Welcome to a new edition of Bits & Bytes! This month, let’s return to the theme of digital security and learn more about SSL certificates, how they work, why they’re important, and how they’re easier to obtain now than ever.
Before we get started, I should point out that what we’re referring to when we say SSL (Secure Socket Layer) is now technically called TLS (Transport Layer Security). However, for the sake of familiarity, we’ll refer to it as SSL for the remainder of this article.
You probably already know that if a URL starts with “https” instead of just “http”, the “s” signifies that the website is secured with an SSL certificate. What that means is any information passed between your computer and the website will be done so securely over SSL. But what you may not know is how that works or why it’s so important.
How SSL Works
SSL employs a cryptographic concept called PKI (Public Key Infrastructure) in order to establish a secure connection, like a tunnel, through which data can then be transmitted freely between two parties (e.g. computers). With PKI, each party involved in the exchange of data has their own pair of digital security certificates called keys: one key is public and can be viewed by anyone, while the other key is private and is only ever known to its owner. If you were to look at the content of these keys, they would just look like a big jumbled mess of random characters, but taken together they serve a very specific purpose; public and private key pairs are linked mathematically such that anything encrypted with the private key can only be decrypted with the corresponding public key, and vice versa.
That word “encrypt” is used a lot these days, but we don’t often consider what it actually means. Essentially, encrypting is the act of taking some data and running it through a mathematical algorithm so that it comes out as unintelligible garbage on the other side. What’s neat about encrypting with PKI is that, even if someone has the key that you used to encrypt something, they would still need your second key in order to decrypt it. That’s because PKI incorporates the content of the key being used into the encryption algorithm and produces output that can only ever be “reversed” by the second key. The more complex the algorithm, and the larger the keys used in that algorithm, the better the encryption.
Using PKI is also great because it affords authentication and privacy to both parties involved in the exchange. Let’s look at a rough example to see how this works in practice.
Let’s imagine that Amanda needs to send something highly sensitive, such as her bank account number, to her friend Bob. To start, Amanda uses her private key to encrypt her bank account number, thus ensuring that it can only be decrypted using her public key. Why do this first? Well, since only Amanda’s public key can decrypt the data, it will prove to Bob that Amanda is the one actually sending it. She then encrypts the data a second time using Bob’s public key, ensuring that only Bob’s private key can decrypt that. When Bob receives the twice-encrypted data, he performs Amanda’s actions in reverse but uses the pairs to the keys she used instead. He first uses his private key to decrypt it once, and then uses Amanda’s public key to decrypt it a second time. The result is the fully decrypted bank account number.
SSL uses this concept to authenticate and secure the initial interaction (called a “handshake”) between two computers. Once the secure connection is established, the computers then use a shared session key for the duration of the exchange since it’s faster than using PKI. Without PKI though, the computers have no way of confirming their identities or ensuring the integrity of the data being exchanged.
Why SSL Works
SSL as a mechanism for secure communication only works if we trust that the certificates involved are genuine. Technically speaking, anyone can generate a certificate that says they’re Amazon or Bank of America, so how do we know the one we’re connecting to is real and not that of an imposter?
The answer is that real certificates are only ever issued and maintained by recognized Certificate Authorities (CAs) like DigiCert, Thawte, or VeriSign, to name a few. These large entities are known worldwide for being reliable stores for digital certificates and public keys, and any SSL certificate that was issued legitimately can always be traced back to its CA. Without trusted CAs to verify certificate chains, authentication would be meaningless and the whole system would fall apart.
Why Use SSL
So now we know how and why SSL certificates work in a general sense, but the big question is do you actually need one? And the short answer is “yes”. Let’s go over the main advantages of implementing SSL for your website:
Protection. SSL certificates protect both you and your site visitors from so-called “man-in-the-middle” attacks. That’s when a hacker inserts themself into the data exchange between visitors and your website, allowing them to impersonate your site and capture the data before it reaches you.
Compliance. If you plan to accept payment information from your visitors, particularly credit card data, SSL is a basic requirement of payment processors in order to remain PCI compliant.
Reputation. Depending on what browser they use, your visitors are likely to receive a big, glaring warning about the lack of security on your site without an SSL certificate. This doesn’t exactly make for a great first impression. Plus, there’s just something about seeing that comforting little lock symbol in the URL bar that gives people the warm fuzzies.
Still not convinced? Well, it turns out that even if you’re not scared of hackers and not handling credit card purchases via your web site, there are still several benefits to obtaining one that you may not realize:
Performance. Sites secured via SSL certificates actually load faster than without them. This will be especially true in the future.
Visibility. Sites secured via SSL actually appear higher in Google search results than those without them. Any SEO specialist should tell you that insecure sites are always deprioritized in favor of secure sites and usually end up on page 3 of search results or worse.
Relevance. Modern web/HTTP standards are geared towards the implementation of a more secure internet. It’s entirely possible that an insecure website simply won’t work some day in the near future. And you don’t want to be known as the only insecure website in town, do you?
In all seriousness, SSL certificates are such an important part of online security that there are non-profit Certificate Authorities such as Let’s Encrypt that will issue them for free. While there are caveats to using a free certificate (which we’ll discuss in another of Bits & Bytes), I’d personally argue that the pros of using a free certificate far outweigh the cons of not having one at all.
Steve Shannon has spent his entire professional career working in tech. He is the IT Director and Lead Developer at PromoCorner, where he joined in 2018. He is, at various times, a programmer, a game designer, a digital artist, and a musician. His monthly blog "Bits & Bytes" explores the ever-evolving realm of technology as it applies to both the promotional products industry and the world at large. You can contact him with questions at steve@getmooresolutions.com.