Monday, November 30, 2009

How do secure websites work? (Part 1 of 2)

I have been asked this question more times than I can remember. In fact the first time I was asked I did not really understand the process myself and now, even though I do understand the process, it can still be a challenging question to answer. This is because encryption is not without its share of complexities. In some ways it is these complexities that help protect your personal information, credit card data, passwords etc.


I am going to attempt to walk you through the SSL, or Secure Sockets Layer, process over the course of the next two posts, and hopefully once you have read all parts of the series you will understand and feel better about using your sensitive information on the web. If nothing else, maybe you will understand all those “certificate error” messages you have ignored all these years.

So how does SSL protect your information? Well, first we need to understand some basic fundamentals regarding encryption and the SSL process. You see, like so many things with technology, you have to understand the basics before the big picture can be made clear.

First of all, there are two types of encryption used in the SSL process. These two types of encryption perform very specific tasks and each has unique capabilities.

The first of these is known as Symmetric Encryption. With symmetric encryption the same key is used to encrypt and to decrypt data. It is fast, uses few computer resources and, when used correctly, is very secure.

The second type of encryption is called Asymmetric Encryption. You may have heard it referred to as Public-Key encryption. Asymmetric encryption has almost the opposite characteristics of symmetric. It is much slower in comparison, it uses a key pair (a public key and a private key) rather than a single key, and it uses a lot more computer resources to perform the encryption and decryption processes. Now, while there is a lot more to these two forms of encryption, this covers what you need to know for this discussion.

Next there is the SSL Certificate. This certificate contains information about the owner of the certificate, like e-mail address, owner's name, certificate usage, duration of validity, resource location and the certificate ID of the party who certifies this information. It also contains the owner's public key (the asymmetric-encryption half that is safe to publish) and a signed hash that lets your browser detect whether the certificate has been tampered with.

Finally, there is the Certificate Authority, or CA for short. There are many of these providers available, but a couple of the more popular are Verisign and Entrust. The service these companies provide is very important to you, the consumer, and yet their service does not cost you a dime. Here is how it works. An entity wants to provide services to you which need the protection of encryption while in transit over the hostile network known as the Internet. So they set up a web server and configure this server to use SSL. In doing so, the web server is used to generate a key pair and a CSR, or Certificate Signing Request, which contains the public key; the private key stays on the server. The company setting up the secure site then contacts a CA and requests that an SSL Certificate be generated for their web server, and they provide the authority with the CSR that was just generated on the server, along with other information about the company. Then, for a fee, the CA will generate the SSL certificate. However, before they do so, they perform validation checks to ensure that the company requesting the SSL certificate is who they claim to be. Then the CA's certificate ID is added to the SSL certificate as indicated above. So when you conduct business with this company's web server, if no errors are generated by your web browser, you can be assured that you are sending your sensitive information to the right party.
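To make the CSR, CA and browser-check steps above concrete, here is an added example (not from the original post) that runs the whole workflow with the openssl command-line tool: it creates a private root CA, generates a server key pair and CSR, has the CA sign it, and then checks the certificate the way a browser would, once against the root that issued it and once against a root that did not. "Example Root CA", "Other CA" and www.example.test are constructed names.

```shell
#!/bin/sh
# Added example, not from the original post: the CSR -> CA -> signed certificate
# workflow described above, run with the openssl command-line tool.
# "Example Root CA", "Other CA" and www.example.test are constructed names.
set -eu
WORK="$(mktemp -d)"

# Step 1: a CA's key pair and self-signed root certificate. Real roots are
# pre-installed in the browser's trust store; here we make our own.
make_ca() {  # $1 = CA name, $2 = output file stem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" -subj "/CN=$1" 2>/dev/null
}

# Step 2: the web server generates its key pair and a CSR. The CSR carries the
# public key and the site name; the private key never leaves the server.
make_csr() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/CN=www.example.test" 2>/dev/null
}

# Step 3: after validating the requester, the CA signs the CSR with its own
# private key. The result is the SSL certificate the server will present.
sign_csr() {
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Step 4: what the browser does. Validate the server certificate against a root
# it trusts; prints OK or ERROR (the latter is the "certificate error" case).
verify_cert() {  # $1 = root certificate to trust
    if openssl verify -CAfile "$1" "$WORK/server.crt" 2>/dev/null \
            | grep -q ': OK$'; then
        echo OK
    else
        echo ERROR
    fi
}

# The public key inside the issued certificate must be the one from the CSR.
pubkey_matches() {
    a="$(openssl req -in "$WORK/server.csr" -pubkey -noout)"
    b="$(openssl x509 -in "$WORK/server.crt" -pubkey -noout)"
    if [ "$a" = "$b" ]; then echo MATCH; else echo MISMATCH; fi
}

make_ca "Example Root CA" ca
make_ca "Other CA" other          # a root the browser does NOT trust
make_csr && sign_csr
echo "trusted root:   $(verify_cert "$WORK/ca.crt")"      # OK
echo "untrusted root: $(verify_cert "$WORK/other.crt")"   # ERROR
```

The second check is exactly the situation behind a browser "certificate error": the certificate is well-formed, but no root your browser trusts vouches for it.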


So there are the basics, not too bad I hope. Next we will put it all together and explain how all of these components contribute to the SSL encryption of your information and, if used properly, grant you the security you need when submitting sensitive information on the web.

Steve
