
What Is SSL? Like, Really… Plus How to Get It Installed on WordPress

What is SSL? Like, really…

Okay, so you know what SSL stands for. That would be, “Secure Sockets Layer.”

In simple terms, SSL is used to encrypt the connection between a website and its visitor. When this encryption takes place, it means that only that specific website and that specific visitor can read the information they’re sending back and forth.

Without the SSL in place, virtually anyone can eavesdrop on the data transfer. And I do mean anyone!

The traditional way in which HTTP communication is handled on the web is by sending plain packets that can be read by third parties while on their way between the source and the destination. This is not such a problem when you’re just browsing 9gag, but it can be a serious threat when you’re trying to buy something online and have just input your credit card number.

In other words, here’s what happens when you visit a website that does not use SSL:

[Image: no SSL]

The guy in the middle can read the entire communication purely because it’s all happening in the open with no encryption whatsoever.

Imagine talking to someone in a busy cafe. It’s kind of like that.

Now with SSL running:

[Image: with SSL]

The communication is encrypted. While people can still intercept it as it’s traveling through the interwebs, decrypting it is near impossible.

Imagine sitting in the same busy cafe, but now you’re speaking Klingon, backwards.

How does SSL work?

It’s all quite simple when we get to the mechanics:

Again, SSL encrypts all data being transferred between the visitor and the website.

For a website to use SSL, it needs to obtain an SSL certificate. That certificate is proof that the website is a legit one and that the SSL encryption it’s using is correct, plus the certificate also holds the information about the public key used for encryption (more on that later).

Here’s what’s going on step by step when a person visits an SSL-powered website:

Phase 1

The visitor’s browser checks if the SSL certificate of the website is valid.

This is done to make sure that the certificate is not fake and that the website is what it claims to be.

The browser checks the certificate to make sure it’s not an imposter site. However, the browser doesn’t do this on its own but instead checks with a certificate authority – a third party company that issues certificates.

If the validation goes well, the browser lets you know by showing this familiar padlock:

[Image: padlock]

Phase 2

The browser uses the certificate when communicating with the website.

This is done by taking the public key that’s part of the certificate and using it to encrypt all data sent to the website.

That data is then transmitted to the website in its encrypted form.

Phase 3

The website uses its own private key to decrypt the message and then processes it.

That private key is known only to the website, and it’s also the only key that can decrypt the message correctly. This means that only the website can read the information that the user is sending.

This becomes crucially important when the data being sent is stuff like credit card numbers.

Phase 4

The website sends a response to the visitor and adds a unique signature to it using the private key.

The signature can be verified on the user’s end by using the public key of the website. In other words, only the website itself could produce that specific signature since only it has the private key.

At this stage, we’ve come full circle, from establishing a secure connection to sending data to the website and then receiving a response. This is how communicating through SSL is done.

The public-private key pair is a simple concept, but it’s all that’s required to establish a secure channel of communication and to make sure that the party you’re communicating with is what they claim to be.

In simple terms, you can think of the public key as the padlock and the private key as the actual secret combination that can be used to open the padlock.
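
The key-pair mechanics of Phases 2 to 4, as an added example that is not code from the original article: it uses textbook RSA with toy parameters and no padding, chosen here only so it runs with the Python standard library, and all function names are hypothetical. Real TLS libraries add padding and use the key pair to agree on a faster shared session key rather than encrypting every byte this way.

```python
import hashlib

# Toy key pair (added illustration): textbook RSA over two well-known Mersenne
# primes, with no padding. Never use these parameters for real traffic.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                                   # public modulus (in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (stays on the server)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def encrypt(public_key, message: bytes) -> int:
    """Phase 2: the browser locks the data with the site's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Phase 3: only the private key recovers the original bytes."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, response: bytes) -> int:
    """Phase 4: the site signs a SHA-256 digest of its response."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(response).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, response: bytes, signature: int) -> bool:
    """Phase 4, visitor side: check the signature with the public key."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(response).digest(), "big")
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    secret = b"card=4111111111111111"        # constructed sample data
    ct = encrypt(PUBLIC_KEY, secret)
    print("eavesdropper sees:", hex(ct)[:40], "...")
    print("website reads:   ", decrypt(PRIVATE_KEY, ct))
    reply = b"order accepted"
    sig = sign(PRIVATE_KEY, reply)
    print("genuine reply verifies: ", verify(PUBLIC_KEY, reply, sig))
    print("tampered reply verifies:", verify(PUBLIC_KEY, b"order rejected", sig))
```

The last line prints `False`: changing even one byte of the response breaks the signature, which is how the visitor's side notices tampering.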

What’s the difference between SSL and TLS?

In a word, there’s no difference.

Okay, to be more specific, there is, but it’s a simple one as far as we need to know. TLS (Transport Layer Security) is an updated version of SSL. It’s more secure, and it’s actually what all of us use these days instead of SSL.

Yes, you read that right: whenever you get what you think is an SSL certificate for your website, you’re actually getting a TLS certificate.

We still refer to it as SSL because it’s a more commonly used and understood term.

What’s HTTPS?

HTTP is a protocol used for communicating over the internet. It’s through this protocol that a website sends you its contents/data and that you can interact with it and send data back.

HTTPS is a secure version of the protocol. That’s what the “S” at the end stands for.

With HTTPS, the communication itself is done pretty similarly with the only difference being that it’s encrypted using an SSL certificate, making it secure.

Types of SSL/TLS certificates

Not all SSL certificates are created equal. Based on what type of certificate you get for your website and how you configure it, your visitors will see different notifications in their browsers.

Most commonly, certificates are grouped based on two things:

  • (a) what the validation level of the certificate is
  • (b) how many domains can be secured using a single certificate

Under the first group (a), we have:

  • certificates validating just the domain name itself – the certificate authority simply validates that the company has control of their domain name
  • certificates validating the organization owning the domain – this one validates not only the domain name but also the information included in the certificate about the organization, such as name and address
  • certificates offering extended validation – this is the highest level of a certificate where the certificate authority verifies the ownership of the domain, the information about the organization, their physical location, and even legal existence of the company

In order to make your site correctly integrated with SSL, you need to opt for either standard domain validation or organization validation. The third level is usually something only the big players opt for, such as PayPal, Airbnb, etc.

You can see the level of SSL certificate in the browser window.
