You may ask yourself, what is an SSL certificate and why do I need one? The short answer is, yes you need one. However, whether you are hosted on NoSpin WordPress or its self-hosting cousin NoSpin Web Hosting, the installation of your domain validated (DV) SSL certificate is automatic and free. That alone should make you smile but it doesn’t amount to a very interesting article.
TLS in a Nutshell
We’ll begin by explaining that Secure Sockets Layer (SSL) is actually the predecessor of the current set of cryptographic protocols referred to as Transport Layer Security (TLS). The term SSL is simply the industry-accepted vernacular, which refers to its successors (TLS 1.0, 1.1, etc.) as well as earlier forms of cryptographic protocols dating back to the heyday of SSL and Netscape Navigator. Perhaps one day we shall install TLS certificates; albeit for now, six of one, half a dozen of the other.
TLS is designed to provide communication security over a computer network. The protocol utilizes asymmetric cryptography to first authenticate the counterparts of the communication and then negotiate a symmetric session key, which is used to encrypt data flowing between the participants. When a client’s browser asks for an SSL-protected page from a web server, the web server responds with an SSL certificate (also known as a signed public key) and a set of intermediate certificates needed to confirm the identity of the server and domain name. The client’s browser must then validate the domain name’s certificate (public key) and send in response a random key encrypted with the web server’s public key. Upon receiving this response, the web server can decrypt and retrieve the client’s random key. At this point, both the authenticated website and the browser have a shared random key to use for symmetric encryption.
Don’t be concerned if asymmetric and symmetric cryptography are Greek to you. Simply remember that asymmetric cryptography is performed at the beginning of the communication to verify the server and domain’s identity to the browser, and symmetric cryptography then encodes the exchanged data in such a way that only the two entities can understand it. Since authentication of the domain name and its corresponding web server is an essential component of this process, every eCommerce web site should incorporate an SSL certificate issued by a Certificate Authority (CA) in order to authenticate itself to its clients’ web browsers. In other words, in terms of security, self-signed SSL certificates are appropriate only under the least demanding conditions; e.g., the website owner is the only person logging into the admin directory from a dedicated IP address specified in the .htaccess file securing said directory.
Remember, TLS is simply the more intelligent child (or grandchild) of SSL and one does not purchase a TLS certificate. The certificate issued by a Certificate Authority is always referred to as an SSL certificate. Nevertheless, we’d like to briefly mention the objectives of the TLS Protocol:
- Cryptographic security – TLS should be used to establish a secure connection between two parties.
- Interoperability – Independent programmers should be able to develop applications utilizing TLS that will then be able to successfully exchange cryptographic parameters without knowledge of one another’s code.
- Extensibility – TLS seeks to provide a framework into which new public key and bulk encryption methods can be incorporated as necessary. This will also accomplish two sub-goals:
  - Prevent the need to create a new protocol and risk the introduction of possible new weaknesses.
  - Avoid the need to implement an entire new security library.
- Relative Efficiency – Cryptographic operations tend to be highly CPU intensive, particularly public key operations. For this reason, the TLS protocol has incorporated an optional session caching scheme to reduce the number of connections that need to be established from scratch. Additionally, care has been taken to reduce network activity.
The TLS protocol is composed of two layers: the TLS Handshake Protocol and the TLS Record Protocol. The TLS Handshake Protocol provides connection security that has three basic properties:
- The peer’s identity can be authenticated using asymmetric, or public key, cryptography. This authentication is required for at least one of the peers… typically the server.
- The negotiation of a shared secret is secure. This shared secret is used to generate a unique key to symmetrically encrypt the rest of the connection.
- The negotiated secret is unavailable to eavesdroppers, and for any authenticated connection the secret cannot be obtained, even by an attacker who can place himself in the middle of the connection.
The TLS Record Protocol provides connection security with two basic properties:
- The connection is private.
- Symmetric cryptography is used for data encryption.
The keys negotiated by the server and client (browser) during the Handshake Protocol are uniquely generated for the symmetric cryptography utilized during each https connection. The TLS Handshake Protocol is initiated upon connection to the server by the client and allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol (https) transmits or receives its first byte of data.
The TLS protocol continues to evolve and to this date (September 2015) there is a TLS 1.3 draft under development.
Certificate Signing Requests
If you need an SSL certificate with scope beyond the domain validated (DV) certificates we automatically provide (e.g., an EV or extended validation certificate), the acquisition process begins with the creation of a Certificate Signing Request, or CSR. For a description of the process, please follow the link to our server documentation so you can see how the process of obtaining an SSL certificate is initiated. This documentation is available purely for reference’s sake, as most of our web hosting customers rely on us to write the CSR, order the certificate from a CA (certificate authority) and install it on their domain. Nevertheless, all our web hosting customers have the option of installing their own SSL certificates by using their cPanel control panel in conjunction with the order form located in our Client Portal. For further information on obtaining an SSL certificate, either login and post a comment below or submit an SSL Certificate support ticket in the Client Portal.
SSL certificates have many properties associated with them apart from their public key feature. Keep in mind, when used in this context, the term key or public key is synonymous with certificate or SSL certificate. Each certificate has a subject, which it “certifies”, such as a domain, or a signing service provided by an authority. It also contains an issuer, the name of the certificate authority that “signed” this certificate. When a number of certificates sign each other in order, a certificate chain is formed. The significance of the certificate chain is that every browser references its bundle of certificates containing Root and Intermediate certificates of trusted certificate authorities. For SSL to work, the domain name’s public key, or an Intermediate key that signed the domain name’s key, has to be present in the browser’s bundle of Root and Intermediate keys. If a certificate that is present in the browser’s bundle of certificates has signed the domain name’s certificate, the chain of certificates is considered authentic, and thus the identity of the web site is confirmed. Certificate Authorities have their Root certificates bundled with all the major browser products and thus all the certificates signed by their Root certificates are considered valid. Therefore, a hierarchy forms where those authorities in turn validate the identity of other authorities for which they will in turn sign certificates.
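The CSR step and the certificate chain described above can be reproduced offline with the OpenSSL command line. This is an added example, not NoSpin's own procedure or documentation: it builds a throwaway root and intermediate CA, signs a site CSR, and checks which certificates chain to the root. It assumes OpenSSL 1.1.1 or later on the PATH; the names "Demo Root CA", "Demo Intermediate CA" and www.example.test are constructed.

```shell
# Added demo: throwaway CA hierarchy; every name below is constructed.
set -eu
make_pki() {  # $1 = empty working directory; openssl chatter goes to openssl.log
  ( cd "$1"
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    key="-newkey rsa:2048 -nodes -config demo.cnf"
    sign="-CAcreateserial -extfile demo.cnf -days 30"
    # Root CA: self-signed trust anchor, standing in for the browser's bundle.
    openssl req -x509 $key -extensions ca_ext -days 30 \
      -subj "/CN=Demo Root CA" -keyout root.key -out root.pem
    # Intermediate CA: its CSR is signed by the root.
    openssl req -new $key -subj "/CN=Demo Intermediate CA" \
      -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key $sign \
      -extensions ca_ext -out int.pem
    # Site: key pair plus CSR (the customer's step), signed by the intermediate.
    openssl req -new $key -subj "/CN=www.example.test" \
      -keyout site.key -out site.csr
    openssl x509 -req -in site.csr -CA int.pem -CAkey int.key $sign \
      -extensions leaf_ext -out site.pem
    # Self-signed certificate for the same name: no CA vouches for it.
    openssl req -x509 $key -extensions leaf_ext -days 30 \
      -subj "/CN=www.example.test" -keyout self.key -out self.pem
  ) 2> "$1/openssl.log"
}
csr_ok() {  # $1 = dir, $2 = CSR: does its self-signature verify?
  ( cd "$1" && openssl req -in "$2" -noout -verify -config demo.cnf 2>&1 |
      grep -q 'verify OK' )
}
chain_ok() {  # $1 = dir, $2 = cert, $3 = optional intermediates file
  ( cd "$1" && openssl verify -CAfile root.pem ${3:+-untrusted "$3"} "$2" \
      2>/dev/null | grep -q ': OK$' )
}

demo=$(mktemp -d)
make_pki "$demo"
for c in "site.pem int.pem" "site.pem" "self.pem"; do
  if chain_ok "$demo" $c; then echo "trusted:   $c"; else echo "untrusted: $c"; fi
done
```

Only the first case verifies: the site certificate without its intermediate and the self-signed certificate both fail, because neither can be linked to the trusted root.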
In conclusion, authentication is at the heart of the SSL/TLS process. If there is no authentication, there can be no sharing of the secret symmetric cryptography keys and thus no real security. This is precisely the reason those website owners relying on self-signed certificates are vulnerable to attack. It’s not worth the risk, especially when a GeoTrust SSL Certificate can be obtained for less than $20-US per year from NoSpin Web Hosting.
NoSpin Web Hosting offers SSL certificates from under $20-US per year. If you do not see what you are looking for among our popular certificates, leave a comment below and we’ll respond with a quote. If you are interested in a Wildcard or EV certificate, please login to the NoSpin Web Client Portal and submit an SSL Certificate support ticket prior to your purchase. SSL certificates must be installed on our server and even though this can be accomplished through your cPanel control panel, NoSpin Web Hosting shall perform the installation for all new cPanel accounts free of charge. For assistance, please submit an SSL Certificate support ticket in the NoSpin Web Client Portal.