Our Very (Very) Basics series gives a high-level look at hot tech topics. We want these posts to be a way for people who don’t normally work with the web, mobile, and marketing to understand the basics without having to deal with all the geeky stuff. If you’d like more information about any of these topics, try searching our blog to find more posts.
Have you ever heard a web company say something needs an SSL? What does that mean?
The internet is a big place. With close to 9 billion devices connecting, it can be hard to find some privacy. SSL encryption technologies are often used to facilitate a private line between two parties.
Why do you need privacy
Generally speaking, anytime a credit card or detailed personal information (like Social Security Number) is transmitted you need to use SSL encryption technology to protect that information from prying eyes.
If you didn’t use SSL technology to protect that data, there are many ways it could be exploited. If you are a wireless user, no matter if on a mobile phone, wifi, or satellite, that information is traveling in the air exposed. Anybody with the right equipment that is in range of your signal can intercept that data.
Even if you are on a wired network, you are not in that much better shape. As I write this article, I preformed a traceroute to amazon.com. It’s sort of like revealing the road-map my data traveled to arrive at Amazon. My packets touched ten different routers owned by five different companies en route to one of the largest retailers on the planet. Out of these five different companies, two I know, my own ISP and the other is Amazon. Three are an enigma to me. Never heard of them. Do I trust my credit card information totally naked in their hands? Do I know their networks are free of malware? Do I know the competence of their network security? No, I do not.
Additionally, there is another common way to harvest data, called a man in the middle attack. Though a bit harder to explain, it is one in widespread use. More or less, a website will masquerade itself as another site, likely one that already trust, like GoDaddy, PayPal, eBay, your bank, etc. People are tricked into submitting their information to these parties. Most are simple, like an email with links to a fake website, that looks like PayPal, but is actually not PayPal. Others are more complicated and far harder to explain, but the sum of it is, it will look like you are at Amazon (for example) and even though it says amazon.com in the address bar, that is not the real amazon.com.
How does SSL technology protect me
Now that you know some of the dangers of unencrypted data, let’s see what SSL encryption can do for us. When you are at your favorite reputable merchant’s website, your desire is to let them have your credit card information to charge for the agreed amount. SSL encryption gives you a private line to the merchant’s webserver. Though others may still intercept the transmission of your data, it’s going to look like trash, and it will be undecipherable as a credit card number. Additionally, SSL technologies ensure you that you are indeed speaking with the merchant you think you are, not an impostor.
But how does it work
It’s somewhat complicated as to “how” it works exactly, but I will offer a brief description.
The server administrator makes a private key. This is very long string of random characters, including lower letters, upper letters, numbers, and special characters (like + or /). This private key is never shared with anybody, but a public key (called CSR) is derived from it. This public key can encrypt data, but can not decrypt information. This public key is shared with a certificate authority (CA), like Thawte, VeriSign, Network Solutions or GoDaddy. Once the CA has validated the business, they will issue a certificate. The private key, public key, and certificate are all a trio that can only work together and are not interchangeable.
When your browser goes to a website over a secure https connection, the webserver will send back the certificate and public key. The browser will validate this as legitimate from the CA. Once the browser knows the certificate is good, it will use the public key to encrypt the data it’s about to transmit, such as credit card. The webserver will be able to decrypt this information with the private key. Only the private key will decrypt it. If this is all happening right, most browsers will show a lock in the address bar.
What about the NSA
Recently, much news has been released surrounding the NSA (and a few other agencies) and its ability to peak into various services and technologies to access information previously thought to be secret. At this time, it’s unknown what exactly they have access to, it does seem the NSA has direct access to Facebook, mobile phone data, Hotmail and Google services.
They may also have access to SSL connections. The actual encryption ciphers that Sephone uses for SSLs are AES-256 with RSA key generation. Those are by far the most common in current use. The other common encryption ciphers are RC4 and SHA. To break a AES-256 cipher would take the world’s largest super computers around 149 trillion years. Seems like a safe bet, but it may be that the NSA may have built a back door directly into the SSL protocol. It’s unknown at this time exactly.