What is SSL and why is it important?
Almost daily, we hear of incidents involving identity theft, stealing of account passwords, malware installations on the back end of websites and even ransomware. The internet is a hostile place for the unprotected.
These security breaches have a certain means of attack in common, and that is social engineering: being tricked into clicking on a link you’re not supposed to, or opening files or applications from untrusted sources. It’s an easy mistake to make, especially when the website looks legitimate, but it’s easy to avoid if you know what SSL is.
By now you have probably seen the green padlock that appears next to the web address in the browser navigation bar, for example when logging into your bank account. The padlock will usually include the name of your bank. That’s what SSL is, and it’s what will save you from becoming a victim of nefarious hacks.
The following article will explain what SSL means and why it is important in today’s web environment.
What is SSL, and how does it work?
Let’s start with the basics. SSL stands for Secure Sockets Layer.
SSL is the current standard for establishing a secure and encrypted connection between two points on the internet, for example your computer and the web server for a website that you are currently browsing.
There are several versions that have been released. However, they all do the same job which we will discuss further below.
SSL is the basis for secure HTTP, or HTTPS (the “S” standing for secure). This basically means a website delivered over the Hypertext Transfer Protocol through a secure, encrypted connection. I will simplify below with an analogy.
Suppose you want to open an account with your local bank. You approach the teller, but the teller does not want to open an account for you, as she does not know you. One option is for the bank to call the authorities (a government department or social security) since they most likely have your identification.
But that seems too tedious, so she asks you for identification instead. You provide your passport, which contains your personal details etc. This serves as the document that authenticates your identity. However, the document itself does nothing exceptional except identify you. You cannot use it to withdraw money from the bank.
However, because your passport is an identifiable document issued by a trusted authority (the government), you can use it to open an account, acquire an ATM card and then withdraw money from the bank.
The same scenario occurs when you access a secure website. Your browser seeks authentication and identification from the web server (website), which it presents as its SSL Certificate. The website cannot simply say “I am the Commonwealth Bank”. It needs a trusted certificate provider to establish this identity.
This takes the form of an SSL handshake, which at a high level is a back-and-forth communication to establish a connection and identification before the web browser actually provides you with the website content.
For a more detailed explanation of the SSL handshake, click here.
Is it that simple, then? Can’t I just acquire a certificate from a cheap provider?
Not all SSL Certificate providers are the same.
There is a broad range of enterprise-grade certificates that can be very expensive (thousands of dollars a year), while some are very cheap, if not practically free.
Another analogy here is that your passport is a secure indication of your citizenship to a country, and it is a trustworthy document that establishes your citizenship and identity. It can be used to travel to other countries. Note, however, that not all passports are the same. Some are more “powerful” than others since a bearer can travel to more countries without requiring a visa. Other passport bearers are required to secure additional documents before being granted access to a country.
In the same breath, SSL certificates are different. In the example above, the certificate’s name itself is displayed on the browser, and it is one of the top-tier types of certificates. Most lower-grade, more common certificates only display the “Secure” lock icon, and the certificate owner’s name is not presented.
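The difference between certificate tiers is visible in the certificate's subject fields. The Python sketch below is an added example, not code from this article: it classifies a certificate from the dictionary that `ssl.SSLSocket.getpeercert()` returns, using a heuristic based on which subject attributes are present. The two sample certificates and the helper names are constructed for illustration.

```python
import socket
import ssl

# Subject attributes that CA/Browser Forum EV guidelines require in addition
# to organizationName (names as Python's ssl module reports them).
EV_MARKERS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten the nested subject tuple from getpeercert() into a dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_tier(cert):
    """Heuristic tier from subject contents: 'EV', 'OV' or 'DV'."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # domain control only; no owner name to display
    return "EV" if EV_MARKERS.issubset(fields) else "OV"


def displayed_owner(cert):
    """Owner name the certificate vouches for, or None for a domain-only cert."""
    return subject_fields(cert).get("organizationName")


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live certificate; chain and hostname are verified by default."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format (not real certificates).
SAMPLE_BANK = {"subject": (
    (("jurisdictionCountryName", "AU"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "000 000 000"),),
    (("countryName", "AU"),),
    (("organizationName", "Example Bank Ltd"),),
    (("commonName", "www.bank.example"),),
)}
SAMPLE_BLOG = {"subject": ((("commonName", "blog.example"),),)}

if __name__ == "__main__":
    for cert in (SAMPLE_BANK, SAMPLE_BLOG):
        print(validation_tier(cert), displayed_owner(cert))
```

`fetch_cert` raises `ssl.SSLCertVerificationError` when the chain or hostname does not check out, which is the step where a site that merely claims an identity is rejected.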
Of course, not all websites require the security of a bank website.
If you run a small blog, then security is appreciated by your users but it is not a deal breaker. However, if you run a website such as an ecommerce or tech website where your users share personal details like addresses, card numbers and the like, it would be necessary to have a top-tier SSL Certificate.
Websites such as SSLLABS.com will run a test on your website’s SSL Certificate and score the security of your website based on 4 metric scores.
For example, my website parallaxcreative.com.au has an “A” rating, which is more than suitable for the functionality of the website.
This guide does not preclude other potential dangers, like social engineering attacks (spoofing and phishing) that can circumvent the security of your website.
To conclude with my earlier analogy, it’s like someone creating a fake ID and pretending to be you while making a transaction at the bank, or someone stealing your ATM or Credit Card and using it to buy items or withdraw money.
Still, SSL is certainly the bare minimum for ensuring the security of your users’, clients’ and customers’ information and communications between client and server. No website or application should be without it, and you, as a user, should be wary of sending information across non-secure connections.
If you need assistance in securing your website or installing an SSL Certificate, please contact us below.