In this post, we’ll take a look at SSL protocol and TLS protocol to help you understand the different aspects of these protocols. One of the most important topics in Cyber-security course is web secure.
SSL (Secure Sockets Layer) is a protocol for establishing authenticated and encrypted links between networked computers. In other words, SSL is the standard security technology for establishing an encrypted link between a web server and a browser. SSL preventing criminals from reading and modifying any information transferred (between two systems), including potential personal details. The two systems can be:
- A server and a client
- A server to server
SSL uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. SSL supports the following information security principles:
- Encryption: protecting data transmissions (e.g. browser to server, server to server, application to server, etc.).
- Authentication: ensuring the server you’re connected to be actually the correct server.
- Data integrity: ensuring that the data that is requested or submitted is what is actually delivered.
TLS (Transport Layer Security) is the successor protocol to SSL. TLS is an improved version of SSL. In fact, when the time came to update from SSLv3.0, instead of calling the new version SSLv4.0, it was renamed TLSv1.0. We are currently on TLSv1.2. TLS works in much the same way as the SSL, using encryption to protect the transfer of data and information. When you buy an ‘SSL’ certificate, you can of course use it with both SSL and TLS protocols.
Which Communications Can SSL and TLS be Able to Secure?
- Online credit card transactions or other online payments
- The transfer of files over HTTPS and FTP(s) services
- Intranet-based traffic (like internal networks, file sharing and extranets)
- Webmail servers (like Outlook Web Access, Exchange and Office Communications Server)
- System logins to applications and control panels
- Hosting control panel logins and activity
- Workflow and virtualization applications like Citrix Delivery Platforms or cloud-based computing platforms
What is a SSL Certificate and How Does it Work?
We know that in the past (and of course still) websites have been published by Port TCP 80 or HTTP protocol. This protocol is not very secure, which is why a protocol called HHTPS has been released, which is based on data encryption. The SSL Protocol is used to encrypt data in the HTTPS Protocol. In this way, a SSL certificate is installed on the web server (which hosts the website) and through it and by the SSL protocol, the website security operation is performed. So the two words HTTPS and SSL are very close. In other words, browser and the server need what is called an SSL Certificate to be able to establish a secure connection. SSL-secured websites also begin with https rather than http. The closed lock icon is https icon. A SSL-secured website has a closed lock in address bar in web browser. Green address bar is another icon for for a HTTPS website (it’s secured by SSL).
SSL (and TLS also) operates directly on top of the transmission control protocol (TCP). Underneath the SSL layer, the other protocol layers are able to function as normal. If an SSL certificate is being used correctly, the hacker may be able to figure out which host name the user is connected to but, crucially, not the rest of the URL. As the connection is encrypted, the important information remains secure.
SSL certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner.
The most important part of an SSL certificate is that it is digitally signed by a trusted CA, like DigiCert. Anyone can create a certificate, but browsers only trust certificates that come from an organization on their list of trusted CAs. Browsers come with a pre-installed list of trusted CAs, known as the Trusted Root CA store. An SSL Certificate issued by a CA to an organization and its domain/website verifies that a trusted third party has authenticated that organization’s identity. Since the browser trusts the CA, the browser now trusts that organization’s identity too. If the SSL/TLS certificate itself is signed by a publicly trusted certificate authority (CA), such as SSL.com, the certificate will be implicitly trusted by client software such as web browsers and operating systems. Publicly trusted CAs have been approved by major software suppliers to validate identities that will be trusted on their platforms.
There are some types of certificates you can earn depending on the SSL you obtain:
- Extended Validation (EV): This type of certificates are the most expensive SSLs to obtain. If you want to buy a certificate of this type, you have to pay about $ 600 per year. You can search the internet to find reputable global certification authorities (CAs). This certificate is suitable for eCommerce websites .This certificate shows the padlock, HTTPS, business name and country in the address bar to diminish being mistaken for a spam website. To set up an EV SSL, you must prove that you are authorized to own the domain you’re submitting. In fact, during verification of an EV SSL Certificate, the owner of the website passes a thorough and globally standardized identity verification process to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the certificate. An EV SSL certificate can be obtained by any business, and it should be a priority especially for those that need identity assurance. EV SSL Certificates can be used in all applications that require stronger identity assurance High profile websites often targeted for phishing attacks can use EV SSL Certificates for their public facing websites. Of course, these days, phishers have started using DV certificates (usually acquired from free SSL service that lack adequate phishing checks) to help their sites look more trustworthy and trick unsuspecting victims into submitting financial or personal information. This emphasizes the need for verified identities online.
- Organization Validated (OV SSL): These Certificates assure visitors that they’re on a website run by a legitimate business. Organization name also appears in the certificate under the ON field. OV SSL Certificates come up with features such as wildcard & Multi-domain SSL feature. The wildcard SSL feature allows the users to validate business and to secure an unlimited number of sub-domains. Whereas the multi-domain feature allows the users to secure up to 100 fully qualified domain names. The CA checks the right of the applicant to use a specific domain name PLUS it conducts some vetting of the organization. Additional vetted company information is displayed to customers. Social networking platforms, banking platforms, Facebook games & apps, Firefox Add-ons, Google Chrome extensions are highly recommended to adopt OV SSL certificate for security purposes. If you want to buy a certificate of this type, you have to pay about $ 350 per year. This certificate is suitable for Organizations and business websites.
- Domain Validation (DV): This certificate is suitable for personal websites but it is not highly recommended for large commercial websites. These Certificates are SSL certificates that are issued after an applicant has proven some control over a domain. Generally, no other validation is done. In order to get a Domain Validated SSL Certificate you just have to prove that you own the domain by responding to an email or phone call using the information in the WHOIS record of the domain. The CA checks the right of the applicant to use a specific domain name. While you can be sure that your information is encrypted, you cannot be sure who is truly at the receiving end of that information. This type of certificates has two advantages: Speed and price. You can usually get a fully-functioning certificate within minutes. No need to send in company validation documents. Also, it is the cheapest SSL certificates available. If you want to buy a certificate of this type, you have to pay about $ 600 per year. These certificates have also some disadvantages: Low assurance, and low safety. Because your company is not validated, these certificates don’t help your visitors know who is running your site. The certificates themselves still enable full encryption but there are other security problems. (1)- Any phisher can get one and can hide their identity completely. (2)- They make man-in-the-middle attacks more dangerous. In fact, DV certificates do almost nothing to verify that you are talking to who you think you are talking to.
But there is another classification for certificates as follows:
Single Domain SSL Certificates: A Single Domain SSL protects one domain and you can’t use it to protect subdomains or a completely different domain. For example, if you purchase this certificate for example.com, you can’t use it for blog.example.com.
Wildcard SSL Certificates: Wildcard SSLs ensure that if you buy a certificate for one domain, you can use that same certificate for subdomains. For example, if you bought a Wildcard for example.com, it could be applied to mail.example.com.
Unified Communications (UCC) SSL Certificates: These certificates also known as Multi-domain SSL certificates and they allow multiple domain names to be on the same certificate. Multi-domain SSL certificates cover up to 100 domain names.
How Can I Get a SSL Certificate for My Website?
The first step is to determine what type of certificate you need. It may mean that you need different SSL certificates. One of the other key considerations is the validity period of a certification. Most standard SSL certificates that you purchase are available for one to two years by default, but it’s better you consider more advanced certificates that offer longer time periods.
Does SSL Work on Email?
Most of the big email providers use SSL encryption to encrypt users’ mail. In most cases, the SSL option will be automatically checked in email settings. If a company is setting up its own email service the IT team may need to check with their provider that they are also secured by SSL. This will eliminate security problems when sending out mail shots and individual mail.