We’ve all bought things online and seen the little lock icon in the corner of our browser window… but very few people stop to consider what that means and what goes on behind the scenes. Come along with me as I explain what SSL is and how it works. First of all, SSL stands for Secure Socket Layer. Netscape created this system in the mid-1990s for use with the Navigator web browser, which was the first to offer reliable e-commerce capabilities. It addressed the issue of anyone being able to spy on your communications while surfing the web.
A criminal could do terrible things to you if some of those communications contained a credit card number or other personal information. As a result, Netscape created a protocol that encrypted messages as they travelled from one computer to the other, providing two computers with a way to communicate with one another. Because no one other than those two computers could read the message, your private information was safe. It doesn’t matter how your message is transmitted directly, through proxies or any other method it cannot be read.
A certification authority is a company that issues a digital certificate to the owner of the web server (CA). Each certificate has a link to the company that issued it, and it eventually ends at what’s known as a “root” CA. Every browser has a list of CAs that are considered “trustworthy.” When you make a secure connection to a web server with a digital certificate, your browser follows the “chain of authority” and checks each certificate to see if the CA that issued it is in the list.
If the browser goes all the way back to the root CA without finding it in the list, you’ll get a message that this certificate isn’t trusted. When a certificate isn’t trusted, you can’t be sure that the information listed in it — company name, address, phone number, etc. — is correct. Trusted CAs verify business licences and contact information. Other CAs may not.
Even if the contact information isn’t verified, the traffic between your browser and the web server is protected from eavesdroppers. The two computers will exchange “keys” once the browser has established that you want to trust this web site’s certificate, whether because the CA is on the browser’s list or because you confirm your trust in the warning dialog.
A “key” is simply a large number that is mathematically linked to another number in a very specific way. The method by which these numbers are chosen is complicated; explanations of the process usually begin with statements like “Agree on a finite cyclic group G with a generating element in G.”
It’s probably easiest to pretend it’s magic, as with most cryptographic concepts and proxies.
Each computer will generate two keys. Because of the unique mathematical relationship between these keys, any data encrypted with one key can only be decrypted with the other. One of these keys is kept secret, and the second is sent to the other machine.
After the keys are exchanged, each machine encrypts any data it sends using its own secret key and the key received from the other machine. When the other machine receives the data, it will decrypt it using the two keys it has. So, because the keys will only decrypt data encrypted with the matching keys, each machine knows that the message came from the same machine and was intended for this machine. As a result, the data is safe and nobody can access it.