How SSL Works: The Basics

How SSL Works: The Basics

If you’re a web developer or hosting reseller, the chances are you’ll bump into the mysterious world of SSL from time to time. I say mysterious because in my experience, the Secure Sockets Layer (SSL) protocol is one of the least understood technologies which is also crucial to the success of modern web applications and hosting.

In the wild world of the web, there is nothing more important to security than SSL. When we logon to Internet banking we are secured, or when we buy something from Amazon or on eBay our precious details are locked up nice and tight in an encrypted connection to a trusted and certified host. Without this peace of mind, services such as these would simply not exist and the Internet would not hold the same influence over society as it does today. In this post, I’m going to try and explain the basics of SSL, and I do mean just the basics, else this blog could quickly turn into a textbook (if it’s a textbook you’re after, stay tuned for my follow up articles which will get considerably more technical).

SSL secures your website in two important ways: First, it encrypts your connection to prevent eavesdropping and; second, it verifies the identity of the server you are connecting with.


The first and most important function of SSL is to encrypt all communications between the browser and the web server, ensuring nobody can eavesdrop or ‘wire-tap’ (that is, intercept communications between you and the server). This is becoming increasingly important as more laptops, tablets and mobiles use public internet connections and/or wireless to connect to their favourite sites. In these cases, it’s not just banking details you want to protect; every time you login to a site whether it be a forum, blog or social network, you are potentially revealing your password and all information protected by that password. Notably, Facebook and Twitter enforce SSL connections on all users who login to their site; hopefully this is the beginning of a trend toward SSL for non-banking sites.

While I’ll leave the mathematics of how strong a 256bit encryption key is for another post, I will share with you my favourite analogy of its strength to help put it into perspective. It is said that if each grain of sand on Earth was a modern desktop computer, these computers working together would take centuries to crack a single 256bit encryption key using brute force.


So now we can be pretty confident no third party will be able to listen in on our connection to the web server, but how can we be sure the web server is really who they say they are? Internet phishing scams are all too common these days, where an email claiming to be from your bank asks you to follow their link and verify your username and password. The trick in these scams is to provide a link that looks like it’s official when in fact it is linking to their own malicious server where they can capture the unsuspecting victim’s banking details. SSL certificates are the most effective and certain way of mitigating against these threats.

When a website operator purchases an SSL certificate, details about them, their business and their website are sent securely to what’s known as a Certificate Authority (CA) such as GeoTrust. The CA will then independently verify that they own the domain, and with higher security certificates (‘extended validation’), they will proactively vet the business details against public government records to absolutely validate the identity of the website. Once the CA has done their checks they will ‘sign’ the certificate, much as a lawyer or Justice of the Peace can notarise a document, the CA acts as a trusted third party who can ensure the SSL certificate actually belongs to who it claims. So the next time you connect to your Internet banking or logon to buy something online, you will see a small closed lock in your browser indicating your connection is secure. With Extended Validation certificates, you will be presented with an even more prominent green bar next to the URL which shows the (validated) business name of who owns the website and certificate.

There we have it, the SSL protocol first ensures you are connecting to an authenticated server and then encrypts any information you transfer. Hopefully this blog has helped explain the very basics of what SSL is all about. Now with the basics under your belt, stay tuned for my follow up SSL articles where I will delve into some technical detail on how public/private key encryption works, whether the Certificate Authority system is the best option going forward, and how client side security updates are making SSL common place beyond the shops and banks.