When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an SSL connection using a process called an "SSL Handshake", as shown in the image below.

Essentially, three keys are used to set up the SSL connection: the public, private, and session keys. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.

Because encrypting and decrypting with private and public key takes a lot of processing power, they are only used during the SSL Handshake to create a symmetric session key. After the secure connection is made, the session key is used to encrypt all transmitted data.

SSL Handshake

  1. Browser connects to a web server (website) secured with SSL (https). Browser requests the server identify itself.
  2. Server sends a copy of its SSL Certificate, including the server's public key.
  3. Browser checks the certificate root against a list of trusted CAs and make sure the certificate is unexpired, unrevoked, and its common name is valid for the websiUKte that it is connected to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server's public key.
  4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
  5. Server and Browser now encrypt all transmitted data with the session key.

Why Do we need SSL?

  • One of the most important components of online business is creating a trusted environment where potential customers feel confident in making purchases. Browsers give visual cues, such as a lock icon or a green bar, to help visitors to know when their connection is secured.
    SSL Certificate - Secure Sockets Layer
  • If your site collects credit card information you are required by the Payment Card Industry (PCI) to have an SSL Certificate. If your site has a login section or sends/receives other private information (street address, phone number, health records, etc.), you should use SSL Certificate to protect the data.
  • Your customers want to know that you value their security and are serious about protecting their information. More and more customers are becoming savvy online shoppers and reward the brands that they trust with increased business.

References & Resources

  • N/A