The Secure Sockets Layer is a security protocol that provides for the transmission of private data over a secure Internet connection. SSL uses certificates between a server and a client, such as a Web server and an Internet browser, or an email server and an email client, to secure and protect the transmitted data.
How SSL Works
Most of us still lock and unlock our front doors using a key. Likewise, when we send private data across the Internet, SSL provides keys that lock and unlock the access to our data. In either case, without the right key, the data (or the door) won't open.
For example, you find something you wish to buy from an online store, but in order to do so, you must send it some private information, like your credit card number, phone number and more. Before you provide this information across the Internet, you want assurance that the store's website provides you with privacy (to keep your information confidential), integrity (that your information can't be altered), and authenticity (that the website truly is what it says it is).
In order to provide these protections, the online store operator obtains an SSL certificate from a certificate authority, or CA. The SSL certificate verifies that the server and website can be trusted. The certificate contains the keys used to encrypt and decrypt transmitted data.
So, when your browser attempts to connect to a Web site that holds such a certificate, an SSL handshake occurs between your browser and the Web server. With the secured connection in place, the server provides the requested information in an encrypted message.
SSL encrypts data so it can't be read by anyone eavesdropping on the transmission line. Using the public and private security keys of the client and the server, the transmitted data can be read only by the sender and the receiver.
SSL uses public key infrastructure, or PKI. Each end of a secure communication link has two encryption keys: a public key, shared with anyone, and a private key, mathematically related to the public key but kept secret. In a communication session, the sender, who can be either end of the session, encrypts the data with the receiver's public key and the receiver decrypts the data with its private key.
In this way, unless a third party has the private key of one of the participants, there is little reason to intercept the transmission, because it can't be decrypted.
The SSL standard provides three basic encryption key lengths: 40 bits, 128 bits, and 256 bits. SSL certificates may support one or all of these key lengths. Which you use depends on several factors, including your host operating system, your browser, and the capabilities of the sites to which you connect. The 128-bit key length is the current standard. Older browser versions may be limited to the 40-bit or 128-bit key lengths, but most of the latest browser versions now also support the 256-bit key length.
TLS vs SSL
The Transport Layer Security protocol has largely replaced SSL for communication between applications and servers on the Internet. SSL version 3.0 became TLS 1.0 and the current version of TLS is 1.2, as of publication.
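As an added example (not part of the original article), the following Python uses the standard-library ssl module to contrast a client configuration that skips the checks described above with one that enforces them: the server's certificate must chain to a trusted CA, its name must match the site, and the connection must use TLS 1.2 or newer rather than SSL 3.0 or early TLS. The function names are assumptions made for this example.

```python
import ssl


def make_legacy_context():
    """Constructed weak setting (for contrast only): trust any certificate and
    accept any protocol version the local OpenSSL build still offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE  # the "authenticity" guarantee is gone
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def make_hardened_context(cafile=None):
    """Client settings that enforce what the article describes: the server
    certificate must chain to a trusted CA (the system store, or `cafile`),
    its name must match the host, and nothing older than TLS 1.2 is offered."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the weaknesses found in a client SSLContext; the list is empty
    when CA verification, hostname matching and TLS >= 1.2 are all enforced."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against a CA")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the host")
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) also compares as too low
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSL 3.0 / TLS 1.0 / TLS 1.1 are still negotiable")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", make_legacy_context()),
                       ("hardened", make_hardened_context())):
        print(f"{label}: {audit_context(ctx) or ['no findings']}")
```

Pass the hardened context to `ssl.SSLContext.wrap_socket` (or to `http.client.HTTPSConnection` via `context=`) so a server presenting an untrusted or mismatched certificate fails the handshake instead of silently succeeding.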