s good for SEO to be protected by SSL.
How does it work?
It’s simple really.
- Your browser tells the server that it wants to communicate securely.
- The server agrees (if it can) and sends the SSL certificate back to the browser.
- The browser checks if the certificate is valid. (Is it expired? Is it for the correct domain? Is it trusted?)
- If so, the browser sends a session key to the server to encrypt traffic.
- All data is encrypted for that session.
More often than not, this process happens transparently and without a hitch. Although, not always. Stuff can go wrong:
- The certificate is expired. SSL certificates only last a set period of time before they must be renewed.
- The certificate is for a different domain name. SSL certificates are assigned to a domain name (or group of domain names). If you visit a website with one domain, but with the SSL certificate is for a different domain, the SSL certificate is not valid.
- The server doesn’t actually support SSL. It just won’t work.
- The certificate isn’t trusted. This can be for a variety of reasons. It’s very rarely an issue though.
If the certificate isn’t valid, you’ll get a big error message from your browser that strongly advises you to stop and turn back. You can (in most cases) override this though if you have a good reason. Unless you’re a developer, you basically have no good reason.
Why should you bother?
So you’re convinced that it’s probably a good idea, but the effort involved is too much? Stop that right now.
- Encrypting your users’ traffic is the right thing to do. Soon, most web browsers will mark all non-secure traffic as not just non-secure but as actively insecure. That big red padlock you get sometimes? That’s coming for you and your unencrypted website, buster.
- It’s good for SEO.
- People demand privacy online and SSL is the way to do it. In the wake of the Snowden leaks, people really care about this stuff now.