Why SSL encryption is necessary

As more reports surface about ransomware attacks and data breaches, it has become very important to put the necessary measures in place to protect users and their data. Part of this includes Secure Sockets Layer (SSL) encryption which is used to establish a secure link between a web server and a browser so that all data passed between them remain private.

SSL is identified on websites by the HyperText Transfer Protocol Secure (HTTPS) prefix at the beginning of the site’s web address (its Uniform Resource Locator, URL) and a padlock symbol. This indicates that the website is secure and that data traffic to and from the website is protected. It is also the user’s responsibility to check that websites have valid SSL certificates before providing personal information on them. SSL is also used to secure communications between devices carrying sensitive data within a corporate network, for example between a server and an endpoint.

How it works

  1. The browser (Chrome, Firefox, Safari, IE, etc.) connects to the website server secured with SSL and submits a request that the server identifies itself.
  2. The server then responds with a copy of its SSL certificate, including the server’s public key.
  3. The browser checks that the certificate chains to a root in its list of trusted Certificate Authorities (CAs), and checks the certificate’s expiration date, its revocation status and its common name to ensure that it is valid for the website the browser is connecting to. If all the checks complete successfully, and the certificate is trusted, the browser then creates a symmetric session key, encrypts it with the server’s public key and sends it back.
  4. The web server decrypts the symmetric session key using its private key and replies with an acknowledgment encrypted with the session key in order to start the encrypted session.
  5. All data transmitted between the browser and server is then encrypted with the session key for the duration of the connection.

This whole process is known as an SSL/TLS (Transport Layer Security) handshake and typically happens within a few milliseconds every time a browser connects to a secured resource or website.
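Step 3 is where most handshake failures occur, so it is worth seeing the checks a client performs spelled out. The following is an added example written for this article, not code from the original page or from any browser: it mirrors the expiry and name checks over a constructed certificate dictionary shaped like what Python's `ssl.SSLSocket.getpeercert()` returns, and shows the default client context (which enforces chain validation and hostname checking) beside the weakened setting that disables both. Chain-to-trusted-root and revocation checks are left to the TLS library, as they are in a browser. The sample certificate values, the function names and the hostname-matching helper are assumptions made for the example.

```python
import ssl
import time
from typing import Optional

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output.
# Not a real certificate; the names and dates are invented for the example.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: exact match, or a single leftmost '*' label
    that stands for exactly one label. '*.example.net' matches 'api.example.net'
    but not 'a.b.example.net' and not 'example.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only in the leftmost label, and never for a bare TLD like '*.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_check(cert: dict, hostname: str) -> bool:
    """Match the hostname against the certificate's DNS subjectAltName entries.
    The commonName is used only as a fallback when no SAN is present."""
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(p, hostname) for p in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(p, hostname) for p in cns)


def validity_check(cert: dict, now: float) -> bool:
    """True when 'now' (seconds since the epoch) lies inside the validity period."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def check_certificate(cert: dict, hostname: str, now: Optional[float] = None) -> list:
    """Return the list of failed checks; an empty list means the certificate
    passes the validity-period and name checks performed here."""
    now = time.time() if now is None else now
    failures = []
    if not validity_check(cert, now):
        failures.append("expired-or-not-yet-valid")
    if not hostname_check(cert, hostname):
        failures.append("hostname-mismatch")
    return failures


def client_context(verify: bool = True) -> ssl.SSLContext:
    """Default context: CERT_REQUIRED plus hostname checking against the system
    trust store. verify=False is the weak setting that turns both off and is
    the kind of configuration a code review should flag."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    at = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
    for host in ("www.example.com", "api.example.net", "a.b.example.net"):
        print(host, check_certificate(SAMPLE_CERT, host, now=at) or "ok")
    ctx = client_context()
    print("default context:", ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)
```

Run it as a script to see the three hostnames evaluated against the sample certificate at a fixed point in time; `a.b.example.net` is rejected because a wildcard covers one label only, which is a check weaker clients sometimes get wrong.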

Different types of SSL certificates

There are basically three types of SSL certificates, namely: 1. Extended Validation (EV SSL), 2. Organization Validated (OV SSL) and 3. Domain Validated (DV SSL). The differences between these certificates are the vetting and verification processes needed to obtain the certificate as well as the appearance in the browser address bar.

  1. Extended Validation (EV SSL) Certificates. With this certificate the Certificate Authority (CA) checks the applicant’s right to use a specific domain name and conducts a thorough vetting of the organization. The issuance process of EV SSL Certificates is strictly defined in the EV Guidelines, as formally ratified by the CA/Browser Forum in 2007. All the steps a CA must complete before issuing a certificate are specified there, including verifying: the legal, physical and operational existence of the entity; that the identity of the entity matches official records; that the entity has the exclusive right to use the domain specified in the EV SSL Certificate; and that the entity has properly authorized the issuance of the EV SSL Certificate.

New high-security browsers such as Opera, Firefox, Google Chrome, Apple Safari and iPhone Safari identify Extended SSL Certificates and activate the browser interface security enhancements.

Examples of EV SSL Certificates:

  2. Organization Validated (OV SSL) Certificates. With these, the CA conducts a similar rights and vetting process to the above-mentioned EV SSL certificates but in less detail. Vetted company information is also displayed to customers when clicking on the Secure Site Seal, and the organisation’s name appears in the certificate but not in the address bar as it does with EV SSL.

Example of OV SSL Certificates:

  3. Domain Validated (DV SSL) Certificates. These are the most common and least-trusted type of certificates because the CA only checks the right of the applicant to use a specific domain name and does not vet any further company information. The information is still encrypted but it is difficult to truly identify the recipient company/server. DV SSL Certificates are similar to OV SSL Certificates as they share the same browser recognition but are issued almost immediately without the need to submit any company paperwork. DV SSL Certificates are generally inexpensive (if not free) and are usually used internally in an organisation or for websites that do not process private information like credit cards and other sensitive data.

Example of DV SSL Certificate:

No matter the choice of certificate, it’s important to make sure that any data classified as being sensitive or private is protected from prying eyes. SSL-based encryption provides a fast, secure way to send and receive information and can be used on websites, email servers, VPNs, mobile applications and other platforms. Users also need to take responsibility for their own data though and be vigilant of the tricks that hackers and fraudsters use. One also needs to bear in mind that once data is stolen by a fake or hacked website it is likely to be available to criminals forever somewhere on the Dark Web.


Information and images gathered from recognised Certificate Authorities, GlobalSign and DigiCert.