Have you ever noticed that when you visit a website its URL starts with either “https://” or “http://”? Ever wondered what difference does the extra “s” in HTTP is and what does it add more to HTTP?

The letter “S” in HTTPS represents a secured form of HTTP. Websites which has HTTPS will add a layer of security onto the communication between the browser and the server through encryption. The main technology that backs up HTTPS is SSL.

What is SSL/TLS?

Definition from SSL.com

“SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers”.

SSL was first introduced in the year 1994 by Netscape (a web browser which was dominant in the 1990s) as a way to secure communications between the client and server on the web. The first version of SSL was never released due to a security issue. The first official release of SSL, which is version 2.0, was out in 1995. The final version of the SSL protocol, SSL 3.0, was released in November 1996. SSL 3.0 was deprecated in 1999 and TLS was introduced. At present, TLS is in version 1.3 which was released in 2018.

Whenever we fill an online form or proceed with some online cash transaction we feel worried that our data may be accessed by unauthorized parties. With HTTPS you don’t need to worry anymore because SSL ensures that both parties in the communication are authorized and communication is encrypted.

To understand more about SSL or TLS we need to know about two essential terms, which are Authentication and Encryption. Authentication is the process to verify that someone or something is really who or what it declares to be. In SSL, the server will need to prove its identity to verify that it is legitimate. Encryption is the process of transforming plain text into a form called ciphertext that only the intended users can read.

Without SSL our communication channels are vulnerable to “Man-in-the-middle attacks” where a third person will intercept the traffic and all data are visible to the hackers because it is in plain text. With SSL even if a hacker intercepts the traffic he or she will not be able to identify it because its in ciphertext.

Why we need SSL/TLS?

Key benefits of SSL;

  • SSL will help protect customer data.
  • Protection against phishing and other attacks.
  • SSL helps your website boost in Search Engine Optimization (SEO).
  • The use of SSL will increase customers’ trust and increase in revenue.

How SSL/TLS works?

Here is a simple explanation of what goes behind the scene;

  • The browser requests a website that is secured by SSL from a web server. The browser will request the webserver to verify its identity.
  • The server will respond by sending a copy of its SSL certificate. The SSL certificate holds the server’s public key and a digital signature from a Certificate Authority (CA).
  • The browser receives the certificate and will verify its authenticity using the digital signature of its provided Certificate Authority. Now the browser can verify that the received public key is from the intended web server. Verification completed.
  • Next, the browser will generate a symmetric key to encrypt its messages. For the server to decrypt these messages, it requires the sender’s symmetric key. Therefore the browser will encrypt a copy of its symmetric key using the public key of the web server knowing that only the intended web server has the private key to decrypt it.
  • The browser sends this encrypted symmetric key to the server and the server will decrypt and obtain a symmetric key. Now a secure encrypted communication can be carried on by the browser and the sender using these symmetric keys.

As we can see SSL uses an asymmetric key encryption algorithm to verify the authenticity of the webserver. Once the connection is established symmetric key encryption is used for the encryption and decryption of all communication between the two parties.

SSL/TLS HandShake in depth

In the above section, we discuss the basic theory behind SSL. Now let us dig deeper into the subject. SSL is not just one protocol but it can be considered as a group of protocols coexisting and working together to accomplish one goal. This set of protocols is also called the “SSL Protocol Stack”. Protocols in the stack include:

  1. SSL Handshake protocol
  2. Change Cipher Spec protocol
  3. Alert protocol
  4. Record protocol

The SSL Handshake protocol is where the initial connection between the client and the server takes place, verification of authenticity, and deciding the algorithms used during the communication such as key exchange, compression, and hashing algorithms. The handshake protocol can be broken down into multiple steps.

  1. The client sends the “Client Hello” message to the server.

The connection is initialized by the client (sender) by sending the Client Hello. The client browser’s Client Hello message includes:

  • List of SSL or TLS versions available
  • Compatible cipher suites
  • Compression methods available
  • Client random, which is later used to generate the encryption key
  • Session IDs, IDs from previous sessions with the server.
  • Extensions, which are additional functionalities that that client requests.

The cipher suite is a combination of a different cryptographic algorithm that will be used in the later stages. These algorithms include the key exchange algorithm, the authentication algorithm, the data encryption algorithm, and the hashing algorithm.

This is how a Client Hello looks like captured with Wireshark.

2. The server responds with a “Server Hello” message to the client.

Once the server receives a Client Hello message it will respond with a Server Hello message. This message can either be the selected algorithms proposed in the Client Hello or a Handshake Failure message. If it is not a Handshake failure the message includes;

  • the server selected SSL/TLS version.
  • server random, random number that will be used to generate the encryption key.
  • selected cipher suite
  • selected compression algorithm
  • session ID, if a match is found within the client’s session IDs of a previous session the session will be reused else a new session will be created.

This is how a Server Hello looks like captured with Wireshark.

3. The server will send a copy of its SSL certificate containing its public key if the previous step was not a Handshake Failure.

This is how a server certificate looks like captured with Wireshark.

4. (Optional) The clients sends a copy of its digital certificate.

Some times the server will request the client to verify its identity. This is accomplished using the client’s digital certificate.

5. The server sends a server exchange key.

This step is only carried if the key exchange algorithm requires an additional parameter from the server when generating the pre-master key. Diffie Hellman algorithm is one such algorithm.

This is how a server exchange looks like captured with Wireshark.

6. The server sends a Server Hello Done message to complete its Server Hello message.

7. Client Key Exchange

Now the client will share the pre-master key with the server, which will be used by both ends to generate the final symmetric key. The calculation of the pre-master key is done according to the chosen key exchange algorithm in the cipher suite. The most common and well-known key exchange algorithms are RSA (Rivest Shamir Adleman) and DH (Diffie Hellman) which are asymmetric key encryption algorithms. Once the client browser generates the pre-master key it will be encrypted using the server’s public key and sent to the server. This is done to prevent hackers from reading the premaster key even if they eavesdrop the channel. Once the server receives the encrypted key it will use its private key to decrypt the message and obtain the pre-master key.

Now both the server and client have the pre-master key. Next, the master key is generated by combining it with the parameters exchanged earlier (server and client randoms). Now both ends can use this key for symmetric key encryption. Example Client Key Exchange message;

8. The client changes the Cipher Spec.

The client will now change the encryption to a symmetric key using the Cipher Spec protocol.

9. The client sends a Handshake Finished message.

10. The server changes Cipher Spec.

11. The server sends a Handshake Finished message.

Handshake protocol ends and a secure connection is established.

Next is the Record protocol. Here is when the client and server communicate. Each message is broken down into fragments. Each fragment will be compressed and appended with the MAC (Message Authentication Code) generated using the hashing algorithm. Subsequently, these fragments are encrypted using the master key and finally, the SSL header is appended and sent. An encrypted fragment looks like;

Alert protocol is responsible for notifying the piers in case of any failures in the session. This can be classified into two parts; Warning and Fatal Error. A warning will not affect the connection but instead, sends a notification. A fatal error would cause to terminate the connection.

Digital Certificates

In an asymmetric key encryption algorithm, the public key will be shared openly. But how can we ensure that the public key was originated from the legitimate intended receiver? we might end up encrypting our confidential messages using a fraud public key generated by a hacker who will have a private key to decrypt the message. To solve this problem digital certificate was produced.

A digital certificate is an electronic credential that is used to prove the ownership of a public key. The purpose of having a digital certificate is to prove that a public key belongs to an entity that was issued with the certificate. A digital certificate can be issued by a third-party organization called a Certificate Authority (CA). A digital certificate contains the public key, metadata including the owner of the certificate, the digital signature of the certificate authority, and the validity period.

Types of SSL certificates

There are different types of SSL certificates based on the number of domains authenticated or validation levels. Certificates that differ domains authenticated includes:

  • Single Domain SSL Certificates; in this type of certificate, only a single domain will be authenticated including all its pages but not its subdomains.
  • Wildcard SSL Certificates; for a single domain and all subdomains under it.
  • Multi-Domain SSL certificates (MDC); this type of certificate can be used to authenticate multiple domains.

What is a validation level in an SSL certificate? An SSL certificate will is used to authenticate an organization’s ownership of a domain. A normal user will have their trust in the certificate authority when issuing certificates. Therefore the certificate authority needs to validate the organization. How deep the validation process of an organization is carried on can be defined as the validation level. Based on these levels there are several options when purchasing a certificate.

  • Domain Validation SSL Certificates; this is the least validated level where the organization will only require to prove that they have control of a domain. The cheapest certificate that is available.
  • Organization Validation SSL Certificates; this type of certificate involves the CA to investigate more on the organization. The certificate authority will directly contact the organization. This certificate will include the organization’s details as well to increase the trust within clients.
  • Extended Validation SSL Certificates; involves the certificate authority full background check of the organization, its legal registration as a business, and so on. This is the highest level validation and is required to get the green bar in the URL. Usually, large scale organizations and e-commerce platforms buy these types of certificates to secure customer data and ensure trust.

Difference between SSL and TLS

Even though we treat SSL and TLS as equals, there are considerable differences between them. TLS is the successor to SSL. This means that TLS is the more secure version. Here are some of the key differences;

  • SSL stands for Secure Socket Layer while TLS stands for Transport Layer Security.
  • Only SSL supports the Fortezza algorithm.
  • The final version of SSL is version 3.0 released in 1996 before being deprecated in 1999. The latest version of TLS version 1.3, was released in 2018.
  • SSL uses Message Digest to generate the master key. TLS uses a Pseudo-Random function.
  • SSL uses a Message Authenticated Code (MAC) protocol but TLS uses Hashed Message Authenticated Code (HMAC) protocol.