When we go online shopping or banking, for security, we expect to see the website to have both the “HTTPS” and the secured lock icon on the address bar. But what does this “HTTPS” and lock icon actually mean? To answer these questions we need to understand HTTPS, SSL protocol, and SSL certificates.
On HTTPS, SSL, and SSL certificate
Hypertext Transfer Protocol Secure (HTTPS) is the secured version of HTTP, which encrypts communications between computer networks. In HTTPS, the communication is encrypted using Secure Sockets Layer (SSL) or now known as Transport Layer Security (TLS). Hence, HTTPS is also referred to as HTTP over SSL (or HTTP over TLS). Any website with an HTTPS web address uses SSL.
Specifically, SSL or TLS, is a protocol that creates secured connections between communicating devices by implementing SSL certificates. SSL certificate is a web server’s digital certificate issued by a certificate authority (CA), hosted in a webserver, and then installed on a web browser. A CA is a trusted third-party organization that generates and gives out SSL certificates to website owners.
SSL certificate plays a critical role in building trust between the browser and the web server, and it does this by performing two functions:
1) by authenticating the identity of the webserver and the website; and
2) by encrypting the data transferred between the web browser and the webserver.
In essence, SSL certificates enable websites to use HTTPS, which is a more secure protocol. It also allows private conversation just between two parties to secure sensitive user data (e.g., usernames, passwords, email addresses, banking information, etc.), and to reduce the risk of stealing or tampering of sensitive data from fake versions of websites.
Here are the information and data included in the SSL certificate:
- The domain name that is certified
- The associated subdomains
- Person, organization, or device who owns the domain
- The certificate authority
- The digital signature of the certificate authority
- Issue date of the certificate
- Expiration date of the certificate
- The public and private keys
Types Of SSL Certificates
There are several types of SSL certificates, and they can be classified based on their level of identity validation and the number of domain/s they cover.
A. Level of validation
- Domain validated (DV) certificate – this is an X.509 public key certificate that is issued after the applicant has proven some control over the domain. This is the most common type of certificate. The sole criterion for a DV certificate is proof of control over the whois records, DNS records, email, or web hosting account of a domain. Basically, DV certificates can be issued without any human intervention, which allows it to have these following advantages:
- They are often cheap (10 USD per year) or even free, e.g. Let’s Encrypt.
- They can be generated and validated without any documentation.
- Most of them can be issued in a minute or so, via special tools which automate the issuing process.
Web browsers will display the secured lock icon but does not show any legal entity. Clicking the sign will only show “This website does not supply ownership information”.
- Organization validated (OV) certificate – this is an X.509 public key certificate that is issued when the applicant satisfies these criteria:
- control of the domain (similar to DV certificate);
- physical presence of the website owner;
- fee between 50 to 100 USD per year.
Web browsers will display the secured lock icon but does not show any legal entity, similar to a DV certificate.
- Extended validation (EV) certificate – this is an X.509 public key certificate that is issued after a CA verifies the legal organization that controls the domain. This is the most trustworthy type of certificate. The verification includes:
- control of the domain (similar to DV certificate);
- physical, operational, and legal presence of website owner;
- government business records, to make sure the company is registered and active;
- independent business directories, such as Yellow Pages, Dunn and Bradstreet, Salesforce’s data.com, etc.;
- inspection of all domain names in the certificate;
- fee between 150 and 300 USD per year.
Web browsers will display the secured lock icon and will have menus that show the EV status of the certificate and the name of the validated legal identity i.e. registered company of the website. Clicking the sign will show details about the organization, such as name and address.
B. Number of domains covered
- Single domain – This is the most common type of certificate. It secures one valid domain or subdomain name, such as example.com or www.example.com.
- Multiple domains (UCC/SAN) – This type of certificate is also known as Unified Communications Certificate (UCC) or Subject Alternative Names (SAN) certificate. It is not limited to a single domain and you can cover multiple domains up to a certain number. You can mix different domains and subdomains as long as they are related websites.
- Wildcard domain – This type of certificate covers the main domain as well as an unlimited number of subdomains that is within the wildcard format e.g. *.example.com covers example.com, www.example.com, mail.example.com, neo.example.com, etc.
How does an SSL certificate work?
Given a scenario of a user wanting to connect to the Mlytics webserver, the following will happens when the user input https://www.mlytics.com and then hit enter.
- The browser will initiate a TCP handshake and then request secure pages (HTTPS) from the Mlytics webserver.
- The Mlytics server sends an SSL certificate (digitally signed by a CA). Devices attempting to communicate with the webserver will need the SSL certificate to verify the server’s identity, and to obtain the webserver’s public key. The private key is kept secret and secure in the webserver.
- Once the browser gets the SSL certificate, the browser will check the digital signature of the certificate to make sure that it is valid or it is from the correct webserver. A digital signature is created by CAs private key, and browsers will refer to its installed CAs public keys to verify digital signatures of SSL certificates.
- Once the SSL certificate’s signature is verified, it will obtain the webserver’s public key. At this point, the secured lock icon will appear on the browser’s address bar. The lock icon can be used to indicate that the certificate can be trusted, and the browser is indeed communicating with the correct webserver, and not from an impostor.
- The next step is for the browser to share a secret. The browser will create one pair of symmetric keys, or shared secret. It keeps one key, and gives the other key to the webserver. However, it is not safe for the browser to send the secret in plain text, hence this is where the webserver’s public key comes into play. The webserver public key is a long string of characters used for encrypting the secret from plain text to cipher text. Once the copy of the secret is encrypted, the browser will send this encrypted secret to the web server.
- When the webserver gets the encrypted key, it will use a private key to decrypt it. The webserver’s private key is a long string of characters used for decrypting the secret from cipher text to plain text. Data encrypted with the public key can only be decrypted with the private key. After decrypting, the webserver and the browser now obtained the same copy of the shared secret (symmetric keys).
- From now on, all traffic between the browser and the webserver will be encrypted and decrypted using the symmetric keys.
From this example we also describe how asymmetric key algorithm and symmetric key algorithm work. The asymmetric key algorithm (public key and private key) is used to verify the identity of the webserver and to build trust between the browser and the webserver. Once the connection is established, the symmetric key algorithm (shared keys) is used to encrypt and decrypt all traffic between the browser and the webserver.