SSL
Definition (from Webopedia): (pronounced as separate letters) Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with "https:" instead of "http:".

Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as complementary rather than competing technologies. Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.
SSL is the industry de facto method for hiding the information a web browser and a web server send to each other. When you browse a web site, you have very little privacy. Many people can monitor what you reveal to, or request from, that site. Credit card numbers, personal data, or controversial information are an open book to the technologically sophisticated eavesdropper. SSL was designed to defeat the snoops.
An SSL-enhanced browser such as Netscape uses encryption to scramble the data you send to a web site into an unintelligible string of seemingly random characters. A typical transaction is a browser sending the contents of an HTML form to the server. Let's say the form has a field named "cc" to hold the credit card number; here is the difference between an unsecure and a secure transaction:
- Unsecure transaction: The browser knows it's using a normal, unsecure connection. It sends "cc=2783-2734-8372-8737" to the server. The server receives "cc=2783-2734-8372-8737" and gives it to the CGI script that handles this form.
- Secure (SSL) transaction: The browser knows it is using a secure connection for this form. It takes "cc=2783-2734-8372-8737", turns it into "e$$%0lj*&*(#foij", and sends that to the server. The server receives "e$$%0lj*&*(#foij", converts it back into "cc=2783-2734-8372-8737", and hands it to the CGI script that handles this form.
The important thing to notice here is that the user and the CGI script never see the encrypted form of the credit card number. You can use the same CGI script and the same HTML form for both secure and unsecure transactions.
You may be wondering how the browser knows how to encrypt the data. SSL uses a scheme (actually, a patented algorithm) involving "public" and "private" digital keys. The server gives the browser its public key, which the browser uses to encrypt all transmissions. The interesting thing about this process is that although the public key is used to encrypt the transmission, it cannot be used to decrypt it. Only the private key will work (trust us, it really works!). The server uses the private key (which is never sent to anyone) to decrypt the transmissions. Likewise, the browser creates its own public/private key pair for stuff going in the other direction. So, even if someone intercepts the transmission, they cannot make any sense of it, even if they have the public key!
In addition to providing privacy, SSL was designed to answer a related question: how do you know you are really communicating with the Web site you intended? After all, someone could be intercepting all transmissions and providing a false public key for which they have the correct private key.
SSL is structured to use "certificates" of identity to authenticate web sites and web surfers. These certificates are "digitally signed" and issued by a trusted third party such as Thawte or VeriSign. Such trusted third parties are known as "Certification Authorities" or CAs. Once a web site has registered with a CA, the browser can ask the CA "Is this the correct public key for this company?" Unfortunately, these certificates are not free.
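The form transaction, the public/private key process and the certificate check described above, as an added example that is not part of the original page (the page contains no code): a toy textbook RSA in Python with tiny, constructed primes, where the site's public key encrypts the form field "cc=2783-2734-8372-8737" and only the private key recovers it, and a toy certification authority signs the site's public key so that a substituted key, a certificate from a CA the browser does not trust, or a certificate issued for another site is rejected. The site name www.example.com, the primes, and the function names are assumptions chosen for illustration. Two caveats a practitioner should keep in mind: in real SSL/TLS the server's public key is used only during the handshake to agree on a symmetric session key that then encrypts the traffic, and the browser does not ask the CA anything online; it checks the CA's signature on the certificate with a CA public key it already holds, which is what browser_verify models.

```python
import hashlib
from math import gcd

# Toy textbook RSA with tiny fixed primes (hypothetical values, chosen for
# readability). Real SSL/TLS keys are thousands of bits long and use padding;
# nothing here is the actual SSL algorithm.


def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, blocks):
    """Raise every block to the key's exponent modulo n."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]


def encrypt(public_key, plaintext):
    """One byte per block; no padding, so values 0 and 1 map to themselves (toy only)."""
    return rsa_apply(public_key, list(plaintext))


def decrypt(private_key, ciphertext):
    """Only the matching private exponent turns the blocks back into bytes."""
    return bytes(rsa_apply(private_key, ciphertext))


def cert_digest(subject, public_key, modulus):
    """Hash of what the CA vouches for (site name plus its public key),
    reduced so it fits under the CA's modulus."""
    data = f"{subject}|{public_key[0]}|{public_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


def ca_issue(ca_private_key, subject, public_key):
    """The CA signs the digest with its private key; the result is the certificate."""
    d, n = ca_private_key
    return {"subject": subject, "public_key": public_key,
            "signature": pow(cert_digest(subject, public_key, n), d, n)}


def browser_verify(cert, expected_subject, trusted_ca_public_key):
    """Offline check using the CA public key the browser already ships with."""
    e, n = trusted_ca_public_key
    if cert["subject"] != expected_subject:
        return False
    expected = cert_digest(cert["subject"], cert["public_key"], n)
    return pow(cert["signature"], e, n) == expected


# Constructed keys (toy primes, not real keys).
SERVER_PUB, SERVER_PRIV = make_keypair(61, 53)          # the web site
CA_PUB, CA_PRIV = make_keypair(7919, 7907, e=65537)     # the trusted CA
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(59, 67)      # interceptor's own pair


def demo(form_field=b"cc=2783-2734-8372-8737"):
    """Return the outcome of each scenario from the text as a dict of booleans."""
    ct = encrypt(SERVER_PUB, form_field)
    results = {
        "private key recovers form": decrypt(SERVER_PRIV, ct) == form_field,
        "public key recovers form": rsa_apply(SERVER_PUB, ct) == list(form_field),
    }
    genuine = ca_issue(CA_PRIV, "www.example.com", SERVER_PUB)
    # Interceptor swaps in its own public key but can only copy the signature.
    forged = dict(genuine, public_key=ATTACKER_PUB)
    # Interceptor signs with a CA of its own that the browser does not trust.
    self_signed = ca_issue(ATTACKER_PRIV, "www.example.com", ATTACKER_PUB)
    results.update({
        "genuine cert accepted": browser_verify(genuine, "www.example.com", CA_PUB),
        "forged cert rejected": not browser_verify(forged, "www.example.com", CA_PUB),
        "untrusted CA rejected": not browser_verify(self_signed, "www.example.com", CA_PUB),
        "wrong site rejected": not browser_verify(genuine, "www.other.example", CA_PUB),
    })
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The first two results show the point of the key-pair paragraph: the same ciphertext decrypts correctly with the private exponent and to garbage with the public one. The certificate results show why a false public key from an interceptor does not help: without the CA's private key the interceptor cannot produce a signature that the browser's copy of the CA public key will accept.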
Valley
TechNologies, LLC
262.673.1979
414.828.2668